Cybersecurity and enterprise risk may sound like business buzzwords, but they are absolutely crucial to the stability of businesses. With the continuing rise of cyberattacks on businesses, not having a cybersecurity plan is setting yourself up for failure.

In this episode, Abhijit Verekar discusses these two crucial elements with Avèro Advisors’ Senior Manager, Robert Kornovich. With over two decades of experience in IT strategic planning, Robert has a lot of insights to share on cybersecurity, risk mitigation and why education and engagement are critical. Gain more valuable insights and information by tuning in to this episode.

AV: I want to do a quick introduction before we get into the presentation. A little background about what Avèro is: we are an IT modernization company based in Tennessee. We do a lot of work with public housing authorities across the country. We’re on the NIGP’s Cybersecurity Practice Forum, and we were just awarded one of the best workplaces to work in in the U.S. by Inc. Magazine. 

We serve clients all over the country, public housing authorities, cities, counties and municipalities. We have a wide range of clients that we serve. My background is: I’ve got years providing IT consulting services, anything from IT strategic planning, process redesign, helping you choose the right enterprise software, helping you move from one software to the other. The one thing we don’t do is sell anyone’s product. We’re completely independent. 

The presentation is from an independent lens in your best interest. My colleague is Robert Kornovich, a Senior Manager with Avèro – he has tons of experience in IT. He used to be a CIO for a city government and is an expert in technology as it applies to cybersecurity and public housing, specifically. What we want to talk about is how do you get beyond the blinking lights in the data center? You may have the right technology, you may have the right systems, but what do executive directors, CEOs, mayors, council members need to know about cybersecurity so that your organization is safe?

We have been ripe with cyberattacks and hacks. I’m sure those large enterprises have their ducks in a row as far as having the right systems, software and hardware in place. What’s missing? That’s the focus of this presentation. I do want to point out that we truly believe that cybersecurity today goes beyond just hardware and software. It is the executive directors, CEOs that are ultimately held responsible and face the press, the board members and citizens when hacks and breaches happen. With that, I want to hand this off. Robert, the floor is yours

RK: Thank you. Thanks, everyone, for reading. I appreciate your time. Let’s go ahead and dive in. We’re speaking to you as executives and as leadership. We’re talking about enterprise risk because this falls within your domain. For those who aren’t familiar with enterprise risk, there’s a variety of different ways of defining it. I like to define it as a risk you’re trying to mitigate that has a substantial influence on your organization, how you operate and your mindset. Obviously, these are risks that are critical to your operations, and they do require executive-level engagement.

One thing I want to point out, even though we’re dealing with risks and especially cybersecurity risks, one of the benefits you get is: risks don’t always have to be a negative mindset. By managing and mitigating your risks, you can actually seize a lot of opportunities. 2020 was a great example. If your cybersecurity was in a good place, you knew what your resources are and what you can and cannot do technology-wise as an organization. It opened up a lot of opportunities for you to be able to take advantage of the remote workforce or adding some additional technology.

Even though we’re going to get into some of the heavier discussions about the risks that you face with cybersecurity, let’s also keep a mindset that the goal here is to give your organization opportunities to leverage the technology that you’ve already invested in. Our topic is cybersecurity. This is not just data security per se. This is a mindset for proactive mitigation. One of the reasons why this is very important is an obvious liability. Organizations usually have to decide, are they going to be risk-taking or are they going to be risk-averse?

Operations don’t really get more risk-averse than this. There’s a high requirement, a high expectation that you protect your sensitive data. Where do we start? A lot of things are going on here. We’re going to discuss some of the assumptions that we’re going to make here. We’re going to talk about what we’re trying to focus on. I’m going to start with feeding the portion of the risk of it.

There is a real concern that complacency with your cybersecurity can set in with organizations that haven’t experienced a cyber event. Unfortunately, you have to assume that you will have a cyber event. You can just look in the headlines to realize that cybersecurity incidents are affecting a great number of organizations. The largest ones usually make it into the news headlines and the smaller ones tend not to.

