Cyber Defense: Stephanie Benoit-Kurtz On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack

Authority Magazine
Published in Authority Magazine
18 min read · May 29, 2022

In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?

In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience, with all of us.

As a part of this series, I had the pleasure of interviewing Stephanie Benoit Kurtz.

Stephanie Benoit Kurtz brings over 25 years of industry experience in Information Technology and Security Solutions and Consulting. As a cybersecurity consultant, Stephanie’s expertise spans multiple areas within compliance and a broad range of technology and security disciplines and she has held numerous leadership positions in these areas. She is a PHOENIX. Stephanie is also a Lead Faculty for the College of IS&T at the University of Phoenix and has taught IT-related courses over the past 20 years. Stephanie specializes in working with clients to educate, instruct, and inspire them to better understand their information, risks, security posture and devise methods to protect data, infrastructure and realize value through the enablement of security technology, processes, and principles.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in a middle-class suburban setting in Las Vegas. Being born and raised in Las Vegas, I watched a small town of 150,000 grow to over 2.5 million in the last 30 years. I attended public school and knew from a young age that I wanted to excel at something that would be recession proof. Remembering the downturns in the economy growing up and how my parents worried about their livelihoods, I wanted a career that could provide stability no matter what the state of the current economy.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I fell into cybersecurity as part of a role that transformed out of IT Operations and Compliance. I was responsible for securing environments and making sure that those same environments were compliant for Sarbanes-Oxley. At the time that I started collecting certifications I was unclear how much those would mean beyond the governance, risk, and compliance areas. As these roles continued to grow in importance with organizations, cybersecurity soon took on a life of its own. I first realized that I enjoyed this type of work while working as a manager of academic computing working on a project for joint use facilities: community college students would use the facilities at night and high school students would use the lab during the days, merging two very different networks with different policies and doing it securely. This particular project was replicated a number of times across the Las Vegas valley, drawing national attention, and was nominated for the Smithsonian Institute of American History Innovation Award. Although this project did not win, it was an amazing example of how innovation in the community could change the way organizations and students utilized resources securely, and leverage partnerships.

Can you share the most interesting story that happened to you since you began this fascinating career?

Creating opportunities and changing lives is where my passion lives. As I think about my career, my mentors, educators and prior bosses I reflect back about how important those interactions changed my life. How each investment of time by others, even if brief, had a profound impact on the direction and velocity of my journey.

At 25, and as a single mother and already a manager in IT Operations, I was told by the president of the organization that if I did not go back and finish my degree I would not be promoted again. At the time, it was a big weight to understand that my options were now limited by the educational goals which I had not been able to complete. I had 150 credits, no degree and no pathway for a working mom with a two-year-old child to continue to work, be home at night, and finish a degree. As a single mom working 60–80 hours a week, I had to find a way to finish a degree and continue to move forward: this is how I got connected with the University of Phoenix. I needed a pathway to completing a degree. Once in a program I was able to finish and gain a business degree and was promptly promoted for that effort. This degree made me very aware of several things:

1) Value of a degree program translates to improved skills that are applicable in any field.

2) That I needed to continue my educational journey because the day would come again soon where a woman in a male dominated field needs to stand out.

I went back to school for an MBA and still use those skills that I learned in that program every day. That MBA was monetized very quickly, and I was able to also find my calling in creating opportunity and changing lives by teaching technology at the graduate and undergraduate level.

These interactions demonstrated that grit is a critical part of growing as an individual and necessary in my particular circumstance to deliver on providing for a family. In reflecting back this is where I began to understand that mentors, educators, and leaders all have a role in the community to foster the next generation of security professionals.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

There are so many characteristics that are important as a leader.

The first is having GRIT. In order to lead others and make change you must have GRIT and the desire to get stuff done (GSD). Being an agent of change is not an easy path and as a woman in a male dominated field it is often met with resistance and frustration. I don’t ever remember hearing any of my male peers being told they should put their broom down or be snarked at for sitting at the executive table. I proudly hung a broom over my door after that comment and to this day gladly will take on anyone who asks by sharing that it is the ride of your life if you are up for the adventure.

The second characteristic is that all leaders must be mentors at heart. In my spare time I teach at the University of Phoenix at the graduate and undergraduate level. I believe that the next generation of cybersecurity professionals are mentored and trained by the current generation of professionals. The journey down the yellow brick road of technology and security is often unconventional, rough, and undefined. To lead a team, business or group you must be willing to share knowledge, be a lifetime learner and mentor those that travel that path. Certainly, being in a male dominated field there have been times when the seat at the table seems a bit daunting. Making sure that I actively share those stories and encourage diverse company to grab that seat at the table is so important. It is a diverse workforce in the future that will fill the skills gap in security.

