Blog

Business Continuity and COVID-19

Cyber technology and preparedness experts Lee Neubecker and Geary Sikich talked about a business continuity plan way ahead of the COVID-19 virus hitting the US! What does the next couple of weeks look like? Tune in to find out.

Business continuity! It’s official, COVID-19 is upon us and the country is basically on lock down. Government restrictions are everywhere. Just about 15 days ago, Lee Neubecker and Logical Management Systems, President, Geary Sikich talked about what was going to happen when COVID-19 landed on our shores. It’s like they wrote the sequence of events!

Lee and Geary are trained experts in the field of cyber technology and preparedness. They foretold businesses will have employees work from home if they have a job that allows them to telecommute. They discussed different unique challenges businesses will experience when executives and employees take work computers home and remote in. Check out this video interview to learn a few interesting tips on business continuity.

Part 2 of the Coronavirus or COVID-19 & Business Continuity

COVID-19 and Business Continuity

Lee Neubecker (LN): Hi it’s Lee Neubecker, President of Enigma Forensics, and I’m back on the show here with Geary Sikich, President of Logical Management Systems. We’re continuing our discussion on business continuity planning as it relates to the Coronavirus, thanks again for coming back Geary.

Geary Sikich (GS): Thanks Lee for having me.

LN: So, can you tell everyone what other businesses are actually experiencing that are now at the stage where they’re dealing with government restrictions, either in China, or even in Seattle Washington, and what the reality of the challenges faced by businesses in communities where the corona outbreak is magnifying and spreading.

GS: Sure, the big one everybody is surely aware of was China and some of the things they did, in what people were calling “draconian measures”, which is essentially the quarantine that they set up. They literally lock down roughly about 56 million people and it got to the point where it was from the household where you were staying. They would allow one person to go out and buy whatever food you needed for the day. If that person didn’t have a mask on they were sent back, so no food, so that’d be a big impact. The employers for those employees who are now locked in on a quarantine basis set with empty factories and at about two weeks into that a lot of these employers were saying, “I can’t pay my people because my factory is not operating and I’m about to go out of business”. So, the impact is big in that regard. Just recently in France, the Louvre closed, and it’s closed now indefinitely as of this morning in response to a protect the potential of coronavirus expanding. Italy, there’s closing schools in Italy, they closed schools in China, also in South Korea. They’re doing similar things what we’re faced with here in the States is a very similar situation that is yet to unfold in its dramatic effect. But if we start to see the Coronavirus expand in the States, plan on seeing things like school closures plan on seeing things that are not going to be available on the shelf because the grocery stores are going to be emptied.

LN: That introduces a whole other element of risk, because for those parents of kids that have to be home many of those parents are only going to be able to work from home if they have a job that allows them to telecommute, and there’s, you were talking to me earlier about some of the unique challenges that have happened when executives take work computers home and they’re remoting in, and the one example I remember you saying was that with kids home alone and they have time on their hands, they’ve sometimes gotten into their parents’ computers and if those computers aren’t secure and they go to a game site, and they get hit by malware, the corporate network could be taken out.

GS: Yeah and it’s happened we’ve had it with the clients in different parts of the world where the company organization said it’s a great idea. We’ll set up a mini situation where you can work independently from home here’s a secure computer and over a course of time not much is happening and so, the secure computer becomes something of well we don’t let the kids play games on it and nothing’s going on so I’m not too worried, not realizing the potential exposure that they’ve put themselves in from a vulnerability standpoint. One of the key things, and I think this is a point that we need to emphasize, is that the criminal element people who want to do bad things has really taken advantage of the Coronavirus situation in a lot of different ways. By actually being able to interject malware in posing as a legitimate information site so here you want information on the Coronavirus, I’m here, and the next thing you know you’ve got malware downloaded into your system. So huge impact areas and in that regard.

LN: Yeah, I think that the whole notion of planning and thinking through how your business would respond if your employees weren’t able to come to the office is something that every organization should be doing now because it certainly is it’s not a question of if the virus will spread, it’s a question of you know how quickly and how large of an impact. We don’t fully know what is going to happen in every community with the weather, whether there will be better treatments available or not but we do know that it’s a risk and it makes sense to prepare for not having to have your workers come into your office, and how would you respond to that?

 GS: If you think about it in this context to leader there’s some real issues that you need to really begin to assess it all in a lot of detail. So, from a risk assessment standpoint, one obviously you want to look at how do I build contingency plans for us to work remotely whether it’s you working at your home or at a remote location that the company hires to have you know staffed. That’s great if you’re in the Information and Technology business or you’re in the financial sector you’re in a nonindustrial sector, how do you close down a steel mill and tell your employees we’ll go to this other place and work because there’s not the same facility. Here’s the real interesting thing that it but I think it’s a critical point and this is where we begin to start to realize risk management needs to begin to look at some things differently. One, you’ve got a facility it goes into lock down because of quarantine, no employees there. What’s your vulnerability for that facilities now sitting vacant. You have people maybe who want to break in? You still got your computers and other systems there that I would assume can still be hacked into in some way shape or form and you’ve got a lot of potential sensitive information.

LN: And physical security becomes important in that case definitely.

GS: But how you do that if you’re under quarantine and you can’t bring in physical security per se.

LN: There’s a whole issue if you have in our next segment, we’ll talk a little bit more about what businesses should be doing now to be cyber ready for having employees where they can work remotely. We’ll talk about some of the strategies that you can take now to help maximize your readiness for such a circumstance where you have to either reduce your workforce and create space, or have people work completely remote. So, thanks for being back on the show.

GS: Thank you Lee, I enjoyed it.

To View Part 1 of the Coronavirus

Other Related Articles

Official Website of Homeland Security and their Business Continuity Plan

https://www.ready.gov/business-continuity-plan

Keeping Yourself Safe

Keeping yourself safe in these trying times is a tall order. Clerk Karen Yarbrough says to use your common sense and practice social distancing, wash your hands and don’t touch your face.

The Corona Virus COVID-19 is upon us! We knew it was coming and Cook County Clerk Karen Yarbrough says let’s practice common sense. The health and well-being is the utmost importance for Clerk Yarbrough. She recalls lessons from her mother, wash your hands, don’t shake hands instead fist or elbow bump, sneeze into your elbow and don’t touch your face. Clerk Yarbrough sits down with Enigma Forensics CEO & President Lee Neubecker to discuss the safety measures the County has installed to keep the polling places safe. Check out this video blog with transcripts.

Cook County Clerk Karen Yarbrough says the 2020 Election will be safe!

The Video Transcript Follows

Lee Neubecker: Hi. It’s Lee Neubecker. President of Enigma Forensics. We’re a Chicago-based computer forensics and cybersecurity consulting firm. And I have the pleasure, again, of having the Cook County Clerk Karen Yarbrough on our show, to provide some common sense advice on what you should do at home and in the workplace to keep yourself safe from this Corona Virus outbreak concern.

