Cyber Defense: Martin Tully of Redgrave On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack

Authority Magazine · 13 min read · Apr 18, 2022


In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?

In this series, called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack,” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience with all of us.

As a part of this series, I had the pleasure of interviewing Martin Tully.

Martin Tully is a Partner at Redgrave LLP in Chicago, Illinois who is a nationally recognized litigator with over three decades of experience representing companies and individuals in complex and high-stakes commercial litigation. Martin’s extensive knowledge and skill concerning eDiscovery, information governance, and data privacy and cybersecurity have established him as a force in the information law space. His work focuses on advising clients regarding the applicability of, compliance with, and best practices regarding data privacy and security laws requirements and representing clients in investigating, responding to, and remediating various data breach and data security incidents, as well as related litigation. Outside of his legal profession, Martin is actively committed to community involvement and public service and served as the Mayor of his hometown, Downers Grove, Illinois, from 2011 to 2019.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

A life-long Illinois resident, I enjoyed a very blue-collar upbringing in the western suburbs of Chicago. A third-generation immigrant, I was the first in my family to graduate from college, as well as graduate school. I was the guy who was friends with everyone in high school, partly because I was a high school athlete (soccer, wrestling, and track), a member of the chess team and the wargaming club, and also hosted a heavy metal radio show. But it was being a successful member of the high school debate team that inspired me to pursue a legal career.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

As a huge science fiction fan, I have always been fascinated by the promise of technology and its intersection with the law. Following years of handling complex commercial litigation at large national law firms, I was drawn to the emerging fields of electronic discovery and information governance in the early 2000s. However, after I became involved in the multiple class action lawsuits filed in Illinois following the 2013 data breach of Target Corporation’s computer systems, I was inspired to dive deeply into cybersecurity and data breach litigation. It was clear to me then that this area of the law would explode and that the opportunities to be on the leading edge of helping organizations minimize and mitigate the risks of data breaches were enormous.

Can you share the most interesting story that happened to you since you began this fascinating career?

It is not just one story, but a common theme that emerges from a number of stories. I am constantly amazed by the elaborate lengths that hackers will go to trick people into gaining access to a company’s computer systems and the fundamental lapses in judgment that very educated people will suffer that unfortunately result in data breaches. On the one hand, I have seen companies breached because a hacker did extensive social media research and posed as the CFO of a company to gain access to non-public financial information, something like what you’d expect to see in an Ocean’s Eleven movie. On the other hand, I have seen employees click on the absolute dumbest, most obviously fake links in the world, despite extensive training about the need to “think before you click,” or who continue to use passwords such as “password” or “123456.” Despite increasingly effective technological defenses, this is why the vast majority of organizational data breaches still stem from some human lapse of judgment. The finger remains mightier than the firewall!

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

Many people list public speaking as one of their greatest fears or anxiety-inducing experiences, but the exact opposite has always been true for me. Give me a microphone, and you might not get it back. This trait stems from my early years as a radio show host and a high school debater. Being excited about standing up and convincingly speaking to a room full of people has served me very well in my career as a trial lawyer and as a local politician.

The ability to build and maintain relationships with just about anyone, anywhere, and always having an appropriate sense of humor. This trait was integral to my success as an elected official, especially in tense or confrontational situations. A little wit and levity can go a long way to defuse extraordinary stress.

I firmly believe that the true definition of a leader is someone who inspires others to achieve their full potential. I have always taken that philosophy to heart, and it has resulted in several extraordinary people that I have had the privilege to mentor going on to become very successful on their own and, in turn, helping to mentor me.

Are you working on any exciting new projects now? How do you think that will help people?

In my current role at Redgrave LLP, I am helping large, established companies and startups navigate tricky data privacy and security environments to do business successfully while also being conscious and respectful of their customers/clients. We’re also assisting clients with improving their data security posture to minimize the likelihood of a breach and better respond to and remediate one when it occurs. This process helps not only the company, but it also helps the people whose information may be put at risk by the malicious threat actor.

As a member of the Sedona Conference, a think tank that focuses on issues such as data privacy and security, I am helping lawyers and judges better understand data privacy and cybersecurity risks in the context of civil litigation.

I have also been advocating for years on how our industry can leverage existing eDiscovery tools to better assist with remediation and notification requirements following a data breach.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Cybersecurity?

