
What Could Possibly Go Wrong (From the Lawyer and Technologist Perspectives)

Panel:

Transcript:

Good morning, everyone. It's my pleasure to welcome you to you on 2025 and this talk today: What Could Possibly Go Wrong (From the Lawyer and Technologist Perspectives).


We have today Haley Trace, attorney at Holland & Knight in Houston, member of the Data Strategy, Security and Privacy team. Advises clients on data breach response, regulatory compliance, privacy policies and security procedures. Experience spans M&A, due diligence, vendor management, and technology transactions. Works with companies across energy, construction, software, health care, and cybersecurity sectors. And we have Bart Hoffman, Data Strategy, Security and Privacy attorney at Holland & Knight's Houston office.


Background in systems engineering and intellectual property. Extensive experience in privacy, cybersecurity and complex technology transactions. Advises clients across energy, healthcare, financial, transportation, and other critical infrastructures. And then we have Chris Wilkinson, principal at Crowe Cybersecurity Consulting, helping clients with cyber strategy for 20 years. Let's welcome them and get started.


Well, thank you very much for being here today. Wanted just to put up an agenda. You heard who we are, kind of a little bit about what we do, but this is what we plan on talking about today. And you know, the focus being on when an incident happens, and they are going to happen, kind of what do you do.


What do you think about, and what are the ways to mitigate.


Just a little bit about us, which you've already seen. So I'll go ahead and move on to the next slide.


Maybe.


Okay, there we go.


So first off, we wanted to talk about everything that can go wrong. I don't know if you guys want to stand up with me or if you want to sit down. It doesn't matter. But,


So we've just listed some things up here that when an incident happens, these are kind of the things that we think about. These are the immediate responses after an incident occurs. And we're thinking about this, as the title suggests, from a lawyer and from a technologist perspective. So when we're responding to an incident, these are the categories that can go wrong.


And we wanted to talk about some of the things will happen immediately as an incident has occurred in the heat of the battle type of things and other things happen later on, you know, maybe months later, years later, when you're talking about litigation and regulatory actions. And so today is where we'll talk about a lot of these things.


But we also want to provide some real life examples of what we see on a day to day basis in responding to incidents as breach coaches from a lawyer perspective. And then also from the forensics side and business resilience. And that's what Chris will be talking about today. Yeah. Let me throw in just quickly, like Haley says, we're lawyers and we work in this space.


And have for some time. Chris has been doing it from the technology side. So, you know, these are things that happen. We're going to talk about things that happen, but it's also important and it's kind of top of mind for me. I've been working on a couple of tabletops lately with Haley and, you know, thinking about these kinds of things, these are also good checklists for when you start to design your tabletops and think about, well, what do I want to think about?


You know, like I talked to one executive and he's like, well, I want to talk about something that is going to affect my pocketbook and my reputation. Right. Like, so, you know, because you don't exactly know. That's a hint. The name of our talk. Right. You don't exactly know what's going to happen, but we're going to try to give you some perspective on all the various things that might be impacted.


Yeah. And I think one thing, as you mentioned, Haley, a lot of organizations focus on maybe the second, the middle set of bullets here right off the bat. Right. They're worried about business interruption, loss of data, potential loss of money right off the bat, and they lose sight of some of the areas up on the top of the screen that maybe impact them months, even years into the future.


So, you know, a lot of times these investigations, when we go in, obviously are very short term and tactical to start, but you also have to bring that strategic mindset to say, okay, down the road, we still need to account for these types of things, right. And we see that a lot when we go out and respond to these types of events.


Yeah, I wanted to highlight a couple of these because while these are kind of the main things that we think about when there's a data incident, there's a lot of subcategories, particularly when you think about a loss of money. It could be a ransom payment. That's a loss of money to the business. It could be a wire fraud transfer incident where money is being sent to the wrong person, or a threat actor.


Because of wire fraud, or wire instructions were changed. It could be loss of money in relation to having to pay vendors, such as us, when you're responding to an incident; litigation later on; if you have to settle; enforcement actions with regulators. So there's a lot of things packed into these areas and a lot of costs associated with an incident.


And then also, I wanted to talk about loss of data, because we typically think of a data incident, we think of personal information being lost. But there are so many other types of data that businesses are concerned with. We see, you know, companies, for example, in the wire fraud that I mentioned, you may not necessarily think that accounts payable or accounts receivable information is something to be protected as much as personal information.


