Full Transcript

George Kamide:
Welcome to the Zero Hour brought to you by SafeGuard Cyber. This is a special episode dedicated to understanding how businesses are coping with the COVID-19 pandemic. Our guests today are Aaron Pritz and Tim Sewell of Reveal Risk, which is a management consultancy out of Indiana that specializes in cyber risk and privacy. Welcome, gentlemen, to the show.
 
Aaron Pritz:
Thanks for having us.
 
Tim Sewell:
Pleasure to be here.

 
George Kamide:
All right. And as ever, I am joined by my colleague Ashley Stone. So thank you for the time. We are recording remotely, as everyone is now working from home. So, you know, things have changed very dramatically and very suddenly. I think since we first met, which is at RSA, and if you can believe it, that was only just a little under a month ago. So let's first check in and just understand how is the Reveal Risk team doing? I assume you are also all remote.
 
Aaron Pritz:
Yeah. Our business really is fairly remote friendly. We do consulting across the U.S. and while we do make client visits, we've gotten really good at being remote facilitators to save on the client travel expenses and also to meet them where they're at wherever that may be in the U.S. or world. So for us, it's a little bit of business as usual. The only difference being our physical office in Indiana or Carmel, Indiana, specifically - right outside of Indianapolis. We usually do a lot of collaboration there onsite when we have the opportunity, but we're taking advantage of all the remote tools that offer some of the same abilities. So it's not too out of the ordinary for us to be remote, but I guess we're also learning as well along with the rest of the world right now as they adjust to the new normal.
 
George Kamide:
Absolutely. And you know I want to sort of retain the seriousness of a pandemic, which is a word that, you know, wasn't in the common parlance until a few weeks ago. But at the same time to keep our sanity, I also want to just ask do you have any lighthearted stories that have come out of this? I would say for myself we have been cycling through various illnesses in the house, fortunately not Coronavirus. But what that means is we are both trying to homeschool a kindergartener and a three year old, if you can believe that, and then both do our work. And I feel like the last two days I have done everything poorly. Disney+ has definitely stepped in a few times while I'm in meetings. So that's sort of how we're coping here and I think everyone at SafeGuard has been good about understanding, you know, demanding 100% productivity in this environment is probably asking a bit much, but I'm curious to know if you guys have any war stories already.
 
Aaron Pritz:
I don't know about war stories. I guess I look sometimes to Twitter for my comic relief and I saw a really great theme about a husband and wife that were forced to work in the same co-located home office, which has probably happened to a lot of us, including myself, and the meme basically alluded to the couple needing to make up a fake coworker so they can have somebody to blame stuff on. So that was an interesting strategy to pass the buck when you don't have anybody to pass it to nearby.
 
George Kamide:
Well, that's right. Tim, how about you? Any war stories so far?
 
Tim Sewell:
Yeah, actually we had an interesting time last night. So my wife stays home full time with the kids anyway, and she is a teacher by training. So having the kids home and having to, you know, teach school for them, she's actually been enjoying most of that. But it's the being on constantly - not having a break with the kids. So we ended up, we just kind of threw in the towel last night. I think we were up till about 2:30, just watching stupid YouTube videos, which I don't think I've done since college. Very therapeutic. But times, they have a-changed, man, for sure.
 
Ashley Stone:
One other fun fact about the SafeGuard team while working remotely is we've gotten a chance to get to know all of our team members' four-legged friends. Many dogs have made their appearances on our webcams.
 
George Kamide:
K-9 cameos in the Zoom meeting.
 
Ashley Stone:
So, you know, we're talking about what our teams are experiencing, but Aaron and Tim, what are your customers most concerned about these days?
 
Aaron Pritz:
Yeah, I can start. This is Aaron, and really I would say that there's different types of client personas, and really, across the US, they are all in very different places. So the easiest example is companies that have invested heavily in remote work prior, or even the flexible work spaces where you don't have defined desks and a lot of the tools have been put in place. So that's some of our clients, and then on the flip side we've got some clients that are more focused on work in the office and they hadn't really made a big push for remote work. So I think they've got the most drastic change and some of the biggest learning curve to overcome as they rush to get laptops and new security setups and things like that to enable safe remote work from home, as well as just rapidly standing up the needs to actually make it technically viable.
 
Tim Sewell:
Yeah. One of our clients in particular, we just had our standing status call with them yesterday, and they still have some folks that are still going into the office because they haven't figured out the remote work stuff yet. So that's certainly a growth opportunity for them and they're learning new ways of working. But it is definitely all across the spectrum; one of our other clients is almost completely virtual already. So we see quite a breadth of reaction to the kind of the new normal here of working remote.
 
