Recap on Season 3 - Receipts on The Tea on Cybersecurity

This is a podcast episode titled, Recap on Season 3 - Receipts on The Tea on Cybersecurity. The summary for this episode is:

We've come to the end of another Season of The Tea on Cybersecurity and you know what that means. Join host Jara Rowe in her ultimate receipts from season 3. She highlights the most important things she has learned from her guests this season including why MFA is key to keeping yourself safe online, how to manage vulnerabilities, what steps you need in preparing for cybersecurity incidents, and how to cultivate trust and transparency within your organizations.

Listen in as Jara revisits her conversations with all of our Season 3 guests including Trava CEO Jim Goldman, Craig Saldanha and Mario Vlieg with Insight Assurance, and John Boomershine with BlackInk IT, among others.

In this episode, you'll learn:

  • Multi-Factor Authentication (MFA) is Your Best Friend: It's like adding an extra lock to your door to keep the bad guys out, and who doesn't want that extra peace of mind? Enabling MFA can be a game-changer in protecting against cyber vulnerabilities. It's easy to implement and adds that essential layer of security without the hassle!
  • Bring Your Own Device (BYOD): Take Control of Your Digital Inventory: This is a deep dive on how to make sure all devices, company-owned or personal, are secure and compliant in this digitally diverse world. This is super relevant for those offering flexible work arrangements who want to stay ahead in their cybersecurity game.
  • Establishing Trust and Transparency is Key: This isn't just about securing your systems but also about earning and maintaining the trust of your customers and stakeholders, whether it's securing communications through encryption or ensuring third-party vendors are just as vigilant.

Jump into the conversation:

[00:00 - 00:41] Introduction to the Tea on Cybersecurity podcast
[00:41 - 03:46] The importance of MFA
[03:47 - 05:07] MFA in cyber hygiene
[05:08 - 06:02] Employee training as a vital part of cybersecurity defense strategy
[06:52 - 07:45] BYOD (bring your own device) and the challenges of inventory management
[07:45 - 10:07] A different way to think about risk
[10:08 - 12:12] The difference between risks and vulnerabilities
[12:18 - 13:24] The difference between breaches and incidents
[13:25 - 14:15] What to do if an incident should occur
[14:19 - 16:17] Steps to take if an incident were to occur with a third-party vendor
[16:18 - 17:58] Why trust is foundational to cybersecurity
[17:59 - 19:03] How a compliance framework is like a cookbook
[19:03 - 21:21] Cybersecurity in healthcare and banking

Connect with the host:
Jara Rowe's LinkedIn: https://www.linkedin.com/in/jararowe/

Connect with Trava:
Website: www.travasecurity.com
Blog: www.travasecurity.com/blog
LinkedIn: @travasecurity (https://www.linkedin.com/company/travasecurity/?utm_source=casted&utm_medium=podcast&utm_campaign=podcast_share)
YouTube: @travasecurity (https://www.youtube.com/@travasecurity?utm_source=casted&utm_medium=podcast&utm_campaign=podcast_share)

Jara Rowe: Gather around as we spill the tea on cybersecurity. We're talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. I can't believe we've made it through another season of The Tea on Cybersecurity. I truly appreciate you all being a part of this journey, and I hope you're learning as much about cybersecurity as I am. Now let's dive into what I've learned on season three of The Tea on Cybersecurity. Now, this first receipt, this major thing that I've taken away from the whole season, and that is MFA, multifactor authentication. This is something that every single guest I had on the podcast talked about, the importance of it, how it's just easy to switch on and just gives you that extra layer of security, just makes it harder for those bad guys to get into our accounts. And the first time we heard about it on this season was actually the first episode when Jim and I talked about what's new in cybersecurity and compliance in 2024. Jim talked about how cyber criminals take advantage of vulnerabilities like the lack of MFA to launch ransomware attacks. Let's hear what he had to say.

