Dealer Sign up

Level Up your Cybersecurity Legal Power_ Guest Blair Dawson, Attorney, McDonald Hopkins.

cybersecurity incident response planning Oct 20, 2022

West McDonald: Oh, hey, everybody. Good morning, West McDonald and Kenneth Edmonds here. How are you, buddy?

Ken Edmonds: I am fine. How are you doing?

West McDonald: I'm not doing too badly at all, and I know that you are down in your new location, broadcasting from lovely Florida.

Really nice to see you, Blair. How are you? I'm really well. Good to see you too. Yeah, and thank you very much for joining us today.


Blair Dawson: I am so happy that you engage in this topic. Obviously. I think it's really important, and I think it's important to your audience as.

West McDonald: Yeah, I really do. And the first time, just for our audience, just to give you some background, the first time that Blair and I met was actually. At a COMPTIA event, I actually had the good fortune of watching a panel that Blair was part of, in which a couple of real providers who had experienced some negative effects of, let's say, cyber activity.

And they were sharing what they went through and some of the things that they could have done differently. And one of the top ones obviously was making sure that you had somebody that understands what to do from a legal perspective when you're an encounter, something like that.

And it's funny, Blair, I was actually, before I go any further, I'm gonna let you introduce yourself to our audience, .

Blair Dawson: Sure. Obviously my name's Blair Dawson. I'm with the cyber security and data privacy team at McDonald Hopkins, and we're a full-service law firm. But my practice focuses on cybersecurity and data privacy, which means pre-breach services putting policies in place, incident response plans, and that kind of preparation table tops as well where you do the role-playing to get acquainted with the process.

And then, should a crisis happen, we assist with the incident response itself. We work with companies to navigate that, whether it's a business email compromise or a ransomware event...

West McDonald: Yeah. I love it. And we'll get into some of those topics in more detail. And one of the things now that I've let you introduce yourself that I found fascinating about the panel discussion was that I hadn't really thought much about What to do when dealing with security.

Security is an offering is one thing. We've all been to panels where they talk about the different things we can do to help our customers stay safe. Some loopholes where we can never keep people entirely safe, all that kind of stuff, but never really got into the legal ramifications and some of the other stuff that's involved, which I'll get into before I go any further.

We always start. Where are you watching from? So Blair, you are our guest today. Where are you joining us from?

Blair Dawson: I am in the Chicago area.

West McDonald: Nice. I do love Chicago, and I cannot wait to get back there. And for anyone else watching today, make sure you share with us where you're from.

Greg Walters, I know you're on the call today, so I would love to know which part of the world you're from. And Ken, this is your favorite part. We get people from all over the world, including the United Arab Emirates, the United States, Canada, and Australia.

Ken Edmonds: What about the EU? Because we have several folks that will join us from time to time.

We see Greg is still in Michigan. He hasn't gone back to Oconomowoc, I like that word, so I say it a lot.

West McDonald: Welcome from Michigan, and thanks again for joining in. And, of course, I'm in lovely Canada, right across the border from Buffalo, close to Niagara Falls. And there's a rainy day here. And Ken, where are you from?

Ken Edmonds: I am now in central Florida

West McDonald: That's right. A brand new move. And Sarah Henderson joins us from Des Moines, Iowa. Midwest is the best. Love it. Absolutely. All right, we're going to dive right in. So one of the first things I want to discuss is the concept of a carrier. And I know in some of the talks we've had, you'd said; obviously, that's who you should start with. If something happens, you suffer some incident. So what is a carrier, and why should folks start with those?

Blair Dawson: Yeah, I talk about the carrier relationship a lot. I think it's essential that if an organization if at all possible, can avail themselves of cyber security insurance, they should do that.

The carriers have access to a panel of different vendors, including legal, like my team and me, forensic investigators, data mining companies, and so forth. They're constantly vetting them for performance, and they'll be able to get those pieces in place very quickly, which is probably the most important thing for businesses.

You want to get operational as quickly as possible and be in compliance and make sure you don't miss any deadlines if they're regulatory or in your contracts. So the first call, if you have cyber insurance, is to look to your deck page, look for the notice instructions, and give notice to your carrier.

