As a part of my series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Heather Stratford, MBA, founder and CEO of Stronger International, Inc. a global cybersecurity firm focused on education and consulting. Heather is a thought leader in the cybersecurity field, keynoting at conferences and universities, and is a champion for attracting more women into technology and cybersecurity. Heather has spoken and written for the U.S. Department of Commerce, Goldman Sachs, Morgan Stanley and the 2018 G7 summit, to name a few. Heather is a national Tory Burch Foundation Fellow, alumni of the Goldman Sachs 10,000 small businesses program, and the recipient of the Women in Business Leadership Award from Whitworth University.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I was born and raised in upstate New York and was the youngest of 6 kids in a combined marriage. I spent a lot of time outdoors on a lake in the Adirondacks called Lake George. I was also very focused on school and sports — I took honors and AP classes as well as played volleyball and ran indoor and outdoor track in high school. My family was active in their religion and I attended early morning classes on religion before high school each day.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I remember getting my first computer, a Texas Instrument — TI/99 4A. I was so excited to start coding and using the computer. Since most of my siblings were older and out of the house, my parents asked me if I wanted to go to two summer camps at the University. I chose volleyball and computer camp.
At the computer camp, there were lots of kids — all boys except for 2 girls. It was hard to be a girl that was into technology. By college, I was only taking software classes and not computer science. But in my first job out of college, I was on a computer 8 hours a day running a production department for a publishing house. Over my career, I kept landing in new fields with new technology and new problems to solve. I always saw technology as how to make things more efficient and better.
I fell into cybersecurity because with technology solutions also comes risks and responsibilities. And I wanted to help people understand the technology but use it in a way that was safe and didn’t compromise the organization. My unique story about how I landed in cybersecurity was because of a long history of different jobs and industries that showed me the benefits and pitfalls of technology, and I wanted to help solve some of the inherent risks that I kept seeing. It was not a direct path into cybersecurity.
Can you share the most interesting story that happened to you since you began this fascinating career?
The most interesting story might be my winning the National Tory Burch fellowship. I was unaware of the foundation and the fellowship. A business advisor made the comment that I should be a Tory Burch fellow, and I investigated. It was very close to that year’s deadline, but in a few days I put together an application. I was awarded one of the 2019 fellowships and am still involved with the organization. It is a great community of female entrepreneurs in different industries growing, learning, and changing their corner of the world. There needs to be more support for female entrepreneurs on how to start and grow a successful business.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I know it’s a typical answer but my parents are a large part of who I am. My father was a veteran of WWII and his values and focus on God, family, and country gave me a very solid background. But he was a lifer at General Electric and was very proud of me as I ventured into the entrepreneurial world and started to shape my own future — something very different than his path.
My mother showed me that helping has no limits. You help and volunteer wherever and whenever you can. When you see a problem, you were given talents to help solve it. So it’s your responsibility to do that. One story in particular was around building a covered dock at our lake cabin. We did all the work ourselves. We had to carefully float and drag lumber to the dock area, organize supplies in a limited space, watch the weather and timing because it was late fall. We had to lift and nail, support and brace, shingle and cover. It was a large project we did in a few days.
What I reflect upon is that I was an integral part of the team. I did as much work on the project as my older brothers did. My dad never saw me as a “girl” that could do “girl” things. He saw me as capable and I stepped up to the role. I have carried that attitude and philosophy into my career. I didn’t think I should be held back because of my age, or gender. I thought if I worked hard and learned the material that I could do it. I learned that from my father — ironically a man from a much older generation.
Are you working on any exciting new projects now? How do you think that will help people?
Stronger International has developed a new MicroLearning platform that is changing the cyber education landscape. It is a new way to help train employees in cybersecurity that creates behavior change. It’s an exciting new project that has several large enterprise supporters and will be a disrupter in the industry. Behavior change in cyber is one of the number one problems to solve in the industry. Together, I believe we are creating the tools that will help make this change possible.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Understanding the difference between want and need. There are things that need to be done and things that should be done. Balance your home, physical, and work life. Being centered is critical to being sharp and able to handle many situations. Cybersecurity is an ever-changing and highly stressful field. Balance is key.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
1. Cybersecurity is never boring. It’s not a field that once you learn a few things you’re done. The field is moving very quickly and is full of new developments and changes. That’s exciting.
2. Cybersecurity is needed. I believe there’s a war between the good and the bad. That we have a responsibility to help protect and defend people, businesses, and government from people who would steal, lie, and commit fraud.
