Table of Experts: Creating Culture
The Minneapolis-St. Paul Business Journal held a panel discussion recently on the topic of cybersecurity. Panelists included Joseph Kingland, CEO of Blue Team Alpha; Eric Wilkens, Ph.D., director of cybersecurity at Arvig; Jenna Meeks, cash management specialist at MidCountry Bank; Kyle Hendrickson, director of cybersecurity at Eide Bailly; and Rohit Dhamankar, vice president of product strategy at HelpSystems. Dr. John Ebert, professor and cybersecurity program director at Saint Mary’s University of Minnesota, served as moderator.
John Ebert: What are the more common and serious cybersecurity threats, and how does that impact your cybersecurity programming?
Rohit Dhamankar: The biggest core problem that cybersecurity faces, if one takes a step back, has not changed for years. It has always boiled down to stopping intruders. Further, assuming that some percentage of intruders have gotten in, detecting them as early as possible, reducing the damage they cause, and ensuring sensitive data is safe with relevant compliance needs fulfilled. Why we have not squashed these problems is where the biggest challenge lies. We are seeing an unprecedented revolution of B2B and B2C technologies over the years: cloud, IoTs, electric vehicles, SaaS apps, blockchain. Because security is generally still seen as a cost center, all these technologies may not heavily invest in making them secure from the ground up. When businesses or individuals adopt these technologies for growth and convenience, they add yet another challenge for security in terms of expanded attack surface, more configuration options that need to be learned for security, and more automation and incident response that needs to be readied for these technologies. The situation is that the security problems for long-existing technologies still sit unsolved fully, and there are new issues to take care of introduced by rapid adoption of new technologies. Add to it the fact that threat actors can range from state-sponsored to completely profit driven — who are all constantly investing in defeating any protection technologies. The explosion of known attack surfaces that still need processes and mitigation — new attack surfaces that need learning, visibility, training, processes and mitigation, along with sophisticated hackers — creates a scenario that’s the daunting challenge of all businesses today. The analogy that comes to mind is a rapidly growing population in a poor country. There may hardly be resources to take care of current children, and a constant addition creates an unprecedented strain in the system where every child suffers.
Eric Wilkens: One of the main threats that we’re always concerned about is ultimately ransomware, because of the destructive nature of it. But ransomware normally starts with something around phishing. So it starts with a human and teaching your employees to recognize malicious activity. Ransomware progressed from simply being able to take a system offline and restore the backup to having them exfiltrating data and holding the data ransom and then threatening disclosure.
Joe Kingland: The other significant shift we’re seeing this year is ransomware-as-a-service groups. Business email compromise is one of the most financially damaging online crimes. The FBI identified it as a $43 billion problem this year.
Jenna Meeks: Definitely the most common cybersecurity threat we see in business banking is the email systems being compromised. Typically, that hacker is gaining access as an internal employee. Once those funds are gone, there’s pretty much zero chance that you’re going to get them back. It’s really important to have that dual control setup and multiple options for protection.
Kingland: There are so many things they can do once they have access to an email account, especially if it’s someone in accounts receivable or accounts payable. If money is fraudulently transferred, you can get it back, but you have to move extremely fast. You need to identify it within 24 hours, so you need a plan of who to call. Also, dual-authorization or another method of verifying the account information is a good idea. It seems simple, but so many people don’t do it.
Meeks: We just had a business that received an email from their customer stating that they had an outstanding invoice due, along with the “new” account information where the payment should be sent, so they sent the payment, as this was a customer they work with frequently. They found out a couple of days after the wire was sent that this was a compromised email; they did not have a past-due invoice at all, and their customer had not updated their account number, but the money was already gone.
Kyle Hendrickson: We’ve seen a lot of fraudulent payrolls due to business email compromise as well. People forget about payroll systems as being a good way to move money outside of organizations.
Ebert: Joe, what are some early-onset activities you might be using in your organizations to try to combat email compromise and/or ransomware?
Wilkens: Cybersecurity awareness and training is a big part of it, but it’s not enough anymore to train your users once or twice a year. You need to continuously remind them. Conduct your own phishing tests. Try doing doppelganger-type email addresses where you slightly change the name of your company. Remind users of the importance that they play in protecting the company. Highlight success stories or other things you find in the news where this failed and what it cost.
Hendrickson: We want to look at reducing the blast radius around what can happen when malicious code gets through email filters. Then speaking to ransomware, it makes a lot of sense to think about all the different phases of the attack chains. How do they do privilege escalation, how do they get command and control and move through the network? That gives defenders opportunities to find these malicious actions so we can stop it early, identifying where those touch points are and where we can improve the control structure.
