June 30, 2021 | 27 minutes
Cybersecurity attorney Shawn Tuma shares his experiences and best practices about what to do once you’ve been breached.
About the Guest
Shawn Tuma is a cybersecurity and data privacy attorney at the law firm of Spencer Fane. Having practiced in this area of law since 1999, he is widely recognized in cybersecurity and data privacy law. He is frequently sought out in the legal arena for advice on these issues.
Ep. 15 | Reimagining Cyber | So You’ve Been Hacked, Now What? | Shawn Tuma
Shawn Tuma 0:02
I view the CISO role as really one of the most important people in the organization, and I say that because cyber in my view is the biggest risk companies face today. Even COVID didn't shut down operations overnight in most cases. One ransomware attack, the CEO goes to bed tonight dreaming of profitability and numbers and vacations, and wakes up with a call from the CISO tomorrow morning going we are now technically out of business unless we can recover.
Rob Aragao 0:37
Welcome to the Reimagining Cyber podcast where we share short to the point perspectives on the cyber landscape. It's all about engaging in casual conversations and what organizations are doing to reimagine their cyber programs while ensuring their business objectives are top priority. With my co-host, Stan Wisseman, Head of Security Strategist, Robert Aragao, Chief Security Strategist, and this is Reimagining Cyber. So Stan, who do we have joining us here today?
Stan Wisseman 1:07
Rob, our guest today is Shawn Tuma. Shawn is an experienced cybersecurity and data privacy attorney and partner at Spencer Fane, where he serves as a co-chair of the firm's cybersecurity and data privacy practice group. Having practiced in the area of law on this cybersecurity and privacy space since 1999, Shawn is one of the most experienced and well respected cybersecurity and data privacy law attorneys in the United States. Shawn, it's great to have you with us today. Could you spend a few minutes expanding on your background, as well as share some of the focus areas that you have in your practice?
Shawn Tuma 1:46
Sure. Thank you, Stan. Rob, it's a pleasure to join you guys here today. And thank you for having me on. As you mentioned, I've been practicing in cyber law since 1999. I got into it when I graduated law school in ‘99. With the Y2K issue, I started studying and researching that while in law school in 1998, and really thought that was going to be my ticket to stardom, and that I would have been retired about 10 years ago, and living on my own private island somewhere, you know? It just didn't quite happen like that. And it really turned out to be a bit of a fizzle or a dud. But, it got my foot in the door in cyber. And it's something that I've been able to continue working in ever since. Much, you know, for the first couple of years as, you know, I had to support myself as an attorney, a young attorney in large law firms. And it really wasn't until, you know, the mid 2000s that I dove into the computer hacking type work. And as I studied and learned more about that, it kind of dawned on me that with every hack we were dealing with, somebody's personal information in many cases, or businesses' sensitive business information, was being disturbed, and was being, you know, violated, if you will, the confidentiality of that, and so that's what got me into the data breach side of things. And I remember in 2011, writing a blog post that 2011 is the Year of the Data Breach. You know, once again, I mean, we saw an uptick, but it was still kind of a dud. And it wasn't really until, you know, 2013, with Target, Home Depot, Neiman Marcus, all that, that it became headlines. That was the watershed event for many of us in this space, where data breach or, you know, incident response became the dominant part of our practice. And really, that's when I was able to transition to doing nothing but cyber and privacy, you know, exclusively.
And so these days, my practice involves kind of three components: 1) Continued litigation of cyber and privacy issues, 2) Would be the proactive risk management side of things. The third bucket of what I do day in and day out and probably 70-80% of my work is incident response and serving as what we would call a “breach quarterback” or coach or privacy counsel or whatever the term du jour is.