3. Cybersecurity has opportunity. The field is still in its infancy and that gives space for new ideas and ways of doing things.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Having our lives and businesses focused and run by technology is both a blessing and a curse. Our electrical and energy grid is the lifeblood to almost every business there is. And all those businesses use technology to manage employees and produce products and services. Without both energy and technology, business and government would not continue as we know it. The number one area that businesses need to prepare for is having a 72-hour incident response plan and backup system to make sure that with disruption the core services of the business can continue. I plead with people to take cyber seriously — it’s not a matter of if, it’s a matter of when. And whether your team and organization are prepared enough to combat the threat.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
We worked with a regional health district on educating their employees through onsite education as well as periodic continual training. The district had a significant attack on an administrator of their organization. This director was spear phished and the attack almost succeeded. The attack was prevented through a mandatory dual factor authentication process for this particular high-level person. The near miss avoided significant HIPAA and state and federal fines and regulations.
A few extra steps and minutes can be the difference between a normal day and a day that defines the organization for several years. The person later stood up in an onsite training and explained the near miss through their eyes. It was a sobering tale that could have happened to anyone. The IT team of that organization started using stories of employees to help humanize the situation and make the topic less taboo to discuss. The main takeaways included:
1. Dual Factor authentication is important and here to stay
2. Education of employees is key to security
3. All employees on every level of the organization need to be trained
4. Humanizing cybersecurity can be an effective tool for instructing
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
My team consults with organizations on cybersecurity and we use lots of industry tools from penetration testing tools to policy reviews to help reinforce and strengthen an organization’s security posture. Most of these tools are very specific and have cool names like Nikto, Catfish, Aircrack-ng and Metasploit. For our security monitoring services we use a compilation of software and most have been internally developed or modified.
On a personal note, I use several basic tools to help keep my life and businesses secure. I use a well-known password manager called LastPass. They are one of the original and largest password managers. I believe this is a key part of security and is very helpful if used regularly. All employees have LastPass and we have the ability to manage thousands of secure passwords.
I also use a VPN which is specific to our company. Before travel restrictions and the Covid-19 Pandemic I used to travel more. Today I am often working from home or out of my main office. I make sure I use a VPN to encrypt the communication I am sending when outside the company headquarters. VPNs are an important part of basic business security. The company uses a private WiFi provider that has more security features and puts my team on a different bandwidth than most business accounts.
We also secure our emails with DomainKeys Identified Mail, commonly called DKIM. This is a technical standard that helps protect email senders and recipients from spam, spoofing and phishing attacks. I also make sure that my remote employees have tight WiFi security.
We have written security policies for remote work, personal device usage and caring for personal and client information. There is a coding system for what information is deemed more sensitive and most have additional security. Our corporate offices are in a perpetual state of lock-down. Physical security is part of cybersecurity. The front door is always locked and an appointment is required for people to enter the offices and be escorted at all times.
If documents are printed we have a shredding process for paper within the office. No flash drives or external hard drives leave the offices. All computers are password protected, have auto locking and have regular backups. We use a popular cloud solution called Carbonite to run backups on all computer documents. My personal computer is set to back up every 15 minutes.
We also have backups and redundancy on all shared files and our common work documents through large platforms like Google and AWS. We spend time regularly educating and helping all employees know what is expected and how to be more secure. Education and consistency are the key to security.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Cybersecurity is becoming more and more of a specialty. It is hard to find and retain a full team to run cybersecurity on a full-time basis. Using a hybrid model is the new trend. Having one or two people that are internal and focused on security and employing an externally monitored firewall, or outsourcing the 24/7 monitoring. Using an outsourced specialty firm is the best of both worlds. Unless the organization is very large, it’s difficult to have the right expertise internally.
My philosophy is that you have to get a sense of where you are, have a game plan and then move in the right direction. Paying for an external vulnerability or risk assessment is a great way to start. These services will assess what is being done, how well it is working and give you a roadmap to reducing the risk and fixing the gaps that have not likely been addressed. The organization needs to have a certain number of employees or size to warrant a CISO position. And good CISOs are hard to hire because there is a lack of senior qualified people for the role. Using outsourced help is a good way to strengthen the internal security. Vet the partners well and make the decision slowly over time. Start with one service and see if they are a good fit for your organization. Ideally you will find a long-term partner that can be trusted and will be there for the quiet days of mundane monitoring and resets and the chaotic days of potential breach containment.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
There are several ways that an organization can see clues that there has been or there is currently an active breach. One is to note that a system within the network has repeated system failure or applications crashing. Two, configuration changes that cannot be traced back to any person or specific approval — especially on the firewall or regularly scheduled tasks. Three, high levels of activity on the network when most applications are idle. If there is a shift or spike that is not normal, investigate it. Four, unexpected user account lockouts that might require password or assigned group changes.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
The number one thing is to get help as soon as possible. A company that has recently had a breach is statistically much more likely to have a second breach. The issues that created the first incident might not have been remedied and attackers know that. Take action with a valued partner to get more monitoring and remediate the issue. Make sure the breach was contained and fully remediated so it cannot recur or persist with a continued attack.