You will have a day that will come where you will probably have to execute either your disaster recovery plan, your incident response plan or take a look at your business continuity plan and determine. There are a lot of bad actors out there who will spend a lot of time and effort and gather resources to steal your data. If you’re talking about the financial data that you collect, personal information, possibly medical information, your financial information, bad actors could very easily target that. As cybersecurity is not robust enough, there could be seriously compromised data. No one wants to be in that position.

We’re talking about a risk mitigation mindset. Risk mitigation is held from moment to moment. There simply isn’t a way in cybersecurity to just buy a piece of technology, turn it on and go, “We’re good to go. We’re secure.” Unfortunately, that’s not the case for a variety of reasons. The resources that these bad actors and hackers can put together are massive, especially if this is backed by a foreign government. You have to deal with the fact that the risks are going to change slightly in terms of the attack vectors they’re going to try and get to you. You have to be mindful of maintaining what you do have. Possibly be looking at some new solutions as attack vectors change.

It’s moment to moment. Never get to a place where you feel that you can be complacent about that. We’re going to assume that your physical security is in good shape and it’s in a mature stage. We are going to focus a little bit on change management, but this works best if there’s already a culture of change management. What I mean by change management is planning and documentation.

What we find in a lot of cases when we go into this organization is that documentation is either out of date, there are multiple versions of it, so people don’t know which one is the correct one or it’s just not there at all. There has to be this mindset of, “We’re going to document and then keep those documents fresh and keep them actionable.” I think you’re going to be surprised. You likely own almost all the tools that you need to be successful at this.

I’m sure we’ve all heard about issues where someone received an email asking for banking information and it appeared to be an executive inside the organization or someone sends an email out posing as an employee, “Can you please cut a check to this vendor?” They are hoping that the person’s not going to use the controls in place or just the suspicion that they have that, “This might not be right. Let me pick up the phone and call them and verify this.” Not just cyberattacks but also dealing with fraud in general.

When we think about data loss, we tend to think in prior years, strictly of your data backups. Data loss expands now into not only your backup system working correctly and has it been stress tested, but “What about employees who could be taking your data off-site either on purpose or accidentally?” Data loss can also be ransomware where you still have your data, but it’s been encrypted by the ransomware and it’s very difficult for you to get it back. Hopefully, you can restore from a good clean backup. Otherwise, you might have to pay a ransom. That’s not a very straightforward process or an exchange. This seems like a ridiculous question. Would you be okay with suspending your operations for a month or two? I think almost everyone would say no.

The point is on a lot of these recovery operations for organizations that haven’t been prepared. It can take a month or two for you to get your systems back and up and running. It’s more common than you probably think. It’s a disturbing trend. We want to focus on the business continuity, making sure you provide the solutions to your organization. To be able to mitigate an ongoing issue and get you recovered quickly.

Existing tools, you probably own a lot of what you need. You’ve probably made purchases in the past 15 to 18 months. One thing you need to do is make sure that those were actually fully implemented. We’re not here to beat up on your IT team – they are just as busy as everyone else. As with a lot of your departments, they’re being asked to do more with less. They tend to be under-resourced and stretched thin. You might not even have an IT staff. One of the things that we see is like a lot of other departments you have when that situation occurs, it’s very easy to become complacent, especially if you’ve never had a cyber event or at least one that you know of.

We can talk about the fact that sometimes you can have a data loss or a data theft, but because you don’t have the tools in place to track that, you don’t even know that you’ve been compromised. It’s very easy in that type of environment to become desensitized to risk. It’s also easy to take shortcuts that, at the time, you think have little consequence. “I haven’t tested my backup procedure in three or four months. The last time I did a file restoration, it seemed to work okay, so I’m not going to worry about it.”

You still need to do robust testing for your disaster recovery. Unfortunately, in some cases, we’ve had IT departments that just outright abuse the trust that’s been placed into them in exchange for reduced workload. They either want you to just think everything is okay or they tell you everything’s okay, but they’re doing that because they just don’t have the time and resources to really dive into the cybersecurity that they want.

A lot of times, your IT department is screaming out for help internally. They’re just either too fearful to ask. They might think it’s embarrassing to ask for the resources, but they are just as concerned as you are about cybersecurity. They really would like to get that resolved. This is an executive-level way for you to be able to set up your IT department to be successful at dealing with cybersecurity.

