Cyber Defense: Tim Redfearn of ADS On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack
In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?
In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience with all of us.
As a part of this series, I had the pleasure of interviewing Tim Redfearn.
Tim Redfearn is an accomplished senior information technology leader offering 30 years of demonstrated career success developing and executing operational strategies to promote organizational growth and optimal utilization of emerging technologies. He is currently the Command, Control, Communications, Computers, Cyber (C5) Intelligence, Surveillance and Reconnaissance (ISR) category manager at ADS, Inc., a military equipment supplier that provides tactical equipment, procurement, logistics, government contracts and supply chain solutions. Prior to this role, he was the Chief Information Officer and Senior Vice President at Navy Exchange Services Command (NEXCOM). He has previously held information technology roles at Clark Nexsen, Cox Auto Trader, Swimways, LifeNet and NorShipCo. Tim holds a B.S. in business administration and management information systems from Old Dominion University.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in Virginia Beach, VA, but I spent a lot of time on the Outer Banks of North Carolina as I loved to surf. In my early years, I was also a wrestler and enjoyed competitive sports in school. Despite enjoying time spent playing sports, I took my first computer class in high school and immediately realized that I had found my calling. This newfound passion continued into college when I started as a computer science major, but quickly switched to business when I realized that I didn’t want to program full-time. I really enjoyed it, but I didn’t want to pursue that as my only career. Ultimately I received my degree in Management Information Systems from Old Dominion University.
Is there a particular story that inspired you to pursue a career in cybersecurity?
Once I graduated college, my first job was working for a defense contractor as their first IT employee. I worked on a contract on base all day and did corporate IT after hours. The company grew and I eventually took over their IT as my full-time role. This was in the early 90’s and I didn’t realize at the time that I was working on the cutting edge of technology by getting the company on the Internet, using email and building their first web page. I continued to work in IT and IT management for multiple companies and ended up working for the government in a senior IT position for eight years. Technology and threats have drastically evolved since I started my first position, and cybersecurity is mandatory in the government and the level of compliance was nonnegotiable.
Can you share the most interesting story that happened to you since you began this fascinating career?
Having worked in the technology industry for as long as I have, you see a lot that reinforces the need for policies and procedures to regulate and control environments. The assumption can easily be made that the threats and adversaries we face in the cyber world are external and trying to get in, but the most dangerous adversary can be from the inside. The protection of sensitive information is critical. I have experienced many incidents in my career and it’s the little things that can explode. I once requested a list of my employees’ birthdays from HR so I could recognize them on their birthday. The list that was sent to me was a spreadsheet with every employee in the company with all their most sensitive data included. The person who sent it “hid” the columns with sensitive data and the rows of the other employees but did not secure or lock the spreadsheet. This wasn’t done with any malintent, just an unawareness that the data was still there and the seriousness of what they had done.
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
Integrity, patience and communications.
Integrity should be obvious; without it, you have nothing as a leader. Patience is important but waiting too long to act can cause issues. However, reacting and not waiting for the right moment could also be just as devastating. Communication is more critical now than ever because we have so many obstacles and ways to communicate. Email is out of control and in-person meetings are limited, so texting and social media are the main options. Leaders must be able to effectively communicate in whatever situation you are in, and you need to be able to adapt.
Are you working on any exciting new projects now? How do you think that will help people?
There is no shortage of new projects in my current role. At ADS, we continually respond to the needs of our customers. We are part of a group of The Defense Logistics Agency’s Tailored Logistic Program (DLA TLS) suppliers who rapidly procure goods and technologies for the Department of Defense (DoD). The ability to rapidly procure items is critical in an industry where requirements change so rapidly. Traditional procurement processes can drag out for so long that it’s likely that the technology would be outdated before the acquisition process is complete. ADS has almost 200 business development professionals working with personnel in all areas of the DoD and federal government where we actively listen to the needs of our customers and then connect them with one of the 3,000+ suppliers to provide them with options to find the right solutions.
Not only do I love what I do, but it also helps keep our country safe by providing the latest technology to the warfighter. We also have multiple shows each year throughout the country including our two big annual trade shows — Warrior East and Warrior West — where we gather our top suppliers to showcase their new technologies to decision makers within the DoD, keeping innovation top-of-mind for our troops.
For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Cybersecurity?
I started in the information technology industry before the Internet was considered “mainstream” and have seen threats evolve over the last 30+ years. My job as the CIO for the Navy Exchange Command (NEXCOM) combined what I think to be the two hardest industries — IT and retail for the DoD by focusing on protecting sensitive data from outside and inside threats. In my current role, I am an active participant in the industry by engaging with our DoD and government customers to provide them with exactly the technology they need and delivering as quickly as possible. I have a deep understanding of cybersecurity and what companies, individuals and our government can do to actively protect themselves.
