The Blame Game: Trava’s Scott Schlimmer Talks Who’s at Fault in a Security Breach
Jara Rowe: Gather around as we spill the tea on cybersecurity. We are talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. Who's to blame during a security breach? Hey there, you're tuning in to Episode Nine of The Tea on Cybersecurity. If you've listened to any of the previous episodes, then you know about all of the cybersecurity topics we have covered so far. Some of those include what cybersecurity is, some of the different terms, like ransomware and phishing, and we've even learned that people are the weakest links. But one thing we haven't covered yet is what actually happens when there's a security breach. Specifically, who's to blame? And that is exactly what we are going to be tackling on this episode of The Tea on Cybersecurity. I am joined by Scott Schlimmer, Trava's cyber risk specialist. Hi, Scott.
Scott Schlimmer: Hello. It's great to be here.
Jara Rowe: I am so excited to have you here with me. I know you have a lot of cybersecurity experience. So can you introduce yourself to our listeners?
Scott Schlimmer: Hello, everyone. My name is Scott Schlimmer, and I'm a cyber risk specialist with Trava Security. And my job is when a customer signs up for the Trava platform, I help evaluate the company's security posture and then create a plan on how to best strengthen security and reduce risk for that customer.
Jara Rowe: That's a very important role for our customers.
Scott Schlimmer: [inaudible].
Jara Rowe: All right, so let's jump in. In your opinion, why do you think people find cybersecurity confusing and/or intimidating?
Scott Schlimmer: Yeah, cybersecurity can be intimidating because it really covers so many different areas. You get into asset inventories, data protection, secure configuration, account management, audit logs, and vulnerability scanning, and training and pen testing. And really that's still just a portion of it. It's a big topic.
Jara Rowe: It definitely has a lot to cover. And you mentioned a couple of terms here that I'm not too familiar with, so I'm going to just pull out two. Can you tell me a little bit more about asset inventories and audit logs?
Scott Schlimmer: Sure, yeah. Asset inventories is knowing all of the assets, all of the devices and things that are on your networks and in your systems. The idea is if you don't even know what's there, you can't protect it well. And audit logs is just keeping track of what's happening and where. And then later you analyze those logs to see if there's been anything out of the ordinary. It's a good way to see if something's wrong, if somebody's tinkering around in there. It's a way to catch them.
Jara Rowe: Okay, so you can catch the people doing the not right things. [inaudible].
Scott Schlimmer: Right.
Jara Rowe: I'm sure a lot of people hear about, "It's in the cloud," or, "Save it in the cloud," or, "Back it up in the cloud." So we all pretty much live in the cloud now. Can you discuss some common cyber risks that come with cloud platforms?
Scott Schlimmer: Sure. Yeah. So the Cloud Security Alliance put out a report last summer about the top threats to cloud computing. And the number one threat was account management. And as you can imagine, if you could have the most secure kingdom in the world, then if you leave the keys right outside the front door, you're still not going to be secure. So it's important to make sure that only the right people are accessing your cloud. And number two is insecure APIs. That one's a little more complex. But APIs are how external resources connect to your cloud. And usually this means that sensitive data is exposed by mistake through an unsecured API. And then number three, interestingly, was misconfigurations. So this is things like having the wrong permissions and just not enabling the right security options. So these are some of the more common cloud risks.
Jara Rowe: Cool. So can you go into number three a little more? How could people better configure their cloud?
Scott Schlimmer: There's a lot of different configurations and it's good to look into some of the more secure configurations, the standards, but sometimes it's as simple as just going in and seeing what can I enable? The simplest easy one, and this is a combination of one and three, because number one was the authentication and account management, is multifactor authentication where it's ensuring that anyone who logs in passes that second factor. And again, requiring that you have two keys really.
Jara Rowe: For sure. So listeners, he just mentioned multifactor authentication, which is something that we've talked about on probably every episode so far. So I'll pull that out as something that's really important. So on the different platforms that you use, if they ask you to do two-factor authentication, or MFA, make sure you do that. It's one of the easiest ways now to just make sure you're a little more secure.
Scott Schlimmer: It's just a no-brainer. It's so much bang for the buck.
Jara Rowe: Definitely. So back to the cloud a little bit. I asked that question because many companies are customers of other companies that then store that data in the cloud. So if my account on a cloud platform gets compromised and my data or my customer's data gets leaked, whose problem is that?
