Episode 60 of HIPAA Critical features an interview with Brian Fritton, CEO of Havoc Shield.
Hannah Trum: I'm Hannah Trum, and this is HIPAA Critical, a podcast from Paubox where we discuss security, technology, and compliance news with healthcare industry leaders. You don’t need to be reminded that October is cybersecurity awareness month to know that the cyber hygiene of your organization is important. We know that bad actors and data breaches are around every corner in healthcare because personal health information or PHI is so valuable. We also know that if you aren’t proactive in finding the vulnerabilities in your infosec stack or your attack surface, you can bet that a bad actor will exploit it. But how do threat actors decide who to attack? Are there criteria that make your organization more valuable than another? Or is it a one-size-fits-all sort of thing? Has the COVID-19 pandemic changed the way data breaches and ransomware work? Does using transparent or easy-to-use security technologies really make a difference? These are all topics that my guest, Brian Fritton, and I discuss today. Brian is the CEO and Founder of Havoc Shield, a Paubox partner and infosec company that as they say “is kind of like TurboTax for cybersecurity.” Hi, Brian, thanks so much for joining me on HIPAA Critical today. As we both know, October is cybersecurity month, but any organization should really be looking at their cybersecurity stack or any vulnerabilities that they have more often than now. Why do you think that organizations continue to struggle with having such good cybersecurity hygiene?
Brian Fritton: That's a pretty sticky topic.
Honestly, I think the reality of the security responsibility inside organizations, not the role, but the actual responsibility, especially in smaller organizations that maybe don't have a security team or maybe even one security hire is that it's still seen as a cost center.
And that's across organizations. It's not the revenue accelerator, customer converter, or reputation asset that really it is. And that's just not the way that it's seen. And, unfortunately, a lot of organizations still think we're getting better, but that's still a lot of the way a lot of people see it.
So set the scene: cost center in a lot of places gets pushed to the back in favor of a lot of other priorities. I think also that security awareness campaigns where a lot of the hygiene sits, is with employees, and not just necessarily the security team or IT.
But the employees that the awareness campaigns are too often pushed out to must do this. Rather than positioning it as a personal resource or benefit, because we all have our own personal risk online.
We all like to learn. All humans like to learn. Companies could get a lot better at positioning. This is something that we're doing for you. We're offering a 401k, we offer catered lunches.
If you can position security awareness, and some of the resources or benefits that you have in your security program for everyday employees, especially now that a lot are remote, I think you'll get a lot more people paying attention to that and actually “brushing their teeth.”
Hannah: Definitely. Because, as you know, practice makes perfect. So if you're practicing cybersecurity at work, then you'll obviously bring it at home with you. How does your organization approach risk management and employee training?
Brian: When it comes to cybersecurity, we look at where our data lives first. We think about where that's going to be stored and on what assets we have. And then we think about the risk of that information being breached. So however it gets out, the tactics don't really matter.
But what happens if that information gets out? This is a pretty well known process, looking at the data.
I think the risk management piece that sometimes is missed is, how do I think about the accidental disclosure of that. Great, we've got this risk management process that looks at the data that understands what the tactics attackers might use to try to exfiltrate it, but when it comes to that employee hygiene question, how might it be accidentally disclosed? Or just systematically exposed?
Email is for better, for worse.The keys to the kingdom and one of those channels which a lot of employees, even though they shouldn't, share a lot of sensitive information.
When you think about the hygiene question, the risk management topic attached to IT, I think about that second layer. Which is how they accidentally send PII, personal health information, social security numbers, company secrets, accidentally, through email.
What controls do I need to put in place? Especially because human errors are so prevalent, it's everywhere. We could probably attribute a large number of data breaches specifically to human error. So going off of what you're saying, make sure your employees are knowledgeable and know what they're doing.
Hannah: What do you think is one thing, every CIO or compliance officer or whoever's in charge of compliance at an organization should start requiring from their employees today?
Brian: Multi-factor authentication on everything and anything at work. And again, it's that security as a benefit topic, show people how to enable multi factor authentication on their Twitter account, on their Gmail account.
Make it easy for them to do. Sit downs with them, record little videos, create a list of all the work accounts and personal accounts that they need to go and do this on. That's gonna take a little more time. But again, it's pivoting security hygiene more as a benefit than a must do.
Your employees being personally more secure and less susceptible to getting breached protects your company.
Hannah: Part of making sure your employees know how to enable two-factor authentication, or whatever it is, is making sure that you have like a list of guidances. Here are some blogs that you can read about all of this if you don't understand. At Paubox we publish everything about cybersecurity. What is two factor authentication? How do you turn it on for Google? How do you turn it on for Microsoft? Because we know that there are people out there looking for these resources. If you can provide them straight up to your employees, then it'll be better.
Brian: Yep, that's right.
I'm gonna cheat and give you a second because we're talking about email being the keys to the kingdom. That accidental disclosure. A lot of people miss out on protecting the outbound.