Clerk Karen Yarbrough: Thank you, Lee, for opportunity to be here. I think we need to get across to people if they use their basic common sense and remember what mom used to say, they would probably be just fine. Now, 80% of the people who would even contract this, they’re going to be fine. It’s the folks whose systems are compromised, are the ones that probably are going to have some trouble. But, listen. When you sneeze, don’t sneeze out like that. Do it in your arm. Do it in your arm. Okay? Don’t touch your face. Don’t touch your face. I do it all the time. But, don’t touch your face. Don’t shake hands. We’re doing the bump these days. And the hand-bump. Yeah, we’re doing all of that. You know, some of this is basic. Okay?

LN: It’s space.

CY: Yes.

LN: Normally, you give me a big hug when I come in.

CY: No hugs.

LN: We did the elbow bump.

CY: Yes, that’s right. No hugs right through here, okay? Sorry, I’m a hugger, but I’ve just kind of pushed away. And the other we thing we just implemented today in our office, we usually have our meetings and everybody comes to the meeting, and everybody’s in the room. Everything’s closed up. So today we decided that we weren’t going to do it that way. We’re going to do it remotely. So, wherever you are, you tune into the meeting, and we’re going to have the meeting. So they have a name for that. It’s called social something…

LN: Social distancing.

CY: Distancing! That’s it, That’s it! So, that’s what we’re doing. And, little by little, as people get used to things, we’ll be fine.

LN: I think it makes sense to try to do this stuff before you have no choice.

CY: Yes.

LN: You can work out the kinks.

CY: Yeah, yeah. So far, so good. In our office we’ve had our challenges with some folks who have called off, said they’re not going to vote. I mean, they’re not going to… They can’t participate, they won’t be judges and that kind of thing. But we’ve been able to backfield them in. So I feel real good about March 17th. I think too, everyone should prepare for the likely event that as this thing continues that schools could be closed. That hasn’t happened yet, and it’s been evaluated on a case-by-case basis, but that’s a logical decision but that’s a logical decision that might be necessary in the future. And, so thinking about that now and thinking about if that happens, can I still answer my call at work maybe on my smartphone?

LN: Yeah. I think we’re going to adapt. I think we’re going to adapt to using smartphones

CY: Thank you Lee!

Other related videos in Cook County Clerk Karen Yarbrough Series

View CDC on Coronavirus Symptoms

https://www.cdc.gov/coronavirus/2019-ncov/symptoms-testing/symptoms.html?CDC_AA_refVal=https%3A%2F%2Fwww.cdc.gov%2Fcoronavirus%2F2019-ncov%2Fabout%2Fsymptoms.html

View this website to learn more information on Coronavirus

https://www.hopkinsmedicine.org/health/conditions-and-diseases/coronavirus/coronavirus-social-distancing-and-self-quarantine

Keeping Offices Safe

Clerk Yarbrough sits down with Lee Neubecker, President & CEO of Enigma Forensics to discuss the current state of affairs. Clerk Yarbrough assures everyone voting on Tuesday, March 17 voters will be met with a clean and safe environment. Come and Vote and March 17!

Cook County Clerk Karen Yarbrough Gives Safe Voting Practices

Cook County Clerk Karen Yarbrough would like voters to know her staff is taking every precaution to make all voting stations a safe and clean environment. On top of her list, everyone should wash your hands! She says all voting staff will continuously wipe down all surfaces and are trained to keep the stations clean. Clerk Yarbrough urges everyone to remember the rules your mother gave you!…Wash your hands, sneeze into your sleeve and if you have a fever stay home from work, don’t go out and stay in and take care of yourself. Clerk Yarbrough sits down with Lee Neubecker, President & CEO of Enigma Forensics to discuss the current state of affairs.

Check out this video interview to find out what precautionary steps the Clerk’s department has taken to make sure each voting office stays safe.

Election Day is on Tuesday, March 17

Clerk Yarbrough says Keep Calm, We are on the Job!

Lee Neubecker: Hi, this is Lee Neubecker, president of Enigma Forensics, computer forensics firm based here in Cook County in Chicago. And I had the pleasure of having our very own Cook County Clerk, Karen Yarbrough, here on the show to talk a little bit about what her office is doing to help keep people safe, in light of the recent corona outbreak. Karen, thanks for being on the show.

Clerk Karen Yarbrough: Thank you, Lee. Well, you know, this is a really busy time for us and we have a number of, we have our regular employees and then we have a lot of people, almost 8,000 people, who will be involved in the election on the 17th. So we want everyone to be safe. So in the office, what we’re doing is, first of all, we’re educating people. Now, some of this stuff is just common sense. I mean, people should know to wash their hands. They absolutely should know that. They also should know that if you have to sneeze, you don’t sneeze out like that, you go like this, okay? I mean, didn’t your mom teach you that? I mean, mine did, so. So the education or bringing it back to people on how we can keep safe. So our people have, they have obviously Purell. They have the gloves if they want to wear them. They also have, they clean their work stations. So we have everything that they need and we have a big influx of people for several reasons and especially in vitals and in elections and so we want everyone to be safe.

LN: So with the election fast approaching, I know that previously you were on the show to talk about early voting, in trying to get people to pull a ballot so that they could vote from home. It’s too late for that now, but what would you advise that people should do as they’re heading to the polls?

CY: Well, hopefully they’ll have a card or some information on who they want to vote for. They’re going to find our brand new voting machines there and it’ll probably take them all of two or three minutes to vote this time. So the ease of voting, they’re going to find friendly faces there and people who are willing to help them. We have the touchscreens and we also have paper ballots if people want to use ’em. But we’re encouraging people to use the touchscreen. If you want to use your finger, then you can wipe your finger off with, and we have everything there. I mean, absolutely.

LN: Like Purell?

CY: Absolutely, we have everything there. They could use a pen to do this, you know. They could use their, bring their own pen if they want to fill out a paper ballot. So, you know, again we’re telling people use some common sense here as it relates to, you know, today and all through the last few days, what I’ve been doing is going to the early voting polling places and so I’ve met all of the judges and I see the way that they’re greeting people. They’re not shaking hands, they’re doing fist bumps or arm bumps. Yeah, like that or whatever, but they are not shaking hands. So, you know, as I’ve looked, and we’ve been looking at, watching what’s coming out of Washington, what’s coming out–

LN: Even here in Chicago

CY: Absolutely.

LN: Yesterday we had the Prudential building had their first case.

CY: Yeah, how about that? How about that? But you know what? For the most part, 80% of the people who contract it in the first place, they’re going to be fine. Children are going to be fine. It’s people who have compromised systems that have the problems. And older people. I get all of that, but people can be safe and they can be competent, use common sense and be safe.

LN: Yeah, like not jumping on an airline when you know you’ve tested positive. I don’t think you should do that if you have Corona Virus.

CY: Don’t come to work sick. We’re sending people home. Anybody’s around there sniffling or what have you or they don’t feel well, if they have a fever. If you got a fever, you ought to be at home. You shouldn’t be with us.

LN: And just because you have a fever, you shouldn’t be flipping out thinking you have Corona Virus.