How does this work, that information we’re presenting to you? This is at the executive level, so you already understand risk mitigation concepts. You’re dealing with it on a regular basis and in a variety of areas. That is the foundation we can very easily start with. I want to focus on you asking these questions internally rather than waiting for external sources to start asking you this.

Whether it’s the public or a newspaper that wants to know why did you have the cybersecurity event or if you’ve been actually backing up your data, protecting your data or encrypting your data. In the worst case, you don’t want to wait until an outside lawyer or an investigator shows up and wants to check on your cybersecurity operations. It’s very important. Ask these questions now. Ask them internally and get those resolved and avoid embarrassment or the discomfort of having to deal with that.

It’s also like the headline test. If you stepped to the microphone and you had to answer hard questions about, “We didn’t have policies and procedures in place. We never told our employees that they can’t use USB drives.” That can also put you in an embarrassing situation that can be easily avoidable. We know we’re talking about a technical topic here, but we’re going to put this in a digestible format.

The idea here is you don’t even have to know how to use a computer. This is just built upon the fundamentals of enterprise risk, focused more on technology and building this high-level framework. Most importantly, if you’re asking questions in your organization and you don’t like what you hear or you’re not sure, hire an expert, get some help.

When we look at evaluating IT enterprise risks, this is the framework that we use. We start with the defined scope of this enterprise risk, which is pretty standard in the industry. We also apply the NIST standards, the National Institute of Standards and Technology. That gives us some industry-standard protocols and guidance. We marry that with security standards and compliance requirements. You now have your criteria. You can now do an evaluation against the existing resources that you have. It’s important to be honest about that evaluation.

Take a snapshot of where your organization is. Don’t let the, “We’re about to” or “we’re almost there” or “we’re thinking about it,” creep into your evaluation. Have an honest evaluation of where you are. That’s the best way to mitigate those risks. After you do that evaluation, you can now lead into action steps and determine how you’re going to resolve those issues, mitigate your future risks, and set up a plan for doing this on a fairly regular basis.

Understanding you’re very busy, you’re probably understaffed and this is the last thing you want to take on. Being proactive about this and making this a cultural mindset in your organization actually helps it to not become a burden or an additional overhead on your staffing needs and operations. On risk severity levels, we’re focusing on the high-level framework for items that either have a very high impact, tremendous liability or are very likely to occur.

Let’s dive into this framework. Let’s look at the high level: these key areas and what you, as an executive or a leader in your organization, can do to make your organization and IT department successful. You need an incident response plan. What makes this different from the other plans is that this is for something that is in progress. You are experiencing a cyber event or you’ve had a natural disaster. It takes out your data center or suspends your technology operations.

This is a common failure that we see: an organization does have a response plan, but it hasn’t been updated in a while and doesn’t reflect personnel changes. You hire a network engineer, but that person leaves the organization. Maybe you don’t fill that position as a network engineer, you fill it as something else and your incident response plan doesn’t reflect that. Your IT department is busy, so they’re not going to be able to sit down and put together a plan for every single possible cyber event.

The goal of this plan is you need to have the basics outlined. If you try to plan and put things together and determine resources in the middle of the incident, the confusion you can have or the inability to actually put your resources together in a defined way can make not only major data loss inevitable, it’s going to substantially increase the time it’s going to take for you to mitigate that and restoring your operations.

This doesn’t have to be a 20, 30, 40-page plan. It does need to cover the basics, though. You need to outline who would be available to participate in an incident response and what their roles would be. Determine a communication plan: How are you going to communicate with the executive? How are you going to communicate with the board that you report to? Figure this all out in advance. It benefits IT departments immensely because you don’t have to stop and try and put that together when you’re in the middle of this. You can immediately start to take action because everyone knows what their basic role is.

You also have to remember that in some cases, such as a natural disaster, if you have a flood or an earthquake, the entire IT department might not be able to show up on-site. You have to factor in that you might be bringing in someone else and handing them a piece of paper that describes what their role is. You thought in your head, “When this happens, all I have to do is bring in my three database analysts and my network engineer.” You have to assume that some of those might not be available, especially with their regional natural disaster.

