Cyber Attacks And Data Breaches – The Official Podcast Transcript

Cyber Attacks and Data Breaches: What Associations Need to Know

If you received an email demanding hundreds of thousands of dollars in ransom money or else your members’ private data would be released on the dark web, what would you do?

According to the Sophos 2022 Threat Report, three of the biggest threats businesses can expect to see this year are ransomware, malware on mobile devices and attacks on internet infrastructure. To fight these challenges, both your employees and your systems must stay vigilant to a growing and ever-changing threat landscape. (The Washington Post.)

According to a February 17th article in Fortune, governments worldwide saw a 1,885% increase in ransomware attacks in 2021, and the healthcare industry faced a 755% increase in those attacks in 2021, according to the 2022 Cyber Threat Report.

Ransomware also rose 104% in North America, just under the 105% average increase worldwide, according to the report.

Why are we seeing this surge in these types of activities? Association Chat talked with two cyber security experts from The Trust Bridge about these threats. Links to the interview and transcript are below.

Listen or watch the interview! Or you can read the entire transcript below.

Tue, 4/5 10:32AM • 47:46


SUMMARY KEYWORDS

people, organization, data, policy, data protection officer, data breach, company, ransomware, risk, governance, talking, staff, happen, david, association, problem, data sharing agreements, place, lost, protect

 

All podcast episodes are available on Apple Podcasts!

SPEAKERS

David Clarke, Penny Heyes, KiKi L’Italien

KiKi L’Italien  00:06

Welcome to Association Chat, an online discussion where we warm ourselves by the virtual fire with topics of the day, welcoming thought leaders and trailblazers alike to join up in this online home for the association community. And you’re here too, and we’re going to be talking about today a topic that I think a lot of us hear about, hopefully don’t have to worry with. In our immediate however, we might, because I want you to imagine this. What if you received a message that told you that your association members’ private information was going to be released to the dark web unless you paid $847,000, I’m just pulling that figure out from the air, unless you paid this exorbitant amount of money to the ransomware gang holding your data hostage.

It sounds like a nightmarish scenario. And maybe some of you have actually faced this. Because more and more we are seeing that these ransomware attacks, data breaches, all kinds of different attacks on your organizations that they’re happening, and they’re increasingly happening exponentially worldwide. And the likelihood of you facing some kind of issue like this is increasing every single day.

So today, I’m talking with two experts in data security issues who are known for their work at The Trust Bridge, I’m going to bring them up. Here we go. I have. I have Penny Heyes, and I have David Clarke with The Trust Bridge. And let me just say, Penny, you are the Chief Commercial Officer and co-founder of The Trust Bridge, David Clarke, Chief Technology Officer for The Trust Bridge and leading authority on security issues with experience across finance, telecoms and the public sector. Welcome, Penny and David.

 

Penny Heyes  02:13

Thank you, KiKi. Nice to be here with you.

 

KiKi L’Italien  02:16

I am thrilled that you’re here. I’ve talked with you both before – I think the last time we were talking on Association Chat, we were talking about GDPR and what people need to do to, you know, be forgotten if they need to be forgotten where the onus of responsibility fell.

But today, we’re talking about cyber attacks and data breaches. And I want to share that I read this article in Fortune, published in February of this year, that said, and I’m going to just read for a moment, governments worldwide saw a 1,885% increase in ransomware attacks, the healthcare industry faces a 755% increase in those attacks in 2021, according to the 2022 Cyber Threat Report. Ransomware also rose 104% in North America, just under the 105% average increase worldwide, according to the report. Wow. Wow. So that’s pretty intense.

Why are we seeing this surge in these types of activities?

 

Penny Heyes  03:30

Well, what’s actually quite interesting, KiKi, is that ransomware is not actually the biggest threat. Yes, it gets a lot of PR, gets lots of attention by the media. But actually, it tends to be things like what’s known as business email compromise, or BEC, you know, three letter acronyms. And that’s really a lot of things that happen inside an organization that could have been avoided.

I think it was the FBI. David, correct me if I’m wrong, that said that 64 times more money was lost on business email compromise than actually was paid out on ransomware attacks. So yes, ransomware gets a lot of attention. But we find that actually, it’s not the key issue that people should be looking at. There’s some other things that are more important. But going back to your point about ransomware.

The easy answer there would be, well, you know, look at the world today, look what’s happening. And yes, we are seeing things happening from Russia and various places like that. There’s some extremely strange activity going on. People will have heard about Facebook, or they used to be called Facebook, Meta. Apple had an attack last week. But there’s other scams that are going around.

