Cyber Defense: Paul Rohmeyer Of Stevens Institute of Technology On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack

Published in Authority Magazine
15 min read · Apr 3, 2022

Cyberattacks continuously change, and therefore, the study of particular threats is probably not as important as establishing a discipline to continuously monitor the environment, study emerging events, and formulate your response.

In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?

In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack,” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience, with all of us.

As a part of this series, I had the pleasure of interviewing Paul Rohmeyer.

Paul is an adjunct professor in the School of Business at Stevens Institute of Technology and a cybersecurity risk consultant. He has provided advice and guidance on cybersecurity challenges to senior leaders in banking, financial services, healthcare, telecommunications, government, and other industries since 2000. Paul has written and presented extensively on cyber risk management.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

Early in my career, I had an internal audit and compliance position for a large pharmaceutical company. One fateful morning the head of internal audit called a colleague and me into his office where he shared his concerns about growing reliance on information systems to facilitate critical business processes and opined that “something needed to be done” to make sure the systems functioned as expected and could not be manipulated. He shared a wide range of concerns, clearly uncomfortable with the unfolding march towards increased connectivity and information systems development across the enterprise. You might say the rest is history, as from that moment, my career pivoted to include a series of assignments that involved all aspects of ensuring confidentiality, integrity, and availability in the emerging systems landscape. Each new assignment gained in scale and complexity, and ultimately, led me to move into consulting to gain even greater exposure to increasingly challenging projects.

Can you share the most interesting story that happened to you since you began this fascinating career?

Anyone who has worked for decades in cybersecurity undoubtedly has many fascinating stories to share, a testament to what makes the field challenging and rewarding. The projects I performed that ultimately had the greatest impact were not those that may be exciting to technologists. Rather, they were focused on managing cyber risk uncertainties in new technologies that promised to enable new business strategies. In other words, the focus was not on responding to disruptions from a single cyber incident, but instead in helping businesses deal with uncertainties introducing untested and overcoming the actual fear of moving forward with plans that could potentially prove disruptive to essential business processes.

Recently I was engaged by the executive leadership of a bank to provide guidance on cybersecurity risk management and compliance. The project expanded rapidly. However, it became apparent the institution was struggling with the formulation of an entirely new digital strategy and that was the more significant concern to the board. They found themselves challenged to make decisions within a miasma of market, business, technology, compliance, and risk uncertainties. They recognized specific challenges faced by their somewhat unique business model and were feeling competitive pressures apparent to all banking institutions today to remain relevant in the increasingly digitized consumer finance environment. As often occurs in the pursuit of technical innovation, risk emerged as a stifling factor and fears of technology risks paralyzed the organization. Working alongside the executive team, we were able to improve our understanding of the cyber risks in the current environment, as well as within the envisioned, “to-be” architecture. Projects like these extend far beyond the operational cyber concerns that tend to dominate media reports on cyber but ignore broad, strategic impacts.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

The most important traits for any aspiring cybersecurity leader are those that help us to make sense of the dynamic and increasingly complex environment of interconnected systems and processes. Of these traits, I would prioritize motivation, curiosity, and continuous learning, and these should be viewed as complementary.

We are individually motivated by a variety of factors that change throughout our careers. Sometimes we seek professional development, often as a stepping stone to increased responsibility and perhaps compensation. In other phases, we seek to maintain current skills and perspectives to solve the most difficult problems. Ultimately, perhaps later in the career cycle, we appreciate the intellectual value of theoretical concepts in the field rather than focus on present challenges. The constant, however, is a sustained level of motivation to work outside of defined job parameters, often at significant personal cost in time and money. This highlights the practice of continuous learning that seems to be evident when speaking with distinguished leaders in the field. There is a value of knowledge, a drive to improve our understanding of the technological underpinnings and to do so within a variety of technical and organizational contexts. Continuous learning is a lifestyle habit; it is the pursuit of knowledge in many forms including books, organized courses, informal networking and mentorship, and other avenues. A common thread is the third important trait — curiosity. A functional knowledge of technology is not adequate in this field. Success in this field is driven by curiosity and a healthy questioning of the stated capabilities of systems and architectures. In fact, an eagerness to “break things” is essential — prove the designer, developer, or user wrong and demonstrate technical limitations and the sometimes not so obvious risks.