It’s important to plan out those types of things and not necessarily the technical details of, “What exactly am I going to do with the cybersecurity tech that starts with ransomware in an email?” We’re not diving into details on this. We’re allowing you to be able to plan this advance so if something does happen, you can quickly focus on what needs to be focused on and get everything mitigated quickly.

With the disaster recovery plan, I wanted to point out that these two types of plans really do need to be updated on a regular basis. I’m going to emphasize that several times because this is a common finding, especially with the disaster recovery plan. This is after the incident has been mitigated. You’re trying to restore your technology services and resume your operations.

These types of plans have to be practiced as well. Mostly because the first time you practice these, you’re going to be surprised. You’re going to discover that your plan has some flaws. This gives you the ability to address those flaws. It also gives the ability, if you haven’t tested it in a while, to make sure that your disaster recovery plan reflects what your current infrastructure is.

You might’ve done some purchasing of some new technology in the past six months, which makes your existing disaster recovery plan either inadequate or not useful at all. If you don’t plan a lot of this out in advance and define some of the general roles, you could lead to a situation where data is likely to be unrecoverable. You do not want to be in that position.

The other thing is with the mistakes that can be exacerbated by not having this planned out in advance, you could inadvertently cause the data loss on yourself. You can very much make a mistake in the heat of the moment when you’re trying to get everything up and running and cause something that means now your systems are completely unrecoverable. The key on this one is to make sure you engage your stakeholders. Make sure the leaders of your departments, your workflow managers, your process owners have some involvement as well so they know what recovery would look like and mean to them.

The common question is, “How do I know if I need to spend $5,000, $50,000, $150,000 a year on disaster recovery tools and cybersecurity?” This is where your business continuity plan comes into play and helps you answer those. This isn’t just a listing of what you do as an organization. This is a document where you determine what your priorities are and what you’re looking to do. This lays the groundwork for building a lot of the other things in cybersecurity, especially your incident response plan and disaster recovery plan. This is a great document that you can use for your budgeting needs going forward when you’re looking at your annual budgets. Include key stakeholders and process managers in this.

Your IT department needs some direction as to what is the priority when we’re talking about resuming your operations or getting you up and running. That helps drive decision points that they make on the technological side. If you don’t have a good business continuity plan that addresses what your priorities are as an organization and what you’re looking to do, your incident response plans will fail. Your disaster recovery plans will fail. Things down the line will also fail.

Sometimes you’re not going to be able to answer the question of, “Why did we spend this much money on this? Why did we not spend enough?” A business continuity plan helps bring that together, especially at the executive level, which can then trickle down to these other things. It’s also important to define in those three plans what your expected downtime is. That’s another budgeting decision that I wanted to point out.

A couple of days of downtime might not be acceptable to you. A couple of minutes of downtime might not be acceptable to you. In those situations, especially if you have the funding, you might be okay with funding your disaster recovery tools and your cybersecurity tools to ensure that your downtimes don’t exceed more than a few seconds or a few minutes. You don’t have the funding available for that. You’re okay with being down for one day. That defines a different set of price standards when you come to budgeting and planning for your disaster recovery. That prevents you from overbuying or underbuying as to what your organization needs.

Documented policies and procedures. Without these, your cyber strategy is really ineffective. This is another area where we see documentation, but it tends to be out of date. It doesn’t reflect changes in technology within the organization. In some cases, it’s just too much. It’s hundreds and hundreds of pages. It’s very difficult for your staff to be able to digest, let alone practice.

It’s important to remove conflicting versions of this because that tends to happen as well. More importantly, without guidance, your employees don’t know if they’re making the right decision or not. Some of them might abuse that to some extent. There’s no support there for audit or legal action. If you need to take legal action against someone for stealing your data or violating policy, and if you don’t have the policy in place or it’s not well defined, it’s very difficult to take that.

One of the executive level questions is, “Do you know of, off the top of your head, a current comprehensive source for all of your technology policies?” Surprisingly, a lot of organizations don’t or it hasn’t been looked at in a while. These other plans need to be updated and addressed on a regular basis.

