All About vCISO Panel View - ThreatAdvice
Steve Hines:
All right. Welcome to the NXTsoft's What's NXT user conference. We're thrilled to have a lot of very knowledgeable people relative to cyber security on our panel today. I'd like to introduce the panel first, before we get started, Kevin Minton is Information Security Officer with First Bank of Alabama. We have Mitt Schroeder, who is CEO of Central State Bank. We have Grantland Rice, who is Chief Operating Officer for Cobbs Allen Insurance Company, Jason Falconer, who is IT at Mountain Brook Schools, not an enviable place to be these days, at least from my perspective. And then also Chip Moore, who is an IT systems engineer at First Bank of Alabama. And once again, thank you guys for spending a few minutes today just talking about the challenges, and maybe some solutions that y'all have relative to all the matters you face day to day and minute by minute for cyber security.
Steve Hines:
And thinking before we start it a little bit about cybersecurity, something that's interesting to me, and I'm sure to all of y'all, because everybody's been around for a while. Think about 10 years ago, and how different cybersecurity looks today. Or think about five years ago, or even two years ago. I remember not that long ago for me, it was an IT issue, and as long as the IT person knew what they were doing, I didn't worry about it. And now it's an issue that affects everybody in every single organization, because there's so many challenges relative to the security risks.
Steve Hines:
And thinking a little bit about why that is, if I thought about technology, if you think about technology back just not that long ago, it was increasing and there were some cool things coming out. And you think about some of the things Apple has been coming out with over the last 10 years or so as an example. But that pace of new innovation has increased so rapidly, and along with the new innovations from a technology standpoint has come new risk from a security standpoint. And that's something that's kind of been an afterthought in a lot of respects. If you think about things like Internet of Things devices, for instance. You think about, you banking guys have security cameras in your lobbies. Well, you think that's a good thing, but really that's a security risk for you.
Steve Hines:
And so as the advances in technology have happened, a lot of security risks have increased. And along with that, what makes sense, cybercrime. You think about what's happened relative to the amount of cybercrime that's around, and the amount of people that are involved, it's just increased exponentially. And so I know you guys all think about this stuff every single day. And so I wanted to start, and we'll start with you, Mitt, what keeps you up at night from a security standpoint? Just kind of an open discussion. What keeps you up at night in terms of worrying, from a security standpoint?
Mitt Schroeder:
I think primarily I would say kind of the unknown. And that is one of the historical ways fraudsters have gotten in. We have found ways to block and not allow them in, if you will. But the unknown, the zero day is, in the IT world, those are the things that kind of keep me up at night and have me concerned over cybersecurity. And just making sure that we continue to have layers and layers of security. And then also on the employee side, most people, most of the fraudsters get in because of an employee that let them in. And so the constant education, which ThreatAdvice has certainly helped us, the constant education of our employees. Those are the things that keep me up at night, is what else can I do to make sure that we keep a safe environment.
Steve Hines:
Right, right. Kevin, how about you?
Kevin Minton:
Yeah, I think Mitt kind of got my big one there, is just knowing one wrong click from an employee can put us in a very bad situation. Obviously, education's important, but it's just so... It seems like that's kind of like Mitt said, that's the way people seem to get in. I think that, and just knowing that there are people who spend every waking moment trying to figure out a way to get into the network. So those are the kinds of things that keep me up at night.
Steve Hines:
And Grantland, you're in an interesting industry with insurance, because you not only have to worry about your network, you have things you have to worry about, about other people, are they secure? And we'll talk in a little bit about the cyber insurance, but just overall, what's your concern?
Grantland Rice:
Yeah. As a broker, we're in between our clients and their carrier partners, and so our clients trust us with a ton of sensitive data that we've got, and we've got to make sure we're handling that appropriately. So that's probably my biggest thing that keeps me up. I mean, for example, we've had frustrations where we've tried to use secure portals, but either our clients or the carrier's security systems won't allow it. And so people end up sending us information that's very sensitive, but it's un-encrypted, and it's always a challenge just to try to stay on top of those things.