And they will respond very quickly, it's not a matter of days or weeks; you will get a response very quickly.

West McDonald: Yeah. And I have to think, and you mentioned that if you have a carrier that offers cyber insurance. If you're thinking there's a lot of folks to be watching this, different channels, the office equipment channel that is looking to diversify into additional services. And they may not have ever practiced cyber security, but we offered to their customers. And I think having a carrier should be one of the first considerations they should make.

Oh, absolutely. Because just the risk transfers the cost of having a crisis happen and be, and having the capital available to shoulder that may exhaust an organization's money depending on how deep the situation goes. So it's just good practice to be able to shift the risk just like you would for property crime.

Yeah, and it's funny. Indeed, we have insurance for the rest of our businesses, right? For many other aspects, be it liability or inventory, for any of those things. So this certainly would seem like a no-brainer to me. And are they called anything else, or is it like strictly a carrier?

Blair Dawson: It, just in, in the insurer insurance carrier. You're working with the London market. It'd be syndicates, but yeah, those are the major ones.

West McDonald: And I have to think how important this is, right? Because one of the stats I'll share, I've been working on a blog on this, and one of the stats that I looked up said that folks in the managed IT and MSP space it wasn't the clearest stat in the world, but it said 50% of them or more had some kind of interaction with a cyber incident, right?

So and I'll talk a little bit about that because I'm trying to be careful with my words right now. But they had some kind of interaction, not necessarily that they were hacked or breached or anything else, right? So those odds seem pretty high that something's going to happen, right?

And it has to be a tough job because they have to think that by the time you get busy helping clients, something has happened, right? Obviously, that relationship must start pretty early to ensure you're comfortable with each other when something like that happens.

Blair Dawson: Unfortunately, most of my work comes from referrals of organizations already in crisis.

West McDonald: Oh, wow.

Blair Dawson: Usually, after that, they appreciate and understand the importance of doing the preparation, so then we will, we'll look at doing the pre-breach services, which is a misnomer given that they've been through it, but just in preparation for the next time.

Because it's if you are as secure as you believe that you are, along the lines of the analogy of us being the COs in a prison, the prisoners have 24 7 to try to figure out ways to get around your security. You have other things as a business that you're dealing with. To pretend that you're too small or that obscurity is your security is just not going to work.

It's easy for them to automate their searches for gaps in your security and hit you. I think it's a misnomer that people think that it's going to be these big whales that these threat actors are going after quite often or, quite frankly, smaller. They'll make small payments because it's easier to get it from you.

And they know that you don't have the capability to fight back in a lot of ways. Getting that planning and preparation in place it's good for an ins from an insurance standpoint, and you're a better risk, but also do your team a favor. Having them go through baptism by fire and try to figure this out while in crisis and save the business rather than having a plan in place and practice it puts you at a disadvantage.

West McDonald: Yeah, I like what you say there because it reminds me of the natural world, right? And that wolves as strong as they are, even when they're heading in a. They're not going after the biggest elk in the herd, right? They are looking for stragglers and weak ones that they'll have a better opportunity to take down, right?

If you're in business and, as you said, they will probably assume correctly that some of the smaller to mid-size providers have fewer resources to deal with those things. So yeah. Rest of a payout. But I was reading another stat that these threat actor incidents are increasing by 10 to 15% a quarter.

So it's astounding to think that they're not slowing down, that they're increasing the activity that they're doing. And that has to mean they're spreading a wider net. Not sound alarmist, but this isn't going away.

Blair Dawson: Yeah, I think it's a realistic perspective. I'm. An optimist, but some of that comes with the idea of having your preparation and planning in place, so you come out at the end better than when you first went in if you weren't prepared. I also think something to touch on is that when you're talking about they're not going for the largest elk, it reminded me to mention that some of these are ransom as a service.

So you don't have to be skilled. You buy the software. Hopefully, not you, West, but you go out, buy this software, and run it. And you don't have to be that sophisticated. And in some respects, that's almost worse to deal with an unsophisticated amateur threat actor than somebody that knows what they're doing. They run it as a quote-unquote business because then they're all over the place in negotiating with them can be difficult.

