Utah Business

Cybersecurity & Digital Privacy Roundtable

Every month, Utah Business partners with Holland & Hart and Big-D Construction to host roundtable events featuring industry insiders. This month we invited the top cybersecurity and digital privacy specialists to discuss security breaches, privacy tools, and mitigating damage. Moderated by Romaine Marshall, cybersecurity and digital privacy lawyer with Holland & Hart, here are a few highlights from the event.

Cybersecurity and privacy are terms that are used interchangeably. What is the distinction?

Kate Riley | Director of Information Security & Compliance | Braintrace

Cybersecurity is the safeguarding of information systems, and privacy is about the data itself, the individual. So you compile information that tells you that ‘I am Kate Riley and that’s my privacy,’ and the safeguard is where it is stored, how you get access to it, how it’s distributed.

Elaina Maragakis | Attorney | Ray Quinney & Nebeker

The privacy end of it would be things like, can we monitor this employee’s email? And what kinds of accounts can we get into? What kind of information can we ask a candidate or employee for? Can we put up this video camera? Can we turn the audio on? And the other related issue is really what is private information? Which we all know is vast, and if we get into Europe we’re in a whole new ballgame because everything is private information.

What are the main types of cybersecurity incidents you expect to see in 2019?

George Phipps | VP of Strategic Services | NetWize

The proliferation of IoT is going to create a monumental risk that we don’t really understand yet, this value of data and what data can do to predict or forecast business trends. Now the market is saying go out and gather all that data, but the devices that are in place are not built to be secure, and so now you’re going to be ingesting this data that you don’t know where it’s coming from. And so that pressure we’re going to get from clients as we talk about where are you forecasting your business? What are your three-to-five-year plans? And they say, ‘Oh, whatever my plans are, I wanna grow; I wanna build; now let’s start ingesting and analyzing data.’ Now we’re being pushed out to the edge without being prepared to say, ‘How do we secure that edge?’

Robert Jorgensen | Assistant Professor | Utah Valley University

I think we’re going to see smarter phishing schemes. We’re going to see business email compromise, using AI to really create these wonderful lures for people. I mean one of the things that we’ve seen is that phishing and BEC work, and if the money’s there, it’s going to keep happening. It’s just going to get more and more sophisticated.

I think IoT’s also going to be an issue. We’re already seeing crypto malware that’s using IoT to do crypto mining. When you start looking at those devices, we could be back to denial of service like we used to have, but from within your own IoT devices. So I think that what we’re probably going to see more of, especially at the small business level, is the BECs, because they’re working. It’s going to be the phishing emails and those sorts of things, because they’re working.

Richard Hickman | Forensics Manager | Eide Bailly

I saw an article recently about the increased use of AI with chatbots that people are embedding into their websites, and it says ‘Hey, can I help you?’ And you start chatting, and you’re not chatting with an actual person. You’re chatting with a chatbot, and so there are privacy concerns over what you are going to do with this data, and then there are also cybersecurity issues. How are we going to protect those chatbots from becoming compromised and trying to trick users into giving them information you shouldn’t be giving to someone you think is a person?

What can businesses do to prepare for cybersecurity incidents?

Dan Schuyler | Cybersecurity Architect | VLCM

Most of the companies that we’ve seen have very few policies and procedures, or a framework, around their security posture. They don’t know where to start. That’s one of the things we advise companies: develop a framework with all your policies and procedures, because that’s the foundation that everything grows from. Your security awareness training all comes from policies and procedures, and that’s where you really need to start.

Robert Jorgensen | Assistant Professor | Utah Valley University

Businesses really need to start moving away from this idea that they’re going to stop the attack. They might, but a lot of organizations have this idea that we build this great perimeter, and then if it’s breached, well, that’s it. And so they need to assume that they’re going to get breached and have whatever it is in place to be able to react. Focus on detection, and look at remediation, not just that initial protection. Assume that networks are going to be compromised, and once the threat actors are in, what do we do about it? What happens when we get that business email compromise? Or what can we do to stop that? Look at the controls that can be placed inside of the perimeter to prevent that sort of thing.

