The Birmingham Business Journal recently featured Jason Asbury, Past President of Warren Averett Technology Group, in a Table of Experts series on cyber security. Jason has more than 15 years of experience in the IT industry, working in an advanced technical capacity as a systems engineer and focusing primarily on IT consulting. He has been heavily involved in implementing and managing multiple patient care systems and associated medical management applications, including EMR, Practice Management, PACS, Lab Information Systems, IMH, Telemetry, Clearing Houses and Oncology Radiation Systems, and has also provided consulting services and managed projects for clients in banking, insurance, education and law. Jason worked as a systems engineer for Science Applications International Corporation and served for six years as an operations executive in managed services and project implementation consulting. As President of Warren Averett Technology Group, he was responsible for the day-to-day management of the company and its overall direction with regard to strategic growth and planning. Jason’s portion of the discussion is featured below.
Q: A number of large retailers have been impacted by data breaches in recent years. How serious is the risk for small businesses? Answer: The risk for small businesses is just as great as it is for large organizations, and the consequences are more severe. Smaller organizations are less equipped to manage an incident from a dollars-and-cents point of view. I’m dealing with a client – a small mom-and-pop organization – that has experienced a breach relative to credit cards. They’re looking at an expense in excess of $50,000 to remediate, which is multiplied by each location, and they have 11 locations. So in terms of consequence, it’s even more impactful for them.
Q: What can my business do to reduce the likelihood of a cyber-attack? Answer: First and foremost, in order to manage risk, key stakeholders have to recognize and acknowledge that risk does exist for their organization. If that requirement is not met and leadership doesn’t really acknowledge that there needs to be a proactive approach to security, then most organizations are going to have a hard time successfully securing and preventing a breach. The general concept and approach should be proactive, to ensure that an organization is doing as much as possible to eliminate the need to be reactive. That includes regular vulnerability scanning at least on a quarterly basis and annual penetration testing. Additionally, a clear security plan that addresses endpoint management, user access, system administration and incident response is a foundational necessity for reducing exposure and preventing a breach.
Q: What are the key ingredients for a strong small business cyber-security plan? Answer: I like to talk to my clients about safeguards, and the Department of Health and Human Services really did a good job defining those safeguards and categorizing them into three buckets. They are physical, technical and administrative. Physical safeguards deal with physically securing your data. Technical deals with using technology in an effective way to manage security. The administrative component is what most organizations overlook. It deals with the documentation of policies and procedures, and then the communication of those policies and procedures. I couldn’t agree more about needing to have buy-in from the bottom as well as the top. It’s important for organizations to understand that there’s a need to communicate to all the users in a particular system. There’s a term that’s been coined by the PCI (Payment Card Industry) Security Standards Council that’s called BAU: business as usual. What that means is you communicate changes in policy or a security plan as things change in an organization. So business as usual means if new users are added or new systems are introduced to an organization, those administrative components are communicated. Good ways to do that are through emails, videos and at least semi-annual training. Take advantage of company events when employees are pulled together to talk through what has changed in the organization and how to be prepared to mitigate risk.
Q: Are there any laws or regulations I need to be aware of when it comes to protecting my customer’s secure information? Answer: There are laws and regulatory requirements that really apply according to industry. PCI is something a lot of people are hearing about right now and it is relative to credit card transaction processing. There’s compliance for the merchant, for the processor and for the large credit card organizations. In the health care realm, there’s been the recent Omnibus ruling that’s added additional rules and more clarity. There’s information on privacy regulations, where 47 of the 50 states currently have legislation in place. Alabama is one of the three states with no information privacy legislation. However, there’s definitely a requirement for Alabama-based companies to comply with the laws of other states. So if you’re doing business in multiple states, you have to be concerned with those information privacy laws. In addition, for those government contractors doing federal work, there’s a thing called the Federal Acquisition Regulation, or FAR. And within FAR, there are 20 critical access controls that are required to be met by government contractors. I dealt with an organization recently that received a deficiency FAR report, and what that basically meant was their network wasn’t meeting minimal standards as it relates to security. So their contract was at risk of being suspended until they were able to prove they’d met those 20 critical access controls. And then there are laws relative to insurance organizations. Additionally, banking organizations have to follow strict sets of guidelines around regulatory compliance. This list goes on. I would encourage business leaders to spend time to study and discern what regulation applies to each applicable industry.
Q: What types of services are out there to help my company prevent or respond to a cyber-security threat or data breach? Answer: There are a number of services available to help companies manage security. Some examples include endpoint management, which is the management of all the connected devices within an organization, and mobile-device management, which basically allows organizations to secure mobile devices like phones and tablets. In addition to that, there are services available for 24-hour monitoring and logging. What that means is organizations engage outside vendors to log all traffic as it enters or leaves an organization, as well as traffic within an organization. Those logs are then stored and reviewed on a regular basis. There are also services available for regular – usually quarterly – vulnerability scanning, both internal and external. Additionally, there are services available for regular penetration testing. Basically, most of the components relative to the management of security and risk in an organization are available as a subscribed service. It really makes sense for smaller organizations with limited resources as it relates to an IT Department – or sometimes a lack thereof – to consider outsourcing the management of some of these recurring security measures.
Q: What are some of the best practices to help monitor for and identify breaches? Answer: The one crucial component as it relates to a best practice is to have at least one – and hopefully more – competent employee who understands risk management as it relates to IT. Role assignment is crucial, and that includes a competent security manager or information security officer who can implement processes and protocols to manage security and monitor for an incident or breach. There are also a lot of enterprise-grade technologies out there that are now available to businesses at an affordable price point. Things like intrusion detection and prevention services, web-content filtering services, and monitoring and logging components that are all included in what’s called next-generation firewalls. So for a reasonable price, an organization can invest in technology that will provide some alerting mechanism. And then I will again stress the importance of regularly checking on the health of an organization. Most organizations that experience a breach find out about it weeks or months after it happens. The best way to reduce the window of vulnerability is to regularly assess the degree of risk that an organization sustains.
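The alerting mechanism Jason describes as bundled into next-generation firewalls comes down to rules evaluated over logs. As an added illustration that is not part of the original interview and does not come from any product or vendor mentioned on this page, the Python below applies one such rule to a handful of constructed VPN authentication log lines: raise an alert when a single source address produces five or more failed logins inside a one-minute window, and a second, higher-priority alert if that same source then logs in successfully. The log format, hostname, usernames and addresses are invented for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (syslog-like; hypothetical host, users and addresses).
# One non-auth line is included to show that unmatched lines are ignored.
SAMPLE_LOG = """\
2024-03-04T09:00:01 vpn01 auth: FAILED login user=jsmith src=203.0.113.45
2024-03-04T09:00:03 vpn01 auth: FAILED login user=jsmith src=203.0.113.45
2024-03-04T09:00:04 vpn01 auth: FAILED login user=admin src=203.0.113.45
2024-03-04T09:00:05 vpn01 kernel: link up
2024-03-04T09:00:06 vpn01 auth: FAILED login user=root src=203.0.113.45
2024-03-04T09:00:07 vpn01 auth: FAILED login user=jsmith src=203.0.113.45
2024-03-04T09:00:09 vpn01 auth: SUCCESS login user=jsmith src=203.0.113.45
2024-03-04T09:15:00 vpn01 auth: FAILED login user=mjones src=198.51.100.7
2024-03-04T09:16:00 vpn01 auth: SUCCESS login user=mjones src=198.51.100.7
"""

# Only the fields the rule needs are captured; anything else is dropped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|SUCCESS) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for an auth event, or None for lines the rule ignores."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window rule: `threshold` failures from one source within `window`.

    Returns a list of alert dicts in the order they fire. A source is flagged
    once; a later SUCCESS from a flagged source raises a second alert, since
    a login that follows a burst of failures is the case worth waking someone for.
    """
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of failures still inside the window
    flagged = set()
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        src, ts = event["src"], event["ts"]
        recent = failures[src]
        while recent and ts - recent[0] > window:   # expire failures older than the window
            recent.popleft()
        if event["result"] == "FAILED":
            recent.append(ts)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"kind": "bruteforce", "src": src, "count": len(recent),
                               "first": recent[0], "last": ts})
        elif src in flagged:
            alerts.append({"kind": "success_after_bruteforce", "src": src,
                           "user": event["user"], "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The same structure (parse, keep per-key state, expire by time, fire once) carries over to other rules a small shop would want first, such as logins from a geography the business never sees or an account used from two addresses at once; what changes is the key and the condition, not the loop.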
Q: What are the key components to be included in a breach/incident response plan? Answer: Start with engaging the right people in the development process. If the right people aren’t at the table when it’s being developed, then the plan itself is not going to be as effective. Through that development process, there should be a designated internal security manager or officer. I would also recommend the engagement of a qualified third-party organization that specializes in risk management and cyber-security. And then a critical element is to engage an attorney or law firm that specializes in incident risk management. Once there has been effective development, the other point to consider is role assignments. Who does what in the event of an incident? That doesn’t always just include IT employees. Who responds in what way is something that has to be worked through. One thing to consider is to have a mock exercise – often called a table-top – which plays through the steps taken in the event of an incident. Afterwards, work through that and determine whether the execution of those plans is actually effective or needs modification.
Q: What are some things businesses often overlook when developing a plan to protect their sensitive data? Answer: When these plans are being developed, there’s often not enough engagement from key stakeholders who are part of the business process. It is important to have the right people who can bring the right information about how business is conducted after the attack. Organizations can’t just rely on an IT manager who is solely focused on IT to bring all the necessary information to develop a really good and solid plan. Also, internal risk is often overlooked. There’s often an assumption that the primary risk is outside the organization. However, the primary risk of incident involves data leaving the organization, even if it’s unintentional. So the vulnerabilities themselves are more often than not internal, and it begins with our own employees. Oftentimes that’s not really considered, but proper safeguards from within are critical. So it is important to ensure that employees are engaged in the process.
Q: What are some good components of an emergency plan as it pertains to cyber security and protecting/backing up data? Answer: Oftentimes, IT managers feel that if there are good backups, business continuity is assured. But if that process isn’t tested on a regular basis, organizations are at risk. Second to good backups is the encryption of data as it relates to security management. And finally, a lot of organizations are now using outsourced solutions for offsite backups as part of their security plan. That’s a great service, but I would encourage leaders to go through a proper vetting process to determine whether outsourced vendors are credible. Make sure they’re storing your data in secured facilities that meet certain industry standards to ensure that your information is in fact secure, and that it is truly available in the event of an emergency.
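Jason's point that an untested backup is a risk is one a script can make concrete. The Python below is added here as an example and is not from the interview or from Warren Averett: it creates a small backup archive together with a SHA-256 manifest, restores the archive into a scratch directory and re-hashes every file, then shows three ways the check fails: a stale archive that no longer matches the live data, a truncated archive left by a job that died part-way, and a hostile archive whose member path would escape the restore directory. All directories, files and contents are constructed for the demonstration.

```python
import hashlib
import io
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 (real backups are too large to read whole)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Write a tar.gz of src_dir and return {relative_path: sha256} as the manifest."""
    src_dir = Path(src_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(str(p), arcname=rel)
    return manifest


def verify_restore(archive_path, manifest):
    """Restore into a scratch directory and hash every file; return (ok, problems)."""
    problems = []
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                for member in tar.getmembers():
                    # Refuse absolute paths, '..' components and non-regular files so a
                    # tampered archive cannot write outside the restore directory.
                    if member.name.startswith("/") or ".." in Path(member.name).parts \
                            or not member.isfile():
                        problems.append(f"refused suspicious member: {member.name}")
                        continue
                    tar.extract(member, restore_dir)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return False, [f"archive unreadable: {exc}"]
        for rel, expected in manifest.items():
            restored = Path(restore_dir) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"hash mismatch: {rel}")
    return (not problems), problems


def craft_traversal_archive(archive_path):
    """Build a hostile archive whose member name climbs out of the restore directory."""
    payload = b"constructed\n"
    with tarfile.open(archive_path, "w:gz") as tar:
        info = tarfile.TarInfo(name="../escape.txt")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))


def run_demo():
    """Exercise a good, a stale, a truncated and a hostile archive; return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        data = work / "data"
        (data / "records").mkdir(parents=True)
        (data / "records" / "patients.csv").write_bytes(b"id,name\n1,constructed\n")
        (data / "config.ini").write_bytes(b"[db]\nhost=localhost\n")
        archive = work / "backup.tgz"
        manifest = make_backup(data, archive)
        results["good"] = verify_restore(archive, manifest)

        # Live data changed after the backup ran; checked against current hashes it is stale.
        (data / "config.ini").write_bytes(b"[db]\nhost=db01.example\n")  # hypothetical host
        current = {rel: sha256_of(data / rel) for rel in manifest}
        results["stale"] = verify_restore(archive, current)

        # A backup job that died part-way leaves a truncated archive behind.
        raw = archive.read_bytes()
        truncated = work / "truncated.tgz"
        truncated.write_bytes(raw[: len(raw) // 2])
        results["truncated"] = verify_restore(truncated, manifest)

        hostile = work / "hostile.tgz"
        craft_traversal_archive(hostile)
        results["hostile"] = verify_restore(hostile, {})
    return results


if __name__ == "__main__":
    for name, (ok, problems) in run_demo().items():
        print(f"{name}: {'OK' if ok else 'FAIL'} {problems}")
```

Two practical notes: keep the manifest somewhere other than beside the archive, since whatever corrupts or deletes the backup will take a co-located manifest with it, and run the restore test on a schedule rather than once at setup. Encrypted backups are verified the same way after decryption, which also proves the key material needed for recovery is still available.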
Q: What options are available to train employees about the importance of cyber security? Answer: Most training programs can be reapplied to a number of different industries. The internet is a good resource to find material for training your employees. Those training mechanisms are very important as well. Once you have the information put together, the process of training is important. Don’t just train once and consider it done and not revisit. There has to be that continued approach of ensuring that users and employees are aware of certain protocols and procedures. At Warren Averett, we have at least two meetings a year where we pull all our employees together for an update, and we carve out 10 to 15 minutes for our information security officer to update everyone on what’s taking place relative to security. In addition, we use an internal Intranet site, and updates and reminders are posted on a regular basis. There are also refreshers about our information security plan and protocols that we have our employees read and sign on a regular basis. All of these points are good ones to consider and can be easily applied to many different organizations.