Strategic Thinking from Gray, Gray & Gray

Bryan Pearce Interviews Nate Gravel of GraVoc Associates

March 25, 2022 Gray, Gray & Gray Season 1 Episode 5

Host Bryan Pearce, Director of Strategic Business Planning at Gray, Gray & Gray, interviews Nate Gravel, Vice President of Information Security and IT for GraVoc Associates in Peabody, MA. Gray, Gray & Gray recently announced a collaborative venture with GraVoc Associates to provide comprehensive cybersecurity services to organizations across all industry segments. During this episode, Bryan and Nate discuss a variety of important topics relating to cybersecurity, including common risks, threats and misconceptions that middle market business owners should be aware of, how to test and assess a company's vulnerabilities, how to approach cybersecurity initiatives, and more.

Bryan Pearce 0:12
Hello. My name is Bryan Pearce and I'm here today with Nate Gravel from GraVoc, Vice President of Information Security and IT and a Cybersecurity Partner with Gray, Gray & Gray, working with many of our middle market clients. On our strategic thinking series today, we are going to really be looking at a number of important questions around the field of cybersecurity and vulnerability in our middle market companies. Obviously, this is a topic that has really come to the forefront over the last few months because of world events but also we're seeing escalated to the boardroom and to the C-suite and no longer just the domain of the IT people in the company. And so Nate, thank you for joining me today and we really look forward to hearing your insights on cybersecurity and information security, generally. So, Nate, just to start, we hear the term cybersecurity and I wonder if you might just sort of articulate some of the more common risks and threats that particularly middle market business owners should be aware of?

Nate Gravel  1:27 
Sure. Thanks for having me, Bryan. This is a great opportunity and I'm happy to be here. So, there's a lot of different risks and threats out there, but we can kind of boil them down, especially for middle market businesses, into what I think are three major categories that seem to be recurring themes year over year in terms of the threats facing businesses today. First and foremost, I think would be phishing, any sort of social engineering attack really, but phishing in particular. The way we see it, especially when we deal on the forensics incident response side, over 90% of breaches that you hear about have some aspect of social engineering, and most commonly phishing, just because it is the easiest for an attacker to perform, because it can cast the widest net in the quickest amount of time. So we see a lot of businesses dealing with some level of phishing on a day to day basis, but we see successful phishing attempts and exploits pretty regularly in our line of work. The second would be destructive malware, most commonly ransomware. And this is an evolving threat that really dates back longer than I think most people think. But it has really been at the forefront of cybersecurity discussion in the last five or six years, just because of some of the major headlines that have come out, that have been related to ransomware attacks. And we see a lot of companies still struggling to keep up with defenses against malware, and not just antivirus, but other layers of security that need to be baked in to really successfully defend against and respond to a ransomware event. And the third, I think, and most recent, most common that we've seen, particularly over the last several years, as more and more companies move to cloud based applications, software as a service based applications, is credential theft and account takeover. Most commonly, with email accounts.
A lot of companies have gone and moved away from on premise email servers into cloud based email applications, most commonly, Microsoft 365, or Office 365. And in doing so, obviously, there's been an exposure open up to who can access the email accounts and from where, and without taking kind of the initial steps to lock that down, companies are finding themselves a little bit more vulnerable to attacks in that space, and particularly takeover of legitimate email accounts that are then used to either do phishing attempts, or commit fraud of some sort, in a financial manner. So those I would say, are the top three threats and risks that we see facing the middle market today.

Bryan Pearce  4:51  
Yeah, that's very helpful, and also very frightening, Nate. So thank you very much for starting us off with a better understanding of those items. In my conversations with many small and medium sized businesses, often they really don't think that they are potential targets for these cyber attacks, such as you've just described, because what we hear in the news are really more the large retailers, large financial institutions, utilities, that kind of thing that have a lot of sensitive client data, in many cases. And, the expectation that these small and medium companies have is that those are really the big guys that the bad guys are after. And I wonder is that reality? Or do you see these small and medium sized companies also being the targets of attack?