Steve Hines:
Yes. Chip, anything to add?
Chip Moore:
Well, I think a lot of people forget about the, what did you miss factor? We've got so many tools nowadays, devices monitoring this, devices monitoring that, software monitoring this device that's monitoring that device. That sometimes the amount of information that comes in, you can miss something small that might actually have a big impact down the road. And that's where having a team, I think, really does a whole lot more for you than trying to put everything on one person's shoulders.
Steve Hines:
Yep. You're spot on. And Jason, I'll kind of let you answer that question, and also lead with another question. It's just so interesting to me what you do relative to the schools. And I see what a huge challenge it's been for you guys to figure out, do we have school? Is it hybrid? Do we have all virtual? And there's so many issues. And as I mentioned earlier, I saw a note today on the internet that Miami-Dade County, which has got to be one of the biggest systems in the country, I would think, first day of school, their virtual learning was breached. And so they don't have their first day of school. I don't know if they'll have their second and third day of school.
Steve Hines:
And so from your standpoint, Jason, I'd love to hear what keeps you up at night, and then also talk some, and then we'll circle back to you other guys on this too, about the whole COVID issue and the remote... You know, for us remote working at NXTsoft, we went from no remote working to a pretty high percentage now, and I'm sure most of you are the same. So just the challenges that COVID, which led into remote working, kind of address that too, Jason, in your answer if you would.
Jason Falconer:
I think both of those questions entail, first of all, what keeps me personally up at night involves sort of a situation where you hear about these situations where school systems get targeted, government entities get targeted by hackers, by people who are attempting to phish to get personal information. And so to me, ransomware is still, I think for the past 10 years has been number one, if not top three issues that schools face. And you hear on the news, you hear in a paper, you hear on the websites you go to that this school got compromised, they had to pay. A hospital got compromised, they had to pay.
Jason Falconer:
And backups. I mean, I think a lot of people in my field, they've had one situation or maybe two situations where backups were critical. And let's say, for example a couple of years ago we actually got attacked by the Locky. I think it was the Locky virus, it's some kind of virus that we got hit by, and backups were critical in those situations. And I'm almost checking my email every single day just to make sure that we have backups, it was successful, nothing got compromised.
Jason Falconer:
And that sort of leads into the factor of this COVID situation. There were a lot of challenges that we had to deal with initially. Luckily for Mountain Brook, there's something called E-days we've sort of had planned since 2009. And it's a situation where obviously you cannot plan for this pandemic, this COVID, to effect into a sort of an every day type situation. But E-day, we at least had one or two days during the school year that we've had some kind of weather, school got canceled, state of emergency that we had to do some kind of E-learning E-day. So we have a foundation here in Mountain Brook. So our parents, our staff has some way to teach and to educate students when they're at home.
Jason Falconer:
But the problem happened is when it's an everyday thing now. It's like when the COVID hit, you have to keep your distancing. Logistics, like I mentioned earlier, the logistics that's involved in trying to have kids here in school, staff here in school, and make sure everyone's safe. And that's very difficult. But luckily we have a great staff here. We have great administration, we have great parents. We have a great community here. So we've been able to make sure that we still keep that standard here in Mountain Brook. And there's expectations here in Mountain Brook that we've got to continue.
Jason Falconer:
And so I think that's been a big key. You've got to have communication. Communication is key. Without communication, you're bound to... To me, you succeed if you communicate. And so we still have challenges here in Mountain Brook. We still have, I think across any school system you talk with, I think they still continue to have challenges. Like you mentioned, it was a big county, they have an issue, they got compromised. We use Google Meets for our way to communicate with classes, they way they have meetings. We were going from Zoom, we had a debate almost between Zoom we were going to go with, or Google Meets. And since we already implement G Suite for education, we just decided to go with that.
Jason Falconer:
But there've been situations where we have to educate the teachers. When they accept people in their meeting, that they know who they are, because the last thing you want is a student or somebody else attempting to join that meeting and put up images that could affect a kindergartner. So we've got to be aware. We've got to still educate the staff. And we've got to make sure that as far as what I do, make sure everything is secure.
