Learning Without Scars
    S1 E73•November 25, 2021•23 min

    Dan Slusarchuk talks about Cyber Security

    Cyber security has become more critical than ever, given how technology has penetrated nearly every aspect of business. How to protect yourself is touched on in this important podcast with a man who is in the middle of it every day. We are introduced to tabletop discussions as a way to prepare: what are the steps, and who is involved? This is but a small beginning in exposing us all to this extremely important aspect of running a business today. Visit us at LearningWithoutScars.org (https://www.LearningWithoutScars.org) for more training solutions for equipment dealerships (construction, mining, agriculture, cranes, trucks and trailers). We provide comprehensive online learning programs for employees, starting with an individualized skills assessment and leading to a personalized employee development program designed for their skill level.

    Transcript

    0:19

    Aloha, and welcome to another Candid Conversation. Today, we're talking with Dan Slusarchuk, who is a bit of an IT expert serving multiple industries and trying to keep everybody up to date and up to speed. Today, however, I'd like to get Dan's input and thinking relative to cybersecurity. We've been reading a lot of, hearing a lot of people being hacked, maybe your own personal computer, your phone, whatever. It's all over the place. And I'd like to see what Dan can contribute to us in making us feel more comfortable or giving us some guidance on what needs to be done. So Dan, I hope I didn't create too much of a burden there, but welcome aboard and thanks for participating.

    1:12

    Hi, Ron. Thanks for having me.

    1:14

    You put out a blog recently that was titled Cybersecurity Incident Response Planning. How about you talk to us about what that blog was aimed at?

    1:30

    Absolutely. So you can ultimately spend a lot of time and money on cybersecurity defense. You can do the same on disaster recovery planning. But ultimately, I think what we all can agree is that it is still possible to be hacked. It is still possible to have an incident because of the nature of how software is developed and how many bugs it could possess. It's very difficult to have a completely foolproof cyber defense plan. And that's... We see that in the larger companies. They have big budgets and they still get hacked. So I think it's important to realize where you're at and have a plan. So if it is possible to be hacked, what are you going to do about it if you do get hacked? And incident response is the term used when you've been hacked or breached, and now you need to do something about it because your customers, your employees, somebody or something has been harmed significantly enough to where you need to do something about it.

    2:59

    And so this blog post was aimed at what are the things that would go into that policy? And what are just some practical steps? Who do I need to involve? So that way you can start thinking about your risk mitigation measures, whether they're technical controls (you know, we don't accept attachments for emails) or personnel controls (don't click on links in email; we've got to train you on that). So the idea is to have a plan in place, talk about it, and understand what you think you're going to try to do to help reduce the risk, to lessen the exposure and to get back to work as quickly as possible as you navigate through what is, in a lot of businesses' cases, their final chapter. Unfortunately, cyber attacks can really do a number on your business. And especially in an interesting time where people are really leveraging remote capabilities.

    4:10

    You may not have needed so much technology two years ago, but now it may be absolutely required for you to conduct business. So you have to think about your risks associated with what your business does today and what would happen if you couldn't accomplish something with data or with a system.

    4:30

    It's kind of interesting. The security on computer systems has... In the old days when I started out, the people that were consulting in security were all people that had been to prison because they hacked into computers. The old banking where they would round up checks and put that half cent or cent into their own bank account. It was kind of strange. There really doesn't appear to be anybody today that will come in and do a security evaluation. Is that true?

    5:14

    So there are a lot of opportunities to have evaluations done. I think one of the reasons why cyber is so cloaked in mystery is because of the nations that are competing against each other. Nobody really wants to tip their hat to cyber capabilities as it is somewhat of an equalizer. It doesn't cost a lot of money to attack, to have a global attack vehicle, to get a lot of money through a cyber attack, to affect an election. So I think because of the impact related to national defense and to nation state jockeying, I think that's part of the reason why cybersecurity is so hush-hush and not widely discussed. And it also has put businesses at a disadvantage. The reason why businesses are at a disadvantage is because you may have a nation state actor hacking into your company. And that's not fair because you're not the Department of Defense defending yourself.

    6:43

    So there's definitely an interesting scenario unfolding related to cybersecurity, being a business, protecting yourself, but not having access to the tools to defend yourself because large bank accounts, government bank accounts are building the attack tools. So it's kind of an interesting time.