Rob Aragao 4:47
You kind of hit upon this. It's the, you know, when you look back at the year of the data breach, it seems like it's been over a year since, right, and then that watershed moment. That watershed moment of Target to me was a bit of an eye opener when it finally got to the C-level, right, the CEO actually losing their job and people starting to pay a little bit more attention to it. So I hear you. So Shawn, you know, one of the things, as you're engaging with your clients, that we'd be interested to hear a little bit about are, you know, the recommendations of kind of the key elements that they should be focusing their attention on at the highest level, if you will, that help them in being as best prepared as possible. But knowing that, you know, there's the inevitable cyberattack, cyber breach that's going to occur, at a top level, right? What are those things that you're consistently seeing and having those conversations and guidance for your clients around?
Shawn Tuma 5:32
To me, reasonable cybersecurity is not a definition, it's a process. It's a process of evaluating your risks, which are all unique to each business, assessing, you know, your risk assessment, and then developing a strategic plan for addressing those risks, and then executing on it and then continuously reevaluating. And you've got to have that process. If someone called me right now, and they said, ‘Shawn, what are the top couple of things, you know, the key elements of that, that you're going to ask me about that will lead to a bad, bad cyber case?’ First thing I'm going to ask is, ‘Are you using RDP access into your network?’ Because what we're finding is nearly 50% of the ransomware cases we're handling involve RDP access. And you've got, all air quotes, you know, the IT guy who says, ‘Yeah, but I changed the port, so it's good.’ And I'm like, ‘Yeah, no, it's not. Nice try, but not quite.’ But that's a problem we see, open, you know, RDP access. The other thing is your backup process, how you handle your backups. Are you using something like a three to one, you know, type of backup process? And not just in principle, but are you testing it and validating that it actually worked? You know, ransomware attackers, these guys, they know they're not going to get paid if you've got backups. So, they go take out your backups first. And so we've had several cases where the organization thought they were backing up appropriately, but they couldn't be restored because of misconfiguration at some level. So you've got to test that. And then the third thing I would say is, you know, for folks who use Microsoft Office 365, or Google web-based type email, are you using multi-factor authentication (MFA)? Because if you're not, you're going to get one of those business email compromise situations, and you're going to be scratching your head going, ‘it's not our fault. It's theirs.’ But I'll tell you, probably 90% or more of the cases we see dealing with business email compromise, somebody is using Office 365 without MFA, bad guys got ahold of an old username and password, ran it against the account, got in, and boom, that's how it happened. And then finally, phishing, and we all know phishing, you know, the problem we have with that. And it's not easy to address. But you've got to educate your workforce about this. Because we love to wring our hands and talk about, oh, it's always the people. That's the problem here. Well, of course, because the people are the ones that are doing everything, right, so they're going to be the problem. But how do we expect them to do a good job with something if we don't teach them? And, you know, we push out policies, we even penalize sometimes, but we never teach. And so, it's got to start with teaching, and then put your policies in and educate them on the policies and cover that ‘Why?’ You know, ‘why are we doing these things?’
Stan Wisseman 8:51
You have that risk management framework, and the processes supporting it, but you also are highlighting specific weaknesses and controls necessary to shore those up. And so, you know, in addition to that, you also are talking about the culture, enabling the employees to actually, you know, be part of that human firewall, and helping the organization be secure as some of the weakest points, which is, again, the phishing attacks are probably one of the prominent ones. So, I really like the combination there.
Shawn Tuma 9:30
Well, you know, I appreciate that, Stan. I tell you, it's not, um, I've never been the smartest guy around, but I do try to work hard. And I try to learn from experience. And, you know, one of the problems that I saw back in 2014, I was speaking at Secure World, I was doing a talk at Secure World and I was doing the ‘Oh, it's not a matter of if but when’ routine, you know, kind of what we were all doing back then. ‘And it's not a matter of if but when, and when it happens, it's going to be catastrophic. So you better prepare today.’ And I had someone ask me, they said, Well, so what you're telling me is, it's inevitable. There's nothing I can do about it. And when it happens, I'm done. Okay, never mind, then that's a risk I can't do anything about - next issue. And it hit me hard. I was like, Whoa, that's a great point. And so we may not be able to get them to 80% secure. But if we can get them from 5% to 40% with some basic foundational kind of things, we're helping a whole lot in reducing that risk.