We’ve got one over here, all over Easter eggs at the moment and chocolate, chocolate Easter eggs and how you could actually win, you know, a year’s worth of Easter eggs if you did something, clicked on a link, and of course these kinds of things hook people in before they realize that they’re actually losing their data. So, but for associations clearly holding a lot of private data about sort of their members, it’s absolutely critical to make sure that they’ve got the right data protection in place.

 

KiKi L’Italien  05:12

And having the right data protection in place, it sounds like, or I think it could sound like, Okay, well, you know, we have a really great, IT director, we have a really great, we have a really great group of people, I’m sure they’re on top of it.

But how does something like the remote workforce play into this? Because, you know, it’s one thing if you have something suspicious going on on your desktop, and you’re able to call for someone to come to your desk, it’s another one when we’re all spread out in so many different places, so many different configurations. What are organizations supposed to do in this case?

I mean, how does the remote workforce actually impact some of these dangers?

 

Penny Heyes  06:02

But David, we quite often, when we’re talking to individual clients, say it’s actually not just up to the IT department to make sure that everything’s in place, neither is it up to the Data Protection Officer or the Privacy Officer to make sure; it’s really up to everybody to make sure they’ve got their own case involved.

And we actually ensure that our clients have a data breach as well as a data protection policy in place, just in case something like this happens. But David, there are some key elements that we actually are tips that we give people, do you want to run through some of those?

 

David Clarke  06:38

Yeah, I think that they’re all good points. And I think, often they lead to the same thing.

Because often cyber protection and data protection end up being, actually, we’ve just got a bigger problem than the cyber problem. So give you an example. We had a client, they got hit by ransomware, the phone system went down, because obviously it’s based on IP technology rather than the old kind of wire. But actually, the real kind of cost of that problem is they had thousands of employees, and the employees’ data is obviously hit by ransomware. They’ve now got to get their business up and running because they couldn’t pay those members of staff, because they are running payroll locally on their own servers, which, you know, probably realistically, they’re not patched, they’re not updated. Their firewalls are out of date, not patched or updated.

Sharing admin passwords, which didn’t help so they pretty much lost control of where the admin was. And now you’ve got a double problem, because A, you got to get the business up and running, you got to make sure you can pay staff, and then three, the way that a lot of this now works is okay, your data is encrypted, you might get it back from a backup, or if you’re lucky, you might be able to decrypt it.

But if that data has been exfiltrated, easily taken out of the company, and put somewhere safe by bad actors, often that is then released, you know, over a period of time, and you have to pay to stop it being released.

And obviously, there’s no real formal agreement or SLA or enforcement, so you can’t guarantee that’s not going to happen or is going to happen. So effectively, it becomes, you know, a very costly effect you’ve got

 

Penny Heyes  08:20

During the pandemic, when we all rushed home, and everybody was then working from home or using their own devices, there was a massive problem with data security, because people were using their own devices at home, possibly shared devices, even just sitting in a kitchen with children around or spouses, you know, there was an element there of panic, because we were sharing data that we didn’t realize we were sharing.

So bringing that back onto control is something that a lot of organizations are now trying to do, putting in place things like making sure everybody has Company A devices, which they don’t use for their own personal use, but also having a multi level factor for eyes, these sort of phrases that you’ll hear JB can explain better than I can.

But you having various levels of security for people to use when they’re working from home, but ensuring that they’re not using perhaps shared devices, which they would have possibly been using right at the beginning of the pandemic.

 

David Clarke  09:19

Yeah, shared devices is a difficult one, because how do you maintain that they’re patched and updated? How do you make sure that someone’s got a PIN code on it, you know, to protect access to corporate data?

And of course, what’s happening now is manufacturing is now a target. You know, we’ve had numerous targets over here. Where if anyone kind of remembers the 1940s, yeah, ball bearing factories were the target for every military operation. Historically, yeah, you know, bearings don’t sound like they’re very important, but they keep all the vehicles running; without ball bearings, you can’t do it. And so because what we’ve now seen is, we saw, though not necessarily due to cyber attack, chip shortages, because they’re only made in a few factories in the world. But we have seen other, you know, the targeted oil supply in the US.

We’re now seeing and most of the manufacturing, unfortunately, they’re not necessarily kind of spend a lot of resource on protecting their digital assets. We’ve seen lots of companies, you know, give me a drinks company.

Why do they need to protect against cyber war? And you think it through? How did the lorries get the deliveries? Who did the deliveries go to? How do they take payment?

