Recently, Critical Insight’s CISO Mike Hamilton spoke on an expert panel at the inaugural gathering of the Cybersecurity Legal Institute at the University of South Carolina School of Law.
Mike joined national cybersecurity and privacy experts from across all industries sharing their experiences and insights on the rapidly evolving cyber threat landscape, emerging technologies, risk management best practices, preparedness, and resilience strategies.
Related article: Learn how law firms are addressing these 5 cybersecurity issues in their industry.
In this video, Mike explained the top three outcomes to avoid when developing and maintaining cybersecurity programs: unauthorized disclosure, theft and extortion, and service disruption.
On Summarizing Risk into the 3 Outcomes to Avoid for Your Organization:
“There are three things that go wrong, and you can really package it this way.” (00:55)
On Ransomware:
On Using the Risk Expression to Manage Cybersecurity Risk:
On the Need for Monitoring the Network for Unusual Activity:
On Protective Controls and Preventing Human Error:
On Having a Plan to Put Out the Little Fires
Read on for the full transcript below.
The 3 Things Outcomes to Avoid
Good morning everyone… check, check… should never give the drummer a microphone. My name is Mike Hamilton, I am the founder of a company, Critical Insight. We kick the bad guys out of computer networks.
I was a policy advisor for Governor Inslee in Washington state, I was a vice-chair of the state, local, tribal, and territorial government coordinating council for Homeland Security. I was the chief of information security for the city of Seattle for about eight years. I was the managing consultant for Verisign's global security consulting, and I'm a drummer in a punk band in a blue-collar shipyard town, so buckle up.
I'm going to try and demystify things here and take these away from scary cyber Russian buffer overflow SQL injection. I've briefed a lot of attorneys. In fact, we have some pretty big law firms that are clients, and elected officials, senators, etc.
There's an unauthorized disclosure of protected records. The dreaded records breach, the thing that everybody thinks is the worst thing in the world. And there's a cost associated with that, it's about $200 a record unless you're in the health sector, it's about $400 a record.
Theft and Extortion
There's theft and extortion. There was a session on business email compromise. That's theft. I'm fooling you into sending me money. Here's an invoice from somebody you never know to pay it. Do a wire transfer, etc.
Extortion, there's a session on ransomware. Ransomware is another one of the dumb words that we have in our business. It's extortion, that's what it is. It's not ransomware. It's not identity theft. It's fraud.
Service Disruption
So, unauthorized disclosure of records, theft and extortion, and the last one is service disruption. So if your service is a maritime port, and you're moving trillions of dollars of goods in and out of the country, disrupting that operation has an immediate financial impact on the entire United States.
And I know this because back in my state, I'm going to be on a flight back to Seattle here in a couple of hours, we had a longshore slowdown, and it took about 24 hours across the country for that to be felt.
So my point here is, you can package things that go wrong very simply into these three things. There are costs associated with every one of these, and when you turn the conversation away from scary Russian cyber stuff to dollar amounts of liability, you start to have the real conversation you want to have.
Cybersecurity and Risk Management
So, we're talking a little bit about managing risk. Risk has two parts: the likelihood of a bad thing happening, and the impact of that thing happening. That's what the risk expression is... it's that simple.
Buying down the risk in the likelihood that something bad will happen is done through preventive controls: firewalls, anti-virus, URL filtering, email security, employee training, vulnerability management ... that's all trying to make something not happen, and it will never, ever drive the probability of that event to zero, ever.
And I know this because part of our company is consulting, and we do penetration testing, and we always win, we always get in. We get into your hospital, we get into your bank. Doesn't matter. What's that tell you? You're secure until your ticket is punched, and then you deal with the other term, the impact.
Monitor the Network to Reduce the Impact
So if you're watching that network, and Mark made this point, and you're a managed service provider, you're watching that network. If your wire transfer system is talking to Ukraine, you should probably know that, and you should probably take immediate action.
So if the impact of that ... because people are going to be people. Doesn't matter what controls you put in place, there is no firewall for stupid, and there never, ever will be. Somebody's going to do something. I'll get you to bite on bait, I'll throw USB sticks into your parking lot. It's not that hard.
That impact can be the help desk cleaned up a workstation, or that impact can be ... the FBI just called, and all of our records are for sale online on the dark web. You get to choose which one of those.
Put Out the Little Fire Before the House Burns Down
So, my point here is, this is more easily packaged than all of the media and the spookery would lead you to believe. It has to do with money, not bits and bites. And there are two things you need to worry about, making something less likely to happen, but being prepared that when it happens, you got a plan, and you put out the little fire before the house burns down. And I look forward to a great conversation too. Thank you.
The University of South Carolina Cybersecurity Legal Institute is a one-day conference sponsored by the law school’s nationally renowned Cybersecurity Task Force and co-sponsored by the Federal Bureau of Investigation. Business executives, lawyers, law students, legal professionals, CISOs, government officials, academia and others responsible for protecting their organization’s security infrastructure and sensitive information attended this year’s inaugural event on April 4th, 2019, to share best practices on cyber.