Tony Spurlin, Windstream chief information security officer | Thursday, October 10, 2019
Each October, the Department of Homeland Security observes Cybersecurity Awareness Month, but every few months we hear about a major hack or data breach affecting millions of people — this summer it was Capital One and some 100 million Americans’ personal data that was harvested.
Increasingly, though, it’s small and midsize businesses who are the target of cyberattacks. These crimes are almost exponentially more numerous in the United States than in any other country. And, almost two-thirds of the victims aren’t the Wall Street credit card companies we hear about but the Main Street businesses we drive past.
We sat down with our own Tony Spurlin, vice president and chief information security officer at Windstream, to give us insights and advice around business data security. We began by asking him what kinds of breaches, and what damages, victims of cyberattacks sustain.
TONY SPURLIN: You know, there are a plethora of attacks, and not all result in data loss. Malware, ransomware and phishing are just the mechanisms that the bad guys use to get in, sometimes for access to troves of data, sometimes to deliver strikes, such as denial-of-service attacks. At minimum, these result in a loss of productivity due to responding to events or outages within the environment.
Then, of course, there’s that reputational loss that happens. The aim of Cybersecurity Awareness Month, and the goal of every cybersecurity professional, is ultimately to protect data and maintain the integrity of our financial statements and reportings, but we also want to protect our companies’ reputations.
When your bank is breached, there is an impact to your confidence as a customer. That impact to a bank is felt immediately from a revenue generation standpoint, then, of course, the “hidden costs” are the regulators who come in, and the remediation that you have to go through — the years of remedial audits after the breach.
So there are a lot of costs, and a lot of impact on a business to deliver quality service to their customers as a result of these attacks.
BYOD — Bring Your Own Device — has evolved to be the norm in a lot of offices. What’s the biggest security struggle in enabling employee mobility?
You know, ensuring users’ phones are secured and do not expose corporate data is very important to us, and important to cybersecurity for small businesses.
The industry is moving away from these mobile device management controls and it’s more about application controls. That’s really been pushed by the BYOD culture.
That’s because users want to be able to use their own personal phones for work, but they also don’t want to have parts of their phones they can’t control, or data that will get lost as a result of a mobile device management solution that will move data around. So, it really is about giving users lots of flexibility and convenience while at the same time maintaining the confidentiality, integrity and availability of our data.
Would you point out some myths and misconceptions around cybersecurity?
“You’re secure after you install a bunch of operational controls. You can just walk away then, wiping your hands of it.”
Business data security is really an organizational program that must operate perpetually. You really must continue to evolve, to improve with the threats businesses are exposed to. Cybersecurity awareness is a strategic position in your organizational IT and business.
Has the cloud made business more or less secure?
It really depends a lot on your cloud service provider, but ultimately, it elevates business data security. Cloud service providers generally provide very good security capabilities, controls and monitoring. Cloud service providers have a big reputation they have to monitor and take care of. So, they’re going to put a lot of capability into cybersecurity for small business — a lot into monitoring controls around protecting that data.
What’s your best line of cyberattack defense in a small to midsize business?
Your people are always going to be your best line of defense. But, when you break out a lot of successful attacks against enterprises, it’s more often than not people that accidentally enable attacks or make some configuration mistakes.
The reality is, getting in front of your employee population and training them to be more security-aware is really your best, first line of defense. We can put all the controls, the firewalls, malware protections and vulnerability management solutions in place and patch everything. All it takes is one user clicking on an email, or a laptop unlocked at a local coffee shop so someone can sit down and immediately start hacking. A user may leave a laptop in the car and the car gets broken into. So make sure the user base is trained and aware of the security risks out there.
Many workplaces seem to have so many moving parts — systems, data, humans — it’s impossible to comprehend getting a handle on all of it.
You know, it’s interesting, one of the biggest problems a lot of companies right now are working to solve is around asset management — what devices we have in our environment, what software versions they’re on.
Accounting uses asset management data for depreciation schedules and budgeting. Security uses it so we know what we’re trying to protect.
Software versions are critical to ensure they are currently under maintenance and frequently updated from a security standpoint. That’s really a critical piece of asset management, which feeds into the vulnerability management solution that security uses. Let this be your jumping-off point this Cybersecurity Awareness Month.
If humans are our greatest and first line of defense, what programs or strategies undergird that?
The key is, we want to help them not only at work. The way we structure our training at Windstream, we focus a lot on corporate culture, but we also focus a lot on how they can protect their children, their families, as they navigate through the internet on their private time. That type of awareness translates to an overall security acumen that supports our business and our customer.