Jim Goldman: What are the other things we could do to prevent a ransomware attack? And it goes back to what I was saying before about cyber criminals are always looking for openings. So besides not having MFA enabled, another vulnerability, if you will, another unlocked door is that people's laptops, which by the way is now the edge of the network, in many cases, there's no such thing as a corporate network anymore with work from home. The edge of the corporate network is Jim's laptop running off his home internet. What that means is that you can't really protect the network as much as you used to with corporate firewalls and so forth. Now Jim's laptop better be super secure because that's the entry point or the gateway into Trava's network, into Trava's platform, et cetera. Often overlooked is, okay, how secure are your employees or your contractors? This gets tricky, your contractors' laptops. Why? Because chances are your contractors' laptops are their property, not company property. At the same time, if they're vulnerable or they're working for multiple different companies, et cetera, very tricky, very scary, very dangerous. We spend a lot of time on two things. One is only having company owned laptops or laptops that the contractors have agreed we can control, monitor, et cetera. And so we have to have a standard configuration on there knowing that the software on those laptops is properly patched and knowing that random software that may have vulnerabilities can't be downloaded onto that. So it's almost an insurance policy of sorts internally because everything's very predictable. You want to eliminate the unknowns. Standard configuration on all the laptops. Everything's being monitored. We know that everything's shipshape just where it needs to be, that kind of thing.

Jara Rowe: And like I mentioned, several of the guests talked about MFA. In the episode we had about cyber hygiene, Craig and Mario from Insight Assurance also talked about the importance of implementing MFA and how it is good for our cyber hygiene. Let's hear what they had to say.

Craig: Taking control of your digital security really begins with adopting that proactive mindset and implementing just sound hygiene practices in your daily life. One is start by conducting a thorough audit of your digital book. Identify areas where security measures can be hit. I think Mario touched on a lot of this in day-to-day lives. Invest in a reputable password manager to generate and store complex passwords for your accounts. And next is definitely enabling MFA where possible. So it just adds that extra layer of security. And then staying informed about the latest cybersecurity threats. There's so many blogs out there and there's so many news articles. I mean, you can do a quick search of cybersecurity threats and you could find hundreds of articles. Just take a quick read of that. It may take five minutes, but maybe you'll learn something that you have it and you can incorporate that in your daily life. And then specifically from the organizational perspective, I think really starting with potentially outside out to help conduct assessments like SOC 2. It can pave the way for better cyber hygiene and TRC practices going forward.

Jara Rowe: And Craig also emphasized that employee training is really the frontline defense in any organization's cybersecurity. So MFA and training go hand in hand. Let's hear more about this.

Craig: Employee training is really the frontline defense in any organization's cybersecurity strategy. Employees are your biggest asset, but can sometimes also be your biggest threat. Human error is very prevalent. Educating staff about the latest cybersecurity threats, teaching them to recognize phishing attempts and instilling just best practices on a day-to-day basis is going to significantly reduce the chances of cyber attacks. By fostering really a culture of cybersecurity from the top down, from the executive, the C-suite level, it's really making active participants feel welcome in safeguarding the organization's assets and creating that formidable barrier against cybersecurity threats.

Jara Rowe: So when Jim and I talked about what's new in 2024, he also talked about the shift in remote work. This is something Marie and I talked about as well in the episode on asset inventories. Marie told me about the challenges of inventory management in the context of BYOD, which stands for bring your own device, if you ever see that acronym out in the wild. She highlighted the challenges of tracking and monitoring employee owned devices, shedding light on the risks associated with shadow IT. So let's refresh our memories on what Marie had to say.