Stan Wisseman 10:44
Do you see another driver out there, as far as helping with some of that blocking and tackling, some of the fundamentals, expectations of insurance companies, if you want to have cyber insurance, you need to have some of those fundamentals using some kind of recognized industry standard? Is that something, one, are you seeing more companies explore, you know, cyber insurance, and two, is that helping raise the bar in some cases?
Shawn Tuma 11:12
Yeah, absolutely, to both questions. So, we are seeing an increase in cyber insurance. And I'm a huge advocate of cyber insurance. I mean, look, if you don't have the money, or the budget, to put in an incident or a security program, or better your security, you're not going to have the money or budget to manage an incident response either. And poorly managing an incident response can lead to having it be much worse than it could have been if you'd have done it the right way. To the next part of your question, there is a strong trend of insurance companies becoming more and more engaged in deeper evaluation of what a company's risk is. So like, five years ago, you know, we saw one page applications, you know, that would be like three or four basic questions. Now, we are seeing much more detailed questions. We're seeing much more informed questions too, and we're seeing, you know, when we're looking at larger policy amounts, you know, up to $5 million or so, the underwriting team for that carrier, they're gonna want to get people on the phone and talk to them, and go in and maybe even ask for, you know, pen testing, or risk assessments or things of that nature. And they are incredibly knowledgeable people. From what we're hearing, they've been hit so hard this past year, with, you know, ransomware, in particular, that they're going to become much more stringent here, you know, as we move forward. So, companies need to be ready for that. And they need to learn from it too. Because what the insurance companies do, they use the same process that I use, it's what have we seen that has caused our losses? Those are the things we're going to look for and ask about in our diligence process. And so, you need to listen to what the insurance underwriters are focusing on, because they're looking at data and statistics of all these events they've had in the past through their, you know, actuarial process and it's incredibly informed.
And it's a great learning opportunity for the company to be able to, you know, to get the right people involved. And I say the right people, because far too many times, you know, I talk to a CISO of a company, and they don't even know if they've got cyber insurance, they weren't even consulted in that process, and brought into the discussion. And how the heck do you do that, especially now, these days, when you've got to start answering all these technical questions?
Rob Aragao 14:04
You've worked with hundreds of clients, right, over the course of your career. And when you look at the CISO, kind of, you know, even if it was five years ago, but to where they are today, right? Have you seen that true pivot of reality where it's a critical need for whatever type of business an organization is going after to ensure that they have a CISO that's focused, with the right investment and voice at the table, versus that kind of, you know, nice to have checkbox approach for compliance, regulatory needs? I mean, is that evolution, you know, something you're actually seeing day in, day out in your customer engagements?
Shawn Tuma 14:38
It is, Rob. It's something I'm seeing, it's something I'm advocating for very strongly, and I'm hoping the trend continues. It's still not enough. I'll come back to that humility point I made earlier that we all have to remember, we've got a lot to learn, you know, and we're going to always have a lot to learn. But I view the CISO role, or whatever the equivalent is within that organization, as really the most, one of the most important people in the organization. And I say that because, number one, cyber in my view is the biggest risk companies face today. It's, I mean, look, even COVID didn't shut down operations overnight. In most cases, one ransomware attack, I mean, the CEO goes to bed tonight, dreaming of profitability, and numbers and vacations, and wakes up with a call from the CISO tomorrow morning, going, we are now technically out of business unless we can recover. I know, we all like to talk about the lack of funding and the lack of resources and all these things. But in my own personal experience, the biggest problem I see in companies is not really a lack of funding, or, you know, even of manpower many times, or of not having the right tools, gadgets, gizmos, or whatever, it's a lack of a strategic vision, of strategic leadership. Because somebody, you've got to have a head coach that sees how the whole playing field is working, how all of these resources are working together, and developing that strategic plan. That head coach is your CISO. You know, and so having that CISO in that role, I believe, is of critical importance. And I also believe they need a seat at the table with your board of directors, or your upper management or whoever that decision maker is. Because that will, say the board in many cases, because that's what people typically like to talk about. You know, I've counseled many clients on their reporting to the board and the engagement between security and the board.