CY: Not at all, not at all.

LN: They say that you need to have three specific symptoms combined to worry about it. You need body aches, fever, plus respiratory problems. So if you don’t have all of three of those, don’t bug your doctor. The doctors are under control.

CY: Don’t panic.

LN: Unless you, if you have a fever that runs awhile, call but don’t. Then you should assume that you have Corona Virus.

CY: I’m hoping that we get some better information out of Washington, though. There have been mixed messages there, so let’s hope that we can get better information out of Washington as well as what we need. I noticed that out governor was pretty frustrated about his inner workings with the federal government on what we need in Illinois. So let’s hope that they get that together.

LN: Yeah, absolutely. Well, thanks for being on the show again.

CY: Thank you.

Watch related videos to this series with Cook County Clerk Karen Yarbrough

Other Related Videos

Voting Tips with Clerk Yarbrough

Cook County elections are on Tuesday, March 17. Cook County Clerk Karen Yarbrough assures everyone voting will be efficient and safe Check out these voting tips!

Every Vote Counts

Cook County Clerk Karen Yarbrough says tip number one – be prepared! Tip number two-do your homework on the candidates before you come in and vote. Lastly, it’s ok to bring your notes with you. She ensures that every precaution will be taken to make sure everyone is safe!

Clerk Yarbrough is excited to report, Cook County has all new voting machines that will streamline the voting process. She adds if you would prefer to use the old paper ballot they will have those available too. In addition, the new barcode system will accurately tally and record of voters ballot, which will make counting votes extremely efficient. After the election, Clerk Yarbrough says the office will do a full audit and confirm that every vote is counted She assures everyone voting will be safe and there will be plenty of antiseptic and gloves available! Watch this video as Lee Neubecker interviews Cook County Clerk Karen Yarbrough and asks about voter tips.

Tuesday, March 17 Vote for your Candidate!

The Video Transcripts Follows

Lee Neubecker: Hi, it’s Lee Neubecker, President of Enigma Forensics. I’m a cyber-security and computer forensic expert witness, and our firm’s based here in Chicago within Cook County, Illinois. And I have the pleasure of having our very own Cook County Clerk, Karen Yarbrough, appearing on the show today to talk to all of you about what you should know, what you should do, as you head out to vote in the next few days. Karen, thanks for being on the show and thanks for sharing these tips.

Clerk Yarbrough: Well, thank you Lee. Thank you for the opportunity. We wanted to be able to tell people what they can expect when they come to vote. For people who come to vote each and every time, they usually know. They, you need to be prepared, and one way you can prepare is by having your own notes on who you want to vote for. We have brand new machines this time, and those machines, it’s going to be a whiz. Everybody has told me they love the new machines. For those who are uncomfortable with using touch screens, we’re going to have the regular paper ballots. But, if you’re prepared to vote, it should take you a few minutes to just go straight through that ballot. And, you know, usually people have problems with all of the judges, do your homework before you come in.

LN: Well, it certainly will help speed up the lines and reduce congestion.

CY: Certainly, certainly.

LN: Also wearing gloves, if you’re really concerned, there’s nothing that prevents you from wearing gloves to vote.

CY: Not at all, we’ve seen a few. You can wear glasses. We’ve seen a few people with gloves on. We’ve seen a few people having their own pens because they plan to pull a, you know they want a paper ballot. So we’re going to, you know, bring your own pen if you’d like. We’re going to, at every station, we’re going to have the bacterial .

LN: The Purell?

CY: Yes, we’re going to have that. We wipe down the stations after each.

LN: You must have got yours early.

CY: Yes we did, yes we did.

LN: You were prepared.

CY: Yes, we wanted to be prepared. We wanted to be prepared. We were hearing about what was going on, and we know that we have one day to do the election actually. We have all of these days for early voting, but we have that one day and we got to get it right.

LN: Now, I’ve heard that there were some concerns regarding the barcode on some of the ballots that gets printed that that could be.

CY: I have no concerns about that, okay. The great thing about our new equipment is while you’ll put your ballot through and the barcode is there, but we have a record of each and every one of those ballots. If we have to go back, and we do, we go back and we review to make sure things are right.

LN: So, on paper it’s doing more than just the QR code. It also has the friendly names printed out.

CY: Yes

LN: Is that correct?

CY: Oh absolutely, yes.

LN: So the concerns that some people had were that, I think the concern was that the barcode could be different from what’s printed. But if that were the case, you’d be able to audit that after the fact.

CY: And we do a full-blown audit at the end of every election just to make sure.

LN: So someone voting, they’ll be able to actually see the print out on paper.

CY: They will be able to have that in their hands. They’ll be able to check their choices and then they will cast their own ballot, not us but them.

LN: And so it gets scanned and digitized, but then the physical ballot gets locked in the box, correct?

CY: Yes.

LN: So, there’s a dual system.

CY: Absolutely.

LN: I think that makes a lot of sense.

CY: It does, it does. And it gives people peace of mind. You hear all of these stories about well, my vote may not count, and this. I mean, all kinds of things. So to prevent those kinds of things, we have new equipment, and we have a new process, and I think people are going to like it.

LN: Great, well everyone get out there and vote. And, thanks Karen for all your work on this to help make sure election day goes smooth.

LN: Thanks.

CY: Thank you.

Cook County Clerk.com

https://www.cookcountyclerk.com/agency/2020-elections

Other related articles

Access to Justice with Jacob Meister

Jacob Meister vows to help those who don’t have access to electronic court communication to enable them to help themselves. He is running for Cook County Clerk of Circuit Court. Access to Justice is what Jacob Meiser stands for!

Election Day March 17

Cook County Clerk of Circuit Court Candidate Jacob Meister vows to bring access to justice. He’s concerned for those who aren’t represented by a lawyer in the system, who don’t have access to electronically file in the court system, who can’t afford internet access, or they simply don’t have a computer or most of all they don’t know how the electronic filing system works. These are folks without financial means and denied access to justice. Jacob Meister has a plan that will ensure everyone has access to justice.

Cook County Clerk of Circuit Court Candidate Jacob Meister, the real deal! Lee Neubecker interviews Jacob Meister to learn more about what makes him tick. Check out this video to learn more. You’ll be glad you did!

Meister says…Access to Justice to those who can’t afford it!

Part 4 of our 4-Part Series on Cook County Clerk of Circuit Court Jacob Meister

The video transcripts of Access to Jacob Meister follows

Lee Neubecker: Hi, I have Jacob Meister back on my show. Jacob, thanks for coming in again.

Jacob Meister: Thank you, Lee.

LN: So Jacob’s running for Cook County Clerk of the Court, which is one of the largest court systems in the U.S. One of the things that you talked about before is bringing about justice and access to resources necessary. What would you do to help those incarcerated have access to the information they need to defend themselves?