Elaina Maragakis | Attorney | Ray Quinney & Nebeker

You have to think, ‘it’s not if, it’s when.’ When you have a cybersecurity incident, you are in business continuity, and in five days or less, you’re in disaster recovery, and in seven days or less, you are out of business. Why? Because we often underestimate what the incident is. Did it get our online storage backup? Oops, that was our plan to recover. What’s the cost to remediate? And now your offline revenue isn’t there, and now you have to pay somebody to come in and figure it out, and now you’re seven days in, and that’s too long for a lot of small businesses.

What is a control that you can recommend for the preparation of cybersecurity incidents in 2019?

Jared Braithwaite | Shareholder & Registered Patent Attorney | Maschoff Brennan

Once California’s Consumer Privacy Act goes into effect, you can bet there will be an uptick in litigation for data breach and for certain types of data that aren’t protected. And you need to know whether you are keeping the types of data that will expose you to those damages, and if you are and you wanna keep that data, is there a way to safeguard that data to mitigate those risks?

Kevin Abbott | Information Assurance & Security Lead | The Cadence Group

It’s having that incident response plan and knowing what you’re going to do. The majority of our breaches that we’ve responded to, they don’t have a plan, and they’re looking to us to help them figure that out while they’re panicking. Have your contacts in place, and know who that first phone call is going to be and who that second phone call is going to be. Know who it is that you’re going to bring in as a consulting arm to help you with it.

Dan Schuyler | Cybersecurity Architect | VLCM

Monitoring for third parties. The world’s become very comfortable now with cloud services to the point where we go, ‘Oh I’m using AWS; we’re just going to forget about it.’ And you can outsource a lot of things nowadays but in doing so, you’re not outsourcing the risk. A lot of that happens under the hood, and your customers see you as the face of that service. They don’t see the AWS underneath it. They don’t see professional storage storing backups. They see you, so you’re still responsible for monitoring that risk and ensuring that those third parties are doing things the right way.

Robert Jorgensen | Assistant Professor | Utah Valley University

A lot of businesses still have that idea of the old meaning of password with upper, lower, blah blah blah, and NIST has come back and said, ‘Hey, you know what? We weren’t right about that; we need to focus on longer passwords.’ Rather than worrying about changing the password, allow password managers and long passwords so that you have those unique passwords. And if one of these big cloud providers gets compromised, even if it’s in plain text form, that’s not the password to your email; that’s not the password to your bank account, to your financial records, to your insurance policy.

What types of resources and tools are available for small- to mid-sized companies?

Eric Montague | President | Executech

Phishing testing. PhishMe and KnowBe4 are going to see how susceptible people are. We’re keeping a little scoreboard at Executech on this, and of the executives that know it’s coming, 54 percent still fall for it.

George Phipps | VP of Strategic Services | NetWize

Sophos Intercept X is one of the strongest security products on the market to stop a lot of these things. It’s stopping phishing, stopping malware, stopping you clicking on the wrong thing on a website. It’s saying, ‘Wait a minute, you’re clicking on something that says it’s Chick-fil-A, but it’s really taking you somewhere else.’

Robert Jorgensen | Assistant Professor | Utah Valley University

We have local conferences here in Utah. There’s BSides Salt Lake City, there’s Hack West, there’s SAINTCON. These conferences are full of security professionals and IT professionals that are local, and they’re cheap. A small organization can send somebody, and you give them two or three days off to go, you spend a couple hundred dollars. You don’t have any other travel expenses, and you get somebody who’s going to come back with a wealth of information, who’s going to come back with contacts and have a whole bunch of resources that they didn’t have.

Jared Braithwaite | Shareholder & Registered Patent Attorney | Maschoff Brennan

For small businesses without an in-house attorney or privacy professional, one resource is the Center for Internet Security. It’s a document and executive summary that businesses can go through and kind of run down a checklist and see what they’re doing and what they’re not doing. IC3.gov can inform you about what government agencies are seeing in terms of scams. You can see business scams and email compromise, and it tells you what’s current, and that can feed into your training.

