CYBERSECURITY Table of Experts

ADVERTISING SUPPLEMENT

JEFF OLEJNIK
Director, Wipfli LLP
Expert: Accounting

Jeff Olejnik is a highly-experienced IT security professional and director in Wipfli LLP’s risk advisory services practice. With more than 20 years in the industry, Jeff helps clients manage risk through effective information security, business continuity planning, and program management. He is a seasoned entrepreneur with proven experience in building successful companies in the IT services industry.

KEVIN DOHRMANN
CTO, Cosentry Inc.
Expert: Technology

Prior to co-founding Cosentry, where he is responsible for technology direction and strategy, Kevin Dohrmann helped create an Internet telephony company that provided Web-based telephone services to large U.S. and European carriers. Kevin has worked extensively as a systems and support engineer. He published articles on technology networking topics and is a frequent speaker on technology trends and their impact on business. In 1998 he was granted a patent (6,192,123) used in telephony and database technology.

JENNIFER RATHBURN
Partner, Quarles & Brady LLP
Expert: Law

Jennifer Rathburn advises companies on data management, data breach and privacy and security issues. She regularly counsels clients on developing privacy and security compliance programs. Jennifer also advises clients on how to proactively prepare for data breaches and handle privacy and security investigations, including assisting clients through the security breach notification process. She is a national speaker and author on privacy and security issues.




APRIL 17, 2015 ADVERTISING SUPPLEMENT 15

KIRA LAFOND: What are some things every company, regardless of size, should be doing regarding cybersecurity?

JENNIFER RATHBURN: Develop a cybersecurity program. Many of our clients are using the NIST framework, a voluntary standard that is a good tool for technical staff, risk managers and legal counsel in any type of industry.

KEVIN DOHRMANN: Training employees is absolutely critical. Most data breaches occur because someone clicks on a link that downloads malware. You also need to make somebody accountable for cybersecurity. Unfortunately, this role is not well-defined in many organizations.

JEFF OLEJNIK: Companies should conduct a vulnerability assessment of their Internet perimeter and internal systems. Businesses should also review their cybersecurity insurance policy to make sure they understand what is covered and what is not covered.

LAFOND: If a company does these things can they be guaranteed they won’t have a data breach?

OLEJNIK: 100% protection is not possible. There’s only one way to guarantee that a breach will never occur: encrypt all of your data, unplug from the Internet and fire all of your employees. Kidding aside, that is why all companies need to have the ability to protect, detect and respond to data breach incidents.

RATHBURN: Cyberthieves are very smart and data losses are happening to the best of companies. I think companies are realizing that they will still have vulnerabilities no matter what they do, so there is an increased focus on planning for what they should do if something does happen.

LAFOND: What are the most likely cybersecurity threats a company will face?

DOHRMANN: A rogue employee, someone like Edward Snowden, is the number one cause of critical data loss. Another major cause is malware that gets installed on someone’s desktop and steals your data.

OLEJNIK: Employees being tricked by phishing, phone calls or even a walk-in perpetrator who pretends to be a telecommunications engineer or printer repairman.

LAFOND: What is a cybersecurity audit and what should it include?

RATHBURN: It really depends on what industry you are in.

DOHRMANN: And what are you trying to secure. There is no such thing as an overall standard, except for maybe NIST 800.

OLEJNIK: In a cybersecurity audit we look at identification, protection, detection, response, and recovery controls. We look to make sure the proper controls are in place across those five broad categories, then we test to make sure those controls are working as we would anticipate.

RATHBURN: Cybersecurity audits are critical for finding vulnerabilities, but they don’t really help you prepare for a cyberattack. We are starting to see audits simulating cyberattacks with tabletop exercises that help employees train how to respond.

LAFOND: How often are cybersecurity audits done?

RATHBURN: They can be annual or periodic. You should review or audit your cybersecurity measures whenever there is a change in your business operations, when a new technology is introduced or if you buy a company. That’s where a lot of companies get into trouble. They buy another company or implement a new information system and they don’t evaluate it.

LAFOND: What is an incident response plan and why is it important?

OLEJNIK: An incident response plan is the logical approach your company will take to minimize impact and avoid chaos if there is a security breach.

Table of EXPERTS

LOCKING UP YOUR DATA

What businesses can do to secure their data and minimize the impact of a data breach

“At Cleary Gull, protecting our clients has always been our main priority, and cyber security throughout our operation is at the top of the list. Technology is evolving rapidly and cyber threats are constant everywhere. Expanding our partnership with Cosentry gave us access to a security operations center – a deep bench of cyber security experts and 24x7 monitoring to augment our own staff. That gives us flexibility with our resources and the ability to be better prepared at all levels of service.”

James J. Blahnik, Manager of IT Systems

Cleary Gull

www.cosentry.com 414.476.0757

OMAHA KANSAS CITY ST. LOUIS MILWAUKEE SIOUX FALLS

The best defense is a strong offense.

Go on offense with Cosentry’s 7-Point Vulnerability Quiz and Cyber Security eBook. Get both now at cosentry.com/cybersecurity

In a world increasingly driven by electronic communication and e-commerce, data privacy and security are vital to safeguarding business relationships with customers, employees, and vendors.