Nate Gravel  5:43  
Yeah, no, it's really not reality anymore. Unfortunately, yeah, there's juicier breaches and events that make the news. And typically they do involve higher numbers and bigger targets. But on a day to day basis, we don't see any difference in the approach that attackers are taking, based on the size of the company. And I'll give you a few examples that kind of tie back to my first point. But generally speaking, what we call this is security through obscurity. In other words, smaller companies hoping that they won't be targets, because they're not big enough for attackers to be looking at. But, barring targeted attacks, most attackers are looking for the path of least resistance. Then a lot of times, because of the fact that smaller and midsize companies don't have the security and technology budgets that some of the bigger guys do, they're often the better target because they're a little bit more vulnerable from the outside looking in. In particular, ransomware has kind of turned this whole dynamic on its head, where it doesn't really matter the type of information that you have, whether it be financial or personally identifiable information or something that is generally classified as sellable on the black market or desirable in a way of making a buck off of it. What is happening is that every company has data that's valuable to them and ransomware, in particular, is exploiting that very notion. So companies are realizing without their critical systems and data, whether they're sensitive or lucrative in any way to the market as a whole, they are very important to the operation of that particular company. And so what attackers are doing is using ransomware to basically exploit the need for that information to run a particular business, and getting people to pay the ransom so that they can simply get back and running again, and turning a profit, or at least not facing a considerable loss.
So, yeah, there's no or very little truth to the fact that attackers are only going after bigger targets. I think it's really just they're grabbing at whatever they can get and making money off of that in whatever way they can.

Bryan Pearce  8:30  
Yeah, that's a great explanation. I think your point about there really being no security just because of obscurity is very valid. And I'm sure that if you're a hacker and you can pick off 10 easy target ransoms instead of one elephant ransom, then that might be the easier way for them to go. And at the end of the day, I guess that's what they're all about. So I get it. Thank you. Next question I want to explore is, taking these things that we've just been talking about - these three different main areas, how does a middle market company really test and assess the vulnerabilities that they may have as it relates to those three areas, because most people don't employ cybersecurity experts on their IT team, and so they don't necessarily know how to go about figuring out the kinds of risks that they are exposed to. How should they do it?

Nate Gravel  9:30  
Yeah, I think a term that you hear a lot in the cybersecurity space, which really came out of the military space, is defense in depth, and having layers of security in place. I think, for a long time, traditionally, most companies spent the majority of their money, if they were spending any money in security, on perimeter defenses, and protective measures to keep the bad guys out, so to speak. And while that can be relatively effective, the unfortunate part of that type of strategy is that once that perimeter is breached, oftentimes through an employee in a phishing attempt, there are very few controls in place to detect that an attacker has in fact gotten inside of the system, and to respond in a timely and efficient manner to minimize the impact of that particular attack. And so I think today what the common problem is, is that we're still spending too much time and energy worrying about just that first layer of defense, as opposed to trying to build the strength and maturity of those other layers, that are really more geared towards detection and response. So if there were certain areas that I think, where we're falling short, generally speaking as a business community, it's probably in those two areas - the ability to say, alright, somebody is on the system, because there was this activity that we weren't expecting and they're creating an account and now they're talking to something that's external to our network from an internal device. And we have no way of stopping that, essentially. Because we have no way of detecting it to begin with. One of the, I think, most eye opening statistics, because there's a lot of statistics around cybersecurity that we read about today. But one of the most eye opening statistics, in my opinion, is that it still takes on average, a company, regardless of size, roughly 180 to 200 days to detect that a breach has occurred, since its inception.
So you're talking in some cases, over six months of an attacker being inside of a corporate network, or whatever system it may be, before they're even detected, and before incident response even begins.

Bryan Pearce  12:34  
That's incredible, Nate. So you've got this attacker kind of working away in there, and really figuring out what they want to do and extract or take from the company. It's an incredible statistic. Nate, how does the firm then, I assume, the solutions, these layers of security, the defense in depth, are both hardware and software based solutions on the network, as well as on your stack of software, how does somebody who is in a small to medium sized business get around the understanding that is needed to be able to put the right controls and the right security in place? Is this something that you do? Or how do they approach the problem?

Nate Gravel  13:21  
Yeah, this is a common conversation that we have with clients, because you can spend a lot of money in security and technology and still not be much better off if it isn't well implemented. Or if it isn't the right type of security and technology for your organization. So really, what our approach is, is always to first do what we call a gap assessment. Some might refer to it as an audit or a risk assessment. The terms are relatively interchangeable in terms of the methodology that you use, which is essentially looking at kind of the threat landscape, if you will, that your organization is facing, and then look at the control environment as it currently sits and where the holes and the gaps might be. By doing so you're able to kind of understand what the biggest threats are, in terms of the level of mitigation that's currently in place, and then start to plug those holes with sound and smart security and technology investments. And I don't want to get too explicit in terms of the types of technology because it's different, I think, for each organization; there's obviously some baselines that most organizations are putting in place. But I also don't want to put a focus too much on technology. I think a lot of times it's a fallacy that the latest and greatest security control, the best malware protection, the best web filtering, the best firewall, the best encryption, is going to be what protects us and what enables us to be cyber resilient. I think people and process are a big part of a defense and security strategy as well. So that's the kind of triad that we always look at and use as a lens, is the people, process, technology triad within a security strategy. Because if you kind of hark back to my initial kind of opening remarks, phishing, while a lot of that activity can be snuffed out by a really good email security system, not every system is going to block 100% of those attempts.
And so if you don't have trained people on the other end of that equation, all the money you spent in that email security platform, essentially goes by the wayside.