So please don't assume they're going for the big ones.

West McDonald: Yeah. And, I've had conversations with people in the security space, and they've been talking about this as the service stuff. And I can go onto the dark web, and you can get this stuff. Just paying a fee to access the tools and everything you know is as a service now, not just the good guys, but you know the bad guys too, right?

So that indeed spreads out the risk there right Now. One of the other things that I remember us talking about was this idea, You were joking, and in one of the other calls that we had, you said the first person you call, obviously, is your carrier.

Don't call the media, which raises an important question. So if the carrier is first, and then obviously once you're in touch with the carrier and someone like yourself, which specializes in, in the legal side, that there certainly are words to be careful with as we're starting to talk with our customers to try and let them know what's going on, right?

Wh why do we have to be careful with words? Why can't we just say that we've had a ransomware attack or we've been breached? Right out of the gate, why do we have to be cautious?

Blair Dawson: Yeah, I think you're touching on probably the second most important aspect from my perspective: communications, whether with your employees, customers, or regulators.

Breach, for instance, that's a term of ours. It talks about actually compromised sensitive data or PII, personally identifying information that's to natural persons. If you start using language as a company that you've been breached or that you're under a ransom event or something like that, Those are very salacious terms, and you're in the, you're in the embryonic state of trying to figure out what happened.

There have been instances where clients have made statements along those lines, and it turns out that it wasn't that at all. It was. Perhaps a software glitch or something like that. Now they have to clean up that mess. So there, it's walking a line between your business interests of being transparent with your staff and your customers, not undermining trust, and not painting yourself in a corner where you engender more scrutiny, interest, or bad press.

So going out there and making suppositions or guesses about what happened before you have concrete evidence from your forensic investigation team, for instance, can be a terrible move. Because one bad statement or one statement that you think is very carefully crafted but misinterpreted by your audience.

They'll hold you to what they thought you said, and if it changes over time, which it always does, they'll hold you to that. And then question your motives question, your credibility question, your professionalism, and whether you can respond to the incident in a good way.

Ken Edmonds: So I had to kick Wes because I can't get a word otherwise.

Blair Dawson: I wonder what happened to him.

Ken Edmonds: But I wanted to go back to something you said because I am such a big proponent of planning, and so the pre-incident discussions you have with clients, I'm sure you go through. And create a strategy so that if they think something's happened, here are the steps they should go through and try to build out a response so that you don't inadvertently say something you shouldn't have or don't overreact. A part of that has to be employee training.

Blair Dawson: Absolutely. You've touched on so many things there. You're a man after my heart, so if you have an incident response plan, you can plug in the communications, have a template, and you can modify that template.

For the incident itself, tailor it to what occurred and then modify that over time. The training piece is in tandem with that and would be broader than just the incident response team, who would be knowledgeable about the specifics of the incident response plan. The training is vital.

This is just a reminder to folks who don't click on links and give concrete examples of what that looks like. Sometimes they don't understand what the email addresses might look like. So give them examples that an l might be turned into a 1, extra letters might be there.

Talk to your IT department if you just suspect for a second if you have to ask, then you should pause. Yeah, I think the training is absolutely vital. Because especially in the business email compromises; I think every time I consult with a client during the first call, a scoping call, they say they wish they had training in place, and they suspect somebody probably clicked the phishing link.

And, most of the time, that is the case.

West McDonald: Yeah, and I'll share two stories there. One was that I worked at an organization, I won't name the name of the company, but the person that was in charge of accounts payable got an email from the president of the company saying, Hey, just to let you know, Blah, blah, blah.

We need to send this payment. She thought something was fishing, and when she looked at it, sure enough, the email link was almost the same except that it had an extra letter in it, and if you weren't paying attention. So they went as far as to buy that domain. And two years ago, I was really fascinated with some of these new fishing campaigns they're doing, some of which are either text base or voicemail. And I found an online voice generator, which I played around with for about three days to get used to my voice. And then I typed out an entire message, and then I dubbed it over a video of myself where I wasn't speaking.