Vendor security. Whether you’ve bought a product that you’re using on-premises that you’ve installed on your infrastructure or you’re going to host solutions like a lot of organizations are now, it’s very important to set your standards and expectations upfront. I recommend you do that in the procurement process. If you try to apply vendor security, your expectations, what you are being held to in terms of compliance after you’ve already signed the agreement, it’s very difficult, if not impossible, to do.

Why do we do this? It’s because vendors can be a vulnerability for you as well. What we recommend is to make sure you state all your requirements upfront. Hold your vendors accountable for that by using your technology tools to audit their security, as it applies to your environment. You just don’t want to assume that because they’re a software company, then they should know everything about security. You just can’t afford to make that assumption. There’s too much vulnerability and there could be too much surprise.

As we talked about with our first poll question, cybersecurity education plays a major role in the user portion of that. If your users are not educated in how to recognize suspicious emails or learn how to avoid habits that might lead to security vulnerability, it’s very difficult for them to actually apply that. Cybersecurity education also should marry perfectly with your documented policies and procedures. This is something that should already be familiar to your employees.

The goal of this is, on top of that, to layer the ability to provide current information for current trends that security experts are seeing in terms of new cyberattack vectors. Your IT department can take a look at their help desk trends and determine, “Are we seeing a trend here that we need to mitigate through user education?” This is something that should be married with the compliance that you’re already doing internally. It gives you a robust training program. Most of all, look for something that’s engaging.

I think we’d all been through cybersecurity test questions where after the 10th or 11th, it wasn’t very engaging. We’re not going to remember the content five minutes after we look at it. We go back to our old habits. Make sure it’s something that’s engaging, that you keep current and that you solidify across the organization. You also want to make sure that whatever information you’re providing in your cybersecurity education to your employees reflects policies and procedures that executive-level leadership is willing to stand behind

This is another thing that we see where someone puts cybersecurity education in front of users but hasn’t cleared it with the executive level. Executive starts to get a lot of questions as to, “I didn’t know we were supposed to do this. Why am I being instructed to do that?” Make sure you work with executives ahead of time and determine an overall strategy before you deploy cybersecurity education.

You likely own the tools that you need for cybersecurity. Utilizing existing features varies from the basics of, “Are you applying regular patches to your workstations?” This is a common attack vector for cybersecurity incidents. It also means, “Are you keeping old technology around?” Old technology doesn’t have any updatable security features because it’s been retired. Let’s say you’re using Windows 7 or an older operating system.

If you don’t even have the ability to take advantage of patching features because Microsoft doesn’t support your operating system, you’re leaving yourself wide open. Microsoft releases a lot of patches. They’re targeted to deal with known or potential issues. If your operating system no longer is supported by Microsoft and they’re not providing you patches, the vulnerability that they discover, they’re not going to be able to offer a solution for you. You’re left wide open and vulnerable.

This also extends into other areas like intrusion protection. A lot of networking devices or new infrastructure that you purchase have these features to some degree. They can be turned on to gather information or do some dashboard reporting to your IT department, so they can keep track of what’s going on in your network. It’s very comfortable in terms of your operations in IT to just go without this. A lot of IT organizations look at the information they get from security features as being a lot of noise and overhead.

The liability that you run by not employing them, not knowing if you’ve been hacked, why your servers just shut down or that all your files on your hard drive and your network drives are encrypted puts you in an embarrassing situation. If you don’t know how to put your arms around the event that’s occurring to you because you don’t have any information from logs or from your firewall per se, it’s almost impossible to figure out how to mitigate the situation and stop it.

This stretches from the very basics of, “I’ve got a brand new laptop. Am I maintaining it by my IT department doing regular maintenance and patching?” It goes all the way to a higher level, more advanced networking options. If you don’t have these features, there are a lot of affordable solutions. One of the benefits of the pandemic has been that technology, in a lot of ways, has actually become more available at a lower cost.

If you have a very limited budget, that might not mean very much, but it does allow you to engage in things that before were seen as enterprise-level cybersecurity. These are things that are a lot more affordable and available to smaller organizations. This one tends to fail because you have the solutions. You haven’t either brought them to maturity or you’ve implemented them once and never revisited them to make sure that they’re properly maintained.

