Stuart Lerner of Segal: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity
An Interview With Jason Remillard
Purchase cyber liability insurance, it will help limit your cost exposure and mitigate your risk.
Encrypt everything so that in the event your data is stolen, it can’t be read. While somebody may have accessed your data, if they can’t read it, your exposure will be limited.
Perform regular phishing tests of your staff. Since users are the weakest link in the information security chain, phishing tests are extremely important. Train users on to how to identify phishing emails and what to do and not to do after receiving a phishing email.
As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Stuart Lerner, Senior Vice President, Administration and Technology Consulting Practice Leader, based out of the New York office of Segal, the employee benefits consulting firm.
He focuses on cybersecurity strategy, business process analysis and redesign, systems implementation management, creating operational efficiencies and IT assessments. Stuart received a BBA in Finance from Hofstra University and an MBA in Finance from Long Island University. He has completed the Dale Carnegie Leadership Training Program and is a member of the Association for Work Process Improvement. Stuart is a key member of Segal’s IT Steering Committee and serves on Segal’s Board of Directors.
Our readers would like to get to know you. Can you tell us a bit about how you grew up? Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I am a native New Yorker: born in Manhattan, moved to Queens and then Long Island where I still live today with my wife, two daughters and two dogs. My father was the comptroller for one of the largest unions in New York City and always told my older sister and me how important union labor is to our country. My parents always stressed the importance of having a strong work ethic, leading by example, respecting others and being humble.
Starting at the age of 13, I held numerous jobs from building pools and landscaping to valet parking cars, caddying at a local country club, working at a local appliance store and even assembling screwdrivers at a manufacturing plant. I played many sports growing up and learned the importance of teamwork at an early age. Through college athletics and working part-time, I learned a great deal about leadership, commitment. discipline and accountability from coaches, teammates and coworkers. The attributes and characteristics I learned then are still applicable today in both my personal and professional life.
I have been working at Segal for over 23 years and leading their Administration and Technology Consulting Practice for the last 18. One of our main areas of focus is working with clients that administer employee benefits. Financial security and health are two of the most important benefits today. Bad actors are especially looking for that type of data so they can exploit it. We help organizations avoid that scenario. No one wants to get a call from the FBI about a cyber breach for their company’s health plan or retirement fund, so we provide a variety of services to our clients such as cybersecurity risk assessments and we also assist clients with next steps in if a data security breach takes place. While cybersecurity was not a career I set out to pursue, my involvement in this field evolved organically over time because this is so important to today’s organizations, due to the nature of the sensitive information they collect and maintain. I take great pride in helping our clients service their customers and participants. Every day I get excited about helping organizations protect their data.
Can you share the most interesting story that happened to you since you began this fascinating career?
Cyber criminals are becoming more creative and advanced each day. The most interesting story actually took place while I was on site at a client. I was in the midst of talking to the CIO about their IT staffing. While we were sitting in the CIO’s office, we received a call from an entity related to that client stating that data was being stolen from both of these entities in real-time. They could not tell us much more since there was an ongoing law enforcement investigation taking place. We got to work and with the little information we were provided we were able to quickly track the leak and shut it down. They say timing in life is everything–that was certainly true in this case!
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I learn something from the people on my team every day, whether they report to me or I report to them. I feel that the values that have been instilled in me at a young age as well as the coaches I have interacted with through sports have contributed to who and what I am today.
That said, there was one person I reported to who provided great advice and wisdom around building and leading teams that I have tried to follow throughout my career. Their advice was to surround myself with responsible, hard-working and ethical people and let them do their jobs, be there for them when they need you and guide them to the answer — don’t give them the answer. Don’t be afraid to hire people who are “smarter” than you, lead by example and listen more and talk less. They also said employees are more dedicated to the person they report to than the company they work for. Many leaders have a hard time recognizing those things, including me at earlier stages of my career.
I had one athletic coach during college that said something that didn’t hit home with me until I started managing people. After a game, one player told the coach that it wasn’t fair that he was treating one player on the team “differently” than the others. The coach simply agreed that he was treating one player differently. Several years later, after I started my first real job out of college, I ran into that coach and I brought up that event. He said all people are different and should be treated differently. Each person is unique and motivated by something different and good leaders find what motivates each individual. You have to treat people differently in order to achieve the results you desire. They all must be rowing in the same direction, but how you get them to row is up to you.
Are you working on any exciting new projects now? How do you think that will help people?