So suddenly, all of that is now easily targetable. Not difficult to do, because potentially, they’ve not really done much for the last 10 years. easy targets, then has a knock on effect. So because work income cannot be affected. So he wants to disrupt an economy. Disrupt manufacturing?

 

KiKi L’Italien  11:02

Yeah, and I just want to say that for those who are listening to this as a podcast and audio podcast later, some really wonderful comments that are coming up on the screen, as we’re talking, my good friend, Ron Moen, and who is out there talking about his own experience at his association and what they’re doing, you will want to go and watch the replay over on YouTube so that you can see some of these comments that we I’m not, I’m not mentioning all of them that are going across the screen. But that’s, that’s what’s happening for our audio listeners. And, you know, I have to say that it is such a challenge.

You know, one thing Ron was mentioning was talking about how they’re moving toward a policy where no organization assets are allowed to be accessed from a personal device. And I think that, you know, that that is, that is obviously the wise way to go that’s that is, you know, a direction that you would want to advise everyone and try to enforce.

But enforcement of that, you know, we’re talking about visitation industry, where there are a lot of small staff or medium staff size associations where, you know, you might have 10, people who are on staff, and the idea that someone is going to be able to monitor that activity and ensure that those protocols are being met, it’s just it’s, it’s highly unlikely that that is something that is going to be happening.

 

David Clarke  12:36

Exactly. So there’s always going to be those types of scenarios.

So quite often, and this is not an extensive list. But we’ve kind of recommended maybe the firm or the association pay for proper virus checker, maybe a secure token. So when they log on, you can’t be compromised or have account takeover much better if you’ve got hardware tokens rather than mobile phone applications. And, and the one that we definitely kind of saw a lot, you know, the last couple of years is that people didn’t realize it, if you’re accessing company data on your mobile phone, or your iPad, or whatever, if you lose it, if you should tell your company so they can disable your accounts.

And of course, we’ve had to highlight that a few times. Actually, yes, you don’t really want to have to tell the company you work for you’ve lost your own phone. Sure, accessing company assets, it protects everybody, they can disable your account, get your password reset. So at least you know, there is there is a limited amount containment that can be done quite quickly. But

 

Penny Heyes  13:37

This is really part of the best practice that any organization should be putting in place: having a data breach policy, as well as a data protection policy. Clearly, a lot of different states in the US now are bringing in their own data protection policies. California was one of the first, and they’re becoming very popular, lots of which are based on the European GDPR that was introduced a few years ago. But having a data breach policy that is updated on a regular basis, and everybody knows about, is absolutely critical. Because as David always says, you know, if you’ve identified that there has been a data breach, who do you call? Who’s the person that you get on to to say, I’ve lost my phone, or I think I’ve just clicked on a link that I shouldn’t have clicked on? People panic. So who is it that we need? Oh, absolutely.

 

David Clarke  14:25

And going back to that example, with the company with thousands of employees. The problem is not only getting the company back up and running, you’ve now got to potentially have a hotline so staff can reach out if they have any issues. You’ve got to have financial monitoring on potentially all their bank accounts. There may be other issues that we haven’t thought about. Some staff can get extremely distressed and upset. How do you cope with that? How do you kind of keep that going? And there’s also the potential, you know, of group and class actions. So it may not be the regulatory authority that does too much about it, but class actions are getting very popular. They’re in the UK as well as the US. So suddenly you’ve got all these extra personnel you need in the company to help you manage it. And it doesn’t stop. Yeah. And

 

KiKi L’Italien  15:11

you know, when I, with Tecker International, I end up working with a lot of boards and thinking about governance and, you know, fiduciary responsibility, you know, where does the board come into play as far as responsibilities for ensuring that that data is protected, that they’re taking the appropriate steps, and that the organization is being responsible in the way that they’re going about ensuring that members’ data is protected, and that they’re doing what they’re supposed to be doing? And I know that there’s a lot of question about where does that responsibility really fall? Where does it fall legally? And what can an individual do? If they feel like they’re looking around, and they’re saying, Look, I don’t think that we have enough of these safeguards in place to make sure that we’re actually doing what we need to do to keep information safe. What does an individual do in that situation?