So thinking about data loss prevention, and the relative ease of configuring common sense rules about scanning outbound email. And seeing, “Hey, does this have what looks to be a social security number in it?” Or something like that. Those are really easy to configure. It really can help pare down those accidental disclosures.
Then on the inbound side, you need to have a robust inbound security so that you can block phishing attempts or other ways that employees can click on something. Then data gets leaked that way as well.
Hannah: What have been the most common upgrades or changes that you've seen among organizations seeking compliance over the last year?
Brian: Email security is obviously a big one.
Both the review of malicious messages as well as encrypted email and DLP. Not just for companies that have to encrypt email or provide those types of controls for compliance reasons. People are realizing that these are pragmatic controls, or business protection, reputation management purposes.
Again MFA. A lot more companies are getting really serious about access control and an MFA is a part of that. Going through some of the more difficult processes to organize. Role based access needs to work in your organization. As well as rolling out some new requirements for that and getting the company to get used to, “I don't always have administrator access. What does that mean?” Those types of things, they’re culture changes.
Then last is all of the organization seeking compliance. Sometimes it's a little bit different than an organization seeking a healthy security program. And one of the things that I see with companies who are really focused on the compliance piece is like the policy stuff.
Don't get me wrong, policies in the compliance world are wildly necessary. They're necessary as part of a healthy security program. But earlier on for a lot of companies, I'd rather see more people focusing on building muscle memory and how to respond to an active incident. How to detect it, how to recover from it quickly. Because the reality of it is, it's a question of when and not if. And it’s great that you have the policies, but if you don't know how to respond to an incident and recover from it effectively, it doesn’t matter.
Hannah: Mmhmm. I'd like to talk about ransomware for a minute. It's a very hot topic lately, but it's not a new concept. We both work in information security, so we see ransomware attacks all the time. Why do you think that ransomware has been so prevalent in the news lately?
Brian: I think it's emotional. It's the human element of it. The shock factor of it. You don't think it'll happen to you, but when it does, that's gonna blow up your whole day, your whole week, possibly.
Hannah: Even longer than that. Kaseya was breached long time ago, and we're still talking about it at Paubox.
Brian: That's right. That first person who got it on that endpoint, and the shock factor of all that the personal stories that the employee inside those companies go through. That bubbles up to the organization having to respond to that.
But I really think it's that like the emotion and shock factor of, “Oh crap. This happened, what do I do now?”
And again, it comes back to a lot of companies don't have that incident response muscle memory to really know how to do that. You pair that with the fact that a lot of these malicious actors are targeting places like hospitals, and it makes for a pretty juicy story.
Hannah: Yes, it does. What kind of qualities or I guess open doors do you think criminals look for when trying to deploy a successful ransomware or any kind of malware attack?
Brian: One thing that I wish a lot of companies would remove from their about pages or contact sections is email address listings for employees. If you make it easy for attackers to find email addresses, they're gonna phish you. They're gonna try to get you to download weird stuff. Exposure is a big thing out there, information exposure.
Hannah: Cyber criminals are already lurking on people's LinkedIn to use social engineering to get you to click on things. I never even have thought about all of those people who put their employee emails, which is opening you up for an attack.
Brian: After that, it's the more technical, but easily scanned for, stuff. These attackers have a lot of tools that can go out there and spider for these victims, unfortunately. Open ports, easily enumerated known vulnerabilities, and software packages or infrastructure that companies use.
Open s3 buckets on authenticated email. If you don't have SPF on your email, they know it's gonna be easier to spoof your organization. So all these things are super easily scanned, for I know that we scan for them for our clients in the background as part of our service.
Hannah: Attackers have the same types of tools that you have. Know what your attack surface is because I can guarantee you that cyber criminals do. What are some practical or universal ways that an organization can approach risk in the workplace, other than thinking that knowing you're going to be breached, no matter what. It's a when not an if.
Brian: Risk is everywhere, in every organization.
I have to first come to that human element. Train employees early and often. You have to build that security culture early. If you're a larger organization, it takes longer to permeate the work base as well. You'd have to think more strategically about how you message security being treated as a benefit as a personal resource. Giving your employees antivirus that they can install on their personal computers sponsored by the company, ensuring that they have a resource to have malicious looking email that made it through the filter reviewed.
Whether it's sent to their personal email address or working address, having a scan that they can do on their personal network to show them if they have open ports or not, especially with remote workers. You have to treat it like something that they're going to benefit from.
Hannah: Definitely. How do you apply these concepts to your personal risk assessment, your personal cybersecurity?
Brian: It's a different model. On the awareness side, you have to know what types of attacks are occurring because you got to know what your attacker looks like. What types of tactics or protocols or content or messages and channels they're using? Which ones are accelerating? How they might occur. So you can spot them and that ounce of knowledge is a huge, huge, huge defense of its own.