But a threat actor might find that very valuable because they could get into the middle of a transaction and then change the course of the money. And then also from a loss of data, proprietary information for the company. Again, not personal information, but information you wouldn't want to come out, maybe forecasts for the next year and things like that.


And so there are a lot of different risks depending on the data. And for a lot of this, yes, we will focus on personal information, because that's where a lot of the laws and the regulations require notice and there is enforcement. But there's also a lot of other types of data that companies have to think about.


And I'll add operational data to that too. Say you've got, yeah, you need to be able to send your bills out. If you can't send your bills, you don't get paid, and if you don't get paid you can't continue to do business. So, you know, being able to make payroll, for another example.


Right. You get that basic information about your employees and how many hours they worked. You know, anybody remembers that Kronos breach from a couple of years ago. But there's a lot of different situations that can result in problems if you don't have the data you need on a day to day basis.


Yeah. And Bart, I would add to that, we've been doing penetration testing for over 20 years, right? Where we put on our hacker hat and we go out and, you know, identify vulnerabilities, all that sort of stuff. And for years, probably ten, 15 years ago, we would look to get what we call domain admin access, right?


The keys to the kingdom. The problem with that was that it really didn't translate to overall impact, especially to management, the C-suite, things like that. So we kind of changed our approach a little bit to say what data matters to you, and you've listed a bunch of them. I would throw intellectual property in there, especially for technology companies.


So we started to target specific pieces of data or access to specific applications or systems, things like that. And then about 4 or 5 years ago, based upon the threat landscape, we had our first request from a client to say, okay, I know you can get to the data you do every year. It's great that we demonstrate that.


It's great that we know where those vulnerabilities are. But I've got three different offline data systems, applications, which I do my data backups with, and I know the attackers now are targeting the data and then also trying to encrypt the backups. Are you able to get read/write access to any of those three systems? Right. And at the end of that particular engagement, we were able to demonstrate that out of the three, we were able to get admin access to two of them, which then allowed them to respond and proactively increase their level of security with regards to making those data backups immutable.


Yeah, data backups are critical. So I wanted to see, I know you're probably looking at this slide, maybe glazing over because everybody has slides. But there's some unusual things, particularly the last bullet point and the photo. And I thought I'd let Chris kind of explain. Yeah. So the last bullet there is somewhat interesting. Right. I will give a hint, but open it up to the audience to see if anybody can figure it out: it's an anagram.


Usually we get someone out in the audience that can kind of figure it out.


But in cheating, they don't go away. So it is an anagram, and it spells a very common term that you're probably going to hear 100 times here over the next day or two. Anybody be able to put the puzzle together?


I guess what I'm thinking like at one point is, not only is the fact that your organization spread to others, it very similar as far as what they do on a day to day basis, maybe have one of the safest generation. They don't have a lot of say for infrastructure. So I mean, just that term, I suppose if I got it then you can get it.


Yeah, that's a really good way to look at it. Spreads. It's actually an anagram of artificial intelligence. So all of those letters, we actually put up what are anagrams of artificial intelligence into ChatGPT. And that is the one that it came out with. It's not right, but it's not right. It's not right. So the other thing is, I promise you, on the right side of the screen, we can spell.


We actually had ChatGPT pull together everything that can go wrong and the impacts. And that is the picture that it provided us. So pretty interesting. We're going to talk a little bit about AI on the next slide and how it's being used. And I'll go ahead and get things started here. It's being used on both sides of the fence.


So for the red team as well as the blue team, in today's world, certainly when we go out and respond to events, we leverage AI for a lot of what we do. Right. And you just can't not have that in your toolset in this day and age. But on the other side of the fence, the attackers certainly as well are using AI.


So for years and years, phishing was probably the most common way that these attackers were able to get in. We'll get the slide going. There we go. And usually it was the very well-financed cells that had the ability to craft the most believable emails from a phishing perspective to entice people to click on links and do things that they shouldn't, right.


But now with the tool sets like ChatGPT and some of the others that are out there, it's relatively easy for just about anyone to create one of those emails that is way more believable than our friend, the Prince of Nigeria. That was my retirement plan for a number of years. It didn't work out well for me.