Are you working on any exciting new projects now? How do you think that will help people?

I’ve focused recently on exploring risks in cyber physical and industrial settings, including the oil and gas industry and the maritime transportation system. This was a pivot from my prior focus on financials and has given me new perspectives. The importance of addressing cyber risks in both information technology (IT) and operational technology (OT) has never been more apparent, and this will increase as does society’s reliance on growing automation in essentially all sectors. Complex architectures such as smart cities will present new cyber risk challenges.

At the consumer level, the rate of adoption of internet of things (IoT) is significant and growing, and so aspects of the cyber physical risk challenges will become even more important. Interconnectedness is increasing, and therefore vulnerabilities in even simple devices can ultimately have profound impacts. The problem of risk accumulation is particularly concerning due to the large scale of emerging IoT architectures that consist of many small components.

A simple example of the user-level impact is the adoption of smart home devices such as the artificial intelligence enabled voice control system, Amazon Alexa. As we’ve seen in the past with some new tech, Alexa is positioned as a consumer convenience device but is making its way inside of organizations where it now “listens” to business discussions. Business usage opens obvious concerns about confidentiality and consumer privacy. The functional goals are clear. The capabilities of “Alexa for Business” are certainly convenient and should have a positive impact on productivity. However, the privacy, data security, and regulatory compliance concerns have yet to be adequately addressed in my opinion. Consider potential use cases of Alexa for Business in regulated industries and how your enterprise can maintain compliance with HIPAA, GLBA, GDPR, and other privacy regulations while allowing confidential discussions to be captured by a device and streamed to cloud storage.

The answers are not clear. Amazon’s primary control suggestion in their product description is for the user to “turn off” the microphone as needed, essentially building a reliance on preferred user behavior, which historically, has proven entirely inadequate as a control design. Should organizations explore Alexa for Business? Absolutely, but realize the potential risk challenges and be prepared to establish meaningful controls that don’t rely on end user cooperation.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Cybersecurity?

I’ve been very effective helping organizations identify and respond to technology risks for more than two decades across a wide range of industries, at the same time internet technologies have evolved. During this time, I’ve built a substantial knowledge base by establishing a disciplined, continuous cycle of conducting research, socializing my research with industry and other researchers, networking with others in the field to combine my knowledge with new developments in the field, then returning to research armed with new knowledge to restart the cycle. As reflected earlier, my interests extend beyond the edges of technical cyber to consider security with respect to organizational processes, systems, markets, and technology innovation.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks that we need to be cognizant of?

The key is to recognize and manage risks and not let the possibility of cyberattacks stifle innovation or disrupt creativity. Understand and treat the risks, don’t be the “voice of no.” Industry voices have sometimes fallen back to stressing aspects of “fear, uncertainty, and doubt” to raise awareness and ultimately sell product. That is not helpful as it disconnects the reality of the nature of cyber threats and ignores the concept of risk management as a driver of decision making by leadership.

There is a wide range of attack categories and numerous specific tactics under each. Adversaries continuously adapt to emerging countermeasures, and in turn, organizations seek new countermeasures. The result is a never-ending cycle of innovation on the part of organizations seeking to protect assets as well as the attackers seeking to steal or disrupt. Businesses and individuals should be concerned with the potential for threat patterns such as the following:

Malware — Malicious code can be delivered to a target by a variety of mechanisms including email phishing. Once the malicious code is resident on a device, the attacker can assume a range of capabilities to steal information or disrupt processing. Anti-malware software is available to reduce the threat and impact of this attack type.