    7:10

    Yeah. We had at one point, I went into a dealership and I was running their parts business and they had 53 stores and the computer system went down for 90 days because one of the disk drive platters was worked. Another dealership that I worked in, we did a complete duplication. We couldn't afford to have any hardware failure. And it's kind of like standby power in a hospital. It'd be unfortunate that you're on the operating table and the lights go out. So you've got the hardware piece of the puzzle, the phones, the laptops, the computers themselves. We've got the cloud, which makes it even more mysterious for people. But is it fair to say that every single person that works at a terminal is a potential liability relative to security?

    8:14

    Yeah, usually when I start looking at risk within an organization, I try to find the items that are risky. So in a healthcare organization, that would be your electronic patient health information. For a publicly traded company, it's probably going to be your financials. And there are regulatory bodies that cover down on those: HIPAA Security, Sarbanes-Oxley, PCI if you take credit cards. But typically, I try to look at what's valuable and start with that, start with the controls to protect that. It is possible to attack the receptionist's workstation. It is possible to gain a foothold there and pivot throughout the organization to get access to the valuable information. But from a risk standpoint, I typically like to start with highlighting what is the business's risk? Is it disruption? So, for example, if a bad actor, a competitor, or somebody was able to take a certain system offline, would that be detrimental to how you operate?

    9:36

    Is it your data? In a lot of cases, at least in healthcare, data is very valuable. They exfiltrate that and sell it. So what is it that we would be defending and what does it mean to the organization? Because the bad actors, they don't have any rules. We typically have a lot of rules we have to follow, but the bad guys don't have any rules. And so that's what makes it easier for them. The scales are already tilted. A bad guy just has to get it right once. They can try 200, 300, a thousand times. If they get it right once, they win. Defense, you have to get it right every single time, every single day, and always be vigilant, never become complacent, and continue to pay attention, be a part of the community. And so it's an exhausting effort on the defense side versus a target of opportunity on the bad guy's side.

    10:42

    Yeah, and it's interesting. If you're successful, nobody knows what you do because nothing happened. If you fail, everybody knows what you didn't do. And it's a really perverse approach to things. First of all, putting up as many roadblocks, as many safeguards as you can so that you minimize the risk. And then, as you said, you cannot eliminate it. There are no rules coming at us. But if we do get hacked, getting companies, management, leadership to understand the value of some of the assets... We don't have information as an asset on the balance sheet, which I've long believed is a failure. People don't understand how valuable that information is, of their parts or their machines or their customer history or the repair history or medical or whatever it is in whatever area. But okay, so we have a failure. Somebody breached us. Do people have plans in place that they can act on? Or is every single one of these things a unique incident?

    11:59

    There are some folks that have carved it up into manageable steps that you can follow. I referenced one, the SANS Institute. They have some courses, and a lot of this is being driven by forensic evidence gathering. So because there's so much money and so much even criminal activity at stake, they have now moved to where forensic evidence needs to be captured in a certain way, just like any other piece of evidence. So because of that, there's now a lot more definition behind the cybersecurity arena. But from the bulleted items that I presented, I developed those by going through incident response with my clients. It is a very difficult time for a client to go through incident response. And so because of that, no matter what your plan is, it's very important, I think, to practice that plan in a tabletop exercise with additional experts in the room.

    13:20

    I would recommend at a minimum having a forensics team, somebody you might call on or somebody insurance might employ in the event of a cybersecurity incident, because they see it all the time. And so they're going to be able to talk about current threats as they relate to your industry or what they've seen in your state or in your city. But they're great. They're great to lead the conversation. I would include your insurance carrier. They always provide valuable insight when the question ultimately arises: what mitigating factors, or how is insurance going to play in our financial scenario or financial risk? Are they going to pay for credit monitoring for our customers or our employees if their data gets stolen? Are they going to pay to replace a server that gets encrypted with ransomware? How are they going to help?

    14:17

    And so if you join them into the conversation, you can understand your policy and you can understand your risks and you can adjust that with real questions. I would include somebody from a legal team. If you enter into a scenario where you possibly have caused harm to patients, employees, where there could be a lawsuit, you want to enter into client attorney privilege as soon as possible. And you want them talking to insurance and you want them talking to the cyber forensics team. So that way you can make decisions appropriate to your regulations at the appropriate time. I think one of the things that gets overlooked is your messaging. A lot of folks think that what the leaders do at the top can be kept secret or that what's happening to the organization won't get out. That is not the case. And even if it is the case, anybody that knows something bad is going on will create their own narrative and that will then become what's actually happened.