You might be having your workstations patched automatically. If no one’s checking to see if that patching is actually working correctly and that they really are patched, ignorance is not bliss in this particular situation. We’re talking about a defined set of standards, especially with the NIST standards. There’s a lot of technical detail that goes inside of those. The idea that we have here is that this is the framework that you need to make those processes down the line successful.

When you get into the more technical aspects of these standards, for that to be successful, to be implemented correctly, for you to be able to buy the right thing, you need this high-level framework that we’ve discussed here. There’s always further reading that could be done if you’re interested. We want to make sure that the framework is at least established in your organization. That’ll help you quite a bit going forward in maintaining your cybersecurity posture.

Cybersecurity is a major enterprise risk. You have to look at the aspect that it also gives your organization a lot of options. Even in terms of collaboration with another organization for data sharing or programs that you’re involved with, if you have solid cybersecurity, you know what your IT resources are and you know what kind of state they’re in. It’s very easy to take advantage of the situations that pop up rather than, “I’m not sure if we can do that. We don’t know the ability to manage a connection like that or bring someone on board or even hire a new vendor because we haven’t established our security standards with them.”

This is about giving your organization options. If it’s not documented, it just doesn’t exist. Your cybersecurity plan might be in your head. You might have an idea of what that’s going to look like or what you need to do. If you had a major server failure or if your data center flooded, you need to document that. There’s always the possibility that if you’re an IT leader, what if you’re not available because of the natural disaster to be on-site to help restore your operations? One of your IT supervisors or technicians now has to try disaster recovery.

If you don’t have it documented in someplace that’s easily accessible, they’re not going to know what to do at all. They’re likely just going to let the incident continue going forward, unmitigated. Whereas if they had the documentation and some sort of plan or at least knew who to call for a particular resource, they could actually start mitigating the situation. A lot of what we mentioned, you probably own to some degree. All it needs to do is be brought to maturity.

If you don’t have it, there are a lot of solutions out there that can be implemented without blowing up your budget, blowing up your IT department, making you have to go out and hire two or three new IT people, which is probably not even an option for most. There are a lot of cost-effective solutions. Don’t ever think that, “I’m just too small to have to worry about cybersecurity. I don’t have an IT department, so I don’t have to worry about it or I hired a software vendor that said they’re going to take care of everything for me.”

At the executive level, you still need to be engaged in that and make sure that’s occurring. The goal here is to give you solutions that are actionable, that doesn’t require you to go through another budget cycle to put together a lot of money or go out and get additional resources or increase your staff. It’s about enterprise risk. Not thinking about it just doesn’t get better with age. Bad news doesn’t get better with age.

If you ignore this enterprise risk or don’t address it, like all of your other enterprise risks in your organization, your culpability and your liability keep growing overnight. Especially because the risk hasn’t gone away, it just isn’t being looked at. Infrastructure security is about mitigating enterprise risks. It’s not building complacency. I don’t want to leave you with the idea that, “All I have to do is buy this and implement that. I’m good to go for the next five years.” This is something that always has to be proactively looked at.

AV: I think we have some questions. The first one is the vendor security question. Does that also apply to non-software vendors?

RK: Nowadays, when you bring in a vendor, you’re almost always giving them access to some sort of your resources, which are usually technology-based. Even if it’s just email, if you give them a card key to be able to get in and out of your building, not every single vendor is going to have that type, but you need to go in with the mindset of, “I need to make sure that I check the boxes and make sure that I am not providing them with any technology or access into my systems. If I am, then I need to make sure that I’m upfront with them about the expectations and the security.” Don’t just assume that because they’re a vendor, they’re going to take care of it themselves or that everything’s going to be okay. You have to be proactive about making sure that you’re not exposing your resources to them and increasing your liability.

AV: Question 2 is about cybersecurity insurance. How much does that impact what we just presented? Is that a fair avenue for mitigating cyber risk? 

RK: I highly recommend organizations look at it. There’s a lot of detail in there. It varies from organization to organization. It is a values judgment because there’s a cost there. You have to determine, do you want to mitigate that risk, that potential payout? You’d have to either pay a ransom, which we do not recommend that you do, but in some cases, you might not have a choice or the additional resources you would have to buy to shore up your systems after a cybersecurity breach.

