Episode 005: Combatting a False Sense of Cybersecurity


Cyberattacks pose one of the greatest risks to the profitability and longevity of businesses in today’s economy, and, at the end of the day, businesses have a responsibility to protect themselves against the threats that cybercrime poses. Why does cybersecurity matter, what makes your company most vulnerable and what should businesses do to be prepared?

In this episode of The Wrap, Amy Williams and Justin Headley, CISSP, CISA connect with Kim and Paul to talk about the importance of having a defensive mentality, an educated team and the necessary tools when it comes to protecting your company against cyberattacks.


Commentator [00:00:00]

Welcome to The Wrap. A Warren Averett podcast for business leaders designed to help you access vital business information and trends when you need it so you can listen learn and then get on with your day. Time is tight. That’s why our advisors have wrapped up today’s most timely topics into a podcast with actionable advice. Now let’s get down to business.

Paul Perry [00:00:22]

Hey Kim how are you today.

Kim Hartsock [00:00:23]

Hi Paul I’m good.

Paul Perry [00:00:24]

Good to see you.

Kim Hartsock [00:00:25]

I know it’s good to see you.

Paul Perry [00:00:26]

Glad to be back for another wrap podcast conversation.

Kim Hartsock [00:00:29]

Yeah it’s always fun to record these episodes. 

Paul Perry [00:00:32]

Today’s conversation is gonna be really good.

Kim Hartsock [00:00:34]

I’m excited and you know this is your area.

Paul Perry [00:00:38]

Yeah, but you know I do this a lot but I’m going to step back and I’m going to let these experts talk about cybersecurity today.

Kim Hartsock [00:00:43]

You’re shining the light on other people in this area where the light is always shown on you.

Paul Perry [00:00:48]

You know spread the love.

Kim Hartsock [00:00:49]

I like that.

Paul Perry [00:00:50]

With us today from Warren Averett is Amy Williams one of our business consultants in the risk controls group. Amy welcome.

Amy Williams [00:00:58]

Thank you.

Kim Hartsock [00:00:58]

Welcome Amy. Good to see you.

Amy Williams [00:01:00]

Glad to be here.

Paul Perry [00:01:01]

Also with Amy is Justin Headley. He’s one of the managers in our risk and control group does a lot with our clients from an I.T. review perspective. Justin good to have you here.

Justin Headley [00:01:10]

Yeah thank you for having me.

Kim Hartsock [00:01:10]

Thanks for joining us. So Amy why is cybersecurity such a hot topic today for business owners and executives.

Amy Williams [00:01:18]

Sure. I think you know when I’m meeting with people and having these discussions about what their concerns are and kind of what’s out there in the environment right now they’re always in sort of what we would call a firefight. And it’s either they have the knowledge and the skills and they’re really proactively addressing it or they have the other end of the spectrum which is kind of a it’s never gonna happen to me mentality. So we’re either coming alongside people to kind of help them out or we’re trying to get the light bulb to come on.

Paul Perry [00:01:46]

So why do you think they have that it’s never gonna happen to me mentality.

Amy Williams [00:01:51]

You know it’s I think in general it’s kind of a scary topic or it’s maybe a lack of understanding or knowledge of what’s out there and what the concerns are. And it’s ever changing. So you get your mind wrapped around one thing and it’s already shifted to something else. So it’s not necessarily that they think it won’t happen to me. They think they’ve got their bases covered. And then if they get too comfortable they’ve just fallen in that category by accident really.

Kim Hartsock [00:02:14]

And Justin why does it always seem that they’re in a firefight.

Justin Headley [00:02:18]

Well I think a piece of that is I think we grow a little bit numb to cyber security breaches. I think you know we’re constantly seeing it’s on a daily basis we’re seeing something in the news that there’s another another data breach has happened. So I think I think we can grow a little bit numb toward that thinking that either this is a big guy business is only hitting the big guys. But you know the truth is if if you’re out there on the Internet you know it’s it can happen to anyone.

Amy Williams [00:02:42]

Well and to add to that people kind of try to stay in their lane. So you have the executives that say hey my internal department takes care of that and you have your internal department that thinks that they’ve got everything in order. But if you’re not in a constant conversation with each other then you’re basically putting yourself out there for risk.

Paul Perry [00:03:00]

There’s a lot of laws related to data breach right. And those are growing by the day. Any any sort of kind of forethought on to what’s coming from a federal law perspective. I don’t think there’s a federal law yet is that right.

Justin Headley [00:03:18]

That’s correct. From what you’ve had thus far is your states individually enacting their own laws around data breaches and something you haven’t seen like you see over in other countries mainly in the European Union as you have. They’ve they’ve got a unified kind of data breach law similar to GDPR you’ve seen California kind of come out with a similar also a similar law. But I think what you haven’t seen yet is in the United States kind of coming unified together in saying this is what we expect of our of our companies making sure that their customers and United States citizens are protected on the data breach data breach front.