George Kamide:
Yeah, I would say with that, and we've talked offline about this a little bit, but with this sudden and rather dramatic shift to these work from home environments and in some cases, as you said people haven't fully transitioned. Given that you have this broad spectrum of clients some who have already transitioned, it sounds like some who are still going into the office trying to figure out how to transition. I'm curious as to what is Reveal Risk's take on the broader operational and security risks to migrating to a fully virtualized environment?
 
Tim Sewell:
Sure, sure. So from an operations perspective you've got two kinds of organizations. You've got organizations that are really comfortable extending trust, and then you've got organizations that struggle to trust their employees to work remotely. So I've seen examples, not one of our clients, but a friend of mine works for a company that, as they've transitioned to more remote work, is requiring employees to log in to a video chat session and just leave it open the whole time they're working. And if it shuts off, they don't get paid.
 
Aaron Pritz:
Wow. Interesting.
 
Tim Sewell:
I mean that just creates a real sense of distrust that they're struggling to be productive both for technical reasons, because it's a lot of bandwidth that they're losing. And then from a workplace culture of, "well, nope, nobody's even looking at this feed. They're just watching to make sure that it's logged in all the time." And then you've got organizations that are of course, much more comfortable with this remote environment where even though you may not see a person for a couple or three days there's trust that the work is getting done because you can see the output.
 
Aaron Pritz:
Yeah. One of the biggest things I worry about from a security standpoint is those organizations that have the hardware such as laptops, and those that are trying to rush to find anything that will work, whether it's, you know, go to a Best Buy or Amazon and get a laptop or, even potentially worse, you know, use your home computer, and here's the way to log into the environment. I think as security practitioners, there's a lot of ways that you can do both of those things in the right way, but they do take some process and time, and time is really not what a lot of companies are afforded with as they try to rush to get out of the red from a nonproductive shutdown standpoint.
So I think one thing that we can't do is just say, "Well, we gotta have everything buttoned up a hundred percent secure, or nobody's going to work." That's not a business reality, but I think teams need to work in parallel. Maybe they would have to cut some corners to get some initial productivity up and running. But I think the risk of just kind of assuming that that's okay and not doubling back to make sure that the environments are hardened and the connection methods are secure is really critical these days. And I do worry a bit about the workforce members kind of defaulting to home tools that they know. For example, social media chat that may or may not even be protected from a data ownership standpoint, as far as what's being typed in there, but also not necessarily secure and - I was talking to an attorney a couple of days ago about records management concerns, where specifically legal holds are required for certain industries under certain litigation. And if people are working in non-visible environments, that can increase some or can cause some legal risk from that perspective. So lots of different, I think, risks to think about. But I think in this crisis, you've got to think about what are the most important things that you need to get right. And then stay with it as you figure out how to dial in the security as the crisis starts to subside.
 
George Kamide:
Indeed, I think an all or nothing approach is not conducive to very agile or emergency planning.
 
Ashley Stone:
Right. And when you talk about those non-visible environments, that also includes things like collaboration tools. If, you know, Microsoft Teams or Slack hadn't been in place before, what are some of the risks you see with teams adopting these tools so quickly so that they can keep business moving forward, but that they need to be aware of? What are those risks?
 
Tim Sewell:
So there are a couple things with those collaboration platforms that jump to mind. First of all is the configuration. When deploying either of those tools, you'll see dozens of different configuration options available. Some of them work at the tenant level, so apply to the entire company. Some of them work on groups, some of them work on individuals. Some of them work on endpoints. If you're rushing to deploy these tools, you're not able to take the time to thoughtfully go through all of these different options and understand how you're configuring your environment. For example, some of these tools allow anybody else in the world that's got that tool to talk to you. So if you don't want that functionality, you can shut it off for yourself. But if you've deployed quickly you probably didn't. And these tools are designed to increase communication, to increase collaboration. And when you're talking about sensitive content or things that need to be protected from unauthorized users, or that need to be retained for intellectual property or regulatory reasons, when you go to that default-open, default-share, on one end, you can actually be giving up your legal protections of that data because you've now made it public, intentionally or not, but you can also inadvertently disclose. And that can be particularly damaging in the case of regulated data, like FERPA student data or health information.
 