The organization’s 72-hour incident response plan should go into effect. This will tell each team member what needs to happen. The problem is most organizations either don’t have a 72-hour incident response plan or they have one that was written years ago and is boilerplate. It is only as good as the time and detail put into it. An ounce of prevention goes a long way.
Stronger International is very aware and teaches other companies about these new and evolving privacy regulations. Our goal is to help empower organizations with knowledge and resources to both be compliant but also understand the security postures behind the rules and run a more secure organization.
But the real question is how the new privacy laws are affecting businesses. Businesses are trying to figure out what applies to them and what does not. They are also having to reorganize their systems and the way they treat data. We work with a lot of organizations that are large, decentralized, and have many legacy systems, like higher education. They are a good example of a common problem: not knowing where and what data they have.
With the complexity of interconnected networks, personal information is hard to trace and track if your system was not designed to track this information in the first place. There are a lot of projects currently in process to better tag and identify where and what information is being kept. And if that data is not essential to the business then why is the organization keeping that information. There was a time when all information was kept because there might be a “use” for it in the future. Now management is understanding that keeping data involves both responsibility and risk. The privacy regulations are putting defined rules around that risk and responsibility that each company then can weigh.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The biggest mistake is to assume that what worked five or ten years ago is still going to work today. Ignorance, complacency, and underestimating the real issues and risk are all huge common factors. It’s not a matter of if you will be breached, it is a matter of when and whether you are ready to contain and mitigate.
Since the COVID-19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Since the world changing events of Covid-19, we have seen dramatic shifts in cybersecurity. Attacks are shifting and cyber defenders are trying to adapt their defenses to meet the new needs. Having a majority of workforces remoting into offices is a dramatic shift for many organizations. This has opened holes in security perimeters and increased the need for better cyber education of workers.
Privacy has taken a back seat to the practical daily routine and what people are demanding in terms of functionality. Privacy is becoming a large issue and will become a hot topic of conversation in 2021 as the Covid-19 pandemic becomes more controlled. The largest increases in phishing were in health-related information spoofs and attacks. It’s sad that when tragedy strikes, opportunists will exploit those new vulnerabilities.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
5 Things every company needs to know to tighten up its approach to Data Privacy and Cybersecurity:
1. People can be the strongest part of the defense.
Generally, the cliché says that “people are the weakest link” — but I don’t believe that has to be true. Train them well, empower them with skills, encourage positive behaviors, and invest in continued growth and people will become your strongest defense — even if “people” is just you.
Our company consults with a wide variety of clients. One Regional Newspaper and media company had a near miss attack. The company was owned by a family for generations. One of the family members with senior access was spear-phished and a request for money to be sent to a new bank and location was approved. After the person approved the transfer and went on with their day, they had an unsettling feeling. Something didn’t seem right. He picked up the phone and called the IT department and explained the situation. The IT team immediately investigated and determined that it was indeed a fraud attempt. The bank was called and the transfer was in process. The bank immediately put a stop on the transfer and was able to pull back the money. They later said it was within 60 minutes of being completely gone. The amount of money was in the 6 digit range. Potentially crippling for this organization.
What really matters is that education of all employees including senior leadership is critical. And having an organization that will not be demeaning and punitive about reporting suspicion is key. The news is full of large breaches that are reported because of mandated reporting regulations. What is not reported is the dozens of near misses that are caught right before the breach is successful. That’s why cybersecurity teams are in a burn-out stage. There are a lot of near misses.
2. Physical environment, WiFi, and VPNs are the new priority.
Physical security within an office or manufacturing building was standard for most organizations. What has changed is that more people are removing both electronic and hard copies of files from the physical premises. People are working from home, using home devices, and home computers. Working off of home WiFi and home routers. Most employees are working under less than ideal home security situations. Kids are on the same network doing remote schoolwork. People are carrying laptops in cars more than ever. Employees are working in halls, garages, and even walk-in closets to find privacy for calls. Security is not the top priority — pure functionality and practical application of time and duties is the most critical thought on most employees’ minds.