Bryan Pearce  16:14  
You know, one thing that's been on my mind, Nate is, as we've seen so many people over the last couple of years working remotely, either full time or working remotely for a significant part of their workweek, how has that impacted security, because obviously, they're accessing email and other applications at the home office, and I'm sure that poses its own set of risks and concerns.

Nate Gravel  16:44  
Yeah, it's definitely caused us all to try to be a little bit more agile in our approach to security, but just functionality of systems in general. I think we all had a traditional kind of view on how to keep things secure. And again, mostly focusing on that perimeter and well, if they're inside of this perimeter, it's all good. If anybody's trying to come from the outside into this perimeter, then we know, unless it's this subset of people that work remotely, we know that it's not a good attempt, and we should block it or deny it or whatever. I think that we are in a hybrid workforce now and so now we have to kind of shift our approach to the technology that we use, but also the process that we use to secure our environments. So I mean, just from a threat perspective, I mean, the attackers follow the market. So back in March and April 2020, when they knew most people were trying to figure out what this new operational rhythm, if you will, was, we saw a spike in the number of phishing attempts related to kind of remote work or COVID-19, in particular, by almost 600% by one study. And so you can imagine that the likelihood of a successful attack also spiked in that time period, because while shifting, were we doing the things to educate the employees on how to connect safely, and what's expected behavior, and what's not, and acceptable use and all those things. So, it's evolving, still where we don't have it completely figured out. I mean, you'll hear a lot of conversation now about zero trust environments and treating authenticated employees versus non authenticated users basically in the same way, in terms of the security checks that are performed, because you're looking more at behavior than you are looking at who is performing the action. So, yeah, this is still a shifting landscape and a lot to consider, when you're talking about security strategy as a whole.

Bryan Pearce  19:30  
Yeah, it just kind of underscores, I guess that you're never really at the finish line, because it keeps moving. One thing I wanted to go back to a little bit, because it was a very interesting point that you made, which is it's no longer just having sensitive client data that you're trying to protect. But really, any kind of business information and systems that you're using to run your business on a day to day environment are now vulnerable to various types of attacks, including ransomware. And that can impact business interruption and continuity, it can impact your reputation of a business, it can certainly lead to lost revenue if you have to shut down for a period of time to reconstruct data and so on. How do you see the impact of what I guess is referred to as a hybrid environment weakness in these areas and others that I may not have mentioned?

Nate Gravel  20:30  
Yeah, so there's a lot there, where we have to, again, consider what we have, what's valuable to our particular organization, and how that's protected in a scenario where we're under attack. And I think a lot of times, we lean and I think we'll get into this discussion, because ultimately every discussion about cyber security ends up in "what about cyber liability insurance", so I'm sure we'll get there. We can't lean too heavily on looking at that safety net to bail us out. We have to do all the things that are appropriate for our own cyber security hygiene, if you will, to make sure that the business is protected. I think you see today, a lot of times, business continuity planning, disaster recovery planning, and incident response planning, were actually kind of siloed from each other. One was really more consideration of environmental and biological types of problems and incidents that were occurring that we said, okay in those events, this is how we're going to resume business operations. And incident response has always traditionally been something that considers more human made events like hacking and cyber attacks and things like that. But I think more and more companies are kind of melding the two together because they realize the same principles apply. And that those attacks are really just another form, another category of disaster that we have to kind of deal with when they happen. And so a lot of the controls that we build around disaster recovery, business continuity, most traditionally when people think about those plans, they think about backup and replication and keeping things fully redundant. Those are all principles that apply to cyber attacks as well, because sometimes, in events like ransomware, you do have to roll back to the latest clean version of your data or clean install of your environment. And work it through that way, in terms of a resumption plan. 
So there's a lot that companies are doing, to try to kind of look at cybersecurity or attacks in a new light and apply some old principles that have been around for a while. I mean, we started doing our first DR and business continuity plans back towards the end of the 90s, when everybody was worried about Y2K. Some of those same principles still apply today. They just have to be modified for today's landscape.

Bryan Pearce  23:44  
Everything old is new again. You touched on the topic of insurance, which I did want to cover, because I guess there's always companies that believe that, hey, I'll take my chances and I'll just carry some insurance on this. And if it happens, it happens and I'll claim from the insurance companies. But I think insurance markets are changing a lot. And some of the things that you can do, as you've articulated already can really help with being able to secure insurance in the first place, or certainly secure it at an affordable rate. Want to just talk a little bit about that?