 

Penny Heyes  16:18

Under a GDPR, certain organizations, depending on the size of the organization that usually recruits a data protection officer, and that data protection officer sets reporting to the board of directors, directors, and that they are protected. So any suggestions that they make, are protected and can be put before the board without any personal implications for them. So if an organization has a Data Protection Officer, that’s the person to channel anything like this through, what we have often found is that the data protection officer and the IT team don’t necessarily speak the same language. Data Protection Officer quite often comes from a legal side and legal, very good at telling us sorry to have lawyers that are very good at telling us what the law says, but not necessarily how to do things and how to implement certain policies and that sort of thing, processes. So we try and help those data protection officers to translate really what they need to say to the IT people in order to get the positions in place. But you’re absolutely right about governance and sort of ongoing governance of any policies really needs to be taken very, very seriously as training. And that’s an area that we’ve worked a lot with clients on is making sure that everyone in the organization understands the implications of what they’re doing on a day to day basis, and the data that they control, that they’re not not controlling the data controller, aspect, but that they’re actually having access to on a daily basis to make sure they understand the consequences of them misusing that information in some way. So governance and training are two things that we feel very strongly should be ongoing. Under the policy that anybody puts in place.

 

David Clarke  18:01

Sorry, Ron’s just kind of put a good point in there, about maybe staff being afraid of being blamed. And that’s kind of why we try, when we talk to companies, that they put in what we kind of call a risk committee. And the reason for that is that committee is there to manage the risk and to protect staff and the company and their customers, rather than one person taking, you know, responsibility. And, you know, it’s a bit like a car. Yeah, who has responsibility for it? The mechanic who repairs the tires and the engine, etc? Yes, he certainly does. But what about the driver, and that’s the board, the driver still has a responsibility to stay within speed limits, don’t park in the wrong place, try not to run anybody down. So, you know, they have a lot of responsibilities of using the technology, even though they’re not involved, you know, the driver doesn’t need to know how the engine works. But he certainly needs to know how to use that engine and where to position it. And it’s pulling all these components apart. You know, legal will have an input, IT will have an input, sales, marketing, HR all have a component to this, and it’s pulling all that together. So then the risks are kind of managed, and it’s very easy to say, Okay, we’ve got a list of risks, what do we do now? And what’s the probability of having this risk happen? You know what, it’s impossible to work that one out. So what we tend to do is, we say, Okay, so you’ve got a risk of losing a personal device. How do you rank that? Well, we go, well, it’s probably going to happen. Yeah. But what have we done? What have we got in place to help mitigate that? So the first thing we would say is, well, actually, maybe the company should have a policy on whether you can use a personal device, yes or no? If the company says you can, there’s a shared responsibility component on there. And then how do we make that policy work? So the policy will be yes, you can use your mobile device.
Each maybe should be of a certain standard and same configuration, and we’ll, we’ll, we’ll advise staff on how to do that. And then the bit that when they lose it, okay, if you want to use it, it’s a benefit to the company, we appreciate that. And if you do lose it, we’d appreciate you kind of telling us a call. So we could do that, then the risk is shared. And there’s actually then we can evidence as a mitigation plan in place, rather than just saying, yes, you can use it. We’re going to say, yeah, there’s a policy, and we’ve got guidelines. And then I think, as Ron kind of said before, you know, they can put mobile device management software that’s acceptable to the staff. So you can then lower the risk by your actions rather than going you know what I think this is a point 608 probability. Yeah, sure. That doesn’t make any sense. It but it does make sense that the More Actions that align with mitigations must reduce risk. So then the discussion is, by how much should you reduce that risk? And that’s a much easier conversation than saying, I don’t think this will happen with my stuff,

 

KiKi L’Italien  20:55

right? I know, it’s that whole, hold your breath, cross your fingers and close your eyes, like, please don’t let this happen to us. And we all know that that’s just, that’s not good for any approach. For pitching any problem, it usually doesn’t work. So we can just kind of skip past that one and try to figure out how we can mitigate

 

David Clarke  21:20

is kind of what we mean by governance. Yeah, I’m actually using risk as a real tool rather than a list. And when you speak to loads of CEOs, they love risk, because basically they just give it to their risk manager, and it’s not their problem anymore. But actually, if you align it with mitigations, then it makes sense.

 

KiKi L’Italien  21:39

Well, so what are some of those key questions that the senior executives should be asking their IT teams?