Ransomware — An attacker uses a malicious program to take control of a portion of a device or network and demands a ransom payment. Usually, there is a social engineering component as the attacker often establishes a countdown that sets payment deadlines, and failure to pay by a deadline results in higher ransom demands. Attacker sophistication has increased due to “ransomware as a service,” where relatively low-skilled attackers can pay to leverage hosted attack facilities. Maintaining updated systems, the use of anti-malware software, and frequent backing up of data can help lessen the exposure and impact of ransomware threats.

Password Attacks — Our reliance on user identifiers and passwords as the primary access control continues to leave us vulnerable to a variety of password attacks ranging from the very simple to highly sophisticated. We can address these by frequently changing our passwords, using “strong” passwords that avoid common dictionary words, and supplementing our access using multi-factor authentication methods such as smartphone-based software. Consider using a password manager instead of keeping passwords on a note taped to the back of your keyboard.

Social Engineering — This includes approaches via e-mail, voice calls, and even in person. The social engineer attempts to craft a bogus narrative to lead the victim to provide system or facility access. The attacker often crafts a fictional crisis scenario to add pressure to the unsuspecting victim. Keeping your team aware of the various types of social engineering attacks is an important step, along with encouraging them to report suspicious activity.

Advanced Persistent Threats (APT) — Yet another broad category of attacks, this reflects the activities of a determined, skilled, and very patient attacker. Many cyberattacks are non-specific and often damage “targets of opportunity”; the APT uses research to find an “attractive” target and takes deliberate steps against its target. Defense against APT requires a well-designed, broad cybersecurity strategy backed by a layered control environment. The nature of APT may still eventually overcome many controls, underscoring the need to deploy controls that protect and detect, but also facilitate efficient response.

Interconnection Threats — As organizations increase connectivity in attempts to link business models, exposures in a single participant place all connected members at risk. Segmentation of systems and ongoing monitoring can help here, but the challenge is complex.

Insider — System users, administrators, and engineers require a level of access to systems and information to perform their job functions. Just as is the case with physical security, access granted to an approved, trusted party can eventually be misused. Threats from connected business partners can result from rogue insiders as well. Due diligence upon hiring and employee onboarding may detect concerns in some cases, but the primary controls over this threat are continuous monitoring with particular attention paid to controlling and observing the behavior of “privileged users,” those with the highest level of trusted access.

Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?

Businesses and private individuals are faced with essentially the same cyber issues; however, the consequences obviously differ. The impact of a cyberattack to organizations can be process disruption, an inability to fulfill customer expectations, legal and regulatory damages, and more. For the individual, the consequences of a cyberattack are most often an inability to access systems and data and the potential loss of sensitive personal data. A key difference, of course, is scale, as a cyberattack can spread within an enterprise and ultimately impact many individuals and organizations, while the attack on the individual is commonly (but not always) contained to the victim. Both should be concerned but follow different activities to protect their systems and data, detect incidents, and respond to them.

Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?

Organizations should have well-defined breach response plans. Response usually begins with initial instructions to employees on reporting the incident internally. Ideally there should be technical guidance provided, such as disconnecting the system from the network but not shutting it down, as doing so will disrupt any available electronic evidence. Escalation to local or federal law enforcement, or engagement of a cybersecurity consultant, should also be stated in the response chain. A key here is to get the trained, designated internal experts to take over as quickly as possible to ensure the response conforms to pre-defined actions.

The situation is somewhat less clear for individuals. Suspecting an incident involving your employer’s systems should of course be reported to your employer and the corporate response plan should take over. However, most of us do not have a clear, individual response plan for a cyber event on a personal device. You could try to get guidance from your employer or conduct research online using an alternative device. There are a variety of businesses that assist with common computer problems who may be able to help. There is always the possibility you may know someone with IT experience who can provide guidance based on the incident. Engagement of law enforcement is a possibility but should ideally be driven by actual or suspected damages, such as theft of funds or other plain signs of a violation of law.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

As mentioned, ransomware is a substantial threat that continues to grow in frequency and sophistication. The first mistake is commonly a failure to maintain your systems. This includes using the most current versions of software and ensuring all updates and patches have been applied. The malicious code that causes ransomware needs to find a vulnerability in your system to be effective. Allowing vulnerabilities to remain unpatched is, therefore, a problem.