And if you just ask your CISO for a written report to provide to the board, you're gonna get something very simple, you know, all risks are being managed, and the company is doing well. BOOM. Maybe a paragraph or something. And what does that mean? You know, it either means you don't recognize all the risks, to recognize that we can all be attacked and hit, or it means you're too aloof to appreciate it, or too arrogant to think you can be hit. Or it means you're too intimidated by the board, you're scared to death to tell them what the real situation is, because they're going to come down on you and fire you.
Stan Wisseman 17:54
The unvarnished truth sometimes is a scary thing to share with the board.
Shawn Tuma 18:00
It really is. And the only way you can overcome that is by a dialogue, a conversation, and by talking and explaining to them, look, you know, I know what you want to hear, you want to hear that we're fine, and there are no risks. But that doesn't exist in today's world. So let me tell you the real state of where we are, we're in a process of continuously trying to reassess what our risks are, you know, and go through your process and explain it. And say, you know, we're doing the best we can, under the circumstances, here's things we could improve upon if we have more resources.
Rob Aragao 18:41
When you look at the role of the CISO, right, there's been a forced, if you will, maturity in that role, right? A lot of the historical kind of build up was, you know, how technically sound are you to secure the environment? The reality is that that doesn't solve the problem, to your point. It's like I can give you a list. It says, ‘We've assessed the risks. And we feel pretty good about this stuff.’ What does that mean? Right? So, it's that translation of going into each different type of business, could even be in the same vertical, you need to assess, right? What's most relevant, what's most important to them. And as you've been talking about, you know, one of the themes that we've discussed many times in this podcast is that focus around that mindset and pivot to being more resilient, right, cyber resilient. And as you've said, even as you've gone through, and you've learned for yourself, and in different client engagements, you know how to evolve and make it better and understand kind of what's next that we need to be paying attention to. It's the same thing, right, for the CISO, to be able to say I now understand the given business I'm in and what you actually are desiring of us to ensure we're doing the best we can to make this a resilient environment when a security incident occurs. Right? Does it mean that, that's what I'm seeing a lot about, there's finally this evolution of that role coming into a more business minded individual.
Stan Wisseman 19:55
So Shawn, one of the things I wanted to ask you about, another prominent player in these incident responses typically is law enforcement. And you've probably seen their capabilities evolve over the years, and how they deal with cyber as they've gotten up to speed as well. But how do you set expectations with the firms that you have as clients on what they can expect from law enforcement and their role in an incident response?
Shawn Tuma 20:30
I think they have a crucial role. But we also have to know when we're going to try to bring them in, and what role they play, which goes to your question of, you know, they're not your company's IT department, they're not your security team, you're not going to call them and then have three agents show up with, you know, bags to take hard drives, and go analyze and get you back up and running. That's not their role. Their role is to investigate crimes, pursue criminals and see them get convicted. And what that means is in a lot of cases, you know, they're overwhelmed. I mean, they are dealing with so many cases, they don't have the resources to come and investigate every ransomware case we have. They don't have the resources to investigate every insider theft or whatnot. And so, they look for kind of a materiality requirement, and it's not like publicly stated. But, you know, it's got to be a big matter, it's either got to involve public health and safety, or some substantial amount of loss, that would justify their resources. To the question of expectations, I tell my clients look, in most cases, we're going to report to law enforcement, we're probably not going to see them engage back. We’ve got to do our work independent of them, because they're not going to come in and save the day. And the first step in that process is many times to file that IC3.gov report, which is what they will usually tell you to do. But, if you're in a case where you think it may be material or meaningful, I mean, not just some little phishing email. But, you know, maybe it's a phishing that led to a business email compromise of half a million bucks, then you need to let them know quickly, right, because they have a kill chain in place where they can stop a lot of that. But following that IC3.gov report usually isn't going to get you there, you've got to have a personal relationship with someone either in Secret Service or FBI or both.