Amy Williams [00:03:57]

Sure and I agree with that. I mean essentially the more data that we collect and store the more susceptible we are to attacks or threats and so you know we have to be proactive and then everybody has to come to a place where the landscape looks the same where we’re all meeting the same criteria and credentials and and I think like he said the European Union and then California are starting to set that precedence.

Paul Perry [00:04:19]

And it’s that standard that’s hard because everybody wants to do it their way. They’ve got their their way of doing things and I think that that’s going to cause a major issue there.

Kim Hartsock [00:04:28]

Yeah. Amy you brought up a good point around the more data we collect the more vulnerable we are to this kind of breach happening and you know I’ve seen it with our own clients where this is a closely held business that is in you know kind of a rural area of Georgia and yet they had a breach of their data. It doesn’t seem that anyone is immune to the potential of a breach. And I would assume that that weighs heavy on executives and business owners minds.

Amy Williams [00:05:03]

Yeah exactly I mean I think I looked at a statistic today that said that you know where people feel comfortable is I’m a small business or I’m a midsize business so I’m not as interesting to hackers. And in reality over half of all breaches occurred in small to mid-sized businesses primarily because of they’re hoping that the knowledge or the resources in order to fight the cyber crime is reduced or that they’re more capable of getting that information and information is information if they can get it and they can use it. They’re going for it.

Kim Hartsock [00:05:34]

Right. And I would assume they’re also hoping that there is the opportunity for that business to be more reliant on that data and they’ll pay you know if there if it’s a ransomware for example you know most big organizations have backups upon backup so you can you can threaten them but they’re not going to pay the ransom whereas a small business may be forced to.

Amy Williams [00:06:04]

Well that and the likelihood of them maybe having some sort of area where it hasn’t been addressed is potentially higher. Not in every case. I mean you meet super savvy small businesses on security that are just as like they’re just as the oversight is just as high on the big companies. But then like you said you’ve got organizations that just don’t have the resources of the knowledge internally don’t know where to get it. And then they are very likely to have to pay those fees.

Commentator [00:06:32]

Like what you hear so far. Make sure you never miss a show by clicking the Subscribe button now. This podcast is made possible by listeners like you. Thank you for your support. Now back to this show.

Paul Perry [00:06:45]

Y’all are out there talking to customers, clients, organizations, conferences. What are the things y’all telling businesses they need to do to be prepared. Obviously there’s a laundry list of things but let’s talk about the top five or six. What are what are those what are those areas.

Justin Headley [00:07:00]

You know the first thing I’ll start off with is it’s top of mind we’re always constantly reminding clients is is creating a Cyber Security Awareness culture within their organizations. You know I always like to tell our clients that you can have the greatest tools the greatest I.T. security appliances in the world but you know that can all be undone with one click of an e-mail or one mistake by an employee that that introduces malware ransomware at your organization. So I think all the tools are great. I think you know one of the greatest things that you can you can do for your organization to protect it is really is training and educating your employees.

Paul Perry [00:07:35]

Is that one time training or is that kind of constant ongoing.

Justin Headley [00:07:38]

Yeah that constantly has to be an ongoing conversation that you have to have never could be a one time event.

Amy Williams [00:07:44]

Yeah. People should never get on autopilot in that area. And I would agree with Justin that primarily your people are your area of risk. But I think knowing that good policy and procedure development is really important. So the mentality of it’s probably going to happen to us. Let’s go ahead and have things written out and I say written because having it in theory is not good it’s not enough. So you want to make sure that you have it in writing who knows who’s on first kind of deal so that whenever the breach does happen and it’s likely that it will that you have a good response and a timely response. I think timeliness is huge.

Paul Perry [00:08:22]

On the internal control side can we say if you didn’t document it.

Kim Hartsock [00:08:26]

It didn’t happen.

Paul Perry [00:08:27]

You didn’t do it.

Kim Hartsock [00:08:27]

That’s right.

Paul Perry [00:08:28]

So we’ve got to make sure that that documentation is there.