As well, the practice angle. You have to set up a SOC for yourself, in your basement. Ask yourself some questions. Do you have a plan if someone successfully phishes you or impersonates your email address and sends a message to your coworkers or family appearing [as you]? What would you do?
Hannah: Cry probably. That's probably most people's plan. Risk is everywhere in healthcare. A lot of that comes from the technology we use. So many organizations are still using fax machines, which are extremely outdated. Ease of use is extremely critical for technology used in healthcare because there are so many different levels of tech savviness within the industry, between employees, and patients and providers. How does your organization approach the ease of use when working with your customers?
Brian: So Havoc Shield, specifically, we designed our product like how TurboTax made tax prep easier, right? We took that ocean of complicated form fills and see this line, add that line. “If this, then that” types of stuff, and we turned it into something that feels like TurboTax. A step by step plan that non experts can follow.
There's some component pieces, or some rules that we obey from a user experience point of view. One is plain language. The security industry and compliance requirements are just filled with Latin, right? And like, I don't read Latin, and most people don't. And, and there's just, there's just a ton of jargon.
So we spend a lot of time maybe not, the layout and color and flow of something in the application. Of course, we work on that, too. But we actually spend a lot more time on content. What are we saying here? How do we make that simpler without risking a lack of understanding?
Another piece is, security products are notorious for being overly configurable?
Hannah: Yes, they are.
Brian: And that's great, in a lot of cases when you need them. But most organizations need something that maps to best practices, and that meets their compliance requirements. And you've got a few options. If you think about mobile device management, what types of controls are you requiring people to have on their mobile device in order to access your organization's data?
It's okay to take a lot of the mundane, highly customized configuration they're under and configure it appropriately. You can hide a lot of that behind the scenes. That's what we do. We take our opinion, our expertise, about how to configure a lot of these things, roll them out, run these processes into fewer common sense plain language options that we do show our users. I think that that helps people actually take action rather than just get swamped in.
Hannah: Oh, definitely, you're taking things and putting them in a layman's terms. You're taking SAT words and picking a synonym everyone can understand. What other factors do you think are essential for organizations to consider when vetting technologies?
Brian: So I think that in any type of technology, even outside of security, but especially for security, number one is implementation difficulty. How difficult is it to actually get it done, inside your organization and talking to your other technologies. If it's going to take an overarching large campaign to implement, then it's likely that it's going to get pushed to the back for other things that come down to the roadmap. Can you get at least your first phase of the thing implemented, in a smaller time [frame] that's appropriate for your organization?
The next is cost. Can you afford it? Does it make sense financially? And the evaluation there. The math. What's the risk? Then what's the likelihood of that risk? And if that happens, what's the cost of that? Can you do the math there?
Then who's gonna maintain it. You have a vendor, from a professional services point of view, implemented. But now, how easy is it for you next month, or next year to maintain the thing? It comes back to that ease of use. How much is your vendor doing for you? Because it might just sit there and actually not protect you, because you haven't appropriately maintained it.
And then lastly, the big one we see and a big reason why we started Hacov Shield is the question of, does that solution actually meet your priorities of your security program and your threat model? But we see a lot of point solutions that represent themselves as “this is the next thing you should do. It applies to you no matter what.” And the reality is, the security industry is guilty of doing that, in a lot of cases, no matter what the priorities or threat model of an organization is.
And so we'd say evaluate what your model needs, where your functional strengths are in that program, what your compliance requirements are, and then prioritize the different solutions that you need to evaluate. Look at and implement, and then start from that list. Don't pay so much attention to the fear, uncertainty and doubt that some vendors might give you to try to get you to buy the product.
Hannah: Yes, I agree. And I think going back to talking about like the price and justifying the ROI. For me, I always talk about how much an average HIPAA violation or HIPAA breaches are. It’s like a million dollars. Can your company afford that plus a reputation hit? So you're right, you need to really vet your technologies and see how it works for you and if it's actually compatible for you and your employees. Brian, do you have any last-minute comments, question, tips about cybersecurity for our listeners?
Brian: MFA on everything. And since we're all at home right now, log into your router, check if your firmware is updated. Make sure that you're protected with reasonable antivirus, anti malware. If you're not, reach out to your company and say, “how can you help me here?”
There is a lot more organizational data going through personal networks and personal devices now than there ever have before. It's in your company's best interest to help employees at home or at work or wherever they might be. Keep your data secure, because whether you like it or not, probably some of it's on that old computer.
Hannah: It definitely is. Well, thank you so much for joining me today, Brian. I really appreciate it.
Brian: Thanks a ton, Hannah.
Hannah: Head to paubox.com/blog for all the cybersecurity and HIPAA compliance tips you need. You can listen to every episode of HIPAA Critical on paubox.com or subscribe via Apple Podcasts, Spotify, iHeartRadio, Stitcher, Amazon Music or wherever you listen. Thank you for tuning into another episode of HIPAA Critical; I’m your host, Hannah Trum, signing off.