While announcing the topics at the first session of the 2021 Iowa Technology Roadshow, the host read “cybersecurity” and then looked around the room. “Everyone just got out their pen and paper,” she noted. Pratum gets that a lot these days. Every on-task business leader is looking for answers to the run of ransomware attacks pressing down on the summer of 2021 like a heat wave.
To help leaders navigate of-the-moment changes in the tech landscape, the Technology Association of Iowa hosted five days of presentations across the state in late June. Pratum Founder and CEO Dave Nelson joined each day’s discussion with other tech leaders to talk solutions for business interruptions, securing employee data access and dealing with the hackers knocking on your system’s door every day. Here are top takeaways from the roadshow’s kickoff panel.
On the first morning, Dave drew attention to two frequently neglected elements in the classic cybersecurity pillars of confidentiality, integrity and availability. Most cybersecurity conversations fixate on confidentiality. But overlooking integrity and availability could leave you in a tough spot when a breach occurs.
Data integrity ensures that information you access tomorrow is exactly the same as it was when you accessed it yesterday. Dave used the example of a nurse administering medication. “You have to guarantee that the data about how that medication was administered in the past is completely accurate so that you can make sure the dose you’re about to give is accurate.”
Recent ransomware headlines illustrate the critical role of data availability. “I can guarantee that your data remains confidential if I put your server in a hole in the ground and pour concrete over it,” Dave said. “No one’s going to get to that information—including you.” Safe, but not realistic. In the Colonial Pipeline ransomware attack, a lack of data availability meant Colonial shut down for several days, cutting off much of the East Coast’s gasoline supply.
But your data backups will save the day, right? Maybe eventually, Dave warned the roadshow audience. But are you positive that you can quickly restore everything you need from backup? And what is “quickly” in the case of your business? What if it takes a week or two weeks to restore your critical systems? “Now you’re scrambling to run your business,” Dave said. “How will you do payroll? Will you back up a Brinks truck and pay everyone in cash? How do you pay vendors? How do you track inventory and raw materials?”
To be truly confident in your backup strategy, you’ll need a written incident response plan and enough test runs to confirm that you can restore your systems in an acceptable timeframe.
How fast is fast enough for restoring data? “You can’t answer that without looking at what’s going to happen to your business,” Dave said. “Cybersecurity is not just a technology problem. It’s a business problem. If you take one thing from today, look at security from a risk-based perspective. Don’t just throw technology at it.”
Sticking with the theme of supporting good technology with good policies, Dave told the audience that much of your risk may be a relatively simple matter of giving too much access to too many people. Reduce everyone’s access to only what they absolutely need to do their jobs, and you’ve just limited what’s exposed to a dishonest employee or a hacker who gets the credentials of an honest one. “All of a sudden, you solved a big part of your problem without spending any money,” Dave said.
This scenario applies even to the titans of classified information. Consider the case of the National Security Agency, which controls data at a level most of us can’t dream of. And yet one person—Edward Snowden—invalidated a giant swath of the agency’s expenditures on securing data.
Panelist Laura Smith, CIO of UnityPoint Health, urged the audience to understand that their organization is under siege by hackers. “Even if you think you aren’t being attacked, you are,” she said. “So assume you’re being attacked and figure out how to mitigate it.”
Laura noted that her healthcare organization sees literally millions of threats a day across its large system. The massive volume of threats stopped by firewalls and by e-mail filtering reveals the scope of the threats. Hackers use automated tools to constantly scan the Internet looking for vulnerable systems. When they find an opening, they may attack with ransomware without even knowing what kind of data they’ve locked up. Don’t think you’re safe just because you don’t consider your information valuable enough to attract a hacker’s interest.
Laura acknowledged that securing all of your data at the same level isn’t realistic or even necessary. Her organization looks at every business process on a spectrum of acceptable risk. “On one end, we say we’re taking no risk when it comes to delivering patient care, so we invest a lot there. There are other things where it’s a less critical business process, so we don’t invest as much there.” Her team analyzes every process to assign the proper mitigation within a variable risk range.
Laura also touched on how to win support for cybersecurity investments from executives who must constantly choose among competing budget requests. For starters, make sure you’re relying on a widely accepted framework such as NIST 800-53 to show that you’re seeking to follow best practices from trusted third-party organizations.
Investing in a third-party information security risk assessment provides a detailed list of your vulnerabilities and the risk associated with each one.
You can also support your case by gathering benchmarks on typical cybersecurity investments for your sector to offer proof that you aren’t keeping up. Organizations such as Gartner and IDC provide annual reports that help guide and support your security budget requests.
For help interpreting all of these industry trends and applying them to your organization’s situation, contact us today.
Cybersecurity conversations filled the halls when 400 Iowa business leaders came together for the first time in two years in early June. New breaches dominated the headlines as the Association for Business and Industry’s Taking Care of Business conference convened. In fact, throughout the gathering, Iowa’s largest community college was shut down while trying to recover from a ransomware attack.
All the breaking breach news put cybersecurity at the front of many minds. It was hard to find a conference attendee who still thought their business is too small or their data too boring to draw a hacker’s interest.
To help leaders across industry sectors understand how to ramp up their organizations’ security posture, Pratum Founder and CEO Dave Nelson joined a panel discussion on best practices for business cybersecurity. Here are key tips highlighted during the discussion.
Dave Nelson: "Get an IT risk assessment. That keeps you from spending so much money on the wrong areas that you don’t have money left for the important ones. If you don’t start with a risk assessment, you’re just throwing darts—and you don’t even know if you’re facing the dartboard."
Brian McCormac: "Map your data. Invariably, you have info you don’t know you have. Businesses are very siloed. HR doesn’t know what marketing has, and legal doesn’t know what anybody has. One company was collecting racial info in Europe, which is a big no-no. Why? They didn’t know. They just said they always have. So pursue a plan for data minimization. Have only the data you need and make it available only to those who must have it."
For help in understanding how any of these areas affects your specific situation, contact Pratum today.
In the last six months, every week seems to bring a major new cybersecurity headline. So when the Secure Iowa Conference returns in person on October 6 after a two-year, pandemic-induced hiatus, one day will barely contain all the updates.
At the event tailored for Iowa’s security, privacy and audit professionals, keynote and breakout speakers will cover:
Pratum has helped organize and sponsor Iowa’s largest information security conference since its inception. Pratum Founder and CEO Dave Nelson helped start the Secure Iowa Conference in 2012 when he served as president of ISSA Des Moines Chapter. So as the conference reached 400 attendees and outgrew the management capacity of ISSA Des Moines’ volunteer board, Pratum was the obvious choice to purchase the event in 2021.
“Pratum is the right team to take the conference to the next level. The company has had a lead role in sponsoring and operating the conference since its beginning. As Pratum fully takes the reins on the conference, our board can focus on creating additional educational opportunities for members.”
Kevin Seuferer, President, ISSA Board of Directors
ISSA will remain involved in the Secure Iowa Conference by:
Returning attendees should note the new location for Secure Iowa: Hy-Vee’s Ron Pearson Center in West Des Moines. After several years in Ankeny, the event moves to the Pearson Center to take advantage of spaces built to handle keynotes, breakouts and exhibits. The 5-year-old venue also provides cutting-edge lighting and presentation systems fitting for the tech-focused conference.