Steve Hines:
Right. Did you guys work remotely? And what challenges did you have from a security standpoint in the banking world?
Mitt Schroeder:
Yeah, we did. We probably went 70% of our staff is working remotely now. And there was... I wasn't able to hear a second ago, so if I repeat something somebody else says I'm sorry. But now the biggest challenge was moving everyone to remote. I mean, taking what we had, probably 10% to 70% in a week's time span. And that was certainly a challenge. It was a challenged in many ways. One, you had that many people that were not used to working remotely, using remote apparatuses, et cetera. And then just getting the computers and getting everything needed was difficult. And then making sure, which we did with our vCISO, making sure that we were all authenticating and doing everything that we needed to from a security perspective. It did pose challenges, but it was amazing how well I feel everybody did. And I'm so grateful and feel like our staff and everybody.
Steve Hines:
Right. Chip, are you guys still about the same place you were, relative to staff working remotely? Or are you starting to move back to more normal?
Chip Moore:
We have a most everybody back in the office now. What we're seeing is challenges along the lines of parents needing to stay at home because kids are only going to school part-time. We have people who are helping take care of other family members, and things of that nature. So like Mitt, we did send everybody we could home fairly quickly, we pulled most of that back over the last month and a half or so. Got pretty much everybody working back in the office, but we do have a lot more interest in people wanting to be able to work remotely when they can.
Steve Hines:
Right. Kind of circling back to something Jason said a minute ago, and Grantland, I'll let you kind of address this, and also Kevin. You mentioned ransomware, and everybody, I think, knows what ransomware is. If not, it's when one of the bad guys locks your network up says, "Give me so much money in Bitcoin, and you can have your stuff back, or you can have your network back." That's been the attack du jour for quite some time, and one thing I've noticed, and it's been fascinating just from a commerce standpoint on how the cybercrime guys work. It's not the guy in his mom's basement in Russia eating pizza and playing around on a computer. These are organized crime syndicates, or state-run crime syndicates, nation states.
Steve Hines:
And there's actually something called crime as a service, where you can go on the dark web and you can engage with a company that'll help you launch a ransomware attack, and you pay them X percent, kind of like fee in a litigation kind of same scenario. They have 800 numbers where you can have help if you don't know how to get past a certain point. And it's been interesting to see the amount of ransom that's been being asked. You think about Atlanta just a couple years ago or less, they were hit. And amount of ransom asked was 52,000 bucks. Well, you fast forward a year and a little more later, and I think to a couple of small cities in Florida, and they paid both were around 500,000 or over in ransom. And so the amount of ransom that's been being asked has gone up quite significantly, which is really worrisome to me.
Steve Hines:
So I don't know. I'm sure Kevin, for you guys, that's a big thing you worry about. So I'd love to hear your thoughts on that. And then Grantland, you as well. And then Grantland, after your answer, if you want to take just a minute to kind of educate us all including me on the cyber insurance world, because I know ransomware is part of the cyber insurance equation, and what you're seeing in cyber insurance world. So if you want to address the specific topic of ransomware, Kevin, how that affects you guys, and then Grantland you do the same, and kind of fold that into what you're thinking from an insurance standpoint, maybe relative to ransomware and just the industry as a whole.
Kevin Minton:
Yeah, for us, it's absolutely something we worry about. I think people get the mentality that people are only going to go after the big organizations, the big institutions. We're a $600 million bank, we could be targeted just like anybody else. Just a few weeks ago, I was reading I think there were three fairly small towns in North Alabama that got hit with ransomware. I don't know the exact payout, but I think one said they were going to pay it, like you said, I want to say it was like $300,000. And they did it as a precaution, they didn't know exactly what they had. They wanted to feel safe. So it's absolutely something we worry about.
Kevin Minton:
I know you're going to talk about this later, but I think to get back to the education employees, please if something doesn't look right, please contact us. Don't just go clicking around. Please let us know. But yeah, it's definitely something that we worry about.