But it's relatively easy for those attackers to kind of upskill and really be more enticing, and harder for your employees to pick out and spot where those phishing emails come from. And they are still falling for phishing emails. We're dealing with the data center now, and there's all kinds of things. I mean, this is the importance of sort of ongoing AI governance.


You hear things all the time, in terms of, you know, horror stories. And one thing I heard yesterday was a tactic I hadn't thought about. But, you know, AI looks at every single piece of text. Of course, when it looks at it, it's not constrained by font size or where something is. So you can imagine somebody could pretty easily insert instructions into a document that maybe somebody is going to use or scan, that we don't notice because it's written in, like, a font of, you know, .01, and white.


Right. Like, on the page. Right. That could be sort of scanned by the AI and used. Anyway, just ever evolving, ever evolving tricks and issues. And then of course, there's the inadvertent disclosure risk as well, when people start to use AI a little loosely. And so, you know, we talked a little bit about the costs, monetary costs, but we wanted to also highlight different costs that sometimes, again, you think about during an incident.


But a lot of these costs occur after an incident has occurred, again, months and years later. And I wanted to highlight a couple of them. The first one, corporate relationships: oftentimes, particularly in business email compromise situations, we come in as the attorneys and we help try to negotiate the payment, where it went, who's responsible, and trying to come together to keep companies continuing doing business because they may have a project that they're still doing together.


One may be a vendor of another. And so the ongoing business relationship is really important, but there's maybe a couple million dollars that went to a threat actor, went to the wrong person. That's a lot of money still. And so there's a lot of things to think about and some very specific and sophisticated conversations that have to happen with those companies.


And then another one I wanted to point out are the enforcement actions, and fines and things like that. With the number of breaches, as you can imagine, there's been a lot of focus from the regulators, particularly on breaches that have personal information involved. And so those fines are getting increasingly more hefty. We have to notify regulators of an incident, again, when personal information is involved, depending on the regulator.


But they're becoming a lot more sophisticated. And the questions that they ask: they want to see your incident response plan. They want to know how you handled the breach. And if you don't provide a response that they're expecting to see, then you might be getting some more detailed investigation and/or a fine or a penalty. And so I just wanted to highlight a couple of those.


Yeah. And then let me emphasize that a little bit too. So you're on the North Carolina Attorney General's website doing what you have to do, like Haley says, you put in all the information about your breach. You upload your notice letter. This is the notice that we sent. They might ask you, like, have you notified the consumer reporting agencies if you've got a lot of people.


Right. But then they're going to ask you, like Haley is saying, too, very specific questions. And it's not like, well, we didn't have a contract with that vendor, but nobody's really going to ask that question. Hopefully. Like, somebody is probably going to ask you that question, like one of these attorneys general. So, you know, we'll talk about this a little bit more later.


But it's worth noting this is not the old days when maybe you had to notify 2 or 3 AGs, and all they really wanted was a copy of your notice letter. That's not today. And one thing that I've been seeing here over the past couple of years: I work for Crowe. It's a top ten CPA firm.


So, certainly have a lot of business in the audit space. And I will say, up until a couple of years ago, I got my first phone call from one of the audit partners, who never want to talk to the IT or cyber folks. Right. They have no reason to talk to us. But got a call and said, hey, I have a client that I'm doing the external audit for on the financials, and they had a ransomware incident and it hit their accounting system, and maybe it was down a month, maybe it was down two months, maybe they had to go back a month or a few weeks to get to the data backups where they were clean. How do I rely on this data in order just to complete my external audit of the financials? So that was the first call I got. And I think our team has handled now five of them this year alone in terms of when we go through that April, May, June, filing taxes period of time.


I just know that those questions are going to come from our clients that have experienced a breach. So something you may not think of, certainly short term, is going to have an impact on ancillary items that you probably never thought of long term. I mean, we were dealing with a very similar situation where there was a health care company that was involved in a breach.


And thankfully, their patient records were not as impacted, but their financial records were impacted. And when the breach happened, it was very immediate. They couldn't be paid. They couldn't receive payments. They didn't know who owed what. And they are still dealing with that two and a half years later because they can't recreate their financial statements if they're ever audited by the federal government or, you know, insurance companies.