Kingland: You should call and ask for help when you need it. People tend to try and hide or bury these things, but it just festers and gets worse with time. The faster you can suss it out and contain that threat actor or malicious software, the better off you will be. You can’t have a playbook for every little thing out there, but you can have a plan with some generalities and escalation points.
Meeks: On the financial side, businesses can set up account alerts so they can be notified of any odd transactions on the account. If possible, set up dual control, especially when moving funds, or have an internal callback system to know that the person in the email is truly whoever is requesting the funds to be sent. Review your transactions daily; it can be difficult, but it will allow us to return items in a timely manner so you don’t take a loss.
Kingland: The email systems that most people use have controls where you can get notifications for things like forwarding rules or privilege escalation that would indicate that you have somebody in your email. Make sure to turn on notifications for those things because it is not set as a default.
Ebert: Rohit, the average organization today is running dozens of security tools, with some companies running 50 or more tools. How did we get to this point, and what can be done to make security more manageable for organizations?
Dhamankar: According to certain estimates, we have 4,500-plus security companies worldwide. You can think of many of these as creating a tool to solve a certain special problem in cybersecurity. As new technologies evolve and get adopted, there is great innovation in the space with regards to cybersecurity, as well. Often, established large vendors are not swift to innovate, and businesses turn to a solution that solves the problem with a specific technology under adoption. There are examples galore from the cloud or SaaS space. Take, for example, a space that is seeing innovation post-Covid: VPN technology and its next-generation avatar. As more and more employees continue working from home, the current network architecture and technologies are in question across many environments. The initial solutions to the market with a better alternative than existing ones will bag new businesses. And, bingo, businesses have one more security tool in their arsenal to take care of now. This is how it generally happens. This cycle is inevitable. However, organizations need to spend cycles to conduct periodic reviews of their existing security technologies, assess the business needs based on company strategy, and periodically consolidate security technologies. This needs careful planning and a disciplined approach to operational security. Investment in expertise and retaining the talent that has been with the company for some time, who can learn from past mistakes and evolve a solid security strategy for the business, is a necessity to reduce the complexity of too many tools.
Ebert: Let’s talk about general strategies that mitigate that risk to the supply chain.
Hendrickson: Focusing on the attack chain, what is available to our vendors when we’re working with them, understanding and putting controls in place on service accounts, understanding the permissions that we’re granting to our applications, what we’re allowing those vendors to go to on the internet when they have products installed in our environment, and then putting controls in place to be able to understand what things are changing and what’s different in your environment.
Wilkens: You have to trust some vendor, otherwise you can’t run your business. You also have external vendors like your HVAC or other building control ones that do monitoring on the systems on your behalf. So, how do you ensure that you have them segregated off in their own network environment where they can access the devices they need to, but they can’t get access into your company? You also have your third-party risk management, where you have to start looking at trusted vendors and then categorize them: Tier 1 trusted vendors, the ones that have a network connection to us; this is our second level; and you have to rank those down and find out what their security looks like. You can base access or cooperation between networks and companies on those risk factors.
Hendrickson: One of the things we’ve found very beneficial to demonstrate risk to clients is assumed-breach or assumed-compromise type of testing. We’ve used that to help customers understand what can happen from a compromised supply-chain issue and helping them mature their environments.
Kingland: When doing those tests, you can show them what the attackers could access. If a particular service becomes unavailable, what does that mean to the people, processes and technology you need to conduct your business? And what does that look like monetarily? Security is still generally seen as an information technology problem by business executives. It hasn’t completely hit home yet with many that this is a business risk issue, not an IT issue. Security is not just a cost center.
Ebert: Jenna, you mentioned some tools that you were using to help combat cybersecurity risk, and planning.
Meeks: The online user, especially one who can send funds outside the bank, should be using multifactor authentication to log into online banking. This makes it more difficult for a threat to access the bank accounts directly. The most helpful tool that any business can use is Positive Pay or ACH filters and blocks. Positive Pay is a fraud prevention system that protects companies against forged, altered, fictitious or counterfeit checks. ACH filters and blocks prevent unauthorized ACH debits and credits from posting to an account. They act as a form of cheap insurance on your account. Some banks even offer it for free, because it also protects the bank.
Kingland: If you don’t have something like that in place, Jenna, how long would it take to reverse an ACH? At least a few days, right?
Meeks: Yes, and typically it depends on the type of ACH code that the transaction comes through with. So usually if it’s a CCD, which is a corporate ACH or business transfer, that has to be returned within those 24 hours, otherwise, the bank can deny the returned ACH. That’s why Positive Pay is so important, because it is catching the fraudulent transactions within that 24 hours.