 

Penny Heyes  21:47

Well, I think that the first key element there really is, what happens? Have we got a defensible position? You know, what happens if a data breach does happen? What do we do? Do we have a defensible position? Can we deliver the rights that our members, in association scenarios, the data subjects as they’re known in data protection law, can we deliver their rights? Can we look after them? And all the data that potentially has been exposed? Do we transfer data from one country to another? Have we looked at what our third parties are doing, the third parties that we share information with? Do they have a secure environment as we have? Do we have proper data sharing agreements with these people? There are lots of things that we can put in place that CEOs should be asking their teams to make sure that we’re making as secure an environment as possible for guarding the data that we bring in from members and employees. That said, employees are just as important lately, because you hold a lot of very sensitive data about employees. I know in the association world, you may well have things like membership details with credit card and financial information. But clearly, with employees, you’ve probably got health information, you’ve got credit card, financial information, all sorts of pension information. So making sure that you can deliver the rights on those is absolutely critical. And that involves having a data protection policy. And policies shouldn’t just be written down on a piece of paper, they should be reviewed on a regular basis. Getting back to governance again, one of the things people ask us is, should we test out our data breach policy by having a sort of fake scenario? Well, David and I have run fake scenarios, and they can actually be quite fun for us. But they can be quite scary.
And sometimes, by putting in a fake scenario, we’re actually over exaggerating some of the things that can certainly happen. But having a really good idea of the types of things that could happen, and where there are vulnerabilities in the organization, is absolutely critical. It all comes back down really to looking at a risk assessment and seeing where potentially some of the holes are in your policies and in your security. So there are key questions like that. I think, David, a massive percentage of data breaches tend to happen in the third party supply chain. And that, you know, that’s something that all organizations should be very, very attentive to, having data sharing agreements with anybody that they share data with. And I know in the association world, people like sponsors are always looking to have information on delegates at events and that sort of thing, where you need to be very careful about the data sharing agreements, and make sure that those sponsors have in place the sorts of policies that you would expect them to have in order that they don’t misuse or put at risk any data that you share with them. So there are a list of certain things that we do advise CEOs to check with their teams.

 

David Clarke  24:49

And we work with companies a lot on what we call their escalation procedures. You know, the Ghostbusters, who you gonna call, and you know that’s really what it comes down to. So, you know, does everybody know who to call? Is that person always available? Do they have a backup? Do they know who to call? Because certainly there’s going to be business decisions that need to be made, they need to have, you know, we’ve had breaches where the CEO kind of doesn’t want to be on the call, and we’re going, no, no, you’ve got to be on the call, there’s some decisions here that are gonna cost your company big bucks, you probably should be part of this. And eventually, you know, they get them on the call, and they understand why they need to be part of it. And we ask companies to think, sounds very simple, but companies are getting more and more complicated: what are your critical assets? E.g. if they went away for maybe more than 10 minutes, would it cause you a problem? Could you survive for four hours? Could you survive for a day before it becomes a problem? And it’s not just having the application or service backup; it’s maybe the service with the data that you’ve developed over the last three years, you may need access to that as well. So it’s working out those types of times. So kind of give you an example, you know, maybe a company is very dependent on Teams, you know, they use it for chat, they use it for sharing files, and for some reason it’s not available. What else are you going to use? What’s your alternative plan? Could you use another technology? Or do we have to go back to phone and text and paper? You know, they’re all realistic options. And then who’s in charge of that, who then decides when is the time to go back from paper back to Teams, is Teams stable? So there’s a lot of decisions to be made. And that’s just one application.
And bearing in mind, you know, the average company’s gonna have between five and 10 super critical applications that if it’s out, it could cost them revenue, business, and their customers’ revenue and their business. So it’s kind of managing it.

 

KiKi L’Italien  26:50

So one of the questions that comes to mind is, you know, at this point, you’ve worked with so many different types of organizations, associations of every size, of every type, in all kinds of different industries. What’s probably the top issue, the top mistake, that is like a glaring error that you see when you first go in to work with an organization? Is there consistency, is there like a common problem?

 

David Clarke  27:25

probably, you’re kind of right. Let’s not kind of go too technical. But the main thing really is kind of what we call governance, or maybe the definition that I suspect, in everybody’s heads, governance means something different. And if we go back to the car analogy, who is responsible for checking the tires on board, and that there’s oil in the engine on a regular basis, because you know, if he drove that car every day for a certain period of time, something is going to go wrong with it, so he checks it. And it’s the same with IT, who is coordinating these hundreds of components, that they’re patched, they’re updated, they’re fit for purpose, joiners, movers, leavers, who’s got access, who shouldn’t have access? It’s an ongoing process, it’s not a one off, and then we’re okay for the next 10 years. It’s ongoing. So it’s really putting that level of control. And as we said earlier, that’s a shared responsibility, because sometimes IT may not have enough money, resources or staff. So they’ll say, You know what, that’s a risk. And that’s something we’ll either have to accept, or we have to find the cash to fix it.