Our team is currently working on several exciting projects. We are assisting one client with building an entire new data center and have been engaged by another client to implement a new, secure, cloud-computing environment. In both of these cases we are addressing privacy and security compliance as it is being built, instead of after the fact.
Additionally, we have taken steps to make the cybersecurity training we provide to clients more interesting for the “regular” user. Since users are usually the weakest link when it comes to security, we need them to be focused when being educated on this incredibly important topic. We have found that it helps keep users more engaged and focused during the training when we convey real-life examples as to what happens when a cyber incident occurs.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
While “burn out” has always been an issue for people, COVID-19 took this to an entirely new level. When everyone is working remotely, it is more challenging to “escape” work. Parents are coping with children learning remotely who need help during the day. People are now sharing a work environment with their family or roommates. Instead of talking to your co-worker or customer face-to-face, you are now spending endless hours in virtual meetings. People are forced to learn new technologies in order to perform a function they have been doing the same way for 20 years and in many cases, people have been asked to completely transform the way they do business. Then add racial unrest, hurricanes, fires and a highly-charged political environment, all of which increase uncertainty about the future and contribute to increased stress levels and burn out.
The responsibility of avoiding burn out not only rests with the employee but with the employer, their leadership and managers. My company’s leadership, especially HR, has been great about working with managers and employees on this front. We have been encouraging people to take vacation, even though people have found it hard to go anywhere. We have been offering flexible work arrangements so that people can work around scheduling challenges. We have been communicating our well-being program as well as our EAP offerings, encouraging employees to take advantage of the programs already offered by the company.
Managers need to be more empathic towards employees during tough times to help reduce stress and burn out. If you feel that somebody on your team is stressed, reach out to them, engage them in conversation and see what is going on. If a high-performer isn’t meeting their normal performance metrics, that may be a sign that they are having personal challenges. Look for signs that people are struggling and then help them address it. I know that many managers may not be comfortable having these conversations with employees because much of this is may be new to them. Companies should be training managers how to have these conversations with their staff as well.
It is essential for people to schedule some time out of their day to take a break. Step away from the work environment. Go for a walk, run, go exercise or just sit outside and have a “socially distanced” lunch with your neighbor.
Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain (do you have an anecdote to share)?
What is most exciting in the industry right now is that most people are finally starting to take cybersecurity seriously. With all of the phishing and ransomware attacks, people are now really “getting it”. Cybersecurity involves a huge criminal enterprise that requires significant focus from companies and C-suite level leadership in order to protect their organization. It is now on everyone’s radar which has put the industry into focus. In many companies, cybersecurity has been elevated to the Board level. A year ago we had talked to the IT decision maker at a client about performing a cybersecurity risk assessment. The IT person tried to get approval from the COO to perform the assessment and the COO said absolutely not. Less than 10 months later, we received a call from the COO asking if we could come in and perform the assessment.
Secondly, I am extremely excited about our ability to help people and companies. People are now seeing the value and importance we bring to the table and are much more appreciative of our assistance.
Lastly, the impact that Artificial Intelligence (AI) will have on the future of the industry is also exciting. Since there are so many ways that systems can be compromised today, AI will play a major role in detecting potential threats. With the use of AI it will allow systems and people to detect issues sooner and will also enable an automated response to these incidents.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
There are many threats on the horizon, some we know about and others are likely in development. Part of what I do is to force myself to think like a cyber criminal. One threat on the rise is the use of realistic fake identities. Hackers are creating automated profiles that include fake videos, pictures, activities, friends and simulate years of an online presence to then execute a significant one-time fraud activity before deleting the fake identity and then moving on. Also, with the rise of the connected home, the Internet of Things (IoT), there are a significantly greater number of new points of entry into the work environment that these criminals can take advantage of unfortunately.
Additionally, as we have seen with so many organizations, just as firms get better at improving their security, the cyber criminals will look for other avenues, and offering insiders money to help the criminals is a scary thing to have to think about as a company. It is also within the realm of possibility to imagine internal activists becoming significantly greater security threats as political polarization increases across our society. Organizations or corporate leaders who publicly tout one political party or cause, may feel the wrath of disagreeing employees through vengeful leaks of sensitive data. It is a no-win situation for organizations as activists may attempt to punish an organization if it does not support their cause or agenda.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
We are in the process now of assisting a client that was completely unprepared for an attack. This organization had no plan and no cybersecurity insurance. This ransomware attack is so recent that we still don’t know what data, if any, has been taken. That said, we did help the client select and secure the necessary forensic firm to conduct the actual investigation. We are helping them with the recovery process as well as helping them strengthen their cybersecurity footprint going forward. The biggest takeaway from this situation is that without a plan or cyber insurance, it’s hard to know what to do in an attack. If they had developed an incident response plan, they would have been able to act more quickly. If they would have had cyber coverage, their carrier would have immediately provided a resource to help with the forensic investigation. The takeaway: be prepared because the chances of this happening to you is high.