Ebert: Eric and Kyle, are there any specific tools or utilities you might recommend using?
Hendrickson: Microsoft Sysmon and making sure that it’s configured correctly along with using canary tokens, these are things that can give us an indication that someone from outside the organization is performing malicious actions. It can allow us to focus on an intrusion before it becomes a breach.
Wilkens: Using good passwords or passphrases and using MFA on every single thing you can. Most everybody today has gone to the ability to do MFA. I do it on all of my accounts. If you’ve done that on your account and you’ve protected it, it’s harder for the bad person to take over your account. And then if you have it on your online banking account, now it’s harder to get into your bank. Some people protect themselves by freezing their credit to prevent nefarious activities.
Hendrickson: MFA everywhere outside of your organization, 20-character plus cap character passwords or passphrases for logging into workstations, and setting service accounts to 100-plus characters where possible. Just those three items would stop a lot of attacks.
Kingland: Ialwayslockmydoors-whenileavethehouse – you don’t have to worry about grammar, punctuation, or crazy characters. That is an outstanding password.
Ebert: Given the war in Ukraine, how is that changing some of your positions in the cybersecurity arena?
Hendrickson: I think the government has become a lot more proactive in what they’re trying to push out through the CISA organization, in making sure that the public is aware that these global conflicts can cause problems at home. Personally, we haven’t seen from Eide Bailly a dramatic increase in volume of attacks due to the war in Ukraine.
Kingland: Many ransomware groups like Conti and REvil operate out of Russia. They also hire a lot of Ukrainians to help with ransomware attacks. So, when Russia invaded Ukraine, they stopped and started fighting with each other. Conti aligned itself with Russia and received a lot of backlash. The other thing we’ve seen on the threat intel side is that they’re attacking European nations that support Ukraine, like Poland, Germany and the U.K. In Q1, we saw a massive spike in attacks targeting Poland, where many Ukrainians fled. It didn’t last long, but if you compare Q1 of 2021 and Q1 of 2022, you’ll see ransomware cases were down about 27%. Attackers didn’t stop attacking. They changed their target to Ukrainian businesses and critical infrastructure. However, targets are swinging back to the U.S. as attacks have increased in Q2 of this year. The targets are shifting somewhat in 2022. We are seeing significant increases in attacks on professional services, financial institutions, health care, manufacturing and government. Now a lot of the authorities have been hitting back in the past year. They have succeeded in disrupting operations and making arrests in some ransomware groups.
Ebert: What happens with insurance policies? Are you able to get them or renew them given the rates, the increases of various attacks?
Hendrickson: Rates have more than doubled and coverage has more than halved. The cybersecurity insurance industry is looking for certain key pieces to be in place before they even consider you an acceptable risk to reissue or issue cybersecurity insurance. They’re looking for multifactor authentication, a vulnerability management program, a trusted EDR platform for enterprise risk and detection, the next-gen antivirus. There are key things you can do to reduce your premiums. Working with your cybersecurity insurance carrier and making sure they’re involved when you are doing tabletop testing of your incident response plan, if they have a preferred partner you can work with, that gives them assurance that you know what you’re doing if an incident should occur. Make sure that your cybersecurity insurance carrier is baked into that plan, because they’re going to want to set you up with a breach attorney to make sure that any communication in regard to the breach is handled under attorney-client privilege to shield you from legal liability, along with having trusted providers for going through that breach recovery or ransomware negotiation.
Kingland: Even with cybersecurity insurance, carriers are getting out of the market because it’s become a costly business. Your renewal process is not simply filling out paperwork and sending it back. Don’t be surprised if they don’t renew your policy at all. Make sure you check the sub-limits! You may have a $2 million policy, but it most likely has sub-limits, little carve-outs for individual services.
Hendrickson: Work with a trusted partner to reduce your risk as much as possible, so you don’t need to rely on the cybersecurity insurance policy. Most businesses can’t survive the three to four weeks that it takes to recover from ransomware fully. Make sure you stay close to your financial institution and know whether you have the option to pay certain ransomware groups, because of OFAC [Office of Foreign Assets Control] or other types of concerns you may have.
Kingland: That’s a huge point. There are sanctioned threat actors where paying them is a federal offense. Make sure that you’re working with a negotiation firm or someone to help you if you have to make a payment and do those OFAC checks. It’s also essential to report the information to law enforcement because that helps everyone understand the problem’s significance. Also, don’t use your insurance policy as your incident response plan. That’s the most common mistake I see. If I get a door ding or a tiny fender bender in my car, you don’t want to send that to insurance because you may not meet your deductible, and your premiums will go up. In the cyber world, calling in with a claim will put a mark on your account. Make sure you have an incident response plan with a trusted provider who can take care of the bumps in the night.