George Kamide:
Yes. I think it's going to be particularly challenging for the education institutions that basically were all asked to stand up university-level online learning with three days' notice. I think that the FERPA issue presents a very unique risk. Again, they took up these tools very quickly, but they didn't have time to thoroughly roll out any review, and it's probably easier to miss putting controls in place.
 
Tim Sewell:
Absolutely. My daughter's school is actually a great example of this. They were rapidly going down the path of a particular platform and I actually sent the teacher a text and said, I'm not sure you want to use this platform and gave a couple of reasons. One of them was the privacy component. And so they're not using the platform, but they haven't picked another one. So we're still working through that.
 
George Kamide:
I think we'll also see, and we were just talking about this yesterday internally, we naturally went to the security risks first, but also if you take an entire workforce and you take it out of the office, and this ties back to what you were saying about workplace culture, and you put it online, have you become liable for an environment in case there is cyber bullying or harassment or inappropriate content? There was, for example, a company here where there was a Slack channel in which some staff members were sort of joking about the eventual coronavirus death toll here. And that had to be shut down. But, you know, if you are taking enormous organizations or school systems and you're putting them on Microsoft Teams, for example, where previously you had a bit of a legal shield - I can't control what the students do on Twitter outside of school grounds, but now you have created a digital communications environment. What is your risk exposure there? How do you police that behavior?
 
Tim Sewell:
There's a lot of risk for the organization under those conditions. As soon as it looks like it's a work sanctioned or school sanctioned environment you know the legal precedent is that there is monitoring or there is an ability to control. So again, if you haven't configured the platform properly, and even if you have, you still have to monitor it.
 
George Kamide:
Yes. I mean, the scale is crazy. We have a client, it depends on the day and the activity, but in their Slack environment, we are monitoring anywhere from 30,000 to 70,000 messages a day, depending. So you can just imagine what that's like without any sort of automated process.
 
So Aaron had mentioned looking at risk from a business continuity standpoint, and you may not be able to do all of the things now. What I think is interesting is we have also seen some of our own customers shifting resources in interesting ways. So for example, events budgets are out the window and they have this money and they have to find ways to use it. And so we have a pharmaceutical client that was taking the money that they would normally have to host HCPs to now securing their field force to use WhatsApp, which is something that they hadn't done before. So I just thought that was a very interesting pivot. It's sort of getting a silver lining out of the situation, but I think it's interesting that we may see decisions being made that under normal circumstances an organization couldn't afford, but now they have to make very real revenue-driving decisions. I was wondering if you were seeing any similar lines of thinking among your clients.
 
Aaron Pritz:
Yeah, no, I love the solution that you guys provide in that it does allow you to monitor some of these everyday social tools. I spent some time in the pharma industry and definitely there were use cases where you had to meet the client, whether there was a crisis or not, in the environment of their choice. And it varied by country. Some tools were more secure than others from an end-to-end encryption standpoint. But what we didn't have historically was a way to monitor those channels for legal hold, like I mentioned earlier, but also for malicious behavior, data exfiltration, harassment, you name it. And I think there's also been some, you know, historical confusion on what you mean when you say the word monitor that can obviously stoke some fears of people thinking that this is like the FBI listening into phone calls or something like that.
 
And really, most of the monitoring technology that I see is really preventing external bad things from happening. And in certain cases, insider threat related monitoring, you know, people attempting to steal stuff. But for the most part, I think the push forward in technology and being able to monitor what's going on can allow companies to push a little bit faster in using some of the cool tools that we viewed as off limits prior, or really difficult to get comfortable with the risk. I've historically said from a risk management standpoint, you can do almost anything that you want to in business, as long as you have the right controls and the right ability to measure. So I think as more monitoring tools and more controls start to pop up on some of these really cool tools that are out there, it will allow more and more of the environments to blend and really allow companies to take advantage of the tools that are working for their employees and their customers.
 
George Kamide:
For sure. And it also, for these global organizations, will take a very regional approach, right? So you may be a global organization. Maybe you haven't stopped work in some countries, I doubt that at this point, or maybe you did institute it early, but those communication channels may differ from, for example, Latin America vs Southeast Asia. And then you sort of get this confederation of tools, but I think as long as you agree that the reason you're enabling them is to drive business, those differences can be overcome. It just takes maybe a little bit more thinking.
 