And so it has long term impacts. And so think about having backups in place, and that your vendors have backups in place. This just happened to be a vendor incident. The vendor held the data and the vendor did not have good backups. They thought they did. They moved on, tried to recreate the data from the backups, and it just didn't come together.


So let me ask one quick question. Does anybody know what the first thing is, and I'm pretty sure Haley would say this, that you should do in a business email compromise? So somebody says, hey, wait, we just wire transferred, you know, $2 million to somebody, not the person that was supposed to get it, right. What do you think?



What should you do? Call your lawyer is a good thing. But what else? Sorry. Pardon me. I like the SOC. Yeah, internally. Internally. What should somebody do? What? What's that? Treasury. Treasury's good. Yep. Law enforcement. Getting closer to what I'm thinking of. Yes. We'll have the CFO determine if it's material. Well, you have to determine materiality.


That's right, that's right. If you can't stretch, if you can't get it back. But what's your best shot at trying to get it back?


You call the bank. And the way that, the shortcut to all this, I'm going to bring this up, is the FBI has this IC3 form. Right. And the IC3 has built into it a kill chain, right. So if you immediately notify the FBI through the IC3 and, you know, it's enough money, hopefully, or part of a pattern.


Right. You should still do it, even if it's a lot of money. It might be part of a bigger pattern. Then, in all likelihood, there's going to be a kill chain initiative. And you want that to happen as soon as possible, right? And they're the ones that can do it the most quickly.


And then you do all that other stuff you just said, as long as you go along with it. But the first thing that we do is we file the IC3, and then give it to your bank, because that's almost an attestation saying this was fraud, because a lot of times with banks, we get our clients to say, well, the bank doesn't know and they're not doing anything about it.


Why don't you give them that FBI report, the IC3 report? That stops them from forwarding on the money, from transferring on the money, and it starts a lot of different protocols. Yeah, it turns out it's not cool to lie to the government. So the idea is that if you've gone to the trouble to file an IC3 form and you stand behind that, that in itself carries a lot of weight.


When you give it to a bank or somebody else, there's a time period from when the wire was initiated to the wire. Yeah. They can sometimes get it, exactly, exactly.


Can we advance to the next slide? Hey Bart, while we're advancing to the next slide, is there usually a time period in which you say, hey, okay, there's a reasonable chance we're going to stop this or kill this particular wire, versus kind of a cut off to say, yeah, you're probably not going to get that back, in your experience?


You know, it varies. You know, typically if you act right away, you have a decent shot. And if you don't, you don't. But, you know, these things actually do happen, you know, the Wednesday before Thanksgiving or Friday evening, as you know, like all the threat actors, there's no coincidence in that. So sometimes, you know, you might be able to catch something if it was the Wednesday before Thanksgiving and it's towards the end of the next week, because the bank was slow-pedaling it because something about it was suspicious.


So, you know, I would never tell somebody not to give it a shot. I also wouldn't count on it coming back, you know. It's sort of like we kind of just say, let's definitely do that, and then move forward with addressing the situation, you know. Perfect. So let's talk a little bit about what the threat actors are doing.


You see on the top of the screen, they're out in the job market looking for talent. Remote work is available for talented individuals. So it's not just our companies that are honest and forthright that are out there looking for talent in this space. They are also actively recruiting individuals to come help them work with their cells.


The other thing to mention from this slide is they're going to great lengths to get access, nontraditional lengths to get access, to be quite honest. At the bottom right, Igor flew to the US to bribe a particular employee $1 million just to insert a USB into their work station in order to procure access. So the days of 5 or 10 years ago, where it strictly was fingers to keyboard and targeting companies in that manner, they're gone.


Right. They are going to great lengths because this is a business for them. And we talked about this earlier. We're going to start some sort of a clearance program where you can, like, certify that you're actually a criminal and have a better chance of getting one of these jobs. The other item to note, one of the more recent things that's popped up that I've seen, just probably a couple months ago: one of my clients received a U.S. Postal Service package that basically was a sheet of paper printed out with demands on it, saying that they had their data and that they were going to release it to the public, blah, blah, blah, blah, blah. I'd never seen that before. It was something definitely new for our team. Now, over the course of the investigation, it was determined that that was fraudulent, that they didn't actually have access to any of the data. But these attackers are getting creative and throwing a lot of stuff up on the wall just to see if it sticks.