The third characteristic is compassion: to have the ability to be compassionate, display empathy and provide an environment where others not only want to join you in the journey but are invested in the outcomes. Understanding how to create balance, family first, and have a good time must be part of the adventure. Cybersecurity can be a stressful and tough environment, but learning and teaching others how to have fun along the way is important. Creating a place where others are interested in spending their time, investing their talent, and growing together as a team is a critical part of the fabric that makes the defense strategy work. Organizations that invest millions in tools, training and defense strategies but fail to invest in a compassionate and fulfilling environment will end up with a void that is impossible to fill.

Are you working on any exciting new projects now? How do you think that will help people?

I enjoy the road less travelled. I am always working on something. I get into trouble if I can sit around without something to do. Personally, I am finishing up a Doctorate in Information Technology with an emphasis in Cybersecurity and Data Assurance. As part of my passion of mentoring and teaching others I thought it was important for me to take the next step academically to continue teaching and contributing to the academic field.

Professionally, I am working on a variety of projects that assist organizations on how to close the gaps strategically within their companies that are created by security risks. A strong layered defense strategy is critical; however, the headcount and resources rarely match the required need to fully deploy necessary strategies. At Trace3 I work with companies across the country to create strategies that improve security postures. Working on projects associated with resolving tough security issues and creating proactive postures is part of my passion. All organizations are at risk with this rapidly changing landscape we are navigating and figuring out how to be less reactive and more proactive is the challenge.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Cybersecurity?

There are lots of thought leaders in the Cybersecurity space. I am one of many that have dedicated their entire career, now of over 30 years, to investing in how to protect, secure, remediate and defend IT environments. Certifications, degrees, education, and lifetime learning are all part of the journey. Actively performing research, engaging with technology providers and looking for innovation that could change the way organizations identify and deal with threats is a critical part of the puzzle.

The cybersecurity field is so vast — there is an endless amount of information, content and technology that can be part of the security fabric. There is no real way to understand everything there is to know about cybersecurity but investing in specialized areas is useful for assisting others in creating the strategy. Having experiences that can be shared about how processes, policies, procedures and technology work in a real world environment is an important part of the story.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks that we need to be cognizant of?

Think about it: the entire motivation for most hackers is to monetize the engagement. So, if the goal is to make money, then think about that concept every time you look at technology and your interaction with hardware, software and applications.

Identity is the key way that most bad actors get access to machines, accounts, and information that then is monetized. Reusing passwords, and logins is an extremely bad idea and users often reuse the same passwords from social media, personal email, and streaming accounts that they use at work and for personal finance access. STOP REUSING CREDENTIALS!!!!! All of the social media and personal email providers have been hacked with user data exfiltrated a number of times. This means your credentials are on the dark web for sale and can be purchased for pennies. Bad actors then just find ways to leverage the information to gain access to accounts. Implement multi-factor authentication with your financial accounts where possible.

The second is to stay away from texts, emails and links from organizations and individuals you do not know. Even if you think you know the individual do some homework before you click links. Often these links have bad things associated to them. Malware, ransomware, and different types of code that can spy on your machine, capture keystrokes, and steal private information.

Make sure that all your devices are updated and protected. This includes phones, tablets, laptops, and workstations. Bad actors are now moving to mobile devices as the shift is made on society transitioning to a mobile world. Make sure you are scanning and updating all your devices regularly. Do not download apps you don’t need and remove the apps you don’t use. This makes your active environment easier to keep current and identify issues if apps show up that you are not responsible for. Bad actors sometimes use apps to infiltrate mobile devices.

Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?

Both!!! Individuals proportionately have more to lose as well as fewer IT and Cybersecurity professionals to assist with the defense and response to an incident. Individuals have to stay informed and diligent on how to protect assets that matter by keeping software updated, running endpoint protection and staying vigilant. Individuals can still be attacked with ransomware, face social engineering attacks and other threats that can cost thousands of dollars. As an individual consumer it is essential to stay informed, and question engagement from other individuals and companies even if you know them. Use websites and other publicly available information to validate requests for information and overdue accounts. Never provide any type of payment transfers via Venmo, PayPal, Zelle or by gift card to cover some type of request. Always go to the website that you entered in a browser, and call to talk to the organization before validating money transfers.