Leveraging over three decades of experience as a litigator representing clients involved in commercial litigation and government enforcement actions, as well as my experience in helping organizations to identify and minimize data security risks, I’m in a unique position to advise clients on how to best avoid and respond to a data breach incident in a way that minimizes harm to the organization and consumers whose information may be put at risk. In this regard, I’ve worked with clients on a proactive basis, in the moment as part of an incident response team, and after the fact in defending them in litigation and enforcement actions stemming from data breaches. I’ve also advised clients on the evolving landscape of data security laws and regulations, as well as the nuances of shifting risk through the use of cyberinsurance. Finally, I have frequently published and spoken on the topics of data security and incident response, all aimed at mindfully moving the law forward in this area.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks that we need to be cognizant of?

There are many forms of cyber-attacks, but I will focus on just three for now:

Phishing and Spear-Phishing Attacks: Spear phishing is targeted and personalized to a specific individual, group, or organization. Conversely, regular phishing emails use a broad-strokes approach that involves sending bulk emails to massive lists of unsuspecting contacts. These are the “click bait” impersonation traps that all too many of us still fall for. It usually takes the form of an email or a text message either enticing or scaring you into clicking on a link or providing personal information that can, and will, be used against you. Aside from vehicles to steal data, these are gateways for the introduction of viruses or ransomware that threaten to take over or lock up your systems and data unless you hand over a bucket of bitcoin. More recently, the ransomware threat is not only to lock you out of your data but to make it available for sale on the Dark Web if you don’t pay the specified ransom. (Whether such ransom ever should be paid is another conversation altogether.)

Spoofing Attacks: A spoofing attack is a situation in which a person or program successfully identifies as another by falsifying data to gain an illegitimate advantage. These can come in the form of an email or a text that pretends to come from, say, the chief financial officer of the company, instructing a direct report to take some action that the company will later regret. Spoofing attacks have become increasingly sophisticated. Some threat actors scour social media and other publicly available information to sprinkle their deceptive communications with information that appears to be unique to the individual they are impersonating. At its simplest, these attacks can be text messages from “the boss” asking a subordinate to purchase an Amazon gift card for $500 and send it to a supposed “client” as a gift.

Man In The Middle Attacks: This is a cyber-attack where the attacker gains access to one party’s systems and secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other, as the attacker has inserted themselves in the conversation between the two parties. Most commonly, an attacker will breach a victim’s email system and set up rules that forward emails with certain key terms only to the attacker. For example, if an incoming email mentions a wire transfer, the attacker will receive that email and then insert themselves into the email communication, unbeknownst to the legitimate participants. The attacker will then pose as one of the participants to the conversation and redirect the wire transfer to an account of its choosing. This type of attack is a major source of wire transfer fraud.

Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?

Everyone. Everybody. All of us. Seriously, people ask me who my target clients are for data security advice, and my answer is “anyone with a computer.” There is a cliche that it is not a question of whether you will experience a data breach, but when. Unfortunately, that’s true. The real question is to what degree. Another cliche says that if you have nothing to steal, no one will try to rob you. That one is only partially true, as threat actors will use ordinary consumers as test cases for their ransomware or even take over their computers to use the computing power to help them illegally mine Bitcoin. (This is called cryptojacking.) In short, the creativity of the malicious threat actors out there has no boundaries. If only they put all that evil energy to good, we would already have human colonies on Mars!

Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?

For businesses, the first outreach — after their IT department and incident response team — should be to their cyber insurance provider, who can often garner much needed resources in a hurry. Outside computer forensic experts and legal counsel are also typically part of an incident response team, as may be a communications crisis team. While law enforcement can be excellent allies when it comes to larger cyber-attacks, or those performed by nation state actors or syndicated crime organizations, they often have limited resources to address attacks on a smaller scale. That said, for some types of attacks (wire fraud), you are required to file a report through the FBI website (www.ic3.gov) if you want to have any chance of convincing your bank to freeze or unwind a fraudulent wire transfer.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

  • Failure to use multi-factor authentication
  • Failure to require strong passwords and mandate that they be changed every 90 days
  • Failure to properly train (and test) employees on cyber safety
  • Failure to regularly update security patches, virus and spyware definitions, etc.
  • Not using encryption for sensitive or personal data
  • Not having a data back-up/recovery plan in case of a ransomware attack
  • Not having (and testing) an incident response plan
  • Not periodically conducting (and then acting upon) a vulnerability assessment