Scott Schlimmer: At the most fundamental level, it's your problem because you're the one who's going to be missing the resources you need to do business. So you're going to be the one losing the money and dealing with the pissed off customers and the regulators. So when the rubber hits the road, it's you. And it's like what we were talking about with configuration. It's important to remember that clouds are not necessarily secure out of the box. A lot of them do require configuration or for someone to turn the security functions on. So when you consider fault though, there is a shared responsibility in cloud security and some security areas are the responsibility of the cloud and some are your responsibility. And when we think back to those top threats from the Cloud Security Alliance that we just talked about, think about account management. That's definitely your responsibility and not the cloud provider's because you decide who gets access and how well those people are going to protect their accounts. Are they trustworthy, are they trained? Number two was the insecure APIs. That one's a little more shared. It's both your responsibility and the cloud provider's responsibility. And then number three was the misconfiguration. And again, that's completely your responsibility. You just need to go in there, configure your cloud, and make sure to turn on the key security features.
Jara Rowe: It looks like that cloud security is pretty much like your responsibility where you need to take, me as the company CEO or leader, I need to take responsibility for those things. And like you mentioned, if something was leaked or taken of my customer, that's honestly my responsibility and that I didn't necessarily do my due diligence to make sure that the third party vendor was secure. Does that sum up everything okay?
Scott Schlimmer: Yeah. That sounds about right. I'd say the big takeaway is that cloud security is largely your responsibility. Then at the same time, you're also reliant on your cloud provider's security. So it is very important to choose a good one.
Jara Rowe: So it seems like it may also come down to ensuring third-party vendors are secure. So what are ways companies can check the security of a third party?
Scott Schlimmer: The first is to request the cloud provider's CAIQ or the STAR or the SOC 2 report. And these reports should give you some sense of the security controls that the cloud provider has in place, which hopefully will be a lot of controls. And the second is to run vulnerability scans and pen tests on the cloud environment. And then from there, remediate the vulnerabilities that are your responsibility, or ask the cloud provider to remediate any vulnerabilities that are their responsibility, or potentially choose to accept those risks. And these are scans that we can run in the Trava platform, of course, or help customers out with.
Jara Rowe: So you mentioned SOC 2, which I know is a compliance, but what is CAIQ and STAR?
Scott Schlimmer: These are cloud-specific frameworks from the Cloud Security Alliance. So these are going to be security reports similar to a SOC 2 report, but more focused and more tailored to cloud security.
Jara Rowe: So okay, we're learning a lot about who's at fault here. In a previous episode we talked about employees and humans just pretty much being the weakest link in a company's cybersecurity. So in your experience, are those employees typically reprimanded in any way if they were the cause of a breach?
Scott Schlimmer: Typically, they're just fired. No. No, I never heard of that happening. It's usually best for companies if employees report everything as soon as possible, even if they've made a really major mistake, and then they can go fix that. And that's why smart companies encourage employees to report things, knowing that's best for the company's security, and reprimanding employees really doesn't accomplish much. So the more common approach is if an employee's made a mistake is to offer extra security training, not much reprimanding.
Jara Rowe: Yeah, because I've always been curious about that because sometimes, especially if it was phishing, that could seriously be an accident. So I'm like, "Oh, I hope Sue doesn't get fired for that." So I've always just been curious about how that works.
Scott Schlimmer: Yeah, it happens. You see it happen a lot to executives too, and it's just training. Thanks for reporting, let's not do it again.
Jara Rowe: Yeah. So again, we've talked a lot about specifically more cloud issues and things like that, but if there was another attack that caused a breach, who is to blame just generally? Is it still just all falls back on you or, yeah, if you could just talk about that in general, who is to blame for a cyber attack?
Scott Schlimmer: In a general cyber attack, that's a big question, I mean, because they happen a lot anyways and it's difficult to stop every breach. There will be breaches if you're a big enough target. So I wouldn't even say, who's to blame is the attacker, but the idea it's a layered approach so that when somebody does get in, they can't do much from there, or if they do, if anything is broken, we can fix it quickly. So I mean, blame is just life, but we can always improve our security. If we lose our most important assets, we blame ourselves because we should be protecting our most important assets more than our less important assets. They should get our most attention.
Jara Rowe: Give me your cybersecurity prediction that you think we may see over the next five years.