 

Penny Heyes  28:28

But actually, what’s really been quite surprising to us over the last four years, really, when we go into an organization, is actually who knows where all the data is, and where it’s going to be, even more so in the last couple of years when we’ve been working from home. You’ve heard the expression, a data map, having a data flow and understanding where that data is, not just within the organization, but also out into the third party supply chain, you know, that’s talking about suppliers and sponsors and anybody that you share data with. And it’s been quite astounding to us how few organizations that we’ve worked with actually understand that, and therefore can understand where potentially there has been a compromise.

 

David Clarke  29:13

helps, because all that should be reflected and controlled via, you know, we’ve got some data, how are we going to use it? Where should it be stored? Who’s controlling it? So it sounds worse than it is, but once it’s in place, it works really well. And we always sort of recommend, you know, depending on how big the organization is, every area has a risk champion. And it’s their kind of role to kind of highlight that to their local team, or bring it back to the governance for them to make their decision, so that the risks don’t have to be managed locally, and staff accepting risks they probably shouldn’t be accepting. Because I suddenly, what I remember a long time ago, for a really big huge utility company, I said I kind of need access to this. And they gave me a super user password. Absolutely fantastic. It really had access to every bit of data they had. And when I realized that, I went back and said, Take this away.

 

KiKi L’Italien  30:13

Yeah, super helpful for me also super scary. This exists. Right? Absolutely. So

 

David Clarke  30:21

yeah, fun to have, but you know, great responsibility cause quite you Spider Man, but comes with it. Yeah.

 

KiKi L’Italien  30:28

Well, and I think I always think of, you know, my friends who are the executive directors, and maybe there’s, you know, eight to 10 people on staff, and they are trying to navigate at this point, they’re trying to navigate everything from, you know, what’s a hybrid meeting? Do we need to change our business model? How do I keep the board happy? How do I keep good talent, you know, and they have all of these different things that they’re trying to solve for in their associations? And then, you know, then there’s this, you know, and I don’t know what kind of panic would set in when one of them received an email that said, like I talked about at the very beginning, where it’s like, you know, we’ve got your members’ data, or if they got a phone call from someone who works for them and says, Hey, you know, I lost the laptop, and I’ve noticed some weird stuff happening lately. Not sure what to do. And I think about that panic, and I think, oh, my gosh, what do you do at that point? So how can we give them like a first step on

 

David Clarke  31:46

a great example. And I think the one thing that almost every company can do is work out their escalation process, exactly. When you see this, who are you gonna call? You know, in some of the really big companies I worked for, I kind of basically, sort of the policy that I kind of wanted, and I put in place, and any work was, if anybody suspects anything, and there’s no point giving staff a 15-page list of if it’s any one of these things call, because by the time you finish that list, I guarantee the thing that you’re looking at won’t be on that list. It’s just if you feel it is, if you think it is, call, because I’d rather deal with it quickly and downgrade it, rather than have something that’s really big. And then we’ve left it for two days and lost any window of opportunity to fix it. And I was kind of told, you know what, you’ll get inundated. You know what, it didn’t happen. And it didn’t happen with tens of thousands of staff. Yeah, the only bit that I kind of did get inundated and I did, inverted commas, outsource it was when I kind of ran a lot more of the physical security, because then I’d get somebody ringing up, I’ve lost my scarf, or someone’s stolen my office chair, and it’s like, fine, you know. But other than that, yeah, I gotta say, every call was really sensible. And I would rather have someone’s suspicion, rather than they fully qualified it, because by then it’s too late. Right? So the way that we always recommend: treat it seriously, maximum effort, then bring the level down. And then that way, you know, people get used to, you know, talking to you, ringing you up, and they know they’re not going to get, you know, shot or kind of made fun of or whatever, because everything, you know, people know their environments really well. And they will certainly kind of have this natural instinct, something’s not right. And I’d rather rely on staff who do this all day long, than them trying to have a fully qualified problem.
Yeah, that thing works so well. Having a good escalation

 

Penny Heyes  33:47

process. And having that process in place also enables the organization to determine how serious the breach is, and you know, under some of the data protection laws you’re supposed to report or notify the regulatory authorities, and even in some cases the actual data subjects who have been affected. You don’t have to do that in all cases. And also it can cause panic, most in the media, but also amongst employees. So actually going through that process to understand how serious the breach has been. We’ve done a couple of breach processes for organizations where we’ve come to the conclusion actually, it’s not as bad as it seemed in the first place. Therefore, it’s not necessary to report, it’s not necessary to notify. And actually we can sort it all out without everybody going into panic, without actually everybody being told about it. It’s not necessary. So I think going through that process and having that policy in place makes sure that everybody understands exactly what’s going on at every stage, Mike, now it’s quite important to send us a communication.

