PREX Preview: Advice from the Cybersecurity Expert

PREX 2018 Conference Speaker Chris Wolski

Chris Wolski is the Head of Information Security for Perdue Farms Inc., where he is responsible for the information security, industrial cybersecurity, and data privacy programs.

This September he’ll be at PREX to talk about developing and implementing a response plan in anticipation of a data breach. We talked with Chris about where to start, the biggest mistakes companies make when dealing with a data breach, and what resources he uses to keep up to date.

Cyber threats to corporate entities vary according to industry. An underlying threat that spans all organizations is the cyber-criminals that invest in low-cost methods to gain a high return on those investments. The most prevalent threat right now is business email compromise, where attackers are gaining access to the email of a company. This occurs usually via phishing an executive or an individual involved with financial transactions. Once the compromise is complete, the attacker mimics the normal communication and attempts to get another victim organization to send money to a mule bank account instead of the normal financial institution. More and more companies are preparing for this by instituting specific policies that provide instructions on how to validate financial requests received outside of normal channels. There are still many organizations that are falling victim to this threat that affects them financially, sometimes deeply.

What are the key components of an effective cybersecurity response plan?

The key components of a cybersecurity response plan are to identify the why, who, what, and how.

Why – A clear definition of the purpose of the incident response plan provides the basis for the reason for having an incident response plan. The definition of events and incidents must be defined so that appropriate actions based on the severity of the event or incident can be taken. It is the executive overview of the entire process and the goal of the plan.

Who – Identifying (and letting them know that they have been identified) is the key to the plan. Incident response requires human resources to gather, analyze, and take action to address the incident that initiated the plan. It also identifies any outside resources that the organization can reach out to for assistance (law enforcement, analysis organizations, third-party agreements, etc.).

What – Knowing the resources available during an incident will reduce the time necessary to perform the overall process. Developing a “Go Kit” with the necessary items will help facilitate a rapid response. More importantly, you need to know what data you have at your disposal to help with the analysis. Developing a collection management framework will help you connect the dots.

How – Just as the best sports teams have a game plan for challenging their opponents, incident response teams need to have playbooks for responding to events and incidents. Develop playbooks that describe what to look for and the steps necessary to remedy the situation.

In your opinion, what are the biggest mistakes companies make when dealing with a data breach?

The biggest mistake a company can make in dealing with a data breach is not being prepared for a data breach. An uncoordinated response when dealing with a data breach can lead to further unwanted attention from outside organizations, especially if the organization processes data or infrastructure that is regulated.

In addition to the unwanted attention, an unprepared organization may face higher costs when dealing with a data breach if they are not prepared. This coupled with lack of cyber-insurance or an insurance policy that has gaps can cost an organization as remediation costs may not be covered and will have to be borne by the organization.

What risks exist within the ediscovery process, particularly when comparing outsourced ediscovery work to matters handled in-house?

Ediscovery presents unique risks as it collates information that may be considered sensitive into a central location. It is a target for anyone that has interest in the organization as it may contain information about the crown jewels or the jewels themselves. Every company has information that they depend on to be successful – if this information was leaked, it may have damaging effects on the organization’s brand.

Placing that type of information into the hands of an outsourced provider introduces new risks. The provider has to provide assurances that their infrastructure is as secure, or more secure, than the organization’s. Monthly it seems there has been at least one disclosure of data that can be attributed to the lack of security of an outside provider, especially if that outside provider is using cloud technology.

A security plan is only as strong as the people who implement it – what steps do you think are necessary to make sure company members and contractors consistently follow prescribed guidelines? Which positions play crucial roles after a breach occurs?

Every organization has a culture. Security needs to be integrated into the organization’s culture. When security is part of how the organization operates, then everyone develops a sense of responsibility for protecting the organization. This is accomplished through meshing security operations with business operations and providing training that can be easily related to. This allows it to be absorbed and lets every member in the organization become deputies of the information security team. When needed, employees know they can depend on the information security teams as a resource to assist in building security into the environment.

After a breach, it will take a team to resolve the issue at hand. It will take the incident response team headed by a capable team leader that can guide and direct responders and maintain the overall view. It requires a communication officer that can interface with the public. It requires a legal team to interface with law enforcement. A breach may require a finance officer to ensure the smooth transition of acquiring necessary resources (i.e. third-party assistance, etc.).

How do you stay up to date in terms of security measures?

Conferences, reading and podcasts. Daily I listen to podcasts such as the SANS Internet Storm Center and the CyberWire. A few weekly podcasts that I listen to include Down the Security Rabbit Hole, Recorded Future, Risky Biz, and Paul’s Security Weekly. The combination of all these podcasts provides me with what is going on in the world on a daily basis and provides me the opportunity to hear other thought leaders on what is going on in the industry.

The reading I do comes in the form of books and articles from industry leaders such as Dr. Mansur Hasib, Dr. John McCarthy, and Robert M. Lee. These authors provide great leadership insight and a ground-based truth in the areas of cybersecurity and industrial cybersecurity.

Some of the best learning opportunities come when meeting with peers at various cybersecurity conferences where we discuss common concerns and potential solutions based on the broad experience that is at these events.