The Quarles & Brady Data Privacy & Security Team helps companies develop, implement, and maintain comprehensive privacy and security compliance programs, including assisting clients with data breach notification and remediation. We partner with industry-leading third parties to provide our clients with a comprehensive, multidisciplinary approach to protecting their data.

a FOCUS on Prevention

quarles.com

Data breaches have become a common occurrence, leaving many businesses to wonder how secure their data really is and the potential damage it would cause if stolen. In order to help our readers understand cybersecurity challenges, the Milwaukee Business Journal assembled a panel of experts to discuss what companies can do to make their data more secure and what they need to know in the event they have a security breach. Milwaukee Business Journal Director of Advertising, Kira Lafond, moderated the Cybersecurity Table of Experts.


16 ADVERTISING SUPPLEMENT MILWAUKEE BUSINESS JOURNAL

RATHBURN: I cannot stress enough the importance of incident response plans. People often make mistakes during a security breach because they are stressed, fatigued and scared. Your plan does not have to be too detailed. At the very least it should identify who is on your security incident response team. That team should include IT, compliance, risk management and communications staff, lawyers, and senior leadership.

OLEJNIK: I agree. A lot of your response will be focused on preserving your reputation and brand. In addition, the vendors you deal with during a cybersecurity incident are typically not the same vendors you deal with in your day-to-day operations, so the time to find and develop relationships with these vendors is before you have a crisis.

LAFOND: Data encryption is touted as a great way to keep data secure. When and how should data be encrypted?

DOHRMANN: All data can be encrypted, but you have to decrypt it if you want to use it. You should encrypt data whenever it is at rest or in flight to limit people’s ability to get to the data.

OLEJNIK: There are some pretty easy-to-use encryption utilities. And while a lot of companies encrypt their employees’ laptops, I think mobile devices are the bigger issue.

RATHBURN: One thing that’s important to know is that if your data that is breached is truly encrypted, you don’t have to report the breach unless the person who took your data also has the key to decrypt it.

LAFOND: What cybersecurity issues should a company keep in mind when working with a cloud vendor or data warehouse?

DOHRMANN: You should make sure that they have the proper certifications. Make sure your vendor has those controls and that they have hired someone from the outside to certify that they follow those controls.

RATHBURN: One caution is that certification can bring a false sense of security. You have to take a close look at the contract with the cloud vendor to determine what liability the vendor assumes for data breaches. If there is a data breach, how is the cloud vendor going to work with you? Will they notify you if you have co-located information and there is a breach of another client? Do you have to notify the cloud if you have a breach? It is all about understanding your security policy and their security policy and making sure you fill in any gaps with appropriate security measures.

OLEJNIK: A lot depends on the type of cloud provider. With cloud applications like Salesforce, you really have no control because they manage everything. You do want to make sure you understand how they protect your data, but there is not much technically that you can do. The other type of cloud vendor gives you systems, storage and bandwidth, but you use your own application and are responsible for managing it, patching it and setting up the different kinds of authentication controls giving you more control over security.

LAFOND: Security risks are continually evolving. What are some of the ‘what’s coming next’ issues that companies need to be thinking about and planning for?

DOHRMANN: Cybersecurity is an arms race. The bad guys have the same tools as the good guys, so you need to continually make sure you are protecting your data.

OLEJNIK: Security needs to be viewed as an evolving process, not a destination because cybercriminals are always looking for new ways to attack. As a result, businesses need to apply some of the great management tools like Six Sigma and Lean for continuous risk management improvement.

RATHBURN: Technology is changing so quickly the law cannot keep up with it, and the standards that are out there are pretty much baseline. Companies need to look at cybersecurity from risk management and ethical perspectives. They need to think through what is the right way to manage data, what they should do if they have a breach and how their actions will be perceived.

OLEJNIK: One thing that concerns me is state sponsored hacking of private enterprises. When we have foreign governments sponsoring cyber-espionage to compete with private enterprises in the United States or conducting attacks on businesses in retaliation to US policy decisions, it really blurs the lines between private sector and federal government responsibility for cybersecurity and will require better collaboration and information sharing between public and private sectors. I am also concerned about having devices, appliances and equipment communicating on the Internet without the appropriate security controls. Farm equipment, for example, is becoming automated with satellite-driven tractors that can grab information about the soil, apply the appropriate amount of fertilizer and determine the proper planting depth. If that information is compromised or sabotaged, a hacker could destroy crops, which would affect the futures and our economy. All businesses must think about what can go wrong and build security into the design of their product or service.

DOHRMANN: One of the biggest things we face today is personally identifying that you are who you say you are. We have been using the password concept forever, but that is not good enough. Now we have fingerprint security and facial recognition. There are also concerns about who has the right to personal data and the ability of companies to target people using that data.


Jeff Olejnik (second from left)...“Cybercriminals are always looking for new ways to attack.”

Jennifer Rathburn (at right)...“Cyberthieves are very smart and data losses are happening to the best of companies.”