 

David Clarke  34:47

QUESTION: And sorry, should I quickly run? Thanks for the question, Ronald. He’s asked if, you know, there’s a maturity model for cybersecurity and cyber strategy that we kind of recommend. There’s loads of good ones out there that you can use; we’d probably initially kind of recommend that you start really simply, so you get the hang of it. And if you align it to your kind of risk profile, e.g. you get your risk, what’s acceptable to the company, and then monitor that over time, so you can see the risk going down for justifiable reasons, you’ll probably get a lot of initial benefits straight away. It’s kind of easy, you know. Some maturity models compare you with other companies in your industry; that’s kind of like comparing your own car to your neighbor’s car, doesn’t really have any value. You don’t really know how that company’s run or what they do, even if they’re in the same industry. So you know, they’re kind of good ideas. But we kind of generally recommend that you maybe initially just develop your own, and then see how that works. So you can say, you know what, we’re better this week than we were last week. And you can monitor the progress on a regular basis. And then that way, you develop your own maturity, and you go, you know what, this is working for us, rather than, you know, looking at controls that don’t even have any relationship to your business.

 

KiKi L’Italien  36:12

I just, uh, you know, I love talking to both of you. Because, you know, you make me feel like, there’s the worst case scenario, and then I look at it, and I’m like, oh, there could be a better story there. Things could turn out okay, I could feel like I have a little bit better grasp on making sure that I’m doing what I need to do. And that’s always such a good gift to be able to provide people. So I wanted to say thank you on a personal level, that you can make me feel like at least I have a better grasp on some of the things that I need to do. I think for association executives who are looking at some ideas for things that they can do next, we’ve given them a lot of them. I know that you both have workshops and training, and you have some that are coming across the United States in a couple of places. You’ve generously given Association Chat members a discount code for us to be able to share for people who want to hear this and want to participate and sign up for some of these. Can you tell me a little bit about some of these workshops that are coming up? Because if somebody can attend and learn more, and actually get into the details and come up with some of the things that they need to do, to take back to their associations, it would be really great for them to be able to meet with you, to ask their questions directly and to learn in person. So what’s coming up? And when are they happening?

 

Penny Heyes  37:49

Sure, we are running several sessions. They are half-day sessions; we’re doing two in Atlanta on the 22nd of April, and two in Fairfax, in Virginia on the 28th, just checking my diary, the 28th of April. And the idea of these is yes, come along with any questions, any problems, any issues that you may have. But we will go through a sort of, not dissimilar to what we’re talking about here in terms of an updated breach policy that we’ve put in place. And we’ve actually, to demonstrate things like the risk assessments that David was talking about, which then show development over time, again, as he was talking about within the maturity assessment. We ran one here a couple of weeks ago, a private one for a client; we actually did a scenario for them. And the great thing about the scenario was it was similar to their own business. But it was expanding on certain things that we knew had happened to them. And what that was able to do was to identify gaps in their own organizational policies and processes. And so they were people from various different divisions of that one organization, and they were able to go away and put in place additional techniques, additional policies and processes that they needed to do. So that’s really what our workshops are about. It’s looking at an individual’s current problems and concerns, and actually helping them identify how they can actually mitigate some of those issues. So that’s really what our databases are about. We’re going to focus on data breaches. But we’re also going to be looking at the regulations that are coming in across various US states in the course of the next year, and looking obviously at the ones that are in place at the moment. We’d love there to be a federal one, which would mean that we can all work together on the same one. They are all very similar.
To be honest, there are some differences, but a lot of them are on the reporting side of things, so we’ll take a look at those and make sure that everybody understands what should be in place in their own organizations to mitigate risk. So that’s really where our workshops are going to be very interactive. That’s really where we’re hoping people will bring their own problems, if you like, and their own scenarios. And we can talk through those, obviously, completely confidentially. But I can send you some more information about those as well so that people can see the loose agenda. I mean, it is a nice agenda, there are certain aspects that we want. Obviously, we wanted some interaction from our audience, our participants there as well.