Can we go to the next slide, please?


So let's talk a little bit about the evolution of ransomware, because it is one of the greatest threats that we face. And so if we go back ten years ago, it was really, hey, can I get access to the data? Can I lock it out? And then can I hopefully get paid? The cat and mouse game between the red and the blue teams always is.


This is an evolving thing. So we said, okay, let's make sure we have good data backups. Let's make sure they're immutable. Let's make sure that if we need to go to those backups, we can restore. And then we don't have to pay. Well, as I mentioned from our previous penetration testing, the attackers then pivoted to say, okay, I want to encrypt the data, but I also want to encrypt the backups; more likely to get paid.


This is a business, right? From there, we kind of shored the controls up on that side, and they moved to things like extortion. Right. Which is pretty common in this day and age. One of the things that we're seeing from a lot of these cells, maybe the unethical ones, you could argue that they are all unethical, is now they're getting to the point where recently we've seen harassment of individuals at the company.


So you can expect your employees to get phone calls from the attacker saying, hey, you've been breached, blah, blah, blah, blah, blah. You need to prepare your employees for those phone calls. But probably the worst thing we've heard of here recently is some of the bad actors actually calling the children of the CFO, the CEO, and harassing them into trying to coerce their parents to pay the ransom.


So it's getting bad out there. I mean, when it goes into those types of areas, and this is something we've just started to see, like I said, over the past couple months, I imagine it's going to get even worse than that, because five, ten years ago I didn't envision a day in which I would hear that story.


And unfortunately, it's happening. And like Chris says, it has definitely evolved into the point he's making, too, about the backups. And like, people, you know, companies largely do have better backups today. Right? So the ransom that's being paid often is not to restore applications and data, which the companies can often do on their own.


Not always, but often it's not. It's about the data. And in some sense, you know, it depends on who you're dealing with. I think the character, that's why you always want to, you know, have a professional negotiator who negotiates with criminals all day long working with you, because they want SegWit, because they can kind of tell you what to expect.


And, you know, so we've gone from kind of like large syndicates to sort of more rogue outfits. And then today we're seeing some lone wolves, because it's very easy to get the technology. And lone wolf can be good or bad, right? Sometimes they don't know what they've gotten, so it's cheaper to pay them off. But there's always that moment when you pay, right?


You're like, holding your breath, because they could just go away. There's no contract, there's no recourse. You can't, like, find them later and beat them up. Like, you know, there's that moment where you're like, go buy pay. Right? And then they're like, are we going to get the key, or are we going to get the data?


It is a dark web after that. And then you do need another credential. We need to work on the honor among thieves credential, for integrity. But your negotiators, again, will sort of know that too. That's why, you know, given the choice, I'd probably rather be dealing with a known commodity, because that known commodity's got to, you know, face the negotiators and the insurance companies and the lawyers and whatnot.


Again, yeah, you mentioned honor among thieves. And there are reports going back a few years where there were folks that were paying the ransom and not getting the key back, and a lot of the cells went to target those individuals that kind of broke the code of honor, because it ultimately breaks their business model: if that word gets out there that I paid and I don't get the key, their business model completely breaks.


So they are doing a little bit of self-policing around that particular topic. Yes. Can we go to the next slide, please? Oh, one thing we were going to say on this last slide, you'll need to go back to the one, just to sort of keep in mind: all those bad things can happen to your business, or they can happen to the business of your service provider or vendor, right.


So kind of, you know, you have to always have both hats on: what if this happens to me? But then also, what if this happens to my key service provider, right. Just food for thought as we go along. Or your critical IT provider. Yeah, exactly. Your MSP. Yeah, exactly. Bummer, right.


Yeah. Yeah. The next one. So you know, we've been talking a lot about incidents. They're obviously going to happen. It's just kind of a matter of when and to what extent they're going to impact the company. And so we wanted to focus now on how do you mitigate some of that risk, thinking about pre-incident. What can you do pre-incident, and what can you maybe do post-incident?


Learn from. But the things we wanted to focus on here are, again, as Bart mentioned, your vendors, your key vendors. And because we're the lawyers, we're always looking at the contract. So if there's ever an incident, we're always asking, where's the contract with the vendor that had the incident, and what are the terms in there? What does it allow us to do contractually?