I was mouthing the words and then afterward said that the entire thing you had just listened to wasn't me speaking. That was computer generated. And it's shocking, right? Like the tools that they have available now to fool us. So

Blair Dawson: Absolutely, social engineering has gotten so sophisticated, and the tools available to everyday people are frightening.

It's fascinating and frightening.

West McDonald: Yes. Now one, one of the things we talked about when we're looking at this incident response planning is, and I remember one of the dealers on the panel had mentioned this, is that they had a hard time getting, they had a plan, but they had a hard time getting to it.

Yeah. Because it was on a computer, it was locked down. So what kind of advice do you have? Make sure you have access to it.

Blair Dawson: Yeah, He had a couple of challenges. One was that it was on an encrypted system, and then secondly, he was the only one who knew about it. The advice is to go old school once you go through the process of getting an incident response plan.

Have it in a binder, and print it out. And sometimes, people have a misconception that these incident response plans are only a thousand pages. The idea is to keep it quick and concise because you have to be mindful that you will look at this in a crisis. So you want to be able to reference it quickly and assimilate the information there.

So you might have a few pages that you're printing off. You'll have the phone tree for all the key people, especially those that are designated roles in the incident. On the plan, you may want your insurance policy copied with that, so you can refer to that, especially to give notice to your carrier at the outset.

Let's see. I think one of the things that, it sounds like a joke, but I'm not joking, is like the key people should have a copy in the trunk of their car. So as they respond, they're not leaving it at their house and they have to go back or they're joining a call from their car.

And because they forgot it, having it on paper is going old school.

West McDonald: Yeah. Hey, Ken, how do you think the office equipment channel feels about that?

Ken Edmonds: They're probably okay with people printing it as an industry. We're not very good about having that. Because to carry along with that, I believe every manager should have a copy of their disaster response team plan somewhere with them at all times.

I asked the question to service managers. What would you do if you drove up and your building burned to the ground? The deer, the headlight look isn't going to work. You have to have a plan, and you need to have it where you can get to it and get started because you have hours to get things started, or you could be out of business.

Blair Dawson: No, that's exactly right. Because of the example that Wes gave, they couldn't recover the plan until halfway through the response to the incident. You're so far behind the eight ball you might be able to pick it up at some point, but you've already done ad hoc band-aid with getting people involved.

I think another challenge if I remember right; he might have also mentioned that it had been so stale at that point, right? With personnel changes, most of the people on the roster weren't even there anymore, let alone familiar with the plan. So that's another challenge.

Once you put it to paper, revisit it at least annually. Maybe more if you have a lot of changes going on in your organization or just a moderate amount of changes because you lose one key person in your incident response plan, it could be vital.

West McDonald: Yeah. And I love this concept. It's kind of like the karate kid. What was it? Wax on, wax off. The more you know that you practice, the better you are at the actual event. So in karate and life, the more we practice. And, I think that's one of the other things that I like to, that you've talked about in the past, was this idea of table-topping it, right?

Like actually going through the scenarios and getting a feel for what it might be like. Heaven forbid that day comes.

Blair Dawson: And that can be, that can be a fun exercise. It's not just dry going through page by page, but you come up with a scenario; maybe there's a CISO on the team or a tech person who understands the business and what might be most harmful and realistic.

And then we, as the legal team, put together a scenario, and you work through that. And it's fascinating to see as thorough as a business might be, once you start going through the practice of it, you identify gaps. One that pops up will be who will sign the pay the checks to our employees if that payroll is locked down. Who's going to pay?

Who's going to have the authority to pay our vendors? First, identify that person. Are they going to be the point person? Are they going to be the CFO? And then what if they're not available? Like having those are key for some businesses, especially in keeping their employees paid. That's really key.

West McDonald: Yeah. And on this idea of gamification, I'm just doing it's not a plug. I just love these guys. It's a gamification of a bunch of different sorts of cyber scenarios that you could encounter. And if you play it as a game and this idea of education, I know that you have shared one with me before.

It was through one of the universities that people could play.

Blair Dawson: yeah. The one that I discovered was through Harvard Education. I'm doing my master's in cyber security through UW.

West McDonald: Oh, wow.