JM: Well, you know access to justice is one of the principal themes of my campaign because as Clerk of the Circuit Court, I’d be presiding over the second-largest court system in the country as Chief Operating Officer. And as we’re moving towards, for instance, electronic filing, there are efficiencies that are achieved. But at the same time, for those people who aren’t represented by a lawyer in the system, all of a sudden they find themselves where they used to be able to mail in their court filings, all of a sudden they’re required to file electronically into a system. It’s very bureaucratic and hard to use. So as a result, those individuals, maybe they don’t have internet access, they don’t have a computer, they don’t know how the electronic filing system works. They’re denied this access to justice unless they travel down to a courthouse during business hours, and stand in line for sometimes an hour or two, just to get assistance to file into the system. One of the things that I will do as a clerk is to provide computer filing kiosks in every library in Cook County, so that individuals who are faced with a lawsuit that they have to file a response, can do it on evenings and weekends, they don’t have to take time off of work. They can go down, and we’re going to be training reference librarians who understand the electronic filing system, and will be able to provide assistance, showing individuals how they can upload into the system so that people can file and access 24/7.

LN: So you’ll be partnering with other governments that are there, the City of Chicago, other municipalities, to actually train their staff, so that if someone doesn’t know, they’ll have the convenience of going to their local library, instead of having to take off work to come downtown.

JM: Correct, correct. And we’ve got hundreds of libraries in this county. And they’re all potential points of access to our justice system. And as we move to an electronic system, we can increase the number of points of access, and start allowing people in their own neighborhoods to access justice. And that’s really important.

LN: What about those incarcerated that are in the Cook County jail, and what not, is there access to resources there presently?

JM: Absolutely, well absolutely. You know, one of the big problems we have is that the Illinois Department of Corrections has around 600 prisoner appeals pending in Cook County alone, where prisoners appeal their convictions. Maybe they’re trying to overturn the conviction or change the sentence. And right now, records access is so limited that some of those prisoner’s appeals have been pending for more than a year without the clerk’s office being able to get the record to the appellate court, and the appellate court can’t do anything without a record. That is a travesty. So accessing justice is important. I want to have a robust case management system so that those records are accessible, and can be assembled, and that we’re keeping complete files electronically so that they can be transmitted up to the appellate court, and won’t be getting lost.

LN: Great. Thanks for being on the show, this is really helpful.

JM: Well thank you for having me, Lee.

Watch the whole series on Jacob Meister

Part 3 of our 4-Part Series on Jacob Meister
Part 2 on our 4-Part Series on Jacob Meister
Part 1 of our 4-Part Series on Jacob Meister

To Learn More about Jacob Meister

http://jacobforclerk.com/

Cook County Clerk of Circuit Court New Website

http://www.cookcountyclerkofcourt.org/NewWebsite

Cook County Clerk information on Voting

https://www.cookcountyclerk.com/service/view-all-candidates

Keep the Public Safe – Vote by mail!

Lee Neubecker, President and CEO of Enigma Forensics has a chat with the Cook County Clerk, Karen Yarbrough, on how to stay safe during the epidemic when going out to vote.

Request your vote by mail ballot today from the Cook County Clerk’s website before it is too late!

Lee Neubecker, President and CEO of Enigma Forensics has a chat with the Cook County Clerk, Karen Yarbrough, on how to stay safe during the epidemic when going out to vote.

The transcript of the video follows.

Lee Neubecker (LN): Hi, it’s Lee Neubecker from Enigma Forensics. I am a computer forensics and cyber consultant. And I have the pleasure of having Karen Yarbrough, our very own Cook County clerk here on the show to talk about today’s deadline for voting early. Karen, thanks for being on the show.

Karen Yarbrough (KY): My pleasure. So Lee, what I’d like to do today is just simply tell people, please, go online, like right now. Don’t put it off. Don’t wait until March 17th. Now, you know, that’s Saint Patrick’s Day, but it’s also election day. And we just asked if people take the time out today and go online and order your ballot, right now. Just right now, go to cookcountyclerk.com. It’ll come right up on the screen, click the button and you’re in there. And all you have to do is put your information in. We’ll send you your ballot, and we’ll also send you a return addressed envelope, no postage. We’re going to pay for it.

LN: So in light of all the concerns about the coronavirus outbreak, this is a great way to help protect yourself, especially if you’re elderly. Everyone should be doing this.

KY: Absolutely, they should. And I have to tell you that we’re kind of ahead. I’m just looking at the numbers when I was coming over here today, and we’re at record numbers right now for voting. You know, we have our early voting sites all throughout Cook County, and they’re open until seven o’clock. And so people can actually show up there today too.

LN: But right now, if someone wanted right now to do this and get a ballot sent to them at home, what address do they go to do that?

KY: Cookcountyclerk.com.

LN: And right on the homepage, physically.

KY: Absolutely. It’s right on the homepage. They can’t miss it.

LN: And it only takes what? A minute?

KY: Oh my goodness, if it takes a minute. I mean, if you know how to spell your name and your address and your zip code. I mean, that’s what you have to do.

LN: So then I’d encourage anyone that is in a nursing home or works in a nursing home, to help those people get their early ballot, so they don’t have to go to a polling place where they’re going to be around other people. And that way they get their ballot and vote.

KY: Well people who are in nursing homes, we usually have a nursing home election. But this year because of this coronavirus, we’re not doing that. Everybody who wants a ballot, we’re going to take the ballots there to the nursing home and have them to complete the ballots, and then we’ll bring ’em back.

LN: So all of you, it just takes a few minutes.

KY: That’s all.

LN: Go to the Cook County Clerk’s website. Click the link and sign up. And you’ll have a ballot and you can still vote from home. You don’t have to worry about going out to the polls.

KY: Not at all.

LN: And that will help reduce the crowds on election day.

KY: Yes, that’s my message today. Vote, yeah. Vote at home.

LN: Vote early, and often, but from home.

KY: And at home. Yes.

LN: Great. Well, thanks for being on the show.

KY: Thank you.

Cloud Cyber Risk

Cloud-based storage of an organization’s data attracts cyber hackers like bees to honey. Hackers take time to study and find flaws to breach, extract and sell personal information data. Data Experts Lee Neubecker and John Blair discuss cloud data compliance and legal regulations put in place to protect cloud-based data.

Compliance and Privacy Laws

Cloud cyber risk goes hand in hand when storing data on the Cloud. New compliance and privacy laws have been enacted to protect this cloud-based private information. The State of Illinois has passed a privacy law that specifically addresses how companies gather and store private data.

The Illinois Policy Group, an independent organization that generates public policy, explained that in 2008, Illinois enacted the BIPA, the most stringent law of any state regarding the consent, notice and disclosure procedures private entities must follow when collecting, storing or using people’s biometric information, such as fingerprints, iris scans and face prints. This law forces companies into compliance and makes them more responsible for the collection and storage of private data ultimately, decreasing exposure to cyber risk.

Data Experts Lee Neubecker and John Blair say because of BIPA companies are now more aware of how they secure and store data. They discuss other data compliance and privacy laws such as; California Consumer Privacy Act (CCPA) and Health Insurance Portability and Accountability Act (HIPAA) and how these laws help regulate the healthcare industry and other organizations when storing consumer data, and vendor data in the cloud ultimately protecting the consumer. Watch this video interview to learn more.