If we can help people understand the impact of security and how it may impact their personal lives, it’s interesting — it comes back as their cybersecurity awareness for the company as well.
You’ve called cybersecurity a “posture.” What do you mean?
At Windstream, we perform a risk assessment every 18 months to evaluate our risk across our entire enterprise. From that, we meet with our stakeholders to figure out what their risk tolerance is so that we organize our program to address the most important risks to our business and our customers first. Your security posture is guided really by your perception of being able to accept risk — not just business data security — and identify what risks are in your environment. In our case, it’s also dictated by regulatory requirements.
What are the basic ways we improve our cybersecurity from the standpoint of automated defenses?
Automate software updates. Keep it current. Always make sure you have the latest browsers, malware and virus protection. But always keep a close and watchful eye on ensuring that any impacts that happen, you can redress back to a previous version. Use strong authentication to protect access. We talk a lot about that here. It used to be passwords, now we use passphrases. I’ve seen some banks ask for 21-character passwords. Or a token-based two-factor authentication.
At Windstream we’ve moved to multi-factor authentication. Access is predicated on something that you have in your possession and something that you know by heart. If hackers and thieves can’t get that user’s physical access, it limits their ability to get in. You have to move to more brute-forcing type attacks and less elegant attacks.
I would say one thing for sure — back up your data on a regular basis. Make sure you have a system in place that you follow, and make sure you can recover those backups. You should be able to test them periodically.
Limit access to business data systems to employees who have a job function for it. In other words, role-based access. Not everyone needs access to every bit of data in your environment.
Keep your machine clean. Have standards around ways laptops and desktops are deployed. Limit the way that changes can be made to them so we don’t open up any vulnerabilities.
When in doubt, throw it out, whether it’s a suspicious email or just a file from a long-ago project.
So, in the end, call in the pros. What if you’re a small business on a lean budget?
I will say that if it’s not something you are adept at or have a security organization around you — because in our case we have pros and we are pros — it is a good idea to look at external security service providers.
Make sure that reputationally they’ve done a good job for other customers. Check on their references. Know that their customers are happy and satisfied. Be clear in your scope of what services they’re to deliver to you. If they’re monitoring your environment, when they have an alert, they should know what you expect them to do about it.
How do they integrate into your incident response? That’s critical. When you outsource monitoring to a service provider, you didn’t outsource incident management and response. That still relies on you. The service provider will let you know with a level of efficacy and fidelity that this attack is ongoing. They’ll work with you through the incident, but your organization will have to lead that effort. The service provider will not know the stakeholders in the company, the hierarchy or organizational dynamics, maybe even the digital assets, the private data, and will always rely on internal subject matter experts to help drive that.
And should the worst happen? How should businesses respond?
A cyberattack defense, or realistically, cybersecurity awareness, begins with acknowledging the possibility at all. So first, have an incident response plan.
Every incident response plan is a little different, but I will tell you they have certain universal elements. They have an element of legal to help you understand what your legal rights and legal redress are. You have a public relations or marketing arm to communicate out to your customers, employees and your stakeholders. You have to have an element of a cross-functional team that works with each other and knows where each person is going to be to deliver what they need to.
When an incident occurs, it’s not just security that runs around and solves incidents. We rely on system users and administrators, network administrators, and application administrators. We rely on stakeholders, whether that’s in the business or a third party. So, you really need to have in your incident response plan a capability to bring everyone to the table very quickly, and make sure everyone knows what their roles are.
Ourselves, we drill our incident response plan every year. We perform it as a tabletop exercise, and we’re so bold we actually invite our board of directors to monitor how we perform. The key is testing it and updating it frequently as organizational changes occur and people move into different titles. Make sure you’re constantly updating that. Make sure you have a plan of how you will notify state and federal agencies, depending on the type of data that was breached.
Know who your state representative is and whether you report to a state bureau of investigation or the Federal Bureau of Investigation — or both — or a regulatory body. You need to know who to contact, even how you’re going to contact them, and who’s going to take the responsibility to contact.
Finally, don’t rest on compliance with “industry standards” when it comes to business data security. Take a moment this Cybersecurity Awareness Month to check out the National Institute of Standards and Technology’s Cybersecurity Framework. It’s robust.
Tony Spurlin is a vice president at Windstream and chief information security officer. For more than 20 years as an IT security expert, he’s advised staff and clients on information security and compliance, incident response, disaster risk, vulnerability management and other network security improvements.