    15:30

    So I think it's important to include crisis PR so they can talk to the employees and message to the employees. They can talk to the press. The other thing is if you're under a current persistent attack, you may not want to tip off the bad actor. Now this depends on how big your organization is and what all you deal with. But if you, let's say, release to the public, we've been hacked, but we found the bad guy and we've kicked him out, that might accelerate their process. So if their intent was to get in your organization, steal data, and then launch ransomware and extort you for the data they've already stolen, if you tip your hat too soon, they may just launch ransomware ahead of time. So you may have a whole other problem on your hands, or they might adjust their tactics based on the information. So there's a lot of reasons why you want to include those additional expertise.

    16:33

    And if you do it in a tabletop exercise, you get the opportunity to talk to these folks, listen to them, write stuff down without the emotional, visceral reaction of we aren't making money right now, we are shut down, and all the potential bad narratives that circulate in your mind when trauma happens to a person. So do it in a non-traumatic way. And maybe in the event with some of our customers, we will do a vulnerability assessment ahead of time. We'll try to hack them through email. We'll try to do different things. That way we bring some... current relevant metrics to the table to incite some discussion and to raise questions to those expertise. And then finally, once you've completed that tabletop exercise, you have effectively brought in other people from your organization to bring their insights. So the HR manager may normally not get to talk about cybersecurity.

    17:43

    But now the HR manager, who is in charge in some cases of direct deposit information, with wiring, or not wiring instructions, but with benefits information, enrollment forms, things like that, they actually get to participate in this exercise, understand the threats and help to meet those challenges. Maybe your HR system didn't have those controls because nobody ever thought to ask. Well, bring as many people that handle data and systems relative to your business to this tabletop exercise so you can adjust your policies and have a plan. Because if you don't have a plan, it will go far worse for far longer, I promise you.

    18:32

    That tabletop exercise is a wonderful example of something that should be done. It's kind of like a fire drill. We're sitting at a table. And as you say, bring in all the players: insurance, HR, legal, public relations, marketing, whomever needs to be there, and go over, you know, what do we think? What's valuable? Like you mentioning HR, direct deposit, benefits, that ties into doctors. There's incredible vulnerability on information there. And your other... I think meaningful point is I don't want to let the world know that something's happened to me until I'm sure that I can look after it properly. And the way technology works with no rules for the bad actors, they'd love to see you respond in a manner because that's programmed. They know what to do with that. It's a decision tree. They make the announcement, boom, I go over here, we expand it, we blow it up even more.

    19:39

    And it's, I mean, that's actually... the tabletop exercise would be a subject for a podcast all of its own. And then the other thing you mentioned that I found, that I think is really critical, is messaging, controlling the messaging, internally and externally. Your employees are going to be taken aback, feeling vulnerable. So that when you do the evaluation, Dan, you're mentioning you come in and you see if you can hack the system. It's really strange for somebody to have a message show up on their screen unannounced. They get freaked out. They don't know what the heck to do. And that's rather easy to do. It's an interesting and a critical part of business today that I don't think that many businesses pay as much attention to as they should. It's becoming more prominent as we see more instances, as we hear of more instances, as ransomware gets to be profitable.

    20:47

    All this hacking that we get, all this emailing we get, is an indication that there's success there. It works. So we've got to find a way that makes sure that we're not vulnerable to it. And I think you have... given us good light, good steps on that blog and expanded a little bit more here with this podcast. But I'd like to get more deeply involved in that, do a deeper dive on some of this stuff on a future podcast, if that's okay with you.

    21:21

    Yeah, there's a lot of considerations that go into play with each one of those steps, why they're in that particular order, at least for me, why I use the words that I use, because they're starting to have legal ramifications as they define what it is to go through this. And as the legal system and federal policy catches up.

    21:48

    Yeah. Yeah. That's what I think: this has been a very valuable podcast. And thank you. Thank you very much. I'd like to thank everybody who's been listening to this, and I look forward to the next podcast with Dan probably as much as the rest of you do. So thanks very much, Dan. And thank you, everybody, for listening and participating. And until the next time, mahalo. Thank you for listening to our podcast. We appreciate your support. Should you have any thoughts or comments, please don't hesitate to contact us at www.learningwithoutscars.com. The time is now. Mahalo.