View Part 2 of our 3-Part Series on Cloud Data

Part 2 of our 3-Part Series on Cloud Data

Lee Neubecker: Hi I am back again with John Blair. We’re continuing our discussion on cloud security and helping to minimize your cyber risk of having data in the cloud. And today, we’re going to be talking more about some of the compliance and regulatory issues and legal issues that companies face that are having their data and customer data, vendor data in the cloud. So, John, can you tell me a little bit about some of the regulations that impact the healthcare sector specifically?


John Blair: Yeah, the primary one is going to be HIPAA and associated as subsequent acts like HITECH and things like that that augment HIPAA and some of them more clearly defined some of the rules and regulations, primarily Security Rule and Privacy Rule. So those are going to be the ones that primarily come into play, but there are also individual state versions of healthcare acts that you need to abide by and each state has one so you also need to abide by the state regulations as well.

LN: Interesting. So it really, if a company’s operating in multiple states, they have a lot of issues to be looking at.

JB: They have a lot of regulations to be aware of and to be compliant with, yep.

LN: So I know here in Illinois, we have the Illinois Biometric Information Protection Act, otherwise known as BIPA and that’s been creating a lot of stir with Facebook recently had a settlement.

JB: Yep.

LN: And apparently Illinois Residents that have Facebook accounts might be entitled to around $200 per person.

JB: Yep.

LN: If you are in Illinois and have Facebook, so possibly you will be notified.

JB: Yeah, Illinois is the only one.

LN: And do you think it will be through Facebook Messenger?

JB: I do not but Illinois because of that law, Illinois residents are the only ones that are getting anything out of that lawsuit because of that, specifically because of that law.

LN: Got it.

JB: So I don’t know the details of the law but on the surface, it seems to be headed the right direction.

LN: Right, essentially they took the position that your biometric information, unlike your cell phone or your social security number, you can’t change it.

JB: Right.

LN: So if that data becomes compromised such as your facial vector map,

JB: Yeah.

LN: Or your fingerprint or your DNA, that you can’t swap it, it’s part of who you are.

JB: Right and those, you know, we’re finally headed in the right direction where it’s being considered personal.

LN: Yeah.

JB: So which I totally agree with.

LN: We also had just last month the California Consumer Privacy Act, known as CCPA went into effect and that’s got a huge impact on anyone who does business with California residents.

JB: Yeah, that is yet to, I think people were preparing for that prior to that but it’s going forward, I’m sure there’s going to be a lot of repercussions from that because there’s going to be obviously companies and entities that don’t prepare well for that and are going to get caught up in it because it covers, California is a huge state, a lot of people so there’s going to be some lawsuits.

LN: So it’s also been such that if you’re making medical devices for consumers and you have that information, relaying over 3G, 4G networks, we’ve got CPAP machines, pacemakers, all other types Of information. LN: All kinds of monitors

JB: Yep.

LN: And that information going to the cloud, if you’re a California resident and that information gets breached, it could be used by marketers or it could be used In other ways to target people.

JB: Yeah hospitals are going to need to really step up their game with respect to that particular regulation. Hospitals traditionally are a little bit behind technically speaking from an IT point of view, they’re very much on the bleeding edge from a medical device IT point of view but they tend to lag behind because you can’t, it’s hard to afford both

LN: Yeah.

JB: But this is going to, you know, how they allow individuals or access to their networks, what they allow in and what they allow out because that’s the channel these medical devices use is going to be very, very important that they get more control over those things.

LN: So as it relates to healthcare, what are some of the concerns about when a data incident is discovered to actually turn out to be a data breach, what types of reporting and notification requirements are unique to the healthcare sector?

JB: Well, first and foremost, you need to evaluate the situation and then have in conjunction with your legal team and compliance teams, establish whether or not you do officially declare it a breach which means you need to investigate it, you need to involve any vendors that were involved with that data because it may have been the vendor that you’ve contracted with that actually had the breach of the disclosure and not you but since they’re your vendor, you’re also on the hook and that flows all the way up from business associates, which is what those two entities will be up to the covered entity who actually owns the data. So after a thorough investigation and consultation with legal and compliance, a determination needs to be made whether or not you’ve formally declared a breach. And if so, then there’s all kinds of HIPAA standards that come into play about notification to the government, notification to each individual affected by the breach, what needs to take place with respect to that notification, there’s a timeline involved that needs to be met. So there’s all declaring it a breach is a very formal and arduous task.

LN: Yeah, not a pleasant one.

JB: No.

LN: In our next segment on securing data in the cloud, we’re going to be talking more about when a breach is discovered, some of the issues related to reporting the breach and what that can mean to an entity, especially if it’s not handled correctly. So thanks for being on the show again.

JB: Thanks, Lee.

View Part 1 of our 3-Part series on Data Cloud Storage

BIPPA Laws

To learn more about HIPAA

https://www.hhs.gov/hipaa/index.html

Illinois BIPPA policy

https://www.illinoispolicy.org/

Coronavirus: The Global Impact

Coronavirus is here and leaving death and destruction in its path. Lee Neubecker and Geary Sikich uncover the Coronavirus and its global impact on businesses worldwide and what it means for us here at home in Chicago.

Coronavirus is here and globally impacting our world. Human beings are dying and the toll keeps rising more and more each day. That is the horrible truth of disease! Besides causing human pain and suffering the Coronavirus is also causing disruption and impacting many businesses that are dependant on each other. What does the impact look like? Forensic Expert Lee Neubecker and President of Logical Management Systems Geary Sikich dissect Coronavirus and the huge global rippling impact. For example; Chicago recently canceled the Housewares Show at McCormick Place which typically draws over 60,000 attendees. Everything associated with that conference will feel a significant downturn. ie. hotels, travel, transportation, local food, and beverage. As a result of this global business disruption, there will also be an increase of vulnerability and these experts anticipate an increase in cyber activity. Watch this video interview to learn more about other global industries impacted by the Coronavirus.

Part 1 of our 2-Part Series on Coronavirus

Coronavirus Series: Part 1 is about The Global Impact

Lee Neubecker: I’m here today with Geary Sikich. He’s the president of Logical Management Systems, a cyber and business continuity consulting expert. And I’m Lee Neubecker, the president of Enigma Forensics. We’re a computer forensics firm that provides investigative assistance with matters involving litigation or otherwise investigations. Today we’re going to be talking about the Coronavirus and the global impacts. Thanks, Geary, for being on the show.
Geary Sikich: Thanks, Lee, for having me back.

LN: So, Geary, can you tell everyone what’s happening right now globally, as it relates to the business environment in impacted nations?