Justin Headley [00:08:31]

Yeah. In another area you know we kind of go over with our clients you know what we do a lot of these I.T. control reviews I.T. risk assessments every year. But you know we kind of develop good technology based controls into kind of six areas. You know one of those areas we kind of focus on I.T. structure and strategy you know how. How is the I.T. organization kind of aligned with the the overall best practices of the organization you know they are on the same page. There is change management which is huge you know if you have these homegrown solutions. What does that look like as far as a change to that application. Are those changes approved or are they documented are they tested before they’re pushed into the process. You know another big area is vendor management. It’s certainly a big hot topic with financial institutions but you know before you onboard a new vendor that you’re giving access to your critical information you know what are you doing to make sure that that that you’re on the same page you review SOC reports making sure that they have the same stringent I.T. controls around your data that you would have you know another area logical physical access making sure that there’s a good password parameters of physical access around your data. Another area that we look at around data backups. Why do our organizations have really good controls around making sure that their data is backed up but not making sure that you know if we do have to recover something from those backups can we actually you know recover that successfully. And then finally kind of the last area is around incident management. So as Amy mentioned before if you do have a breach what processes what procedures do you have in place to inform your customers to get your business back up and operating.

Amy Williams [00:10:14]

And the vendor management one I think is what I’m particularly seeing a lot of people ask about because you can do everything you can possibly do but if you have a relationship or a business associate relationship with someone and they aren’t doing what they’re supposed to do then that’s as big of a problem as you’re not doing it. So we’re having a lot of people say hey come look at my critical vendors over here and make sure that they’re doing everything that they need to that they’re checking all their boxes so they’re not putting our organization at risk. We don’t want to find out it’s them not us and still end up in the same place.

Paul Perry [00:10:47]

Justin what does it all say all the time you can outsource what you can outsource policies and procedures but.

Justin Headley [00:10:53]

Can’t outsource responsibility. That is so true in this day and age.

Kim Hartsock [00:10:59]

So we hear a lot about clients that are paying for cyber insurance. What is that, and what is it for, and when should a company consider having it?

Justin Headley [00:11:15]

I think the cyber insurance you know you can relate that back to any kind of insurance you would buy. It’s in place so to indemnify you from a loss. But the main thing you need to think about with cyber security insurance and it’s a big misnomer in the market is that when you go to actually file a claim, the insurance company’s going to look back at you and say as far as you’re from a due diligence perspective what have you done to make sure this breach may not have taken place. You know things like making sure that you do have good security awareness training in place for your employees for end users do you have a firewall that would have protected this traffic and you send out social engineering phishing e-mails to your to your your employees on a periodic basis. So things like that just to make sure that you had good due diligence in place to to actually prevent that attack.

Amy Williams [00:12:06]

So and one thing to watch out for is that under your General Liability policy you’re not going to be covered if you experience social engineering. However under the cybersecurity liability insurance that would be coverage.

Paul Perry [00:12:18]

Yeah. So. So this is really an add on that they need to have.

Amy Williams [00:12:20]


Paul Perry [00:12:21]


Kim Hartsock [00:12:22]

So Justin is there any particular industry that is more vulnerable to a breach.

Justin Headley [00:12:28]

I think that is a common myth that that one industry may be more vulnerable than another. You know you hear a lot about in the headlines now in the news headlines that you know cities municipalities are under attack.

Kim Hartsock [00:12:41]

City of Atlanta.

Justin Headley [00:12:42]

Absolutely. City of Atlanta the city of Baltimore. And you know all these things are dominating the news headlines but any business with sensitive information of any kind is vulnerable to attack.

Paul Perry [00:12:53]

Alright guys. So here on the wrap we’d like to wrap it up in 60 seconds. What’s the one thing you want to leave the listeners with to know about as it relates to cybersecurity going forward.

Amy Williams [00:13:04]

I think from my standpoint having a it’s not if it’s when mentality related to cybersecurity. So you are going to get breached. It’s just how bad is it and how quickly are you able to respond. And so it goes back to everything we’ve said previously. We’re all vulnerable to attack and we’ve got to know what to do when it happens.

Paul Perry [00:13:24]


Justin Headley [00:13:25]

Yeah just to kind of rehash what we talked about earlier. The tools are great and I think we get caught in to a phase these days a saying that I can add this bolt on appliance to my firewall or this next tool is the cyber you know bullet you know is the silver bullet of cyber security but it really comes down to education and giving knowledge to our employees. They are the front lines of our organization and that’s that that’s key to protecting our company.

Paul Perry [00:13:55]

Kim usually when we walk away from cyber security conversations I’m a little scared because there’s always something new you’ve learned. Hopefully we didn’t scare you too bad today.

Kim Hartsock [00:14:05]

No. I think I was already scared about this coming in. You’ve done a good job educating me.

Paul Perry [00:14:11]

Well good. Well good. Well Justin Amy we really appreciate your being here.

Kim Hartsock [00:14:15]

Thank you both.

Justin Headley [00:14:16]

Thank you.

Commentator [00:14:17]

And that’s a wrap. If you’re enjoying the podcast, please leave a review on your streaming platform. To check out more episodes, subscribe to our podcast series, or make a suggestion for other topics to cover, visit us at warrenaverett.com/thewrap.