Grantland Rice:
Yeah. I mean, I think Jason hit on it earlier that the backups are such a crucial part of that. And there's so many people that run backups, but they don't check them, and then you end up, you hadn't checked it in a year, and it's not any good. And those, you're right. I mean, the organized syndicates are really smart about where they're setting the amount, because it's a number that people really think about paying. If it was $5 million, people would be like, "No way, I'm not paying that." But if it's 300,000, and you're like, "Well, it's going to cost me a million dollars to get all this back," then people might pay it. And even the insurance companies will pay it in some cases. So yeah, we're seeing that all the time with clients. And unfortunately, too often.
Grantland Rice:
But yeah, talking about cyber insurance, still a relatively new field, and a lot of times in insurance, when a new product is developed, it's coming because there are gaps in existing policies. And so the insurance companies will just exclude those coverages on other policies, and then they'll create a new policy, like a cyber policy. But they're still... All cyber policies are not created equal. You've got a lot of carriers that I don't really think understand the risks that they're taking. So pricing can be all over the board. And so you have clients that might get a quote for something that seems really affordable, but at the end of the day, it doesn't really cover much of anything. So that highlights the importance of having a good broker to help you evaluate that.
Grantland Rice:
But yeah, ransomware is definitely a big part of that. And then social engineering is another one, where you have someone mimicking another person, and instructing the accounts payable to send a wire, something like that. It looks like it's coming from the CEO. And in a lot of cases, it did actually come from the CEO's email account, because that account was compromised. And so it's not even just that it was off by one letter in the email, but it could actually be from that account. And that's something to watch out for too, because a lot of times social engineering can be excluded on a policy. So all sorts of issues there, but still an evolving field for us.
Steve Hines:
One interesting thing I saw not too long ago, once again, I'm not an insurance guy, but there was a ransomware attack and the carrier refused to pay it, because in the overall policy they excluded acts of war. And they said this was an act of war because it came from North Korea, or wherever. And so that to me says it's obviously in its infancy as far as an industry goes, and y'all are trying to figure it out from the carrier standpoint and all that.
Steve Hines:
But I'll also say I see, and we work, in NXTsoft what we do is security. And do a lot of different things relative to it, but we have a ton of clients that we work with, and it's surprising how many, I'd say personally that do everything else pretty much that they should be. And then if I get into a conversation about insurance, they're like, "Well, I've never really thought about that." Or, "Yeah, we have a $50,000 rider on our E&O," or whatever it is. And so we won't get it spending more time on insurance, but that is definitely something I encourage everybody to take a look out and find somebody that's knowledgeable. And review those policies, because you can do everything that you should be doing, you can still get breached, and if you get breached and you're not insured correctly, you'll get burned.
Grantland Rice:
I'd throw one other thing in there, I mean, we've seen, we talk to a lot of people that say, "I don't have any real cyber exposure. We don't do business online." But then we had one claim where a company over the last five years had probably 1,000, 1,500 employees. And the HR department sent out all of the W2s for all 1500 of those employees to a bad actor. And they filed early tax returns to try to get refunds on them. And that company was like a manufacturer, didn't do anything online, but had a cyber issue.
Steve Hines:
Right, right. And it's also been interesting to me it, you would think, "Well, who's a bad guy who'll go after banks?" You guys, that makes total sense. Probably medical. But one thing I've noticed is almost an equal opportunity in terms of industry, Jason, what you do in schools. I've seen a ton of schools get breached. We work a lot with municipalities, lots of municipalities get breached. We also do, interestingly, a good bit in the trucking industry, which you would think, who cares about that from a cyber standpoint? They're getting hammered.
Steve Hines:
And what we mentioned earlier, a couple of you guys on the education, just real briefly, Jason, you can take this one in the importance of educating employees, because I forget who it was on the panel that mentioned that's where most of the breaches happen. How important do you see that in your overall security, Jason, in terms of just basic non-technical education for every single employee?