I’ve trained hundreds of people over the past few months and about 50 percent are not using a VPN. When I asked them when they last changed their home router password, most responded: How do you do that? And I didn’t know a router had a password. Big tip: if you have an employee working from home, help them with IT resources to get their setup more secure. It will be worth the time and effort.
3. Passwords are still the key to everything.
Password hygiene is a huge issue. Mandating password resets is one forced measure companies use to try to keep passwords strong and updated. But the real issue on passwords is being able to manage the huge volume of passwords in a consistent way to prevent weak passwords, repeating passwords, and the sharing of passwords or admin credentials. Purchasing a company subscription to a password manager and training employees on how to use and protect passwords is a huge step toward a more secure organization.
I’ve trained organizations on password construction and strength. There are normally three groups of people within the audience:
1. IT people who use password generators and understand that using the word admin as a password is wrong in every sense.
2. The majority of regular, non-IT employees who grasp that passwords are essential, but complain about multi-factor authentication and having to reset their password at regular intervals.
3. The employee who knows very little about passwords and cybersecurity. I’ve had this third group of employees sit in training and ask, “So how many passwords do I have to really have?” For these people, they generally use the same password with just a number or character changed and call it a new password. And they use the same password between personal, personal finance, and business. These are technically the weakest employees in terms of security, but I prefer to see them as the ones that can have the biggest gains when properly trained.
4. Backups let you sleep at night.
Backups are a way to reconfigure lost data, whether it was stolen or encrypted by ransomware. Backups allow a system to be reconfigured without losing key information or current data. Backups are preventative and need to be checked occasionally to ensure they are happening. There are several cloud-based backups that are easy to deploy and cost a fraction of the time and headache associated with the alternative of lost data or ransomware encryption. When backups are not in place, ransomware victims often turn to IT and ask: Why didn’t we back up? Why did this not happen? It’s insurance on what could happen. And it’s a key part of any strong cyber posture. Backups are also a way to reduce the anxiety level of a cyber team. Knowing that there is a backup plan in place should things go sideways is peace of mind.
5. Shifting mindsets — stop selling fear, start building skills through real learning.
To say 2020 has been a difficult year is an understatement. Burn out, emotional exhaustion, and a sense of being perpetually overwhelmed are rampant. These feelings are perhaps even to be expected because “How do you adjust to an ever-changing situation where the ‘new normal’ is indefinite uncertainty?… It’s important to recognize that it’s normal in a situation of great uncertainty and chronic stress to get exhausted and to feel ups and downs.”
From a security perspective people who are exhausted and emotionally stressed take short cuts. They try to simplify their stress and often cut things like security. Passwords are a key example as well as skimping on backups or using public WiFi. Everyone does it, but just because everyone does it doesn’t mean it’s safe. Education matters — but so does understanding that the cyber industry can’t keep selling fear. Fear is exhausting. The unknown is exhausting. It eventually leads to burn out or numbing out.
There are businesses out there that know the stats but think, “Since I haven’t been attacked yet, I won’t be” or “I’m too small to matter.” Those answers are focused on minimizing their fear. When the real solution is based on empowerment — in knowing what to do when something goes wrong, just as much as knowing what to do to minimize the risk of something going wrong. Education. Education. Education. But in a way that works, that creates growth, that supports change, that reinforces positive behaviors, and that empowers with skills.
Few people learn well sitting in a lecture for an hour, especially when they have a pile of work they’re not getting to during that time. That hour of “training” is coffee and donuts, ‘be afraid’ lectures, and checking a box. That’s not training. That system doesn’t work anymore — if it ever did. But there are things that do work. Gamification and MicroLearning increase retention, are fun to do, don’t take large chunks of time people don’t have, reinforce learning, and really create behavioral change. This is the future. And I’m excited to be taking my company into that future and giving others a better option than “fear-based” motivation.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Support a woman to get involved with technology. Whether it’s a relative or a friend, support women of all ages to get more involved in learning about business and technology. Our whole world is dependent on technology, and women need to be involved in the creation of the new solutions that will help solve our world’s problems. Ask a young woman about a career in technology.
How can our readers further follow your work online?
Your readers can find me at HeatherStratford.com and on LinkedIn ( https://www.linkedin.com/in/strongerceo/ ). Or if they prefer me coming to them, they can sign up for Stronger’s newsletter — there’s a box at the bottom of the homepage at Stronger.tech.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!