GS: Well, the current state of affairs is that Asia is in a situation where Coronavirus continues to kind of expand. It’s expanding at a lesser pace in China, but it’s accelerated in places like South Korea and in Japan. And we’re starting to see it, obviously, move from those Asian countries into the Middle East. Iran has a huge issue with Coronavirus. Italy has another big amount of people that are confirmed cases versus cases under observation. So there’s a significant amount of human impact there. On the business side, this has disrupted a lot of businesses in just about every way you can imagine. So, the shipping industry? Tremendous disruption there. Airline industry? Tremendous disruption there. A lot of flight cancellations and other things. We’re seeing now sporting events, conferences, conventions, all kinds of things that are essentially money-makers in the normal sense, but also dependent on a tremendous chain of support to bring off. Suddenly a conference is canceled, and now you have hotels affected, you have transportation systems affected, you have all the food services affected. This kind of rippling through a lot of areas is causing a very very big concern with, not only businesses but governments. How do you control it and what do you do in this situation?

LN: So, here in Chicago, we have the Chicago Housewares Show canceled. Recently many vendors were coming from other nations where there’s a travel ban. And that impact certainly impacts the workers that are at the hotels, The audio workers.

LN: And whatnot, their hours get cut.

GS: Yeah, the interesting part about that is that when you begin to look They had on the news the other day, They had on the news the other day, was talking about the cancellation of this convention. 60,000 people come. And obviously there’s a lot of work that’s done: Setting up booths, displays, and all the other things that go along with it. Suddenly, he’s out of work for a period of time until the next convention comes in or maybe doesn’t come in. But that ripples through to hotels, food services, restaurants, your taxi cabs, your Ubers, your Lyft, your everything associated with coming to a place for a conference or a convention. So a huge impact. But then you also have So huge impact.

LN: But then you also have and these deliveries are now delayed because of the dockworkers that load up the equipment

GS: Systems.

LN: And these deliveries are now delayed where they have restrictions in place.

GS: And an interesting sidelight to that is that you look at the shipping industry and the amount of material that’s shipped by the containers those ships carry are what they call 20,000 TEU which is a 22-foot equivalent unit. Or 20-foot equivalent unit. Anyway, it’s a size that they have. If you look at that aspect, one of the things that some companies are starting to encounter, and I think you’re going to see more and more of this, is that because of delays in shipping, suddenly the container supply is not as available because your container, Lee, that you shipped, full of your product is sitting out in the ocean waiting to dock at my port, but it can’t come in because it’s quarantined? And now that container is going to sit. But John’s company needs a container to ship his product. Can’t get it because your container’s the one he would’ve normally gotten. So huge impacts in terms of ripple effects in a lot of it. So the average time that the container holds goods, in terms of the number of days is increased markedly. And the existence of the containers largely

LN: So the average time that the container holds goods, so there’s a shortage. Right. And if you think about this in another context, the number of things in the containers, it’s not just computer chips,

GS: Right. Roughly, and I heard a figure that was kind of astounding to me, but about 80% of all the containers are full of perishable foods.

LN: Oh yeah, certainly.

GS: You’ve got your bananas, and oranges and things that we don’t necessarily get in Chicago in the wintertime ’cause we don’t grow them.

LN: Oh yeah, certainly.

GS: You’ve got your bananas because it’s no longer fresh. I’ve got to decontaminate the container. because we don’t grow them, in terms of how these all are impacted. Which gets us into looking at, from a computer security standpoint. These are tracked. Barcoding systems and whatnot. How easy is it for that to get disrupted because somebody decides it’s an opportunity to hack into a network?

LN: Certainly, when systems are constrained and overworked, it’s the likelihood of a failure or an attack compromising the system goes up. So it creates a real opportunity for a hacker to strike and have a magnified impact, So here in Chicago, we have a lot of companies that are impacted by this. We’ve got Boeing, We’ve got United Airlines. Boeing. Major facilities for companies that, while headquartered elsewhere, operate big hubs out of Chicago. Especially in the airline industry.

GS: United Airlines. still, kind of the shipping center for a lot of the country. And if you look at the Chicago area, if you will, you’ve got then industries in Northwest Indiana, you’ve got industries south of Chicago.

LN: Rail.

GS: A huge amount of rail traffic that goes through. The expressway between Indiana and Chicago, 80, 94, is one of the heaviest traveled expressways in the world. You’ve got a number of other businesses that suddenly have the exposure that they hadn’t realized. A huge amount of rail traffic that goes through. What would happen if you took the casinos in the Chicago area and closed them down for two weeks? It’s not just casino workers. It’s not just the amount of money the casino’s going to lose by not being in operation. It’s the day worker. It’s what we call the gig economy. Those people who live paycheck to paycheck that are dependent. So suddenly, they’re without. How are we going to deal with making sure that there’s a, if you will, an equilibrium or a safety net for those entities? One of the things we’re faced with, starting to see now, the City of Chicago’s just announced they’re just putting together a pandemic taskforce. They’ve had a few months watching it unfold in China. much like the rest of the United States, and, if you will, the rest of the world in some respects. Why has it taken this amount of time, and what do we need to be aware of from a private-sector standpoint as to what the public sector is going to do? So from a planning standpoint, this is critical. If you’re a business and you’re putting together a plan, and your plan suddenly conflicts with the City’s plan or the State’s plan, what happens then? How do you deal with that?

LN: Those are all great points. In our next segment, we’ll be continuing our discussion, and we’ll be talking a little bit more about what it’s been like for businesses that are going through some of these extreme measures that are being put in place to help protect and contain the virus from spreading. Thanks for being on the show.

GS: Thanks, Lee.

Other related articles

City of Chicago’s response

https://www.chicago.gov/city/en/depts/cdph/provdrs/health_protection_and_response/news/2020/march/public-health-officials-announce-new-presumptive-positive-case-o.html

For information about how you can prepare from the Center Disease Control.

https://www.cdc.gov/coronavirus/2019-ncov/community/index.html

Data Breach Response After the Fact

Your email has been frozen and your company website is down. Your IT department has confirmed a data breach. What do you do next? Incident Expert Lee Neubecker and legal expert Kari Rollins offer easy instructions about your next important steps.

It’s a fact! Your IT team confirmed a Data Breach or incident has occurred. What do you do after the fact? Forensic Expert Lee Neubecker and Legal Expert Kari Rollins say don’t panic! First, convene with your incident response team, start to investigate under privilege, and contact a 3rd Party forensic expert to help preserve vital information. Watch the rest of this video for further recommendations about data breach response after the fact!

View Part 3 of our 3-Part Series on Data Breach

Part 3 of our 3-Part Series on Data Breach

The Video Transcripts of Part 3 of our 3-Part Series on Data Breach follows

Lee Neubecker: Hi I’m back again with Kari Rollins, and she’s here talking with me today about data breach incident response. The Sedona Conference recommends, how an organization should respond to such incidents. And we’re talking in this third part segment about what to do after an incident has been reported. So Kari, please tell me what the initial issues are that come to mind when you get that phone call from a client that says something happened.