My favorite stories are the ones where we help end attacks in progress. Stopping an attack while it is happening is key to limiting the actual damage. Most damage is caused by perpetrators that are inside of a company’s network for days or sometimes months.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
The bulk of our work is around performing risk assessments and helping clients mitigate risks on their network. Nessus Pro is considered the industry standard when it comes to performing internal and external scans. It automates assessments to help quickly identify and fix vulnerabilities, including software flaws, missing patches, malware, and misconfigurations, across a variety of operating systems, devices and applications. When it comes to internal penetration testing, Metasploit is a commonly utilized tool. The Metasploit Framework is a suite of tools that is utilized to test security vulnerabilities, enumerate networks, execute attacks, and evade detection. In addition, the National Institute of Standards and Technology (NIST) guidelines are used to outline best practices for operating a secure network. Also, if you’re on Microsoft 365, by looking at your Microsoft Secure Score you will get some visibility, insights, and guidance to maximize your security. But having a risk assessment team take a deep dive is going to pay off in dividends.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Those are all really good questions and common challenges for smaller companies and companies with smaller IT teams. The good news is, we work with clients of all sizes, including smaller organizations. Most of these questions really tie back to the question — what level of risk is an organization willing to take on? The easiest approach is to identify the potential cost and likelihood of an incident occurring and make a return-on-investment decision. Cybersecurity insurance is a wise choice for organizations because the cost to recover from incidents can potentially put them out of business.
An important note is that organizations are measured against other peers of similar size when the lawsuits appear after an incident occurs. The courts and regulatory agencies don’t expect small organizations to have the same resources as large federal departments so they do take that into consideration. Though even for small organizations, it costs almost nothing to do the basics of cybersecurity protection, such as training employees, installing antivirus software, backing up data, and encrypting workstations.
Organizations should also offload expertise and risk to the large cloud providers. In addition, if a company doesn’t have significant IT resources internally, they should contract with a technology advisor to provide guidance in this area. It’s also important to consider the industry your company is operating in as there may be more regulatory challenges depending on the industry such as HIPAA regulations.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
If you are missing expected emails, getting reports from contacts about strange messages received from within your organization or seeing more phishing emails in your inbox, something may be amiss. In that case, alert your IT department or managed service provider immediately. In addition, a slow computer, slow network or if things just stop working all together would also be signals that something isn’t right.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
You should start by following the steps that are outlined in your breach response plan. If you don’t have a plan, you should develop one now, before a cyber event takes place. In the absence of a plan, you should do the following: Shut down any system that has been compromised. If you are not sure which ones have been compromised, then shut all of them down. Then contact your cyber liability insurance provider as they will provide assistance. You should also make sure that your in-house or external legal counsel is aware of the incident. You would then need to work with your breach counselor and have qualified outside professionals begin an investigation.
Be sure to record all of the actions that you have taken in the event that this information is needed for future exercises or for any potential legal action. Once the investigation is complete you can begin remediation. Depending on the nature of the breach, you may need to start notifying regulatory agencies and customers.
How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA GDPR and other related laws affected your business? How do you think they might affect business in general?
These regulations have not really impacted our business as all of our clients are in the U.S. and most are smaller than the ones typically impacted by CCPA. Should CCPA impact smaller clients in the future, we would work with our compliance team to educate those clients to help them prepare and perform assessments.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The first one is denial. People think that they will never be attacked. Nowadays, everyone should act as if they are a target of cyber criminals. In addition, company leadership needs to understand how damaging and costly a cyberattack can be — both monetarily as well as the cost of reputational risk. Many organizations do not perform regular simulated phishing tests of employees and they don’t have an incident response plan in place. The organizations that have a plan in place usually don’t test the plan often enough or update the plan. In addition, there are still many companies that don’t have cyber insurance. From a more technical perspective, we still see organizations that are not encrypting their data, not patching their systems or failing to keep their endpoint protection up-to-date. Some companies think that because they have a firewall, they don’t have to secure their internal networks. Criminals have proven that assumption wrong.