Blair Dawson: And that was one of the, one of the programs, One of the courses had that, So the one that you, you showed just that right now is slicker for sure. The one I had thought was very realistic because it would stress you out. It puts you out there as the new CFO, and you have to go through the simulation, but it's really helpful to get people thinking about aspects of a response they otherwise may not consider.

West McDonald: Yeah. And I think it's funny that we see a lot of ransomware is one of them, right? But there are fishing campaigns and so many other things. Bad actors can go after us, right? So I think that kind of education is probably the kid one, a critical one, right?

Ken, you mention it. I think we've got a good friend in the space. He started doing security services about five years ago, and education is one of his biggest things with his customers. It's just continuous because the threats change regularly.

Ken Edmonds: And, I would say, that's an interesting thought too. Because for people in our space, one of the things they can do after they go through this process themselves is help businesses learn how to do it, offer them the education pieces of service, and help them evaluate their disaster plan.

I talk about it with disaster plans in general. So many businesses do not have a disaster plan. And so it's not only something that you need to have yourself, but it's something that could become a service to your clients. So maybe they don't have security with you. Perhaps they're doing it all in-house. Have they thought about these things?

And so you could run maybe an assessment, your favorite word, but run an assessment of the policies and procedures they have in place. And then help them find ways to improve because that is something that could save one of their customer's businesses for them.

Blair Dawson: I completely agree because I think customers often don't know where to start.

A lot of times, when I have people approach me at conferences, for instance, or at a dinner party, they know that they don't know and don't know enough to formulate the questions. They know they have a clue of what is needed, but if they have somebody to partner with them to walk through some key topic, On where they might have gaps, that starts the conversation, and they can think about quantifying their risks.

And that's part of the process too. Another aspect is doing the risk assessment about what kind of data do you have? Where is your network component? What it is can go as granular as a client might want, but they may need guidance to get them started.

West McDonald: That's great.

And hey, listen, I always like to ask the impossible questions, so I'm going to ask that now just in respect for your time and that of our viewers. Because we typically keep this to about half an hour. But if you had one piece of advice for folks trying to get started down this path, not just to offer security services but to ensure they're protected?

Blair Dawson: Make sure that their clients are protected.

West McDonald: Maybe them and or their clients. Yeah. Yeah.

Blair Dawson: I think the first thing to do is to see if there is any framework in the first place. Has somebody already visited an incident response plan that maybe you're unaware of and then go from there?

Also, maybe going a tangent on that point would be on the preparation; if you have a carrier relationship, you already have a policy with an insurer. They are increasingly providing tools to their insureds to be better risks. So you might want to reach out to them and see what tools are available.

West McDonald: That's great. And I guess the other question is, it's not an impossible question, but how can they find you? Oh,

Blair Dawson:  That is easy. You can find me at I'm also on LinkedIn. Again, my name is Blair Dawson, and I'm with the cyber security and data privacy group.

West McDonald: That's great, and I just did put the website up there, so it's reasonably easy.

McDonald You can get in there and search around for the services. And I know that I did. Let's see if I can bring it up here. You can find Blair right there. I am also on the website, so I cannot thank you enough for joining us today. This topic has become really, I think, important in our space. I have been speaking with other security specialists who have said that the separation between managing a customer's data and securing it now is becoming almost impossible to separate. Agreed. And then this kind of topic will only get more critical as we go forward.

And yes, Greg agrees. Very cool. ,

Blair Dawson: thank you so much for inviting me. This was a lot of fun. I love that you're highlighting this topic.

West McDonald: Yeah, I think it's like I said, it's one of those that we're going to need to dig into more and more as time goes on, especially as technology service providers do and continue to merge and to converge, right?

So for everyone who tuned in today, thank you very much, and we'll see you next time. And don't forget to keep learning and level up.

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Cras sed sapien quam. Sed dapibus est id enim facilisis, at posuere turpis adipiscing. Quisque sit amet dui dui.

Call To Action

Stay connected with news and updates!

Join our mailing list to receive the latest news and updates from our team.
Don't worry, your information will not be shared.

We hate SPAM. We will never sell your information, for any reason.