Scott Schlimmer: Yeah, so an interesting one that came up with a customer recently is using AI to write their cybersecurity policies. And with ChatGPT recently, it's the new craze. AI has become very accessible and it's been very powerful for some time now. So I think five years from now, we're already seeing a fair amount of AI in these $200,000 solutions we were talking about before, but I think we'll see it a lot more. And I think in the next five years we'll be seeing AI doing a lot of the tests that now we have to do manually, like these policies. But I'd say AI still has a ways to go. So for now, I wouldn't recommend having AI write your corporate policies.
Jara Rowe: We just talked about this ChatGPT with Jim with his 2023 cybersecurity predictions. I asked specifically about ChatGPT and how that would affect cybersecurity, so I appreciate you bringing that back up. And I didn't even think about it from the aspect of writing the policy. We were talking about it from those bad actors writing [inaudible] or phishing or something. But there is a good side to that as well with writing the policies.
Scott Schlimmer: And we actually have one customer who did a training video with an AI, I'd call it a bot, but it's a person talking, or it looks like a person. They called it their virtual employee. And I had to ask them, I had a sense it was AI, but I had to ask them, "Is this a person or AI?" It was pretty good. So yes, it'll help both sides, although it might help the bad guys a little more.
Jara Rowe: I hope not. We'll see. We'll see.
Scott Schlimmer: Yeah.
Jara Rowe: All right. But before I let you go, is there anything else that you would like to hit home?
Scott Schlimmer: That's a good question. So I think the one thing we really haven't talked about, I don't know how much it's come out on the cast, is that it seems like privacy is the new big thing that's subsuming cybersecurity, and we're seeing new laws in every state. It'll be interesting in 2023. We had California put in a new law, and we had other states with new privacy laws starting on January 1st. And it's going to be an interesting year for privacy and AI. It's exciting though. Hopefully everyone stays ahead of it and stays secure.
Jara Rowe: Listeners, make sure you stay up on AI and all of the new privacy laws that are happening. Thank you so much for joining us today, Scott.
Scott Schlimmer: Thank you. It was great to be here.
Jara Rowe: Now that we've spilled the tea, it's time to go over the receipts. So during this episode, we talked a lot about the cloud. And one of the first things I took away is that the cloud is only as secure as you make it. One of the threats is account management, and you want to ensure that only the right people have access to your cloud. Which leads me to my second takeaway: the cloud doesn't come secure straight out of the box. You have to add the elements that actually make it secure for you, your customers, and anyone else that may have their data in there. We learned more about some different frameworks, specifically for the cloud. So CAIQ and STAR are cloud-specific frameworks, and we also know about SOC 2 compliance. And then the final thing is, when it comes down to a security breach, a lot of the time it's innocent mistakes from people and things like that. So it's not necessarily about who is to blame. It's about how the company then remedies that issue and makes sure that it doesn't happen again. Thanks for tuning in to The Tea on Cybersecurity. If you like what you listened to, I would be greatly appreciative if you could leave me a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.
"Make sure you stay up to date on the latest trends and technologies - it's the key to success!"
As a Cyber Risk Specialist at Trava, Scott Schlimmer is in charge of evaluating a company's security posture and creating a plan on how to best strengthen security and reduce risk. But the question he is answering today is WHO'S TO BLAME?? Cybersecurity risk can be a scary subject for any company, and on today's episode, Scott talks with host Jara Rowe about the process companies take when there is a security breach and the intricacies that depend on which security framework they have in place. Listen in for this as well as his thoughts on AI, multi-factor authentication, and some key terms to know. Head over to YouTube for our extended version of the interview.
What You’ll Learn in this episode:
- How are privacy laws changing?
- The latest advances in AI technology
- Who is to blame for a security breach?
Things to listen for:
[01:42] Why people find cybersecurity confusing and intimidating
[02:26] Common cyber risks that come with cloud platforms
[04:19] Importance of multi-factor authentication
[05:03] Taking responsibility for a security breach - who’s to blame
[07:22] Ways companies can check the security of a third party
[11:05] Scott’s cybersecurity prediction for 2023
[12:58] Final thoughts from Scott
[13:55] Jara’s receipts
Connect with the Guest:
Connect with the Host:
Jara Rowe’s LinkedIn - https://www.linkedin.com/in/jararowe/
Connect with Trava:
Website - https://www.travasecurity.com/
Instagram - https://www.instagram.com/travasecurity/
Twitter - https://twitter.com/travasecurity
Facebook - https://www.facebook.com/travaHQ