Wilkens: You need to understand what your policy covers. Do you have X? Well, you only have Y for BEC, and you only have Z for ransomware. The incident response plan ought to have a playbook for certain events. At the top of that list ought to be, after a couple of steps, “After immediate containment, call the insurance company.” Have a good relationship with your broker. Your broker is going to become important around renewal time and if you have an incident. You may go through an interview with the underwriters, and they may want to know your cybersecurity program. Last year, the big push was MFA, and a lot of carriers were asking people to sign attestations of MFA for remote access to the network, for anything that has to do with administrative accounts for all servers. Then you get into EDR, endpoint detection response, and XDR, the extended piece. If you don’t have these things, the carrier’s going to start to go, “We have enough business, we’re good.” It’s a marketplace, like anything else, and if they can’t make money, they’re not going to be in it. That’s why you’re seeing a lot of carriers exit the market. Those still in it are being much more selective about who and what they’ll cover.
Ebert: Rohit, there are currently over 3 million cybersecurity job openings around the world, with several hundred thousand openings in North America alone. What can the industry do to help fill this gap?
Dhamankar: The industry has tried to address this issue in multiple different ways. There are specialized training and certification institutes like SANS that have been offering a wide range of courses. Many universities have now created courses or degrees in cybersecurity. All these measures are solving the problem, but not as fast or not in the volume needed. One may never have the millions needed for fulfilling cybersecurity jobs. As a result, the next natural solution to seek is: How can we do more with the talent we have? How can we reduce their workloads and automate those workloads? How can we capitalize on the huge advances in artificial intelligence and machine learning towards cybersecurity? These ways will reduce the dependency on more cybersecurity staff and make the lives of the current cybersecurity staff better.
Ebert: If you were to list one critical thing that you could advise an organization to do to help protect itself from hackers, what would it be?
Meeks: Multifactor authentication is so important. Before anybody is able to send funds outside of the bank, they are required to use a soft or a hard token, plus the customer’s personal password, and their username. It makes it impossible for [hackers] to get in.
Wilkens: Follow a cybersecurity framework, something like the National Institute of Standards and Technology framework, to help build an overall effective program.
Kingland: Everyone needs to have a plan for what happens when attacked. Everyone looks at prevention; hardly anyone looks at what you do when this happens. Make a plan and practice it.
Hendrickson: Focus on how we can reduce our attack surface, primarily around people who have access to our data and systems; the data in the cloud; our internet-connected systems; and the connections we have with our business partners.
Ebert: What advice would you offer someone going into the field? Skills, knowledge, things of that nature?
Wilkens: A lot of cybersecurity is curiosity. There’s a threat here, what happens if I pull this thread? People who have a mind for programming tend to do well in this industry, people who like puzzles, but those aren’t the only people. If you’re looking to get into cybersecurity, take whatever job you can get in IT. You’d be surprised what you learn starting at the help desk or in system administration or networking. It’s really hard to defend what you don’t understand. People need a breadth of knowledge, but it doesn’t necessarily need to be miles deep.
Kingland: I would say that you need to be very collaborative. The people who will succeed want to talk to other security professionals and share information so that collectively we can create a much better knowledge base and defense.
Hendrickson: When I’m looking to hire someone, I want someone who can work hard, who is nice and can fit in with the team and will show up when they’re supposed to show up. Diverse experience is needed to solve problems in cybersecurity. We don’t need everyone to go through the same path, because then we’re going to get people who try to solve problems the same way. We need diversity in our field. We’re all unique, and we all solve problems differently, and when we work together, that’s what will allow us to succeed as a team.
Dhamankar: For the technical folks, self and rapid learning has always been a key in this field as the threat landscape is always dynamic. Thinking out of the box is a respected skill. No amount of learning in a formal university course can substitute the everyday hands-on learning that happens through any job in cybersecurity. For the people on a managerial track, they need to learn to keep a pulse of their team members, devise ways to fulfill the needs for their staff for a longer-term retention, and create a culture and growth environment for the wide variety of personalities encountered in this field.