Kari Rollins: Sure, so usually, as we were talking about in a prior segment, you may not know whether you’ve had a breach as defined by law. You are just told by your information’s security team, or an employee or a manager that you’ve had, there’s been an attack. Or there’s been, “I can’t get access to my email,” Or, “My account’s frozen.” So you immediately start to investigate. You want your.. according to your incident response plan which we’ll hopefully have in place, you’ll convene your incident response team; you’ll start to investigate under privilege. You’ll call if you need your outside forensic investigator to help you access it. Help you access what’s happened, right? That the facts in an incident are really, really important because they drive the legal conclusions. Have you had a breach, or have you had an incident that has resulted in the acquisition with just the access to personally protected information? Or are you.. did you have an incident where maybe the systems that house the personal information were accessed, but there’s no evidence that the malware ever made it into the room where the family jewels are hidden and they were taken out. And that’s an important part of understanding whether you actually have a legal obligation to notify regulatory authorities or consumers. So the first step is always convening the team, putting it under privilege, calling your experts, and starting to investigate the important facts. Was this an outside threat, was it an insider threat? I know you’ve had experience a lot with investigating internal threats, which are on the rise these days as I would expect.

LN: And a lot of these incidents, it may be reported as a data breach, and the question is well, how did it happen? And sometimes, it’s not too uncommon that IT staff don’t receive the resources they request, and that data incidents happen as a result of being under-resourced. And in circumstances like that, there’s still a lot of pressure on the people managing IT, to not only run the organization ongoing but to deal with this whole new layer of troubles. So having that team in place beforehand where those relationships are there really helps.

KR: Yes

LN: And the other thing too is, you know, if there is a failure internally, it’s more difficult and less likely that you’re going to get the facts quickly if you’re using the team responsible in some way for the breach to report on what happened. I always recommend that after that initial meeting that preservation of key data occurs, and is offloaded outside the organization. You know, log files, certain key computers, email systems to the extent that they were modified so that there’s the ability to do that analysis. Because when an organization has an incident, it’s quite possible that all the data disappears, and the effort to cover the tracks.

KR: Or it’s not even, it may not be as nefarious as that. It could be that the teams are working so quickly a lot of the remediation plans are to thwart the malware and to remove it. But, in a lot of instances, you need to safely remove it and keep a copy of it, because you need to reverse engineer it. And understand how it got there, understand other signatures it might have; so being thoughtful, and we talk about this being thoughtful about evidence preservation is really critical, especially if you get to the point at which you do have a breach that requires notification. And litigation regulatory inquiry ensues, you will have been expected to preserve that evidence and show the chain of custody. Otherwise, you could have allegations of spoliation leveled against your company.

LN: And I’ve seen circumstances too where a legitimate data incident happens and we’re able to get it quickly and identify the impacted individuals. And sometimes it’s just been a few people; in a circumstance like that, it’s much easier to reach out to those individuals, make things right, and resolve the issue. And be able to report to them what happened. It’s much better than having to publish on your website and report to the attorney general that you had some massive data breach. So, not all data incidences are massive data breaches.

KR: That’s true, some of ’em impact you know, one or two individuals, and you may still have an obligation to notify them under the relevant law. But they don’t have to be the big massive breaches. And again, I think the great thing about the Sedona Conference Guide is that it’s, you know, it helps companies navigate small to big breaches. You know, it’s not intended to be the ultimate authority on the law in this area, because the law is ever-changing. But what it does is it helps companies issue spot from a practical perspective so that they know what laws they need to consult, and why and what issues they need to address, like for example, notifying your insurance carrier. One of the big questions we always get is, Well, we’re the victims, here; the company X is a victim of this cyber attack. Who’s going to pay for it?

LN: Yes.

KR: And so, insurance coverage for cyber incidents has is a really hot button issue these days. And so it’s important for companies to know in advance what their policies say, what the notification requirements are. Even if they just have a sniff of an incident – maybe it’s not a breach. So that the third party and first-party costs are covered, and that you’re working with your insurance carrier, and you’re working with your insurance council to ensure that coverage. And to make sure that you’re getting the right information to your insurance carrier about your forensic teams. Are they approved? What rate are they going to be reimbursed? What type of reporting do you have to do from a cost an expense perspective to your insurance carrier? So.

LN: And, it true that if companies use their own internal IT resources to do the investigation, that the insurance carriers usually won’t pay out their own internal resources?

KR: It really depends. It depends on the policy.

KR: It really depends on the policy. There are, in some instances, some policies would cover the first party staffing costs, so for example, if you had to pay staff overtime to work 24 hours a day to try and investigate, you may be able to claim that. But it really depends on your policy. There’s certain.. there’s certainly reimbursement line items for business disruption and business interruption. Or, you know the loss of business, loss profits line items, as a result of ransomware tax. But again, knowing your policy is a critical step in preparing.

LN: Where do you see the benefits of using an outside forensic investigator as opposed to internal IT to investigate when an incident happens?

KR: You know I think it’s two-fold, one, a lot of internal IT teams are taxed as it is with their day to day obligations. And if an incident is one that is medium-high critical, you want to be able to dedicate the resources to the incident to investigate swiftly, and to ensure that there’s no delay. And so pulling in a third-party forensic expert alleviates some of that burden and stress on the IT teams. And then separately and secondly, it also creates a level of objectivity that is.. that benefits the company in the event. Or in the unfortunate event, someone in the IT group may have made a mistake that caused the vulnerability. There’s less likely that that mistake would be covered up. Or there’s going to be more candor from the third party expert, the to management team say like, “Hey, this issue should have been addressed”. And it wasn’t, and now you know what thwarts may be in the event. You have some litigation down the road and you need to defend. But so I would say really sort of time and devotion of resources where needed, and objectivity.

LN: Great, well thanks a bunch for being on this show; this was great.

KR: Absolutely, thank you.

Part 1 of our 3-Part Series on Data Breach

Part 1 of our 3-Part Series

Part 2 0f our 3-Part Series on Data Breach

Part 2 of our 3-Part Series
Data Breach Incident

To Learn More About Sheppard Mullin / Kari Rollins

https://www.sheppardmullin.com/krollins

Securing Data in the Cloud

Secure Cloud Data! Large organizations buy cloud services that provide storage on servers and other devices and connect with computer networking equipment throughout the world. So, how are they securing the data? Experts Lee Neubecker and John Blair say start with knowing what data is being stored.

What steps do organizations need to take when securing data in the Cloud?

The Cloud is digital storage that is physically secured and stored on big servers owned by big companies and made accessible through the internet. These big companies are connected with other computer networking equipment throughout the world. Does this sound too big to secure? Experts say there’s no time like today to understand where your data is stored and how it’s secured.

Today on the “The Lee Show”, Forensic Expert, Lee, and his guest John Blair who is cyber governance and information technology expert, explores the complexities of cloud-based security and storage. John suggests starting with obtaining a holistic inventory of your organization’s data and most of all be aware that some employees bring their own applications and use their own personal device to store organizational data. Check out this video on securing data in the cloud to learn more about cloud storage and cyber risk.

Part 1 of our 2-Part Series on the Securing Data in the Cloud

Part 1 in our 2-Part Series on Securing Data in the Cloud

The Video Transcripts on Securing Data in the Cloud follows

Lee Neubecker: Hi, I’m here today with John Blair. John is a cyber governance and information technology expert. He’s on the show here today with me to talk a little bit about securing your data in the cloud. Thanks for being on the show again, John.