What can companies do to mitigate reputational harm when a cybersecurity incident occurs?

Elaina Maragakis | Attorney | Ray Quinney & Nebeker

I have seen breaches happen that were the fault of the employer, and it was so well managed that those who were the subjects of the breach actually were coming back and thanking the company. It’s communicating. Having someone. It depends on the size of the breach and the size of the company, but having someone making calls just to talk to a human being, giving out resources. Just simple things like identitytheft.com. Really having a touch point.

Spencer Hoole | CEO & President | Diversified Insurance Group

When companies get tripped up on their reputation or their brand, it’s because they didn’t properly disclose. Transparency, authenticity, disclosure, doing the right thing for the right reasons, and it’s that withholding of information that trips them up.

Robert Jorgensen | Assistant Professor | Utah Valley University

One of the best things to look at is what companies have done wrong. When the Equifax breach came out, they discovered it at the end of July. They put out the press release on September 7th. It took them five weeks to do that. They stumbled. They were tweeting out the wrong address that somebody else set up. They did all of these things that were just awkward, and they didn’t communicate well. They just weren’t prepared for that. They didn’t have the PR team in place. They didn’t have a press release framework saying what they were going to say if there was a breach.

What types of training, qualifications, and education exist for people wanting to enter the cybersecurity industry?

George Phipps | VP of Strategic Services | NetWize

Four out of five of our users are on Windows. Microsoft revamped a lot of its certifications over the past year, and there are very specific Microsoft security certifications that are really, really good. So if some of the readers are IT professionals, a really good practice, either for those professionals or for the managers that dictate, is to go get these certifications in Microsoft. It will give them some really good foundational knowledge around security.

Eric Montague | President | Executech

Cybersecurity is the wild west. And cybersecurity professionals today are those who had an interest in it, and on their own, went out and sought out that training. If there’s a reader that says, ‘I’m going to get into this. What should I do?’ I would say SAINTCON is the first conference they can go to. As far as certification, the Certified Information Systems Security Professional is probably the most well-known common certification.

What products would you recommend to the reader for their own personal cybersecurity?

Dan Schuyler | Cybersecurity Architect | VLCM

Two-factor authentication is definitely something everyone should do. But when you’re away from your home, you should be using a VPN. If you’re not on trustable WiFi, you should be using a VPN. The biggest ones are Nord and IPVanish, and they encrypt all your traffic, so when you’re on an untrustable WiFi network, you know that all of your data is being encrypted. Don’t get on an untrusted WiFi network. Period.

Robert Jorgensen | Assistant Professor | Utah Valley University

We work with the National Cybersecurity Alliance at UVU. They have a website at staysafeonline.org that has a lot of tips that cover this sort of thing for home users, and they recommend a password manager, a strong password. And they talk about keeping a clean machine, getting rid of programs you don’t need, and updating your programs.

Eric Montague | President | Executech

The great Ronald Reagan used to say when thinking about unknown threats: “trust but verify.” Today, it’s “never trust and always verify.”

Spencer Hoole | CEO & President | Diversified Insurance Group

We, as consumers, are a little bit desensitized to the security of our own data. Most of us have probably had our credit card breached at some point, and it hasn’t affected us. We make a call to AmEx or VISA, they erase those charges. We get a new card. So we’ve become inherently less protective of our own personal data. We put it out on all sorts of websites and expect that it’s going to be protected. What do we really care about? Do we care about the privacy of our data?

Richard Hickman | Forensics Manager | Eide Bailly

I don’t have to outrun the bear; I just have to outrun you. And it’s that way with cybersecurity. If you just make yourself a little bit more protected than the next guy, chances are they’re going to go after the other guy, they’re going for the lowest hanging fruit.

Kate Riley | Director of Information Security & Compliance | Braintrace

Encrypt the channel and encrypt the data. Install something like Netcraft on your browser, because it’ll give you the heads-up when unauthorized or unsecured sites are potential phishing. On your phone, download the app that encrypts your messages and also encrypts your calls. Signal is one. It’s free. So think about the tools you have and start asking yourself what tools are out there, what software is out there.