MODERATOR
Dr. John Ebert
Professor and Cybersecurity Program Director; Saint Mary’s University of Minnesota
John Ebert is a core professor and director of the Master of Science in cybersecurity program, cybersecurity management and technology certificate programs, as well as the data intelligence and geoanalytics program at Saint Mary’s University of Minnesota. He has been with Saint Mary’s since 2002. In addition to directing multiple programs, Ebert maintains a full-time teaching load and serves other programs — including the marketing undergraduate program and the business intelligence and data analytics graduate program. Ebert is passionate about the use of technology and the related impacts of cybersecurity in various industries and enjoys working with graduate students on their research projects. He has written grants and partnered with Mayo Clinic on research initiatives and has also presented research at Google headquarters, Minnesota GIS/LIS Consortium, state of Minnesota, Upper Midwest GEOCON, and the Saint Mary’s University of Minnesota Business Intelligence Summit.
PANELISTS
Joseph Kingland
CEO; Blue Team Alpha
Joseph Kingland is the CEO at Blue Team Alpha, leading its mission of defending American businesses from cyberattacks by partnering with organizations to prepare them for and respond to cybersecurity incidents. During a time of exponential growth for Self Esteem Brands, Kingland was the chief security officer and chief privacy officer. During this time, Kingland was responsible for the international IT and security vendor management team, corporate infrastructure team, information security team, data privacy team, and the retail technology team. The organization grew from two brands and 1,000 locations to over six brands in 30 countries and 4,000 locations. A Navy veteran, Kingland served active duty in the U.S. submarine force serving on the USS Pennsylvania as fire controlman, lead information systems administrator and sound silencing officer. He earned his bachelor’s degree in information security systems from Metropolitan State University and is a certified information systems security professional.
Dr. Eric Wilkens
Director of Cybersecurity; Arvig
Eric Wilkens is the director of cybersecurity at Arvig. With more than 20 years of experience in information technology, Wilkens’ role provides visionary leadership to Arvig’s cybersecurity functions to assure the execution of cybersecurity and incident response initiatives in a manner that ensures the confidentiality, integrity and availability of Arvig resources and services. Wilkens earned a bachelor’s degree in management and a Master of Science in computer information systems from Bellevue University, and a doctorate in information technology specializing in information assurance and security from Capella University. He holds several professional certifications, including certified information systems security professional and GIAC certified incident handler. Wilkens also serves as a flight chief with the North Dakota Air National Guard and is a member of the NTCA-The Rural Broadband Association’s Cyber Security Working Group and the Minnesota Telecom Alliance’s Cyber Security Committee.
Jenna Meeks
Cash Management Specialist; MidCountry Bank
Deepening relationships with customers comes naturally to Jenna Meeks, who started her career in the banking industry 15 years ago. Since that time, she has played instrumental roles in deposit and loan operations service teams and has built a hands-on knowledge base that is invaluable to the clients she supports. Cash management is a critical service to many businesses today. As technology evolves at an increasingly rapid pace, it offers efficiencies in money handling for the business owner, but also fraud prevention options designed to offer tools to protect from cybercrimes. With Meeks’ firsthand experience of banking systems and operations, she embodies a wealth of insight that can guide clients to manage their processing and payment systems’ needs safely and proactively.
Kyle Hendrickson
Director of Cybersecurity; Eide Bailly
Kyle Hendrickson has been in information technology leadership roles for the past two decades, spending the past 15 years leading cybersecurity teams and providing strategic guidance for C-suites. During this time, he built multiple IT and cybersecurity groups from the ground up, creating the vision and enabling the resources to keep important data and systems safe and secure. Most recently Hendrickson was responsible for building the cyberdefense capability at a regional financial institution focused on improving visibility to all systems, while reducing the attack surface of the organization.
Rohit Dhamankar
Vice President of Product Strategy; HelpSystems
Rohit Dhamankar is vice president of threat intelligence at Alert Logic by HelpSystems. Dhamankar has over 15 years of security industry experience across product strategy, threat research, product management and development, and customer solutions. Prior to Alert Logic by HelpSystems, Dhamankar served in product roles for Live Oak Venture Capital at Infocyte and Razberi Technologies. Dhamankar has previously worked in senior roles at several startup companies in the areas of security analytics, intrusion detection and prevention, end-point protection, and security risk and compliance. These include VP, Click Labs Solutions at Click Security (acquired by Alert Logic), and he was a co-founder of Jumpshot (acquired by Avast). He has spoken at several security conferences and customer events worldwide, including BlackHat and RSA, and has been quoted in many industry publications including The Wall Street Journal and USA Today. Dhamankar has also worked with the SANS Institute to drive awareness around the latest security vulnerabilities and attacks. He holds a Master of Science in electrical engineering from the University of Texas Austin and a Master of Science in physics from IIT in Kanpur, India.
© 2022 American City Business Journals. All rights reserved.