Cyber Defense: Robert Stines Of Freeborn & Peters LLP On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack

Assess security before adopting the technology. Companies are going through a digital transformation that relies heavily on connectivity. There is a mantra for companies — digitize or die. But business leaders need to demand that security is designed into the technology before allocating financial resources to adopt the technology. Technology and information officers should ask the question of vendors: Is your technology secure? Because if it is not, we won’t buy it. This should force software developers and device manufacturers to see the financial benefit of making security a priority.

In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?

In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience, with all of us.

As a part of this series, I had the pleasure of interviewing Robert Stines.

Robert is a partner at Freeborn & Peters LLP specializing in cybersecurity, privacy, data protection, cyber insurance, e-discovery and emerging technologies. Companies concerned with tackling legal issues related to privacy and data protection rely on Robert as a trusted advisor and litigator.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

Sure! I was born in Miami but moved to Jamaica when I was three. While there, I grew up around what some might call Afro-Caribbean arts and culture. The best parts were the beach days, going to rivers, lots of live music and great food. Very enjoyable, but as a third-world country, we did not have some of the luxuries of the United States. But, as they say, I grew up where most people vacation.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

My career path in cybersecurity started when I joined the U.S Army Military Intelligence Corps in 2003. Everything changed when I read the book Future Crimes, by Marc Goodman. I realized that with the information age and the digitization of everything, our society will face legal challenges that our legislature and judiciary are ill-equipped to handle. I started reading more about cyber laws, warfare in cyberspace, and cyber threats, digitization, privacy issues related to data, and securing the internet. I went to law school, and eventually handled my first internet-related lawsuit about a software glitch in an online insurance application that caused the company to issue unauthorized insurance policies. This wasn’t the-run-of-the-mill kind of case where you look for the paper application, figure out who signed it and who approved it. This involved digital forensics and reviewing code, which all had real-world implications. At that point, I was thoroughly convinced I had found where I wanted to focus my career — cyber-related laws and cybersecurity.

Can you share the most interesting story that happened to you since you began this fascinating career?

I wish I could, but that case is ongoing, and I can’t share anything yet. I will say this, though — just when I think nothing can top my last experience dealing with cybersecurity issues, the next case tops it.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

1. Continuous Learning. There are lessons everywhere — travel, school, books, nature, colleagues. You are never too old to learn something new, and you should be open-minded to change what you thought you knew about something. This has helped with my journey in cybersecurity. This is a rapidly evolving area, and what may have worked a year ago might already be outdated.
2. Listening. This goes hand in hand with continuous learning. You can’t learn if you aren’t listening. Listen to colleagues, mentors, and even adversaries. Sometimes we can learn the most from adversaries.
3. Taking Action. Learning and listening are great, but it amounts to nothing if you don’t do something with it. Don’t get caught in analysis paralysis. As a leader, once you have sufficient information, make a decision and act on it.

Are you working on any exciting new projects now? How do you think that will help people?

I just finished co-writing a book published by the American Bar Association, A Practical Guide to Cyber Insurance for Businesses. This project came about because most advisors in the cybersecurity space will tell you that one of the tools for cyber defense is a dedicated insurance policy to mitigate or shift some of the risk. Well, that’s great advice, but cyber insurance is a fairly new concept, and the book provides business leaders guidance on what to consider in a cyber insurance policy.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Cybersecurity?

I’m always a bit shy to toot my own horn, but not only am I a lawyer who has dedicated significant time on this topic, my background is in military intelligence, and I have advanced degrees in cybersecurity and digital forensics. Also, I have written about and been asked to discuss this topic on many occasions. In a nutshell, I have the legal and technical training as well as years of experience in this field.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks that we need to be cognizant of?

When I get this question, I have to think about who is asking the question, but let’s assume most of your readers have heard of ransomware and data breaches. Ransomware is the encryption of files that can only be decrypted with a cipher key or a password. Some will know that the unauthorized encryption was caused by malware, which is short for malicious software, but sophisticated encryption software exists to protect and secure files. Even modern personal computer systems allow for encryption of specific files or the entire storage device. Unfortunately, bad actors have used the technology for nefarious purposes.

When it comes to data breaches, a simple example is when data is exfiltrated and accessed by the bad guys. Note that I said exfiltrated and accessed, because if the bad guys exfiltrate an encrypted file and cannot decrypt it, then under most laws there wasn’t a data breach. Similarly, if bad guys access a file, but did not exfiltrate it, that also may not be considered a data breach.

An information security professional will hear the terms ransomware and data breach and think that was the end result. The real question is what type of “vector,” or method, used for ransomware or the data breach. This is where we hear terms like brute force attack, man-in-the middle attack, masquerade attack, or sniffing. I won’t bore your readers with defining these terms. But, by far, the most common vector is phishing emails, which is a type of social engineering to deceive people into divulging login credentials or confidential information. Social engineering is targeted to insiders that have the information, most likely employees.

Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?

Here’s is my simple answer — both! But, let me explain.