The other major concern is a failure to perform backups of data. My observation is individuals have almost forgotten about the importance of backup, due in part to the use of cloud data storage. Saving your files on the cloud means you don’t lose your data if your hard drive crashes or if your device is stolen. However, a ransomware attack could make your cloud drive inaccessible. A current, local copy on an external hard drive, or copying the data to an alternative cloud drive, could make the ransomware attack irrelevant to you.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

Leaders need to ensure they have a well-designed information security management system to prepare for the wide range of activities needed to ensure cybersecurity. There is a great deal of guidance available to outline the necessary components. Adoption of a cybersecurity standard or framework such as ISO 27000, NIST CSF, HITRUST CSF, or others can rapidly bring an organization into alignment with prevailing best practices.

The need for investment in your team cannot be overstated. This includes providing training and education opportunities to feed continuous learning, consistent awareness messaging so employees are alert to evolving threats, and formally recognizing cybersecurity as a job responsibility throughout the enterprise. Conducting drills and tests should be prioritized to increase your team’s familiarity with the complex nature of cyber response and instill a sense of confidence in organizational preparedness. A lack of preparation and confidence should be expected to result in a panicked, unfocused response. Attackers take actions to drive uncertainty and create panic — your job is to anticipate and equip your team to make sound decisions under pressure.

Lastly, encourage peer leaders to recognize that cyber risk can be managed, but not eliminated. The best prepared organizations with well-designed and implemented controls can still experience significant losses from cyber threats. This is primarily due to the evolving nature of cyber threats. Bad actors have proven to be innovators, and they study the likely/common/emerging control strategies and adjust accordingly. There are no guarantees in this business, but a layered, well-designed architecture can minimize exposure to threats, quickly resolve vulnerabilities, lessen the impact of an incident, and plan a robust response. Perhaps more importantly, use incident experiences to improve your technology architecture and, therefore, your resilience.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” and why? (Please share a story or example for each.)

Cyberattacks continuously change, and therefore, the study of particular threats is probably not as important as establishing a discipline to continuously monitor the environment, study emerging events, and formulate your response. The following steps are essential in this process:

Maintain a Strategic Perspective — Consider the example I shared previously about cyber risk management as an enabler of digital innovation. The best new technologies will fail without anticipation of technology risks and likely actions of threat actors.

Research — There are numerous formal and informal sources of knowledge on cybersecurity topics. Don’t settle for the incomplete soundbites given after every major incident. Read detailed analyses of actual events and study the organizational response. Webinars are a great and often free source of very detailed information on breaches.

Keep Current — Despite common shortcomings such as incomplete or inaccurate initial reports, keep an eye on weekly events including breaches, new technologies, regulatory changes, and related factors. Catch new waves on the horizon; don’t wait for them to reach you.

Socialize — Use your personal network to establish a trusted circle. Establish informal communications to test ideas and get knowledgeable feedback. Participate in roundtables, attend industry events, and get active in local chapters of professional associations.

Rinse and Repeat — Doing the above takes focus and dedication. Make time for it. Be consistent.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

I believe there is a tremendous opportunity, perhaps an obligation, to improve cybersecurity education and awareness in K-12 education. In the short term, better information could help kids avoid common mistakes and misuse of technology and become alert to potential threats. Long term, this would establish a foundation to enable them to navigate future technology risk challenges. The internet was opened to commercial use in 1991 — more than 30 years ago — yet we continue to see indications of a lack of a fundamental understanding of basic internet architecture. We have an opportunity to improve this at the earliest levels where we can teach the next generations more about how it all works.

How can our readers further follow your work online?

Readers can find me on LinkedIn and I continue to produce papers and occasional media commentary. My most recent book, Financial Cybersecurity Risk Management, is available on Amazon.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