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

Other than adopting the lifestyle of Henry David Thoreau, there is little that most of us can do to limit the frequency and increasing sophistication of cyber-attacks. What our leaders in the public and private sectors can do is to more clearly and uniformly define the minimum standards that organizations should adopt and employ to resist and respond to cyber-attacks, including ransomware. A national, uniform data breach notification statute, for example, would go a long way to reducing cost and uncertainty and improving consistency and effectiveness in consumer awareness. In this regard, the Sedona Conference Working Group on Data Security and Privacy Liability (WG11) has proposed a uniform, model data breach notification statute that would greatly improve the current, disparate environment.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” and why? (Please share a story or example for each.)

  1. Avoid the common data security and cybersecurity mistakes listed above. Shockingly, I have encountered mature and otherwise successful organizations that failed to implement any of the basic measures that can be employed to minimize and mitigate cybersecurity risks, for which they, unfortunately, paid dearly once they were breached. Although it may be yet another cliché, an ounce of prevention here truly is worth a pound of cure.
  2. Have a well-thought-out incident response plan and incident response team in place, and then test them periodically. I was once asked to assist a client with running a tabletop exercise for their incident response plan and team. Although the company had invested a fair amount of time documenting what they would do and who would do it if a data breach occurred, running a data breach drill in real time quickly exposed things that might have looked good on paper but were actually flaws in the plan. By running a “live fire” tabletop exercise, the company was able to identify gaps and remediate them in advance of a real data security incident occurring.
  3. Have a well-understood cyber security insurance policy in place and revisit it regularly to make sure it meets the needs of the organization. I am periodically called upon to review and assess cyber insurance policies for clients. Too often, a company believes that simply because they have purchased something labeled as “cyber insurance,” they are covered for all contingencies. But this is often not the case. It is very important to understand the scope and coverage of cyber insurance policies, which continue to evolve and may not cover all the types of harm that can be inflicted by a data breach. Effective risk management requires understanding these limits clearly.
  4. Understand your legal, regulatory, and contractual data breach reporting obligations — before the clock starts ticking. Currently, there are many state and federal laws requiring organizations that have experienced a data breach involving the exposure of personally identifiable information to notify affected consumers and, in some cases, state or federal regulators. The deadlines for giving such notice vary across this patchwork of state and federal laws. In addition, many organizations have contracts with customers that require notice to be given within a certain time if a breach occurs that exposes the customer’s data. Understanding in advance who you need to notify of what and when in the event of a data breach is critical to not running afoul of legal, regulatory, and contractual obligations.
  5. Make clear in your service provider contracts who is responsible for what should a data breach occur that involves personal data touched by the vendor. It is common for organizations to work with vendors or service providers to outsource various business functions. Some of these outsourcing arrangements include sensitive data and personally identifiable information for which the organization is responsible. Unfortunately, the contracts between companies and their vendors too often do not speak clearly, if at all, to who is responsible for what should an organization’s information be compromised due to the actions or inactions of their vendor. This can cause unnecessary delays and costs when an organization is attempting to respond to a data breach incident, especially when time is of the essence. It can also lead to undesirable disputes, and even collateral litigation. The better practice is to clearly spell out roles and responsibilities between organizations and their vendors in the event of a data breach that exposes personal data touched by that vendor.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

I would love to see the establishment of a national clearinghouse for the centralized reporting of data breaches involving personally identifiable information. Currently, every state in the union and a patchwork of federal laws mandate varied and disparate data breach reporting obligations regarding who needs to be informed of what, when, and how. For breaches affecting a large number of consumers across multiple states, the reporting obligations alone can be cripplingly costly, especially coming on top of the other detrimental impacts to organizations that fall victim to data breaches. Indeed, some sources have reported that 60 percent of small companies go out of business within six months of falling victim to a data breach or cyber-attack. Creating a centralized, national reporting system for data breaches involving personal data would allow organizations to more cost-effectively give one notice — in one place — that would then be readily available to consumers (and regulators) everywhere, increasing consumers’ awareness and allowing them to take better steps to protect themselves from potential misuse of their personal data by unauthorized third parties.

How can our readers further follow your work online?

My LinkedIn page: https://www.linkedin.com/in/martintully/

Redgrave LLP Website: www.redgravellp.com

Redgrave LLP LinkedIn page: https://www.linkedin.com/company/redgrave-llp

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