Can we ask for the incident report? Can we ask them to do certain things, you know, protect our data in X, Y and Z way? Did we have specific terms in there? I mean, most of the time when we're pulling up the contract and it's an incident, it's not usually a good thing, unfortunately. Sometimes the contracts are good, but a lot of times they're missing those key things.


So think about what you need in your contract beforehand, depending on the criticality of the vendor. And also, you know, previously we, as you know, lawyers have always put in "have reasonable security measures." A lot of times that's not sufficient anymore. You need to be more specific about describing what security measures you expect for your provider to have in place, if you expect them to abide by a certain framework.


And having that all set forth, and you will get pushback. And then unfortunately, some contracts you are not going to be able to negotiate. And then you have to internalize that risk and figure out how do you maybe internally mitigate it or just address it internally, because there's going to have to be some risk accepted as is. Bart can talk more about the risk allocation between the parties.


Yeah. I mean, that's right. Because if you say nothing, it's just going to kind of be a free-for-all, right. You're just going to throw it up, and the data may not even be confidential. This is going back a few years. But I remember an incident, there was a helpdesk incident, and the helpdesk operator or, you know, provider configured their ticketing system wrong. And everything was available on the internet. Right. Like I said, we obviously complained about that on behalf of our client, but the response was, like, we don't have a contract with you. Like, this isn't even confidential as far as you're concerned. And, you know, back then, it was a few years ago, it was harder to find a law saying you had to protect personal information, basically.


So, you know, you need to clearly think about how you're going to allocate. And then, like Haley says, you've got to deal with your risks. If your risk is, well, they'll have all of our data and we can't operate without it, then you've got to think about your backups. Right. And how quickly those are put in place, and whether it's tested and, you know, sort of air-gapped or, you know, immutable or whatever the correct current technology is for that. But you've got to have the right systems in place, or you've got to, you know, limit access or segment your data, and there are a number of things you can do, of course, on your end. And then, of course, insurance plays a role too, and insurance feeds right into that, because if you don't have the appropriate security in place, you don't have the contract with the vendors, you don't have, sort of, you know, your policies and procedures and plans, you're going to have a hard time getting cyber insurance, or it's going to be expensive, or you're going to get it and then you're going to be in jeopardy if you ever have to use it, because they start asking questions, and it may be that they would take the position that you didn't fully disclose.


what kind of cybersecurity measures you had in place when they wrote the policy to begin with. Yeah. And one of the things we've seen in the past 18 months: going back five, ten years, we started to see an increase in need for third-party risk management. Right. You talk about, I'm shipping a lot of confidential data to vendor X, so I need to make sure that they have the controls in place.


We all get those surveys, right, that say, please document your controls, to get that level of comfort to say, okay, this company is reasonably securing my data. Well, now that's evolved to the availability side of the CIA triad, right? I count on this vendor; they're there, and they're going to be there 24/7.


But we all know that's not the case in today's world. So those third-party risk management programs have started to evolve to say, okay, from a business resilience, from a business continuity perspective, I need to be doing due diligence to make sure that that payment processor, that vendor, that SaaS platform that I rely on, that they have addressed the availability side.


We see requests for tabletop tests, copies of business continuity plans, things like that, to make sure that that component of the CIA triad is being addressed. Yeah. And to the point about what is your contractual obligation with the vendor: what do you have in place? What are the security safeguards? That is very helpful for the story when there is an incident and your lawyers are becoming involved, telling a story to the regulator.


Or, for example, I was on a call yesterday where there is litigation that has resulted from the incident. We handled the incident response. Now there are additional lawyers that are handling the litigation, and they ask all of the questions that we've been talking about today. Do you have a contract in place with this vendor that had the incident that allowed the threat actor to get into your data?


What kind of security measures do you have in place? Did you have more than just a firewall? Did you have any kind of vulnerability management? Being able to have those stories and being able to explain what the security measures were is a lot better than saying we didn't really have anything in place, even in litigation, because there's going to be litigation about whose job it was to protect the data, and did they adequately meet that obligation.


Yeah. I mean, I think a couple of just fundamentals here. One is the IR, right, incident response. There are two things you're kind of judged on. One is how did you respond. Right. Did you sit on it for six months, or were you forthcoming? Were you sneaky? Did you speak before you actually understood and knew the facts?