Marie: There are definitely a lot of different challenges depending on the person, the company. One would be deciding how you are going to track this inventory. So you're going to have to decide are you going to utilize a tool or is this something you're going to track manually like in a spreadsheet. Another challenge I also see is when getting started is just tracking down all assets for a company. If they do not have a list already started, it can be pretty time-consuming to get it up and running. So especially if you have more than just laptops to include in that hardware inventory, it gets a little bit more hectic. And I think people also struggle on getting the proper identification when they're running a BYOD, so bring your own device company. Those devices can be harder to track and monitor when they're not company owned. Knowing what IPs are coming into your network is really important, and a lot of times the employee on the other side probably does not know their IP address or how to find it, but Google's there to help. And another challenge would be keeping up consistent reviews of that inventory and keeping that up to date. So auditors look for specific cadences depending on the framework to make sure the company's staying compliant. So making sure that they're updating that list at least on a quarterly basis is pretty typical.

Jara Rowe: So obviously when it comes to cybersecurity, we hear risks a lot. And Michael and I talked about risk management, but one of the main things that stuck out to me that Michael was telling me is how a natural disaster is considered a risk. And that was something that had never occurred to me. So let's hear what Michael had to say.

Michael: I'll go right back to what is the definition of it, and that's to identify, evaluate, and control risks. That doesn't really help us that much. But if we break that down into three different parts, on one hand we have to identify what risks do exist. As, for example, the natural disaster, we may not think about that as being a cyber risk, but to some extent it can be when we think about availability. So we first have to identify the different risks that are out there. There's common ones that are true for every organization, simple as being hacked or ransomware, or I mentioned things like releasing bugs to production if you create applications. Even losing customers and not having enough revenue is technically a risk for an organization. This expands much more beyond just cyber. But when we're thinking about cyber risks, there are also industry specific ones. So maybe the chance that for healthcare industry that there's a hack and then EPHI, electronic personal health information, gets released. And so then what does that entail? That's identifying risks, but we also need to evaluate them. And so not only do we need to understand what risks might exist, but we need to understand what impact that might have. And so that goes into both of the chance that they're going to happen and the chance that they're going to be successful in creating damage, and then also the likely damage that's going to happen from them. And so those two pieces get put together to understand what a likely overall impact or risk that is to the organization. For management, so we talk about controlling risks, we also have to decide how we're going to deal with that. So most people would say, "Well, to deal with a risk, you just need to eliminate it entirely." And that is one possible way to deal with the risk, but that's not all the possible ways. Sometimes we might mitigate it. We might say, "We're not going to fully be able to get rid of the chance of getting ransomware, but maybe we have very strong offline backups, and that is our way of at least addressing the outages that might occur from ransomware." There's ways to mitigate it even if we don't fully take it away because you can't fully take any risk away. As crazy as it sounds, we can also accept the risk and just say, "That's a very small risk, and the cost it would take to fix it is too great. So let's not actually fix it. Let's accept that risk. It's small. We've done things to mitigate it," et cetera, or we can also transfer that risk such as using cyber liability insurance.

Jara Rowe: But again, in cybersecurity when we talk about risks, vulnerabilities are also a part of the conversation. You may be asking yourself, what's the difference between a risk and a vulnerability? Well, a threat plus a vulnerability equals a risk. Jim and I talked at length about vulnerability management. Let's hear him dive into how vulnerability management is fundamental in cybersecurity and compliance.

Jim Goldman: I like to use an analogy that has nothing to do with cybersecurity. So the concept of vulnerability management in many ways is universal. And so if we think about it in a physical sense, try to keep our homes or our businesses secure from a physical sense. It's what are the vulnerabilities? Leaving your doors unlocked, leaving your windows unlocked, leaving a candle lit and then leaving the house and going somewhere. Those are vulnerabilities. What's vulnerability management mean? It's like anything else. With cybersecurity, it's like any other type of vulnerability management. And I think as we'll get into later, there are multiple stages. The best thing you can do is to prevent vulnerabilities. If you can't prevent them, then you certainly need to detect them reliably. And then once you detect them, you have to have a method to respond and recover, et cetera. And so I think that's probably the most important introductory comment we can make. Just because cybersecurity vulnerabilities do have a technical side, that doesn't mean that vulnerability management as a process is necessarily all that. Take it to cybersecurity, what's the equivalent of leaving your door unlocked in cybersecurity? It's not having networks properly protected. It's not having multifactor authentication. It could be as simple as you're in a public place and you're using public WiFi. You go to use the restroom and leave your laptop open and logged in, things like that. That's the equivalent of the unlocked door, the unlocked...