It’s too detailed and specific to an organization to give you a blanket answer. I encourage organizations to look at it and see what their options are. If they feel that it is in their best interest to mitigate a substantial high cost through a values judgment on their part, then seriously look at it and make sure you get a good product. If it’s something that you have another avenue or you have a capability of self-insuring, which most places don’t, but if you do, then you wouldn’t necessarily need it. I encourage every organization to take a look at it and see what its options are.

The next question is about penetration testing, if that is also an important tool in shoring up your cybersecurity posture.

It’s hard to get consensus at the executive level and the penetration testing for a couple of reasons. First of all, it can be intrusive into your systems. It can disrupt ongoing operations. It’s important to plan it for most of that to occur after hours. A lot of organizations don’t like the fact that it’s going to expose a lot of things, especially if your penetration testing is also paired with a social engineering test. Some organizations are doing this where the IT department purposely sends out a potentially ransomware-loaded email to see how many people in the organization will click on it.

My experience has been that it’s very difficult to get all your department directors to sign off on the fact that you’re going to be exposing weaknesses, either through user operations, user habits, as well as IT. I highly recommend it, though, because there’s just no substitute for that. You really need someone on the outside to do a full analysis of trying to get into your network to determine just how vulnerable you are. The issues tend to be on the political side, more than the procurement and the technological side of actually running penetration testing.

AV: The universe of combinations that a pen test can test for is very limited, unless you have a pen test going at all times. You really are not testing every scenario that might happen to your organization. Good points. The next question is, how would you ensure that your external IT company is providing the right amount of security for your PHA?

RK: You’re going to have to engage someone else to help you with that. I understand that vulnerability and it occurs as well with your own internal IT department. This is your staff. You place a lot of trust in them. You feel that you don’t have either the technical understanding or the reason to question a lot of their habits, even just asking the questions and really pressuring your external resources to answer questions about the security or at least be able to explain it to you.

You’re not going to be able to detect it most of the time. You should be able to use the risk management skills you have as an executive to go, “I might not understand what they’re talking about technology, but something’s not right in the answers that we’re getting.” Especially, in that case, engage in other experts to help you out or to be involved in that. If you suspect that something isn’t right, you really need to look into it. You don’t have to have a technical understanding to think conceptually and go, “Things aren’t adding up here. Things don’t seem correct. We need to verify that this external partner is actually providing us ways to mitigate risks, not increasing our risk through their services.”

AV: There’s a lot of external factors nowadays because of work from home and pandemic situations. There’s a lot of traffic coming into your core networks that aren’t a new building. It goes hand in hand with what you said. You just have to look at it from a holistic perspective. The next question is what kind of policy against spoofing and staff direction regarding their receipt of such emails, do you usually suggest that opens the doors to hacks and cyber events? 

RK: This is where cybersecurity education can pay off. In most organizations, when you try to update your policies and procedures on a regular basis, it leads to burnout. Unfortunately, it doesn’t feel like you’re keeping up. It tends to have to go through a review process, at least at an executive level, before your policies and procedures and updated version hits your organization for them to start looking at it and implementing. That’s not an excuse to not keep that updated. It’s just a recognition that the process does take a long period of time.

Cybersecurity education fills that in for you. If you at least educate the users to, “There’s a new trend that they’re using in social engineering through email to try and get you to go to a website or click on a link or provide your password,” your cybersecurity education is your best bet to mitigate that upfront, and then let your policies and procedures catch up.

Years ago, we didn’t think that a USB device would necessarily be a threat to cybersecurity. That obviously was not the case when ways were found to either compromise that to load information onto a thumb drive that you then send to someone. You send it to an HR department and say, “Here, please take a look at my resume,” and that’s actually a program that someone put on the USB stick. They plug it into the HR director’s computer, and then it launches a ransomware attack. Those types of things will evolve quickly and they will change. Address that in your cybersecurity education first, and then allow your policies and procedures to address that if it isn’t addressed.

AV: Is there a best-of-breed software that can help us mitigate a lot of these risks? Is there one piece of software you might recommend?