Did you just generally do a poor job of communicating and dealing and following the law and best practices in responding? But there's also, on the front end, like Kelly says, you'll be asked, and you don't automatically go to jail because you had a data breach, right? Or have to pay a huge fine.


So the idea is, was there a failure of reasonable security, and what does that mean? And then the other thing I think is worth unpacking, just for me. I know you're all cybersecurity professionals, but I want to talk about CIA for just a minute: confidentiality, integrity and availability. So, as lawyers, we could act, right?


Security. What I mean is confidentiality, integrity and availability. Right. So sometimes I assume that; it's maybe not fair to do that. Or I'll say confidentiality, integrity and security, and I'm like, what is that? But the thing is that confidentiality is kind of where we started, like Chris was saying. Integrity,


come back to that for just a second. But availability is the resilience point: having it and being able to count on it being there. You can make your payroll, you can send your bills, you can run your e-commerce platform, whatever you need to do. But integrity, I think, is something to keep in mind, because that's AI.


Right. That's where we live today. It's lots of other things too. But if you have bad data, that sucks too, right? So those three prongs, from a security perspective, are worth always keeping in mind. Yeah. Can we go to the next slide, please?


And so we have a couple more slides left, and I know we're getting short on time, so we might start running through these. But we did want to highlight when there is an incident, and say it's an incident involving a vendor, particularly because, honestly, that's what we see a lot of these days.


The interests of the service provider or vendor are going to be very different from the interests of your business. These are just highlighting a couple of the different things. Their investigation may be more about containment, trying to get an understanding of what the threat actor is doing. Their advice, and whether they are privileged, will be different, because they may have their own set of lawyers that come in.


They may have their own forensic team that comes in to investigate the incident, and there may be privilege over certain discussions that are had. And then also their focus is on containment, keeping the lights on, continuing forward. Whereas as the company, if it's your data involved, then you're focused on who am I going to have to provide notice to, the investigation.


You're looking more at maybe what is the provider? What did they miss? What did they not do? Where are the gaps? And so there are some very different interests at play. And I will say it could lead to some very tense discussions, particularly when there are lawyers on both sides, there are forensics teams on both sides.


And it's just some things to think about when you're in the middle or you're preparing for an incident. How are you going to respond? Next slide, please. And this is a lot of words, but these are just a few of the frameworks that we wanted to put up. Frameworks, standards, things that we look at, obviously depending on the type of breach or the type of security that needs to be in place.


So again. Yeah. And you can see this in contracts sometimes too: people list out 100 standards, or it's kind of impossible to comply with them. But we were talking about this a little bit earlier that, if you have a good framework, some framework, and you're looking to keep and maintain and implement solid security, and some really critical things, and Chris can do this better than me, but like MFA. If you don't have MFA, why not?


Right. Because if you do encryption, if that data is not encrypted, why not? Maybe it needs to be encrypted. But it doesn't need to be encrypted, but probably should be if you don't have a good reason why not. Right. Then, a vulnerability management plan. If you don't have a plan, that's going to suck, right?


When you didn't patch something and it caused something to go very wrong, or there's a zero day and you're not even up on that when that comes out. If you don't have an information security program that's got some basic things in it, and some sort of tabletop and a plan for that, as you go along, like the contracts with vendors, there are some essential things you need to have in place.


And then you're going to probably have to comply with, or you're going to voluntarily align with, some of these standards, either because that's what you do internally as a matter of security or because it's imposed on you by law or by contract. Yeah. And one thing that I would say our more mature clients are doing is they kind of learned their lesson from data privacy.


Right? GDPR came out first, and everyone went out and slapped a Band-Aid on that one. Well, then Canada, California, now all the states have theirs. And the more mature companies said, man, that was painful. Right. And so this slide is going to get more complex as we go throughout time, as we travel on our journey. And they're saying, okay, let's not take that Band-Aid approach to the cyber controls.


Let's take a step back and strategically look at how we can comply with all of these requirements. I test for SOC 2 and Sarbanes, and I want to use the CSF for my framework. How do I test once and then make the control owner's life much easier, because I can map across different frameworks, regulations, requirements, things like that.


