For the next interview in our series speaking to technology and IT leaders around the world, we’ve welcomed Co-chair of Cybersecurity, Data Protection & Privacy at Clark Hill, Jeffrey R. Wells to share his views on the state of cybersecurity today.
Jeffrey has over 25 years of global experience leading cybersecurity engagements. He has also led a Joint Inter-Agency Task Force countering transregional organized cyber-crime and violent extremism while addressing current and emerging risks impacting national security, commerce and critical infrastructure.
He has also previously been appointed Cyber Czar by two Maryland governors and was responsible for aligning commercial, federal and military cybersecurity initiatives with NIST, NSA, U.S. Cyber Command and other military and government entities. Jeffrey also served as vice-president of the Maryland Cybersecurity Roundtable, was a founding partner of the NIST and the BENS Cyber & Tech Council.
Tell us about the business you represent; what is their vision & goals?
I am incredibly lucky to be part of the team that is the cybersecurity, data, and privacy law business unit. We address many issues on a global scale because the threat landscape is changing so drastically, and compliance requirements are evolving.
I never imagined that as a security professional, I would end up working at a law firm, but, several years ago, it became evident to me that in this ever-changing space with the variety of actors and services involved. We're not here to bill hundreds of hours on issues that may be difficult to understand. Our goal is to build a relationship of trust while operationalizing security and compliance to keep our clients out of misfortune or get them out of a bad situation.
We can impartially figure out what is needed to prevent issues from occurring, whether it's a product or a service. Now, many organizations are starting to realize that while they may do business in only one state, if they have an online presence, they are in the global cyber environment and are at risk, both from threat actors and from the various international and local regulatory requirements around data, security, and privacy.
What inspires and energizes you within your work?
I view all businesses and entities with a digital presence as our collective critical infrastructure. It plays a vital role in our economy and national security. Whether bad actors or faulty design, getting into a challenging situation with ransomware or a business email compromise can have wide-ranging effects.
It doesn't matter if you're a Fortune 100 company or a sole proprietor from where I sit. You can become a victim. Trying to prevent, reduce, or mitigate the impact of an incident or a particular issue is energizing because we're getting to know and build that trust relationship with a client and make the world a little less risky, one connection at a time. I've been working in this space for a long time, and it's nice to be a defender against the bad actors. It's rewarding to work on a team with my colleagues focused on preventing issues and solving problems.
Can you share a little bit about yourself and how you got into cybersecurity?
I've always been very fascinated and interested in where the intersection of technology and humans meet. So much so, I was building my own computers, devices, and code early on. I always understood technology, fibre optic, digital and cellular networks, developed data hosting centres, and built infrastructure.
Fast forward in time, I’ve spent most of the last 20 years addressing both the operational and cyber aspects of warfare. Dealing with adversaries during my military experience provided genuine examples of the use of technology as weaponry. I saw how commercial implications and the bigger world beyond the battlefield became very real during that time. What happens in cyberspace is not crucial until someone sits down at their keyboard or picks up their phone. Technology is just the enabler to influence human behaviour.
I spent a good portion of my career in government and military, arguing with lawyers about what we could and should be able to do. It's nice to be on the other side where I appreciate a different perspective. Now, I’m focused on the defensive side of things. After leaving government, I joined Clark Hill, where I could use my understanding of the techniques, tactics, and procedures of criminal gangs and third-country adversaries and the schemes they're using to assist clients.
Can you give an example of security issues at your jobs, and how you and your team fixed them?
Probably the hottest topic at the moment is business email compromises. It’s one of the most significant issues businesses and individuals are forced to address. Part of the reason is the pace of life and the use of mobile technology that has everything in “urgent mode” as we work remotely and in hybrid situations.
People don't always have time to look at and study an email for integrity and look for mistakes. In some cases, messages may come from an address similar to a known sender with a sense of urgency, like a need to wire funds. These types of messages create a need to be opened, which triggers the installation of malware that allows for account takeover.
As I call it, working remotely brings your home to work instead of just bringing your own device (BYOD). Your home networks are not necessarily secure. Alexa and many types of other connected devices can be quickly taken over. Home network environments are typically not as robust. One of the most straightforward security solutions that we tell everyone is to use multi-factor authentication or at least a minimum of two-factor authentication for everything. Additionally, it is essential not to use the same passwords for multiple accounts and to use a password keeper. Those three things will significantly reduce compromised accounts.
If you do the following, the risk to your organization goes down significantly. Take that extra second to hover over a link to make sure that that is really what it should be. Look at and double-check email addresses and content for anything suspicious. Pick up the phone and call if it's unusual for a colleague to send an urgent email, especially with bank information change.
Human hacking is perhaps the most significant piece of cybersecurity the adversary understands. Our attention spans are down to seven seconds at best, we're multitasking, we are in a hurry, and our attention isn't there.
So, when something urgent, like a request for a hundred-thousand-dollar wire transfer, is received, especially when seen on a mobile device, the recipient may not realize the routing number and bank account number have changed.
One of the biggest problems with securing people in organizations is that it is cumbersome. Multi-factor authentication is an extra step. It requires employees to do more. It’s imperative to have different passwords for different accounts.
Few of us have the brainpower to remember all the passwords we use. So that's why we suggest utilizing a password manager. Adding an additional layer of protection by changing passwords four times a year will help keep an organization safe. Everyone has a responsibility and a role in securing their business, whether it's one, two, or 20,000 employees, every person plays a role.
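The cues described above (a sender address that merely resembles a known contact, urgent wording, and a request to wire funds or change bank details) can be turned into a simple screening check. The following is an added example written for this page, not code from Jeffrey R. Wells or Clark Hill; the trusted domains, the similarity threshold and the keyword list are assumptions chosen for illustration, and real mail filtering would add more signals.

```python
import re
from difflib import SequenceMatcher

# Assumption for this example: domains the organization already corresponds with.
TRUSTED_DOMAINS = {"example-corp.com", "partnerbank.com"}

# Assumption: wording that, together with a lookalike sender, should trigger a phone call.
URGENT_PAYMENT_PATTERNS = [
    r"\burgent\b", r"\bwire\b", r"\brouting number\b", r"\baccount number\b",
    r"\bnew bank\b", r"\bchange(d)? (our )?bank",
]

def sender_domain(address):
    """Extract the domain part of an address such as 'CFO <cfo@host.example>'."""
    return address.rsplit("@", 1)[-1].lower().strip(">")

def lookalike_domain(domain, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Return the trusted domain this one imitates, or None.

    A domain is a lookalike when it is not on the trusted list but differs from a
    trusted one by only a character or two (e.g. a digit 1 in place of a letter l).
    """
    if domain in trusted:
        return None
    for good in sorted(trusted):
        if SequenceMatcher(None, domain, good).ratio() >= threshold:
            return good
    return None

def assess_message(sender, subject, body):
    """Score one message on the two cues: lookalike sender and urgent payment language.

    Returns (verdict, reasons). The verdict tells the reader what to do, mirroring the
    advice above: pick up the phone when both cues are present.
    """
    reasons = []
    domain = sender_domain(sender)
    imitated = lookalike_domain(domain)
    if imitated:
        reasons.append(f"sender domain {domain} resembles trusted {imitated}")

    text = f"{subject}\n{body}".lower()
    hits = [p for p in URGENT_PAYMENT_PATTERNS if re.search(p, text)]
    if hits:
        reasons.append(f"urgent payment language: {len(hits)} cue(s)")

    if imitated and hits:
        verdict = "verify by phone before acting"
    elif imitated or hits:
        verdict = "review carefully"
    else:
        verdict = "no BEC cues found"
    return verdict, reasons

if __name__ == "__main__":
    # Constructed sample messages, not real mail.
    print(assess_message("CFO <cfo@examp1e-corp.com>", "URGENT wire needed",
                         "Please wire to the new bank, routing number changed."))
    print(assess_message("alice@example-corp.com", "Lunch", "See you at noon."))
```

The similarity ratio is deliberately strict so that unrelated domains are not flagged; a real deployment would also check display-name mismatches and first-time senders, which this example leaves out.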
Does your organization use log and metrics data to improve and secure your systems? How do you find managing logs assists your day-to-day work?
We do use logs externally with clients. They’ve proven to be an excellent tool for lots of different things. Indeed, for forensics, we need to look back on what happened. Also, looking at them periodically is a great way to look at individual and organizational behaviour to see if risky actions occur.
It makes it easy to correct unsafe acts by having a standard monthly security program pinpointing issues when they arise. Logs also show business activity that takes place between regular business hours and after normal business hours. It also provides insights on IP addresses viewed.
Logs can help keep tabs on those connecting remotely. And verify legitimate business work or if somebody is trying to probe the network and see if there's a way to get in or approach the systems.
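The three uses of logs described above (after-hours activity, the IP addresses seen, and telling legitimate remote work from someone probing for a way in) can each be expressed as a small query over authentication events. The following is an added example for this page, not code or log data from Clark Hill or its clients; the log lines are constructed, and the business-hours window and the failure threshold are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2024-03-04 08:55:12 LOGIN user=alice src=203.0.113.10 result=success
2024-03-04 09:02:41 LOGIN user=bob src=198.51.100.7 result=success
2024-03-04 23:47:03 LOGIN user=alice src=203.0.113.10 result=success
2024-03-05 02:13:55 LOGIN user=admin src=192.0.2.99 result=failure
2024-03-05 02:14:01 LOGIN user=admin src=192.0.2.99 result=failure
2024-03-05 02:14:06 LOGIN user=root src=192.0.2.99 result=failure
2024-03-05 02:14:12 LOGIN user=test src=192.0.2.99 result=failure
2024-03-05 02:14:20 LOGIN user=backup src=192.0.2.99 result=failure
2024-03-05 10:30:00 LOGIN user=carol src=198.51.100.7 result=success
"""

BUSINESS_HOURS = (8, 18)  # assumption: 08:00-18:00 counts as regular hours
PROBE_THRESHOLD = 5       # assumption: this many failures from one IP looks like probing

def parse_line(line):
    """Parse one 'timestamp LOGIN k=v k=v k=v' line; return None for anything else."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "LOGIN":
        return None
    ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
    kv = dict(p.split("=", 1) for p in parts[3:])
    return {"ts": ts, "user": kv["user"], "src": kv["src"], "ok": kv["result"] == "success"}

def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]

def after_hours_logins(events, hours=BUSINESS_HOURS):
    """Successful logins outside regular hours: the behaviour worth a follow-up question."""
    start, end = hours
    return [e for e in events if e["ok"] and not (start <= e["ts"].hour < end)]

def probing_sources(events, threshold=PROBE_THRESHOLD):
    """Source IPs with repeated failures across accounts: someone testing the door."""
    failures = Counter(e["src"] for e in events if not e["ok"])
    return {src: n for src, n in failures.items() if n >= threshold}

def remote_access_summary(events):
    """Which IPs each user actually logged in from, for reviewing remote connections."""
    summary = defaultdict(set)
    for e in events:
        if e["ok"]:
            summary[e["user"]].add(e["src"])
    return {u: sorted(ips) for u, ips in summary.items()}

def review(text):
    """The periodic review described above, as one report over the parsed log."""
    events = parse_log(text)
    return {
        "after_hours": [(e["user"], e["ts"].isoformat(), e["src"])
                        for e in after_hours_logins(events)],
        "probing": probing_sources(events),
        "remote_access": remote_access_summary(events),
    }

if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_LOG), indent=2))
```

Run against the sample, the report lists alice's late-night login, the single address that failed five times against five different accounts, and the addresses each user normally connects from, which is the baseline a reviewer compares future months against.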
What are common weaknesses in IT security strategies that companies often overlook?
Most commonly, I see organizations believe they have a policy in place to address security issues. There's a thing called a WISP, which a lot of people call written information security policy. I call it a Written Information Security Program (WISP); a policy is aspirational.
A WISP provides information on what you intend to do, but policies alone do not help you address security concerns. Many organizations have policies citing Virtual Private Networks (VPNs). Okay, that's great. What VPN are you going to use? And how are you going to use it? When's it going to be used?
Typically, where we see a disconnect is putting effective policies and procedures into place. We’ve seen many organizations that bought a policy kit and put them together, so they could say they have them…and then place it on a bookshelf. More often than not, organizations didn't go through and look at what they have. It’s a labour-intensive process to customize this to an operational policy. And what are the matching procedures that will go with that to address the steps to make sure that when somebody works remotely?
For instance, practices and policies need to be in place to understand how and where a company can download proprietary or personal health information. Do you have suitable types of programs operating on your mobile device or your laptops? Are they encrypted?
Changing passwords four times a year and utilizing phrases that computers have a tough time unravelling but are more manageable for humans to remember. Having procedures that match the policies are vital things that we see. It’s essential to understand compromised systems are not purely an IT problem. It's everybody's problem. It's a training and human issue. That's really where the most significant issues come from.
What are your thoughts on companies looking to prepare for CMMC compliance?
The Cybersecurity Maturity Model Certification was established for government contractors that work with the Department of Defense. The CMMC process has been slow to get rolling. It was supposed to go into effect in 2020.
The advisory body couldn't get things moving fast enough. The Department of Defense has moved to third-party verification with the CMMC. This creates a secure environment designated by a level one, level two, level three, level four, or five, depending on what you do as a contractor, subcontractor, or supplier. On paper that makes perfect sense, implementing is another story.
If you're working with the Department of Defense and dealing with very sensitive things, they want to make sure you've got your items secure, not just technology-wise; human controls must be secure. This has become a highly complex process because it requires having third parties validate that the necessary controls are in place.
It has been a challenging thing for the advisory board body to put in place. And there's been a lot of confusion in the defence industry. There are probably 500,000 different companies that work in this space. Questions arise like, who's going to pay for this. It may cost $50,000 to $70,000 to get the certification and then register.
The process has become very bureaucratic. At the moment, trying to scale to get half a million companies compliant and train people fast enough is a big problem. The original idea was that organizations had to self-certify under the National Institute of Standards and Technology requirements, NIST SP 800-171.
Unfortunately, the Department of Defense discovered that more companies were self-certifying without doing real compliance work. So, it's essential to national security that companies do implement and maintain security controls. This is why the DoD recently announced a CMMC 2.0, which hopefully will be easier to operationalize at scale.
I think it's necessary for all governments, not just the Department of Defense, but across the board, to have a standard. Every business should be doing something very similar, and there should be both minimum and common standards.
If we can simplify security to the point where everybody can say, I need to do it at a bare minimum across the board. If we’re all doing essential cybersecurity and then building on it, that makes excellent sense. There's some effort to do that, certainly with executive orders that have been put out over the last couple of months and require critical infrastructure providers to put certain new security pieces in place.
Government can't do everything, but it certainly could put out guidelines, best practices, and common standards. Our adversaries worldwide are not just going to sit back and wait for us to get our act together. Small ransomware attacks on businesses, organizations, and government agencies can add up and cause significant problems.
This can turn into a dangerous “death by a thousand cuts” scenario. It’s also a matter of dollars and cents. The longer we take to create uniformity in our cybersecurity policies, the more attacks there will be and the more costly it will be to institute what needs to happen.
Would you like to share any cybersecurity forecasts or predictions of your own with our readers?
The problem is not going away as long as we have electricity; ransomware and extortionware attacks will continue for the foreseeable future. I believe that the amounts requested in attacks will drop from millions to hundreds of thousands or less.
If an attacker can get 20 companies to give them a thousand dollars, it's more likely the company will abide. Do I pay a thousand dollars for a ransom, or do I not pay the ransom and restore from backups, but it's going to take me two weeks to do that? Also, no U.S. enforcement agency wants to go after the smaller amounts. The FBI does not encourage businesses to pay ransoms, encouraging more bad behaviour on both sides of the equation.
We’ll see a lot of commoditization in the security space when it comes to selling more software and hardware types of tools to gain a security edge. The problem from my perspective is that we need more people who understand the threats when something pops up on their computer or phone and how to handle these situations.
You can buy another endpoint detection and response system, then somebody who understands it will need to know how to monitor and take action when necessary. A lot of machine learning is being introduced into the space now, using artificial intelligence, which does help reduce the signal-to-noise ratio when defending yourself or your entity. That takes time, money, and people. And those are resources that we don't seem to have enough of.
We work with quite a few startups and seasoned enterprises. Most of them are not budgeting to cover compliance issues. You're either compliant, or you're not. I can help you get a little bit secure but not a little compliant, and you can decide on this unfortunate reality as your budget comes in.
Each day this becomes more complicated. I doubt that in the United States, we'll have an overarching data privacy law or data security law, even though bills keep getting introduced. I think we're going to end up with 50 states and 16 territories, each with its own version.
Right now, we've got hundreds of different types and some competing laws enacted on both the federal and state level. The European Economic Area, Brazil, Australia, and China enact some rather strict regulations when we look globally. It's just going to become far more complicated than it currently is.
If I had $10,000 to spend today, it would be spent on training and then locking down all the features on the products I already have. Beyond that, I would want to budget for the technology and tools to secure myself next year.