Organizations are at risk due to just the nature of how an attack can be monetized. The more critical in nature the business or the more money involved in the organization the bigger the target. Bad actors have found that ransoms are an effective payday. They infiltrate an organization, take some juicy data, and then lock things down and wait for a payday. Organizations that don’t have a large cashflow are not as attractive as those that are either very dependent on their data, face large fines for the loss of that data, or are unable to function after a lockdown of ransomware has taken place. Organizations that pay ransoms do so because they feel they have no choice. The key really is to avoid the entire situation by proactively taking steps to ensure that the organization can resume business after an attack. Long gone are the days of IF we will be attacked; now it is a matter of WHEN. How long it takes for an organization to resume normal operations is the real measure. Organizations and individuals must have solid backup plans to restore operations after an attack.

Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?

There are a variety of cyber attacks. Email breaches and malware attacks on a small company or individual do not merit the engagement of local police or the FBI. Find a cybersecurity company to assist you with those types of issues.

Individuals that are a victim of an attack that resulted in monetary loss should contact the local police department. In some cases, the individual might not even know their information was stolen until they file their tax return, or receive a notice that they have claimed unemployment benefits for a claim they did not make. Contact the specific agency associated to those claims to start resolving those types of issues.

Organizations that are experiencing a ransomware attack should engage local police and the local FBI cybersecurity divisions as soon as possible. Time matters so do not delay the reporting of an incident. If you are not connected with the FBI, local law enforcement can assist with that connection.

If you are an organization and you have experienced a data breach or other type of loss associated to what you believe is hacking, contact a cybersecurity company to assist in an assessment to understand what has happened, and what needs to be done to remediate the situation.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

It all comes down to identity and access. The worst mistake is an IT professional with elevated privileges that reuses passwords from social media to access work accounts. Implement strong identity passwords, and multi-factor authentication to reduce the risk of credential theft. Using a password vault that actually rotates the passwords that IT professionals never know is another way to reduce the risk. If the password is rotated everyday randomly it is more difficult to gain access.

Delete UNUSED ACCOUNTS. Very often a dormant account is leveraged in attacks. If they are not in use, delete them. Disabling a service account for example is not good enough. Keep in mind that the key is to get in and make as little noise as possible while exfiltrating data and installing code to lock down systems. Leveraging a forgotten account is the perfect tool since no one is watching it.

The other most common mistake is the failure to patch and have a real vulnerability management program. Organizations want to push the EASY button when it comes to investing on a vulnerability management program. Patching is HARD. But it is necessary as the failure to patch is like leaving your front door open and expecting that nothing will come in that open door. Even if it is a little door, things can come in and once inside the goal is to monetize whatever the hackers can get their hands on. Data, systems, real money, and information that can be sold.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

Take away the ability to monetize attacks. The reason that attacks have exponentially increased is due to the number of dollars attached to the activity. Billions of dollars annually are paid to bad actors because of ransomware attacks. Organizations need to do a better job of securing assets and developing disaster recovery plans that will allow them to recover fully if attacked. Years ago, the virus challenge was malicious but rarely had any type of real financial impact with the exclusion of just down time associated to the attack. Now the attacks come with the sale of information and the ransom payday associated with a lockdown.

Identities need to become stronger without complication to the end users. Most of the activity of a breach happens through credentials that were hacked or stolen. Finding a way to create a combination of items beyond just a password is part of the solution. There are some technologies on the horizon that are looking at solving some of these issues.

Data security is a big issue. Once the data is taken from an organization it is generally sold for profit. Making the data useless as it leaves an organization, I believe, is key to stopping the issue. The technology exists today to at least make it more difficult to access data. Manufacturers and the industry need to accelerate the innovation in this area to find ways to secure data at a higher level. If there is no profit in stealing data, then the investment time to do it becomes an opportunity cost.

What are the “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” and why? (Please share a story or example for each.)