In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks that we need to be cognizant of?
Sure! There are multiple types of cyberattacks to be cognizant of, but I will outline a few below:
- Malware — Malware is intrusive software that is designed to damage or destroy computers and systems. Examples include viruses, worms, Trojan virus, spyware, adware and ransomware.
- Phishing — Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords, credit card numbers, social security and other personally identifiable information.
- Man in the Middle — This type of attack is different from the others since it appears a browser or item is trusted, but it is in fact, bad actors trying to steal your information. For example, people in coffee shops can share fake WiFi networks, and if your data is not encrypted, they can see what you are doing. This also applies to cell phone cables that look normal, but the second you plug in your device, it’ll be hacked.
- Denial of Service (DoS) Attacks — These attacks are meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic or sending it information that triggers a crash.
- SQL Injections — This is a common attack vector that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. Examples of information include sensitive company data, user lists or private customer details.
- Zero-day Exploits — A zero-day is a computer-software vulnerability either unknown to those who should be interested in its mitigation or known and without a patch to correct it. Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, additional computers or a network.
Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?
Everyone has to be concerned about identity theft, their systems being compromised and sensitive information being taken, especially during rising global tensions. Lately ransomware has been the big issue, and business systems are being compromised. Data is being stolen and held for ransom unless companies pay big bucks. The Nvidia breach is just the latest example of this happening to a company, and their information is being released on the Internet since they did not pay the ransom.
Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?
In terms of next steps, it will depend on what was taken from a company or individual. If you shared information in a phishing scheme, you should immediately contact your banks, credit card companies or other financial services companies. If your Social Security number is compromised, OIG and the Social Security Administration are good resources as well. If your driver’s license or car registrations have been stolen, contact the DMV. You should also contact your local police so there is an official record should you need to pursue legal action in the future.
For companies, it sometimes makes sense to contact the FBI IC3 Internet Crime Complaint Center or the FTC to identify threats. These experts will also be able to help you navigate getting your stolen information back without having to pay a hefty ransom fee.
What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?
Some common mistakes are not filtering web browsers and emails as well as not keeping all your equipment and software updated and patched. These are just the first steps to ensuring your network systems are secure and having this technology in place for your company is no longer an option but a necessity.
Email filters can block spam as well as review and replace links, helping to control phishing attempts.
Backing up your data is also necessary in case you are hit with a cyberattack. If hackers are holding your data for ransom, but you know that you’ve properly encrypted it and backed up the necessary information, it’s less stressful and easier to navigate.
What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?
I am a firm believer in only giving individuals access to the required information needed to do their job. After working with sensitive data at NEXCOM, it’s critical to control sensitive information and only give access to those who have a need to know.
Most organizations, including the government, have virus protection, email and web filtering, but that doesn’t mean sensitive information is safe. If an individual with access to sensitive information copies it to a cloud storage, then these tools don’t help, but there are tools that use AI to monitor employee behaviors, recognizing abnormal patterns and alerting appropriately.
What are the “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” and why? (Please share a story or example for each.)
- Train your staff.
- Keep software and systems fully up to date.
- End point protection.
- Install a firewall.
- Back up your data and limit individual access.
The first two steps seem fairly obvious, but many companies do not train their staff on cyber concerns or continuously update their systems. Employees should be your first line of defense, whether recognizing a phishing scheme or noticing abnormal behavior on a device. Keeping your software up to date is a must to patch any vulnerabilities and maintain strong security.
Installing a firewall and end point protection are two added layers of protection for business executives. If you do not have tools or systems to protect your data, you are vulnerable to hackers infiltrating your systems and stealing sensitive information. To minimize the risks of fallout from a cyberattack, backing up your data on secure and encrypted devices as well as limiting individual access to sensitive information will go a long way. While these five steps might seem like a no-brainer, more often than not they are overlooked, which ultimately leads to most of the recent high-profile cyber breaches you read about in the news.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)
This is an interesting question. There isn’t a silver bullet to fix this — there isn’t one thing that is going to solve all the cyber security problems. It’s “Defense in Depth,” having multiple layers of security controls (defense) in place throughout an information technology system. So the “movement” has to be awareness because you cannot ignore it and hope it goes away. As more of our world goes online and we rely on technology more and more, this problem only gets bigger.
How can our readers further follow your work online?
To keep up with my current work, you can follow me on LinkedIn or check out the ADS website and Warrior homepages.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!