Jara Rowe: Another major thing I've taken away from hosting The Tea on Cybersecurity is that it's important for us to prepare as much as possible to stop something from happening, but it's almost inevitable. Breaches and incidents are super common. These terms are typically used interchangeably, but I actually learned that they are very distinct. Marie also opened up to me about this. So let's hear her talk about the differences between a breach and an incident.

Marie: Both are different. I think these are two terms that a lot of people get confused with too. A breach, this really means that a threat actor has entered an area that might have customer data or other types of data that could lead to an incident. And this has not yet been exposed, but someone has gotten into an area that they should not be in technically. So then that leads to a possible incident where an incident is this is when the data has actually been exposed, touched, and possibly compromised by a threat actor. And this is usually when it becomes a bad case where the catastrophe comes in, has to be documented, have legal response, and then also be given to a customer letting them know, letting them be noticed.

Jara Rowe: What do we do if an incident were to occur? We highlighted tips we should follow when creating a plan. Let's hear what Christina had to say.

Christina: Especially if this is the first time an organization is creating a plan like this, the focus should really be working on it piece by piece so as to not be overwhelmed. So start out small. What are the designated roles and responsibilities that you have? Then determine how the plan can best fit your needs. This can be done by assessing what types of incidents are most detrimental to your organization. So maybe an incident stemming from a compromised login would be more pertinent compared to encountering a, for instance, supply chain attack. You'll want the procedural steps definitely to reflect what you need to do in a real world scenario. Keeping that in mind though, the incident response plan should be flexible to handle multiple types of relevant incidents should they occur.

Jara Rowe: So to continue my conversation on risks with Michael, Michael and I also talked about third party risks. He even talked about steps you can take if an incident were to occur with a third party vendor. Let's hear what Michael had to say.

Michael: These are not fun scenarios to be in. I think we have to think again about what information is in that vendor. If it's an internal product and we think that was breached, maybe we're hosting a VPN product or a firewall or our own email server, what information could be affected by this breach? And that can change a lot of how we respond to it. I think another thing we should consider is what access that product or service has to the rest of our environment. So in the example of Dropbox Sign, there were concerns about access keys that might've been part of that breach. And so not only do we need to think about the information that could be impacted, but which of our systems could be impacted. And we need to think about, okay, can we block access with those keys? CircleCI, which is a common testing platform for software development, was breached several years ago, and there's access to our production environment to deploy our application code through CircleCI. So we need to see not only what information is affected, but how that could be used by a threat actor to pivot into another piece of our organization. Those are two really important things to start with your evaluation process and contain it. Can we contain the threat actor's current access to our product, or can we contain how that can be pivoted right away? Traditional incident response steps. But we also should start thinking about calling our lawyers, calling our incident response firms that hopefully we have on retainer, calling our insurance companies, although we should be a little careful with how we work with them. Sometimes it's better to talk to lawyers first. There's important information you want to be careful about sharing. And on top of that, we also have to think about breach notifications. So if we did have data that was sensitive or PII, we might have to notify parties that we would breach.

Jara Rowe: Incident response plans help show everyone that your company can be trusted if something were to occur. On season three of The Tea on Cybersecurity, we had an entire episode dedicated to trust and transparency with Boomer from BlackInk IT, who had a wealth of knowledge. Let's hear what Boomer had to say about trust and how it is foundational to cybersecurity.