Since the COVID-1919 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
We have seen an uptick in both the number of cybersecurity events as well as an increase in cybersecurity awareness by our clients. A recent Crowdstrike report showed that there were more cybersecurity incidents in the first half of 2020 than in all of 2019. With regard to the cybersecurity events, we believe that cyber criminals have gotten more aggressive during the pandemic and are trying to exploit increased vulnerabilities of more people working remotely. Our team has been quite busy helping clients address this issue. In addition, our Segal Select cyber insurance team has seen an increase in cyber breach claims filed The good news is we have also seen clients being more aware and vigilant than they were before COVID-19 and are more cognizant about privacy and security issues than they were when all staff were in their offices.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
If a cybersecurity attack hasn’t succeeded against your business yet, the chances are high that one will eventually succeed. Cyber criminals are hard at work picking new targets. They don’t discriminate against just one type of organization. All entities regardless of size, industry, and geographic location are fair game for these criminals.
1) Establish a security program. At a minimum this program should include: aligning your program with your organization’s business objectives, implementing security policies and procedures, developing a security risk management program and a security awareness program. Smart organizations are also developing metrics to measure the success of their program, creating an Incident Response Plan, training staff, and periodically testing the plan. It also helps to continuously monitor your infrastructure and review your plan at least annually. And put controls in place that that log access to confidential data. Be sure to also keep security patches up to date because without patching, your cyber risk exposure increases significantly.
2) Purchase cyber liability insurance, it will help limit your cost exposure and mitigate your risk.
3) Encrypt everything so that in the event your data is stolen, it can’t be read. While somebody may have accessed your data, if they can’t read it, your exposure will be limited.
4) Have security risk assessments performed on a regular basis. These assessments should include penetration testing. And follow audit trails to help accomplish several security-related objectives including individual accountability, reconstruction of events, intrusion detection, and problem analysis. After the assessment, make sure that you take action on the findings to remediate any items identified in the assessment. We have been brought in to advise entities where they were vulnerable after having a cyber event, and have seen their prior assessment reports. It was clear they never remediated the issues from prior reports and criminals kept taking advantage of that weakness.
5) Perform regular phishing tests of your staff. Since users are the weakest link in the information security chain, phishing tests are extremely important. Train users on to how to identify phishing emails and what to do and not to do after receiving a phishing email.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)
Given the events of the world today, I would inspire everyone to have more courage. All of us have been impacted in some way by recent events and many have been impacted for the worse. Courage can give people the ability to overcome fears that they may be feeling. Many people fear the uncertainty that the future holds. Many people are feeling helpless and hopeless. People are generally fearful and frightened when they are not in control of a situation and the outcome is in doubt. People have lost their jobs or have had their businesses close. People have lost close friends, relatives and co-workers. People have been isolated and alone for significant amounts of time. To all of these people, I would inspire them to have the courage, the strength and will to overcome what has impacted them.
If you lost your job, have the courage to learn a new skill. Have the courage to go on social media and network with people that you may not know. If the business you owned closed, have the courage to go work for somebody else. If you feel that your situation is hopeless, have the courage to overcome those feelings and regain the hope that things will change for the better in the future. If you have lost somebody close to you, honor your loved one by finding the strength to overcome your grief and move forward. Look at all of the frontline workers for inspiration and find the courage to step out of your comfort zone.
For those less directly impacted by the world events taking place, find the courage to help others. Find the courage to reach out to somebody who lost their job and introduce them to a new opportunity. Encourage others who may be down or facing immense challenges to get back up and move forward. Have the courage to instill confidence in somebody that may be feeling despondent. If you are fortunate enough to have your job, find the courage to donate money, time or resources to others or a cause that will ultimately help others.
Courage doesn’t mean that you aren’t afraid, courage means you won’t let the fear you are feeling stop you from doing something great.
How can our readers further follow your work online?
I am a big fan of connecting with people on LinkedIn: https://www.linkedin.com/in/stuartlerner/
People can also look at our company website for additional information — and check out a short security article about third-party cyber risk on Segal’s site. I enjoyed speaking with you about the cyber issues everyone is facing right now and look forward to partnering with your audience to fight the good fight.
About the Interviewer: Jason Remillard is the CEO of Data443 Risk Mitigation, Inc. (Publicly Traded as Symbol: ATDS). Data443 is a leading Data Privacy and Security company with over 40,000 customers worldwide.
Formerly of Deutsche Bank, TD Bank, RBC Bank, IBM, Dell/Quest Software, TUCOWS and others, Jason has been in information and data security for over 30 years with customers in virtually every country in the world.
Trusted to deliver — All Things Data Security — he is leading the charge in bringing data privacy as affordable, deployable and realistic solutions that every business owner can take advantage of.