So taking that strategic approach is only going to help you be more efficient and effective as this landscape changes. And one other thing to do just quickly on that: this is different for OT versus IT to a certain extent, right? That's only sort of in the last, I don't know, 5 or 6 years, or maybe since the pipeline incidents or whatever.


But it's a real thing, right? Controlling your operational technology is increasingly important as the threat actors look for more and more things to do to mess with people. There's no reason not to screw with their operations as much as you screw with their data, right? Yeah.


And I don't want you to think that this is all of them, because there's a lot that we didn't include, for example, NERC CIP. But yeah, this is just a smattering of what's out there right now. Next slide, please. So we'll cover this one pretty quick. Wanted to give you kind of the story of what we do as attackers during our internal penetration assessment.


And it really is like putting a puzzle together, right? I start with nothing, and I get little pieces of information here and there, and I start to put that puzzle together to ultimately get to the center of the Tootsie Pop there, which is, how do I get access to the money? How do I get access to critical data?


How do I get access to critical applications? But as you mentioned, I would say the top three things that make our life very difficult when it comes to putting those puzzle pieces together. Number one would be network segmentation. If I can't touch it, I can't hack it. Right. It's quite that simple. We've had clients go to extreme lengths to say, hey, from an end user VLAN, one node on the network, you're only going to see 25 ports open, whereas usually there are thousands, right?


Number two, passwords and MFA. Right? Those are still, in 2025, Password123. Are you kidding me? Come on. Not in this day and age. And the third one is organizations can't eliminate risk. Right. So there are going to be known exposures out there. It's how you mitigate that risk. A real quick, easy example: I've got a legacy system that I can't patch.


Let's make sure that the local administrator password for that particular system isn't reused on 50 other systems, because with that one piece of information I just got, I put that puzzle together, I now have 50 systems, 100 systems, whatever the case might be, and I am on my way to gaining significant access to your organization. So when you have those known exposures out there, making sure that you're reducing that risk to an acceptable level and putting those mitigating controls in place where possible really helps eliminate a lot of the pieces of the puzzle as we're putting it together to ultimately get to the money


there. Yeah. And a company like the Equifax breach was not necessarily so remarkable in that somebody got into an Equifax system. What was remarkable about that is that they could then access hundreds of millions of people's Social Security. It was a data segmentation issue, in my view, and I think most people's view, the take on it.


And then the last thing I'll do is more IT than I should do, but this concept I think that you're talking about at the end is separation of duties, right? You shouldn't be using a full-blown admin access account to read your email, right? There should be specific uses for specific privileged access, as you go along.


Next slide, please. I think a lot of this we've kind of gone over, and I know we don't have a lot of time left, so I just wanted to touch on a couple of different things. And one of the things is discussed here a little bit with the IR documentation, but it's having a WISP, having a plan in place, because we will be asked about that in the event of a data incident.


And so, to what Chris is mentioning, there are a lot of different standards, there are a lot of different frameworks. Putting all of those together in buckets, using where there are similarities: access controls, most of them have access controls; most of them have password and MFA requirements. Now we're starting to see the level of involvement of your C-suite, of your board level, particularly if you're publicly traded.


But even if you're not, they want there to be a say in what happens, and that you keep them informed of the data incident. So there are a lot of similarities. And having a WISP in place that covers your program, your information program, including incident response, is very critical. I don't know how to stress that enough.


And to segue into the next slide: know a good technologist, because they can help you with the next, the following. And at the bottom of this slide, know a good lawyer. All right. I was doing a tabletop with a client, and I know we're running out of time here, just a couple of weeks ago. And I said, hey, so this happens. First call is to the insurance company, and they're going to set me up with a lawyer and an incident forensics firm.


And I kind of challenged that a little bit to say, hey, you've got X vendor in here. They're on that insurance company's panel. Why would you not just have them on speed dial, or a lawyer that you know and that you've worked with on speed dial, as opposed to relying on the insurance company to pick those pieces of the puzzle?


They're going to be critical in the response, right? So if you don't have that retainer with the firms, both on the legal side as well as the technologist side, it's something that you probably want to handle beforehand, because relying on the insurance company to make those choices sometimes isn't the best means. So I think we can probably hang around for questions, but I think I've been hanging around.


We've run out of time, so we appreciate everyone's time. Thank you so much.