We have to think about why the bad guys are using ransomware or committing data breaches. According to criminologists, the obvious answer is money. Yes, there are state-sponsored actors who engage in cyber warfare or cyber espionage for other purposes, but ransomware and data breaches are typically linked to financial gain. With that in mind you have to think: Is it more lucrative to attack a company or an individual? A good analogy is: Why rob an individual when you can rob the bank. So, with that logic, businesses should be more concerned because they are the more lucrative target.

That being said, businesses can only operate through individuals — officers, directors, employees, etc. So, going back to my answer on vectors, the most common vector is to send phishing emails to individuals. That means the most common vulnerability is people — officers, directors and employees of businesses. It follows then that individuals should be most concerned because individuals are the means by which the bad guys will attack businesses.

Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?

A cybersecurity expert! Yes, you will eventually call the FBI, your insurance company, and file a report with the local police. But, when you first realize that you are the victim of a cyber attack, you should be thinking about damage control: preserving your computer systems and mitigating the potential damage. There might be a way to prevent further damage or to restore the system. You don’t get that information from law enforcement; you get that from a cybersecurity professional.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

Well, specific to ransomware, the most common mistake is someone within the company falling for a phishing email. Officers all the way down to junior employees can fall victim to sophisticated phishing emails. The next common mistake is trying to hide the mistake. Like many things in life, owning up to a mistake to limit further damage is critical. You would be amazed at how many attacks can be stopped in their tracks by a cybersecurity professional who is aware of the problem before it escalates.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

That’s the billion-dollar question, to which there is no simple answer. It’s like asking how do we stop car accidents? One answer is everyone should stop driving cars. For cybersecurity, the answer is everyone should stop using computers, but we know that is not the correct or acceptable answer. Staying with the automobile analogy, after years of life-threatening safety issues, car companies and the government made safety a requirement. Governments started requiring safer cars with the use of seat belts, roll bars, testing, and educating consumers. Similarly with internet-reliant technology, we should think of security in the same way. Security needs to be built into the technology with adequate testing and consumer education.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” and why? (Please share a story or example for each.)

First let me start with a disclaimer, I don’t think we can completely shield against all cyberattacks, but we can take precautions to prevent most and mitigate others. That being said, if I had to summarize my advice into five points, here’s what I would advise:

1. Assess security before adopting the technology. Companies are going through a digital transformation that relies heavily on connectivity. There is a mantra for companies — digitize or die. But business leaders need to demand that security is designed into the technology before allocating financial resources to adopt the technology. Technology and information officers should ask the question of vendors: Is your technology secure? Because if it is not, we won’t buy it. This should force software developers and device manufacturers to see the financial benefit of making security a priority.
2. Train your people. Even with the best locks on a door, if someone leaves the keys out in the open or leaves the door open, the lock is worthless. The same goes with cybersecurity. Even with some of the best security in place, it is worthless if employees hand over login credentials through phishing emails and social engineering. Everyone in business should be trained on how to recognize phishing emails and red flags of a cyber attack.
3. Enforce cyber hygiene. Like personal hygiene, think of cyber hygiene as routines to keep your systems and networks healthy. Change passwords on a regular basis, encrypt sensitive files at rest and while travelling through the internet, determine who needs what privileges, and make sure people are not given more privileges than they need. Do routine check-ups and fix problems as they arise. Of course, just like we go to medical professionals for physical checkups, businesses should use dedicated professionals for cyber check-ups.
4. Make the spend. Cybersecurity should be seen as a necessary cost of doing business in the digital age. Companies have locked doors, fire extinguishers, and safety drills for the sake of security and safety. The cost-benefit analysis of paying for safety and security in the physical world is easy: Companies can’t operate if their products are stolen, if the building burns down, or if employees are constantly harmed on the job. All of these will affect the company’s profits and bottom line. The same analysis holds true for digital assets. Profits are affected if employees cannot access the files and data on computer systems, or if proprietary, sensitive or confidential data is stolen. Companies won’t make money if consumers don’t trust them due to data breaches and fraudulent activity. So, invest the money in cybersecurity just as you would in physical security.
5. Have a plan, practice it, and be prepared to change it. By now you probably see a theme in my answers — Know the risk, invest money to mitigate the risk, train your people to avoid/prevent the risk, and finally, have a plan to deal with the risk. The plan is pre-, during, and post-incident. And don’t just have a plan on paper that sits on a shelf with no further practice or reevaluation. Test the plan periodically to ensure it works in the time of an actual crisis.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 😊

It might be a bit controversial, but coming from the military, I appreciate how public service influences and changes people for the better. If I could inspire everyone to dedicate a year or more to some kind of public service in their late teens or early twenties before starting careers and joining the rat-race of life, I think we would have a better sense of community and would feel the compelling need to look out for fellow humans. I remember spending time in South Korea and every male had a special bond because they all had to serve in the military for short period of time. Now, I’m not saying bring back the draft and it doesn’t have to be the military. But voluntarily dedicate time to public service.

How can our readers further follow your work online?

My firm website is freeborn.com, my twitter handle is @StinesEsquire and I blog at TechLawX.com.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!