RK: There isn’t. I’ve yet to see it in the industry yet. I don’t think we’re going to quite get there. The beauty of the innovation that we have with the variety of tech companies out there is they tend to make leaps over one another in terms of their advancements in what they provide and the security they provide. It would be difficult to go with one.

SolarWinds, unfortunately, has a little bit of a tarnished name right now. It’s a good product. It’s very robust if you don’t have a central center for managing all your data logs, all your help desk, all your software inventory, and all the management of your technology policies and procedures. From the hack that occurred, the SolarWinds name can be looked at as potentially suspicious. That’s because the targeted attack was directed at them. It was very difficult for them to mitigate that because of the resources put on there. It’s still a very good product.

If you are still doing a manual inventory of your computer systems, there are a number of really good products that you can purchase for a couple of hundred dollars that can automatically inventory every device on your network, return error logs back to you and tell you if there’s any vulnerability. This varies from month to month as new products and services come out. You’re probably going to want to engage an expert to help give you some guidance on that. It’s difficult to name one single platform because of the innovation that a variety of people are providing to their products and services.

AV: How do you go about educating your staff about threats and risks? 

RK: I think the most common thing is cybersecurity education. It occurs once, twice a year, especially when it’s time to get everyone in the organization certified again. That just doesn’t work. You watch the video, you answer the questions and then five minutes later, you don’t retain that or you go back to your old habits. There needs to be consistent outreach, which also helps with your resourcing as well.

If you’re training deaf every week, if you’re lucky enough to be able to do that or every couple of weeks or every month in cybersecurity education, you can go into smaller, manageable bites with them. There are even simple things like your IT department putting out a newsletter that users can just look at and go, “I see that there’s a new cyberattack vector.” Your users aren’t thinking in those terms, but they’re looking and going, “I see there’s a new method for someone to try and hack and get my password.”

Even if it’s just an outreach newsletter, group meetings, department meetings, having your IT department come by and just spend two minutes talking about something, consistency and having it on a regular basis is the best way to deploy your cybersecurity education so that it’s effective. You don’t want to overwhelm the end-user with two hours of training every six months. Five to 10 minutes every week, every other week, can go a long way into getting them engaged and getting them to where you need to be in terms of being less vulnerable.

How do we humanly monitor all of what’s going on the internet and what’s coming into our networks?

It’s difficult to do because you don’t have the resources to look at absolutely everything that can be provided to you in information. This is not just in cybersecurity. This is just in general and our way of life. You can very easily get bombarded with information. You get desensitized to it as it is difficult to manage it. If you own an IT help desk system for managing your tickets, it probably has a module that’s able to take all of your logs that you’re getting from your network devices and compile them into something useful.

You can also set specific types of alerts on your devices or your software that manages your logs so that you’re only going to get alerted if these particular things happen. In some situations, you just have to set aside some time for one of your network engineers to go through all the information and look for trends. You’re going to have to rely upon dashboarding systems that are built into a lot of curio technology to provide you with that information and to serve it up to you.

Especially if your IT director wants to take something to the executive and provide a report on internet usage, what people are looking at, how many hours people are logging in every day when they work remotely, you’re going to have to rely upon a dashboarding tool to really compile that information. The good news is there are a lot of them. They’re very effective. If you spend a little bit of time, you can customize them to serve your exact reporting needs internally.

AV: There is one question that says, “Is there hope?” I’ll answer that by saying yes. If you do more than buy stuff that goes blinking red and green in your data centers, there’s a lot that goes into cybersecurity that we only scratched the surface of. If you need more information, if you need help, please feel free to contact us. I would be glad to talk to you. Thank you so much.

RK: Thank you.

About Robert Kornovich

Robert Kornovich is a Senior Manager at Avèro Advisors with experience in the service industry, business administration and marketing research. He has expertise in providing all practical IT strategic planning, business process redesign, system advisory, and project management/mentorship services for various public sector organizations. Konorvich has worked with numerous clients across the nation. Also, he has a certification in Project Management and is a Certified Public Manager from Arizona State University.

Request Information

Contact us to discuss your current workflow
and infrastructure needs.