Ashley Stone:
Right, and what's clear from that is that we're able to change and adapt to the new environments that we're working in. You had mentioned that some of your customers have already enabled remote work, so it's not really much of a change for their employees day to day. But for other companies it's new, and in some ways this pandemic has really forced transformational moves that maybe would have been delayed in normal circumstances. So if we're thinking about these companies that are transforming pretty quickly, do you think that there's going to be a "return to normal"?
 
Aaron Pritz:
I think it's a little bit of a mixed answer. I think, you know, digital transformation has been a topic for five, ten years, going back to Blockbuster needing to go digital and not seeing it early enough. I think this is kind of pushing everyone to digital, whether they had a vision for that or not. And I think some of the learnings will be applicable going forward and they'll want to keep some things in steady state, and other things and certain types of businesses may snap back to more of what they looked like before. But I would be surprised if there'd be a single company that wouldn't have had an aha or a cool learning of something that was a positive silver lining through this, that they wouldn't apply to their steady state business.
 
Tim Sewell:
There's an old proverb that I really like for this kind of a situation. It's "no man crosses the same stream twice," because the second time he comes around the man is different and the stream is different. And I think that's the situation we're going to find ourselves in with these new ways of working that we're discovering as part of this pandemic. I don't think you can put the genie back in the bottle. Once a function can be done remotely, why does it have to come back into the office?
 
George Kamide:
Yeah, I think that poses a real question for commercial real estate, so sorry, guys. But certainly for a lot of those long-haul commuters, the folks coming into metropolitan centers from way out, if after three months of not being in an office they're just as effective and they're hitting their KPIs, it's going to be pretty hard to say, like, "Well, things are back to normal, get back on the train, ride in for an hour."
 
Aaron Pritz:
Well, I don't know, if you've been cooped up in a single house for a month or two, you might be racing to make that commute again.
 
George Kamide:
That's true. That's true. But also, to Aaron's point, if you've taken these regional field forces or whoever and said, like, you know what, yes, we have found a way for you to use WhatsApp, that is definitely a genie that's not going to go back in the bottle. Because, you know, everyone will always navigate and migrate toward the communication channels that are the most efficient. To give them WhatsApp officially and then take it back would be kind of a step backward for business.
 
Tim Sewell:
I think there's a generational component to that as well. You've got a lot of folks in the workforce that are used to doing business face to face who are now being forced to adapt. And you've got a lot of folks in the workforce that are very comfortable with this digital environment. So both learn the advantages. I've heard some, I hate to use the term millennial, but I've heard some millennials talk about how much they miss being in the office. And they never expected that they would, because they felt so comfortable with the digital side of collaboration. At the same time, you've got folks that are more traditional, you know, boomers, gen X-ers, who grew up with more of this "face-to-face is how work gets done." They're learning the value of being able to work digitally. So I think both sides of the story are learning things about each other's work style that are going to be long-term impacts here as well.
 
George Kamide:
Yeah, that's interesting also because my armchair analysis would be maybe the millennials and the gen Z-ers feel more comfortable doing the work in a digital space, you know, chatting somebody when they need something. But from a professional development standpoint, if you had your supervisor or a mentor or someone that you could physically walk over to and you had, like, a one-to-one or something, that's probably where that face to face was much more valuable.
 
Aaron Pritz:
Yeah. I stole an idea from my wife. Several of the groups that she participates in - her small group at church, as well as a business related group - started doing virtual happy hours this week. They still needed and crave that social connection, which is often softened by a nice smooth cocktail. But also they knew that they couldn't do that today. So what they have been doing, that I'm going to steal, is doing like a Zoom or Teams meeting where everyone's on video mixing cocktails and having a chat. It really brings a little bit of the social. You can see more cues of how people are reacting versus just a phone call, where you don't really know how somebody is reacting or can't really drive the empathy that you could in person.
 
George Kamide:
Yeah. That is also a good point. Ashley and I have been a part of SafeGuard's transition here, which also includes an all hands, and typically, you know, one or two people had the video on. And most of these calls used to be dial-in because we were physically together in the office, but now it's required to turn the video on. And in some ways I feel closer to people in the company than when we worked physically, because now I can see the entire company at once. Cool. Also, speaking of memes, yesterday on Twitter I saw one that said "your work at home wine tour," which was like an architectural rendering of a house, like a blueprint. And it just had a little wine glass in each room. So that'd be a different sort of company get together. Well, I think that's all the time that we have for today. Aaron and Tim, I want to thank you very much for taking the time out of your probably very busy work at home schedules. And thanks for lending your expertise.
 
Aaron Pritz:
Thanks.
 
Tim Sewell:
Thanks.