Boomer: I think it's foundational to everything we do in cybersecurity. Understanding that whether it's the system, the data, the organization, the platform that we have trust is a foundation to begin, whether it's a transaction, a multifactor authentication, the ability to identify and validate who we are to maybe even secure communication where we know that both parties are encrypting the data, or then understanding that when I share data with a third party, that they're going to protect it as much as I protect it in order to protect my customers and organizations. So trust is foundational to both the relationship, interpersonal relationship, B2B relationship. Then also we're having to convey that customer. They know as a business that we're looking out for them. Too often now folks think businesses are just out for profits, and there's examples in the media of that, but I think there are also a lot of businesses that are concerned and focused on being a trustworthy agent and protecting the data and systems that so many rely on.

Jara Rowe: For me, when I think of trust in cybersecurity, I automatically think of compliance, and I see compliance as a certification that is similar to a badge of honor that shows that you take cybersecurity and even data privacy seriously. However, compliance can get a bit confusing when you begin to think about all of the different regulations and frameworks. Scott and I discussed how you can think of a framework like a cookbook. Let's take a listen.

Scott: A compliance framework is a set of security controls that can be implemented in an organization. This might include things like implementing security technology like firewalls or maybe patching vulnerabilities, or even things like implementing security training programs for employees. So it's not just technology. I almost think of it like a recipe and a cookbook. If you pick your favorite recipe or your favorite compliance framework and then follow it closely, you'll end up with a pretty strong security program.

Jara Rowe: Jim and I also had an entire episode dedicated to healthcare and banking industries when it comes to cybersecurity and compliance. Jim told me that these industries have a lot in common, but they differ based on their regulations. So let's hear what Jim had to say.

Jim Goldman: The truth is, we do spend the bulk of our time, the majority of our customers are software as a service companies, but we have a variety of customers in banking and finance, healthcare, manufacturing, et cetera. And what they all have in common is they all have cybersecurity concerns and privacy concerns. And those are distinct, right? And so each of them have to implement controls. They have to implement security controls and privacy controls. I think the big differences come in the compliance side. And as we always said, there's a big difference between security and compliance. And I think the place where people sometimes get themselves in trouble is confusing. Well, what's the dog and what's the tail? And sometimes the tail ends up wagging the dog. In my opinion, security is the dog and compliance is the tail. But if people are only interested in compliance, do you know what I mean? They can be compliant with some standards, some certification or another, but potentially overlook a control that's vitally important to their particular environment. With several industries, that actually have been regulated for a fairly long time outside of the cybersecurity and privacy realm. So let's take finance for example. Finance has been heavily regulated for a long time. Why? Because we wanted to prevent fraud. We wanted to prevent money laundering. We wanted to make sure loans were being issued in an equitable and fair manner, that kind of thing. So these are what we would call really heavily regulated industries. They just haven't necessarily been regulated all that long or longer than any other industry in terms of cybersecurity and privacy.

Jara Rowe: Well, that wraps up season three of The Tea on Cybersecurity. We learned about the overall compliance process, as well as general cybersecurity things like trust and transparency, as well as cyber hygiene. I hope this podcast is proving that cybersecurity doesn't have to be complicated or intimidating. But if your company does need help, please reach out to us at travasecurity.com. See you soon. And that's The Tea on Cybersecurity. If you liked what you listened to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.

DESCRIPTION

Dive into the essentials of cybersecurity with host Jara Rowe in the latest season of "The Tea on Cybersecurity" from Trava. This season unpacks multifactor authentication (MFA), the shift in remote work dynamics, and the nuances between breaches and incidents, featuring insights from industry experts Jim, Craig, Mario, Marie, Michael, Christina, and Boomer. Learn how to fortify your digital security through real-world advice on risk management, cyber hygiene, and the importance of trust and transparency in safeguarding data and systems. Don't miss out on these critical cybersecurity strategies and discussions—subscribe to "The Tea on Cybersecurity" on your favorite podcast platform today.