And you need to do that before you have an incident. Because, look, they want to work with the public, they work very hard, many times it's through InfraGard or through other, you know, just attending conferences or whatnot. They want to know the security leaders in companies, and they want to have those relationships. But you've got to make it happen, right. And so, you need to reach out to your local field office, let them know, ‘Hey, you know, I'm the CSO of this company, we're here in your jurisdiction. And we'd just like to visit about maybe what we can do to be better protected, who we can call if a problem arises.’ And in my experience, they jump at that opportunity when they can. And, you know, if someone doesn't have the ability to contact them, let me know. I'll reach out, you know, connect you to my people local here, and wherever else.
Stan Wisseman 23:50
And that's part of what you do, right, Shawn? You help connect folks to the right resources to pull them in.
Shawn Tuma 23:55
That's exactly right, Stan, you know, as I mentioned earlier, I'm not a technical guy. I'm a lawyer. But my most valuable role many times is the connections and the resources that I have to bring in the right partner, the right people at the right time, to help get done what needs to be done.
Rob Aragao 24:18
What do you think is the kind of concern that people have in building that relationship ahead of time, I don't get it?
Shawn Tuma 24:23
When I'm referring to law enforcement, typically, I mean federal law enforcement, your FBI and your Secret Service. And there is something a little bit intimidating about that. You know, maybe it's the TV shows, you know, FBI Most Wanted or whatever the mystique we've built around it all. They're regular people out doing a job, and they recognize that they can do their job better if they have the exponential reach of the relationships of those of us in the private sector. I've heard of companies in the past who did not want to involve law enforcement at any level, because they knew they had something to hide. And so it's like, do not ever bring them into our environment. I've heard those stories. But by and large, if your company is not doing illegal activity, you don't have anything to really fear there. I mean, there are these fear stories, the FBI is going to come in and seize your servers, and they're going to shut down your network for a week and blah, blah, blah. You know, I've never seen it happen. One thing I will say is, there's no privilege with communications to law enforcement. And so, you do need to be careful in what you say and how you say it, certainly when you're providing written updates or whatnot. But other than that, I just, I've never experienced it. I hope I never do. Because I don't want to be burned by sitting here saying this.
Rob Aragao 26:02
Agree, agree. Well, Shawn, hey, listen, I'll tell you, we're very excited that you were able to join us here today for this episode, and give us the different perspective, right? The legal aspects, your experience, and your passion for this space is very prevalent in the conversation we're having. Your multi-pronged approach keeps it pretty simple in my opinion, which I think is very key. And, as you mentioned, right, the blocking and tackling, like just the good security, cyber hygiene. We've had those conversations for way too long. It's like just let's go do this stuff and let's be more business minded in how we approach how we're protecting the organization. So we really appreciate your time. And hopefully, we'll have you on again in the future.
Shawn Tuma 26:39
Hey, it's my pleasure. Anytime you guys want me, you can tell, I love to just sit here and ramble on, so I'm always happy to jump on. So thank you so much. It's been a pleasure. I look forward to next time.
Rob Aragao 26:52
Thanks, Shawn.
Stan Wisseman 26:53
Thanks, Shawn.
Rob Aragao 26:54
Thanks for listening to the Reimagining Cyber podcast. We hope you enjoyed this episode. If you would like to have us cover a specific topic of interest, feel free to reach out to us, and you can find out how in the show notes, and don't forget to subscribe.
This podcast is brought to you by CyberRes, a Micro Focus line of business, where our mission is to deliver cyber resilience by engaging people, process and technology to protect, detect and evolve.