John Blair: Hi Lee, good to be back, thank you.

LN: So we’re talking about cloud cyber risk. What do organizations need to be looking at to help secure their data in the cloud?

JB: I think first and foremost, you need to understand where is all the data and how do people get data in and out of their environment? There’s a lot of things typically called Shadow IT, where certain departments or certain users might you know, for example, start sending things to Dropbox to sync data amongst themselves to make it easier for themselves. But they might be syncing confidential information that’s not on Dropbox and the organization has no idea about it. You know, that scenario plays itself out over and over and over again, where there might be departments that actually use applications in the cloud that thus obviously, are processing data as well that the organization might not know about either. So you need to get an inventory of data. Where is it from a holistic point of view?

LN: And today you have the Bring Your Own Cloud, BYOC,

JB: Yes

LN: Many employees are bringing various apps with them that they’re used to using from their prior employers, and they’re wanting to use these apps. Sometimes they’re putting them on their smartphones and whatnot.

JB: And that’s driving a lot of the corporate action towards that. The cloud for first and foremost is a cost-savings for the most part. But what people are not realizing is that along with those savings comes certain responsibilities. And, from a user perspective, you know, people are used to as you said, people are used to certain applications, they’re used to certain things on their phone, or on a tablet or they’re used to working in a certain way with certain applications. And then you get in a corporate environment and those applications or that way of working might not be available. And so people start voicing that, and it becomes, you know, somewhat of a problem for corporate to adapt and keep up.

LN: So organizations, especially healthcare-related organizations, as well as financial services and other organizations that depend on intellectual property have a real risk here, don’t they with people bringing apps?

JB: They have a very big risk. Both of those sectors are heavily regulated. Data needs to be very tightly controlled. Breach notifications in the event that it happens become a very big deal, very public. And if you can’t explain where the date is, and where you know, who has it, then you have a problem.

LN: So isn’t there also risk not only faster dissemination of intellectual property and trade secrets, but what if the information becomes compromised by malware or a hacker to morph the data or destroy the data?

JB: Yeah, your only recourse at that point is to have really, really good backups. Because otherwise, you have no actionable direction to take. If you don’t have a backup of that data, you know, you have no ability to recover. It still might be considered a breach, a lot of times, and certain organizations or certain regulations. So you still might have to report it, even though the data has never left your organization, the fact you’ve lost control of it might be considered a breach. So that might be something you’d have to consider with your legal teams. But it’s not, it’s still a very big deal because you no longer are able to use it.

LN: So don’t you have a risk though, that if your backup is online, that the attacker could compromise your primary source and then your backup drive attached to your server?

JB: Well, hopefully, they haven’t gotten that far. But if generally speaking, your backups are always in the separate physical location, and not necessarily on the network.

LN: So you rotate them?

JB: and they’re separate, you know, media and things like that, but yeah, if you’ve gotten to the point where they’ve corrupted your database, they’ve encrypted your database, and they’ve also encrypted or destroyed your backups, you’re, in a very bad way.

LN: So knowing that hard drives sometimes fail, if you’re using a physical hard drive to write the data to, what do you think most organizations should be doing to ensure they have a certain number of versions that they can restore to?

JB: Well, normally backup systems are version controlled and so you do backups based on frequency. You do daily, you do hourly, you do you know, on the spot, so there point in time, a lot of times where there’s a lot of people, organizations, that can afford it have failover data centers, for example, that are mimicking the primary data center. So there is no loss of processing. but that’s very, very expensive to do. But yeah, you should definitely have you know, off-site storage of data. But those are all historical, and things that are not necessarily online that you can immediately refer to those lesser compromised to your point. LN: So when you’re considering bringing in a cloud provider to your organization, is it an official, non-shadow ware operation? What are some of the questions you ask of your vendors and things that you look for to help secure, ensuring those cloud providers are secure?

JB: Right. First and foremost, do they have some sort of testations with respect to the services you’re going to use for that provider? Cloud providers have hundreds and hundreds of services, not all of them are audited by an independent auditor, not that that guarantees anything, but at least if it’s the services you’re going to use or the applications you’re going to use. or the locations you’re going to use with that cloud provider, then you have something to point to say, you know, we did our due diligence, and they have these SOC 2’s or whatever form it might take. But you have to do something on them to ensure that, because the cloud is half their responsibility and half of yours, and you have to make sure they’re doing their half.

LN: So what other things do you think that organization should look for if they’re using data in the cloud, how to maximize the security of that data?

JB: First and foremost, I think they need to within their own organization, block these drop boxes and the Google drives and all that sort of stuff like that, so that people individually can’t make you know, downloads for example, from the database and then upload it to Dropbox or Google Drive or whatever, and then go home and look at the same documents. You know, from a personal perspective, that’s very convenient, it’s very nice to have to be able to sync and you know, you can use one, one central source of the information, but from a corporate perspective, that isn’t your data. It’s a corporation’s data. And so, you know, the corporation needs to be responsible and know where that data is going, and how to prevent it ideally, from getting there. It’s very easy to drop, you know, to block Dropbox at a network level, you know, but the problem is that there are hundreds of those types of things to block. And so you know, you need to do a lot more care from a corporate perspective internally to make sure that your users aren’t putting data someplace where you lose control of it.

LN: And are there any, any other things that you’d recommend adopting if you’re going to use these cloud platforms to help ensure that hackers don’t get access to user accounts?

JB: That’s an interesting one because as yours been, you know, almost all those user accounts have been hacked at one point or another. And so the only thing protecting me at this point is a password. I think multi factors in you know, bio authentication type of actions are the only thing you can do to improve your chances of those accounts not being used by inappropriate people. Because the accounts themselves are basically public knowledge, you know. Your, you know, your username is public knowledge, the only thing protecting it is a password.

LN: And so, you know, the multi-factor authentication actually addresses and requires that you have to have three factors. Something you know, something you are, or something you have.

JB: Right.

LN: So, for instance, many people know their password. They might have a thumbprint or they might have their cell phone.

JB: Right.

LN: That is something that they have. So you know, having that second factor makes it less likely that someone can simply get the password and get in.

JB: Right, where they send like to your point the phone, they send a code to your phone, you enter the code into the application–

LN: Exactly.

JB: And then you gain access. Until then you’re simply at the network border.

LN: So on our next video, we’re going to be talking a little bit more about, again about the cloud, cyber risk security and specifically we’ll talk about some of the legal and compliance issues that arise. Thanks for being on the show.

JB: Thanks, Lee. My pleasure.

Other related articles about securing data

National Institute of Standards and Technology on Securing Data in the Cloud

https://www.nist.gov/system/files/documents/itl/cloud/SP_500_293_volumeII.pdf

Academia Data Governance Information

https://www.academia.edu/37900938/Information_Governance_Concepts_Strategies_and_Best_Practices.pdf