Invest in your people. Your cybersecurity team is your defense strategy. Make sure that you invest in their development, create work life balance and mentor them to continue in the career with YOUR organization. The GREAT RESIGNATION was not an accident. For cybersecurity professionals it has been lack of work life balance, stress and failure to compensate employees that have resulted in the mass evacuation of talent from organizations. Those employees get two to three real offers a month. Know that your best defense is just one good offer from walking out the door. There is an insane amount of money in the market due to a shortage of cybersecurity talent. Create an environment where your talent is not looking. All it takes is one conversation and your best and brightest are moving on to a different organization. A great example of this was a young lady that I know, a complete ROCK STAR, who took a role with the understanding that she had a vacation coming up in eight months that she needed to take for a family wedding. Two weeks before the trip the employer started giving her a hard time about taking vacation. She took the vacation and when she came back she quit and went to work for a competitor for more money and better benefits. Her offer was more than she asked for and 20% higher compensation than she was making in the prior role. She never would have been looking had the employer kept their original bargain and invested in their talent. If you want to keep your ROCK STARS take care of the simple things, and they will not have a reason to be looking.

Invest in your layered defense strategy. Set up a strategic plan over the next 36 months and identify the areas that need to be addressed as the threat landscape changes. You will never have enough money, time, or resources to do everything. A solid strategic plan will assist in getting to the point where your posture can move to proactive rather than reactive. If you are an executive in an organization, ask to see the 36-month rolling cybersecurity strategy and plan. If the organization does not have one, it is time to start creating one. Environments alone do not improve without measurement. By creating a plan and communicating it, the measurement is in the execution of the plan.

Continue to find ways to put money away for the day when the attack comes. Cybersecurity insurance is becoming more difficult to obtain. If you no longer can afford coverage, or if you have been dropped by your insurance organization, look to fund a budget item for a breach. Resuming operations after a breach is very expensive. Have those funds sitting somewhere ready to use should a breach happen. Also be aware that just because you have cybersecurity insurance doesn’t mean that your claim will be accepted. Failure to comply with the standards and processes outlined in the policy will create a situation where insurance companies will not pay. For example, you state that you patch all critical patches within 30 days. The organization is breached, and the cause of the breach was a device that was not patched in the last 180 days. Guess what??? That breach will not be covered by insurance because of a failure to implement reported controls. For every control that is stated in the insurance questionnaires, if you fail to implement those controls consistently there is a good chance a claim would be declined and/or your coverage might altogether be dropped.

Be OK with emerging technology. A number of organizations in the security industry are coming up with innovative ways to use, for example, AI to address cybersecurity issues. For example, if my credit card was used in Las Vegas five minutes ago buying gas and it is now being used in New York for parking there is something wrong. If I am a user that always logs in from Los Angeles, and now I am logging in from Brazil there is an issue. These types of AI tools are looking for associations and correlations which will change the way we think about security in the next couple of years. Invest a little in emerging technology. Not only is it a challenge for the team, but it provides some visibility into trends for new tools and solutions that can impact your security strategy.

There is no such thing as a 100% secure environment. The idea that there is some way to keep from being attacked is a fallacy. The real concept is when you are attacked how long will it take your organization to respond, remediate and restore operations? Investing in Incident Response Plans, Business Continuity Plans and Disaster Recovery Plans is critical. But the investment can’t just be on paper. The organization must hold drills, exercises, and tabletop activities. The IT teams need to go through attack simulations and incident response a couple of times a year. Executives need to understand how and what to do in a situation to assist and reduce impact. Business operators need to understand how to resume business as fast as possible even at a manual level until technology services are restored. These are activities that, if not practiced, are difficult to understand how to carry out in a real situation. Practice, process, and continuous improvement in this area will assist organizations to recover and restore more efficiently. I recently talked to an executive that experienced a ransomware attack. She shared that they did NOT pay the ransom and were able to restore quickly. The key was regular critical infrastructure disaster training for the team, and the time to detect the attack. The attack was detected within a few hours, and the training provided the organization a very clear process and procedure on how to resume critical functions.

If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be?

Cybersecurity professionals are being fought over by organizations. We shamelessly steal from each other rather than investing in the future. Organizations, educational institutions, trade schools and outreach programs need to find passionate individuals that are looking for a chance and find ways to harness that passion through the investment of cybersecurity training and development. Inclusion and diversity are also part of the key to improving the labor shortage. Women, minorities, and underserved populations need to be part of the strategy. All the investment in cutting edge technology will not work without resources to implement, manage, and maintain these solutions. Organizations need to proactively fund development and continuing education for cybersecurity professionals, leaders and executives to understand the threat landscape and the vehicle we need to navigate the very bumpy yellow brick road.

How can our readers further follow your work online?

Check out my LinkedIn profile: https://www.linkedin.com/in/stkurtz/. I share news, trends, and other security items online.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