Jason Falconer:
Yeah, I mean, it's probably one of the most vital things you could do. And it's almost... I could probably, once a week we have an email that we receive, that it looks genuine, even to me. And I'll see this kind of stuff all the time, and I would think I'm pretty good at not clicking on a phishing link, but I mean, it's legitimate. And so we get the email, said, "Hey, can you verify this email?" And I'll say, "It's a fake." So we get that constantly. And educating employees, like I said, is one of the vital things you can do. And the thing is, and the reason ransomware to me is a big deal, and you sort of mentioned this earlier, school systems, they get targeted. And sometimes, like there's a second you ask yourself, why are they getting so targeted?
Jason Falconer:
And in my opinion, and from what I've witnessed and talked to, the funding that's not necessarily there. You have, let's say, one IT network admin there, and he has the demands that he has to work with server, he has to work with switches, he has to work with the printer, he has to work, like across the board he has a lot of responsibility. So it's very difficult for them to focus primarily on security when they have to do so many other things. And that's one reason why we ended up going with vCISO, because they focus on that. That's helped us us significantly with auditing, scanning and informing me on some of the security holes that we have. Because like I said, I have to do a lot of things, and we're limited on time and what we can work, based off of some laws and rules that we have here in Mountain Brook. So it's very important for me to know what holes and what vulnerabilities are within my school system. And to actually have dedicated a little time to mitigating those risks.
Steve Hines:
And you mentioned vCISO, and what that refers to for our audience, at NXTsoft, we have a product called, it's a virtual Chief Information Security Officer, which is CISO. So vCISO. And we're very honored and fortunate to work with all of our panelists as vCISO clients. And so since you've mentioned that, since we're getting short of time, I'd love to give each of you guys maybe a minute or two to talk about it, and it kind of goes into layered security. The thing that's important to me as I look out into the different industries you guys are in, is it's so hard to know everything you're supposed to be doing. You can have the smartest IT people in the world, and still they may not know everything from a security standpoint.
Steve Hines:
So the basis of our development of the vCISO product is we want to be kind of a security officer quarterback, look over your shoulder, et cetera, and help in a lot of different ways, which you mentioned a few of them. And we probably have impacted each of you a little bit differently, but Mitt, if you want to start, I know you've had some good experiences, and we'll take just a couple of minutes and kind of run through the panel and let you talk a little bit about how that product may have helped you.
Mitt Schroeder:
Well, yeah, I'll tell you, we've mentioned a couple of times about how do you sleeping at night, if you will. It is incredible what my sleep. And basically, what we want access to with our vCISO is someone that is constantly overseeing our environment to make sure that it's as safe as it can be, that have at their fingertips either A, themselves have that expertise, or they can lean on anyone at NXTsoft with that expertise. And it's almost you have your internal staff that you depend on and you think the world of, but they can't see everything. And it's like this blanket of a team that's back there overseeing your environment. And every move you make that has to do with IT, every third party vendor that you deal with that in perspective, they're reviewing and looking at and making sure how did they fit into your environment.
Mitt Schroeder:
And so it's given us an incredible amount of peace. And so that's where it helped us tremendously.
Steve Hines:
So that's awesome. That's great to hear. Kevin, you and Chip both with First Bank of Alabama, I'll let each of you take a shot at that question relative to how that relationship has helped you guys out.
Kevin Minton:
Yeah. I think for me, since we've talked about employee education, I like the ThreatAdvice side of it. I've been in banking 17 years, when I first got in, cybersecurity was not a big thing as far as training. And if it was, it was just an annual, Hey, we're going to do a couple of classes annually, you're good to go. What I like about ThreatAdvice is you do it quarterly. So it's constant on their mind, which I think is very important with the COVID, because people get home and they get lax, and they're working in a t-shirt and their shorts, and they forget about all the important things they would do at work. So I think for me, it's good. I can get on there right away and say, okay, who's done their training, who has not started their training and is due in a month? So that, for me, that part of it, I really enjoy.