Nate Gravel  24:19  
Absolutely, yeah, when we talk about shifting landscapes, that's one that's probably shifting the most. Obviously, when cyber liability insurance first came out, it was similar to professional liability, errors and omissions, and they had a questionnaire, and it was relatively brief. You have these basic four or five, six things in place. Last summer, we saw a wave of ransomware that was pretty profound. And as a response to that, I noticed that in the fall of this past year, in 2021, all of a sudden, those questionnaires are 5, 6, 7, 10 pages long. And they're asking a lot more in depth, a lot more pointed questions. And in some cases, they're actually asking you to provide evidence to support your responses. And I think, obviously, part of that is not only the level of activity, but the amount of claims that have been paid over the last couple of years. And realizing, hey, you know, some of these companies that we're covering aren't really doing their due diligence in terms of establishing a good security baseline. So why would we continue to underwrite insurance for them? Let's make them have a little more skin in the game. And so that's exactly what we've seen in the cyber liability insurance space is that in order to even be considered for coverage, you have to prove that you're worthy of that coverage to a certain extent. I've seen more of those applications denied in the past few months than I ever have.

Bryan Pearce  26:16  
Very interesting. So final topic I wanted to explore with you, Nate, and you mentioned people, process and technology and we've talked a fair amount around process and technology, but how should a middle market company kind of create a culture and understanding among its employees, the need to focus on and stay vigilant against various types of cybersecurity threats? How do you embed that and educate your workforce around that?

Nate Gravel  26:45  
Yeah, I think it's an evolution of the mandatory once a year security awareness training, that a lot of us said, well, it's kind of a necessary evil, and we'll lump it into some of our other compliance related training on workforce etiquette and other topics of that nature. But I think we have to rethink that approach as well. And it's really not a, you're in front of that audience once a year and that's sufficient, because these attackers are in front of that audience every single day. So you can imagine who's going to win out in that equation. So that's not me saying that we have to provide cybersecurity and security awareness training daily to our employees. I think we all know that that is not feasible. But we do have to evolve from doing this type of thing once a year to doing it on an ongoing basis, and also implementing our own testing to make sure that that training is effective. So there are a lot of platforms now, where you can actually simulate your own phishing attempts on your employees, which sounds strange, but it is a way to check to see where you're going to be vulnerable, and how vulnerable you will be against a phishing attack. And then, by identifying some of those gaps, being able to tailor the training to specific subject matter and material, so that you can effectively kind of bridge those gaps in what I consider to be every organization's first line of defense, which is its employees, and a strong security culture. I think, like with any initiative, you need buy in from the top down. It does have to be something that is being discussed at senior management and board levels. I've seen in regulated space, many comments, findings, if you will, from regulatory exams, saying that the board is responsible for information security and cybersecurity, but not doing enough to keep up on those matters, whether it be through their own training, or having it on their agenda for a discussion often enough.
So it is something that I do think you have to start at the top, and make it a part of your culture as an organization. So, there are ways to obviously, incentivize as well. I've seen little kind of challenges, interdepartmental, company wide challenges of who can have the cleanest record on some of those simulated phishing attempts after a quarter or a year, or whatever the time period might be, and they award those employees in some way for performing well on those tests. So there's ways to make it a little more fun and engaging for employees, as opposed to kind of draconian and you have to do this and we'll take disciplinary action against you, if you fail more than, you know, two tests a year or something like that. That approach, while it may work for some, for the vast majority doesn't really work in terms of getting people to buy into the security culture.

Bryan Pearce  30:34  
That's great, carrot and stick. Choose which works best for you. Well, Nate, thank you so much. This has been really insightful. And you've made a number of excellent points. And I think, as I said at the beginning, this is a topic that really should be on the minds of company boards and advisors, as well as certainly the CEO and owner of the business and making sure that the right steps are being taken with people, with process and with technology. And as I mentioned, Gray, Gray & Gray has recently entered into a partnership with GraVoc Associates to provide these cybersecurity services so if there's things that we've covered on this podcast that you want to learn more about, or that you would like to investigate how to have this gap or risk assessment as a starting point, and so on, please reach out to me or to Nate Gravel. And we would be only too happy to get you involved in looking at this more seriously for your company. So Nate, thank you for joining, appreciate all of the insights. Thanks to the audience for joining our podcast today and I hope that this has been helpful and I look forward to seeing you soon on another Gray, Gray & Gray Strategic Thinking Series Podcast. Bye for now.