 

KiKi L’Italien  40:23

Well, and I think that will be really helpful. And if you go, anyone who didn’t see the links, or get a chance to really look at those, I know they flashed across the screen, I tried to put them in the comments. You can also go to AssociationChat.com after this, and if you check on the cybersecurity article that’s there that talks about this interview, then at the bottom, I’ll have the links there and the code, and you can go grab information over there, too. So AssociationChat.com, hopefully easy to remember. So, you know, I know that we’ve talked about a lot of the specifics and generalities about cybersecurity, the cyber attacks and data breaches. What’s the overall trend that you’re seeing? I know we talked about the GDPR legislation, we’re talking about the legislation that then happened in California and New York. I keep hearing more and more, we’re getting more and more involved. It’s not going away. It’s not like it’s just getting more and more intense. Where do you see things going, based on the trajectory of the legislation that we’re seeing happening, and the real world issues that are coming up having to do with some of these cyber attacks and data breaches? And I’m asking you to sort of be a psychic here, I realize I’m asking you to be psychic,

 

David Clarke  41:53

I think one of the trends that we’re seeing a huge amount, especially in the last couple of years, maybe say less than that, is the amount of due diligence companies are doing on companies in their supply chain. You know, one time it was like a couple of questions. We often now see it’s 200 or 300 questions. Sometimes it’s also an interview with a third party, as well, to get through it. So we’ve seen that due diligence getting really, really tough. And not only do they want to see policies, procedures, they want to see evidence supporting it, which is quite interesting, because obviously they want to protect their business. And I suppose one of the realities, most businesses only make money by selling to bigger businesses, or the same size. So it’s not like you can say no.

 

Penny Heyes  42:41

Yeah, we’re on call with one of our clients over here in the UK, it is a global research company, and they’re based here in the UK. And I think we probably get a call from them at least once a month, because a new customer of theirs is putting them under the spotlight. So David’s absolutely right. It’s looking at contracts, it’s reviewing data sharing agreements, it’s those things that are happening more and more. And of course, the due diligence goes not just across the supply chain, but for people who are looking for investment, or they’re wanting to sell their companies or merge with organizations. And there’s been some pretty high profile disastrous cases, the Marriott Hotel one being the classic, but that really spurred a lot of extra due diligence going on for any mergers or acquisitions out there. But yes, that in particular, I think David’s absolutely right, that’s been an area that we’ve seen a lot of work happening in the last few years. Apart from that, cyber insurance is another thing that a lot of people have been taking out over the course of the last few years. We actually ran a webinar last year on whether or not we think cyber insurance is worth the money. We have to really come to a conclusion on that. But what we did decide is that having a data breach policy and a data protection policy in place was actually probably more practically a better solution than actually just paying somebody for some slight insurance. Definitely. So there are some key things like that that we’re seeing people spending money on, but actually having the policies and processes there in the first place is really the key thing, and making sure everybody in the organization knows what those are.

 

KiKi L’Italien  44:19

Definitely. Well, I so thank you so much for joining me today, and for talking about these issues. I have to say, I don’t think that they’re going to go away. I think we’re going to continue to have more, I think I’m going to continue to have a reason to have you come back. So what I’m trying to tell you, Penny and David, is that I feel like this is a long term relationship. We really need to continue to develop and invest in our relationship together, because I feel like I’m going to have to have you come back to talk to the audience here at Association Chat. We certainly appreciate your help. I appreciate the information that you shared with us today. And so if there’s one thing that people can do, after they have listened to this, after they’ve heard our interview today, what’s the one thing that you would suggest that people do, obviously reach out to you, but one other thing, Penny? David,

 

Penny Heyes  45:22

I think I know what David would say. I would suggest they take a risk assessment to look at what their risk appetite is, but also to understand where potentially the risks are in that organization.

 

David Clarke  45:38

Okay, yeah. And probably, what it usually comes to is, make sure you’ve got a good escalation process, because then you can fix things. Otherwise, you have no chance.

 

KiKi L’Italien  45:48

All right. Well, thank you so much. And I have to say, wow, what a fantastic, fantastic interview. I just love my time with The Trust Bridge. David and Penny, Carol Tolo who’s involved, she wasn’t on today. But I’m telling you, what an amazing group of people that are just very generous with their information. Please go visit The Trust Bridge, find out more about their offerings, go to AssociationChat.com. Read about the workshops that are coming up, take advantage of the lessons they also have.

They actually have some education that you can enroll in online. So if you want to take your team through virtual training, they have online education as well. I’ll try to remember to put that in some of the show notes so that you’ll be able to link to that in a little bit. But I hope you got something that you can use, something of value that will help you and protect your organizations today and in the future. If you have any questions, if you want to find out more, if you want to connect with David and Penny, please look for their information and connect there.

But also send me your questions if you want us to do a follow up episode, because that’s something that I think, like I said before, I don’t see this going anywhere. I think that in fact we’re probably going to continue to have more and more issues of this sort, unfortunately. And until next time, everyone, keep asking questions to learn every day. Because as Joseph Campbell once said, “The cave you fear to enter holds the treasure you seek.” We got to stay curious, everyone. Alright, have a great rest of the week.