Kevin Minton:
Chip's definitely more of our technical guys. So I'll let him talk about all the technical stuff, but that's the part I've really utilized a lot, that and the policies. I can put all my policies in one place. I can get policies from NXTsoft as a template. So that helps a lot.
Steve Hines:
Right. Great. All right, Chip.
Chip Moore:
Another thing I've seen over the years is as the ISO role has come into play, most of the time we like to joke it's the person that's not in the room that usually gets appointed the ISO position. Normally because they know how to reboot a computer. And I think what our industry has started to see over this last decade is it's not necessarily a technical person you need in that position. You've got to have strong people to handle your systems, to keep everything operational, to keep everything integrated, but there's still much more that comes along with that ISO position.
Chip Moore:
From the administrative and the regulatory standpoint, the vCISO program, I think has given us a great framework to bring Kevin in, who's got a ton of banking experience, who understands the operational aspects, doesn't necessarily have the high-level IT experience, but it's not needed. He can walk right down the hall and ask me a question if he didn't know it. Where at the same time when I find something that I think maybe we need to fix or look at a different way, I can go and discuss it with Kevin. We can come up with a plan to implement it, and then make sure we're doing our due diligence, make sure that we're reporting it correctly up the chain, to senior management and the board.
Chip Moore:
Because what we're seeing at the end of the day from the regulatory standpoint is examiners don't want to log on to our domain controllers or our security appliances and look at it [inaudible 00:33:09] They want to see that our staff is taking that information and getting it to the people, and that we are monitoring it and documenting it and things like that. It's really taking a load off both myself and my team, and then bringing Kevin with this vCISO product has given him a ton of confidence and a ton of tools, and really let us kind of push things forward a whole lot faster, and make sure we're getting more done.
Steve Hines:
Right. And that's also, and you mentioned the regulatory aspect of your business, Grantland, we'll roll at you on this question. And me personally, knowing y'all's situation, if you want to address just the regulatory needs that were met, which we were just so thrilled to be able to do. And then we'll wrap up.
Grantland Rice:
Yeah. I think our... We were ThreatAdvice customers for a while, and then timing was just perfect. We were expanding in New York, and there's a very strict kind of first in the nation compliance law up there that we were going to be subject to. There was kind of a light version and then a full version, and we knew it was coming up. So timing was great. Our vCISO has been instrumental in helping us being be compliant there, but also a lot of it's just the best practices that we needed, we were working on, we needed to get there. And that's also helped us during COVID, having multifactor authentication has helped with our security with people working remotely. So it's really coming in handy in a lot of ways.
Steve Hines:
Well, that's awesome. Well, we have, as I knew we would, burned through our time quickly. I still have many questions I could ask, but I'm for the benefit of the audience, Steve Hines. I'm one of the founders of ThreatAdvice, and I just want to say on behalf of our company, NXTsoft, we're really grateful for you guys taking the time out today to provide just such valuable information to the audience. We're very grateful for the relationships we have with each of your companies and enterprises. And we really do look at it like it takes a lot of people to be able to beat these bad guys. And I call it a cyber war, because it is. It's basically warfare. And if you think about it, I think it's going to even get more and more so when you start talking about power grids and things like that, I think, and this may be kind of over the top, but I think the next world war will be fought as a cyber war, rather than boots on the ground.
Steve Hines:
So that may be a little drastic, but I don't think it's too much. So it's a really serious issue, we're honored to be able to help each of you fighting that battle. And if there's anybody that's been listening today that needs more information, you can visit us on our website at nxtsoft.com and we would be honored to answer any further questions. But Godspeed to you guys, we hope that the rest of the year normalizes a little bit, your business normalizes a little bit, and we can get through the rest of this year, hopefully we have college football and then in 2021, hopefully the world will be a little bit more sane. So thank you so much. Thank you if you're listening today to all of these wonderful panelists, and hope everyone has a great afternoon. Thank you so much.
Grantland Rice:
Thanks for having us.
Kevin Minton:
Thank you.
Jason Falconer:
See y'all.