As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Heather Clauson Haughian, co-founder and CTO of cloud-based Culhane Meadows, the largest woman-owned, national full-service law firm in the country (WEB). She is an IAPP certified privacy and data security attorney who advises corporate clients on a variety of cybersecurity issues, including data breach response and mitigation.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up the daughter of a manufacturing engineer dad who moved us all over the country about every 3 years as he was ahead of his time in getting manufacturing facilities computerized and automated, which only took a few years, and then they would send him onto the next manufacturing facility to do it again. I still remember in the late 70s going into the massive server rooms at his job at NCR where just a few computers took up these huge rooms and thinking how amazing it was that my dad knew exactly how it all worked. It wasn’t a tough decision after that to become an engineer myself, but I never thought I’d end up being an attorney who specialized in Privacy and Data Security law nor would I become my law firm’s Chief Technology Officer.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
When I started practicing in the Technology Law space in the late 90s, most people didn’t really know what cybersecurity was. Having previously worked as an engineer doing a lot of work with various databases, I saw first hand some of the major holes not only in the databases I worked in but also in the access procedures generally. Although access to the buildings that I worked in at the time was extremely secure and tightly monitored, no one really monitored those databases or who had the rights to even access them. Again, little did I know at the time that I would eventually end up in a career focusing on protecting the security of exactly those type of databases and providing advice on limiting access rights to the same.
Can you share the most interesting story that happened to you since you began this fascinating career?
I think the most interesting story has been taking on the role of CTO for my law firm when the three other founders and I initially formed Culhane Meadows over 7 years ago. As a former engineer and as an existing technology/privacy/data security attorney, it was the logical choice given my strong background in this area, but taking on the role of CTO in a law firm with a distributed workforce where the vast majority of the attorneys at the firm have been practicing on average more than 20 years was a uniquely challenging endeavor. Why? Because half of our attorneys did not grow up with a tablet in their hand or even a computer in their home or office and even those that did are very reticent to embrace new technology in the professional setting. And this is typical across the entire legal profession — not limited to our firm. But I like a challenge, and this certainly was going to be one. Not only did I have to select IT platforms for the entire firm that would be secure, provide lots of functionality and allow for future change, but I also had to think about usability. Initially I think we got it right with 3 of the 4 platforms we selected, but ultimately I found that I had become too enamored with a certain centralized document management system that provided amazing functionality yet we were only using about 15% of the capabilities of the platform because it was not intuitive and user-friendly enough for our attorneys. Luckily, we have a very forward-thinking leadership team at Culhane Meadows that allowed me to do a complete overhaul of our IT systems (including the document management system) to put in place a much more user-friendly and intuitive set of tightly integrated systems, which had the added benefit of a number of excellent collaboration tools as well as much more control over and access to security features that some of our bigger clients were starting to look for from us.
And our attorneys have been making great strides in adopting these new IT systems with some even asking for help on learning new tools we have access to but have not even rolled out yet. But the challenge in keeping everyone trained never stops — but as I said — I like a challenge.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
My father. He not only was my inspiration for going into a career in STEM, but he also taught me how much I enjoyed teaching others and instilled in me an expectation of excellence in all that I did. After being a mechanical engineer for almost 20 years, my father decided to start teaching online engineering courses (and this was back in the late 80s before anyone was really thinking about distance learning). But he had to go back and get a Master's Degree in order to do so. I still remember teaching him (or rather refreshing his memory) on how to do derivatives and integrals for his Masters classes that assumed a basic understanding of Calc II, which I was enrolled in at the time in high school. After I would teach him a concept, he would ask me “now how could you have done that better as a teacher?” But his relentless expectation of excellence wasn’t limited to academics or teaching. When I would come home from a basketball game and tell him I had a “double/double,” i.e., double digits in rebounds and in points scored, he would say, “that’s good, but what could you have done better that you’ll do next game?” Despite the fact that I often just wished he would jump up and down and be excited for me over a double/double, he made me a better version of myself along the way and instilled in me a drive to always make a difference and see how I could be and do better.
Are you working on any exciting new projects now? How do you think that will help people?
Yes, I just recently started on a new project that will involve teaching our attorneys and back office staff at Culhane Meadows how to take certain administrative tasks and certain approval processes and automate them using Microsoft Power Automate to make their law practice more efficient. It’s incredible that Microsoft has created a tool that will allow the automation of so many tasks without having to write a single line of code and doing it with secure/encrypted tools at our disposal within the existing firm systems. As noted above, most attorneys are luddites, but we also have a group of very tech-savvy attorneys and staff that want to take advantage of the technology we have to be more efficient. And because these tools do not require our attorneys to fully understand the technical side, they can start leveraging tools that previously would only have been made available to them by someone with a ton of software coding skills.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Don’t expect to have all the answers all of the time. Because this field is constantly changing, know when to get help and when to rely on other members of your team for the expertise you don’t have. Cybersecurity is a team sport — not an individual one. Despite the fact that cybersecurity experts do have to constantly keep up with evolving threats and changes in our industry, we also have to understand that there is no jack of all trades in this industry.
As for leading a cybersecurity effort I think anyone in the cybersecurity field needs to understand that *how* you train your employees on cybersecurity issues, in what format and whether or not you make it even a little fun, can make a world of difference in getting employees to comply with company security policies. Give yourself a break when folks don’t pick it up the first time. It can usually take 3 times hearing the same thing before it truly kicks in — and don’t be afraid to tell the scary stories of how cyberthreats have affected other companies because THOSE stories are what your employees will remember. And always offer chocolate or candy for folks who even ATTEMPT to answer your questions during live training sessions (once we’re all back in the office). In the meantime, offer to send them some!
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
- That cybersecurity is an ever-changing landscape so everyone understands that living with the status quo is never acceptable… plus, we’ll never get bored. I might not sleep at night worrying about the next cyberthreat that’s out there, but at least it will be interesting learning about it and trying to protect against it. Cybersecurity is often times about solving different types of puzzles, and I love puzzles!
- As a huge proponent of STEM (and especially WOMEN in STEM), I’m excited that the cybersecurity industry is absolutely booming, and there are so many opportunities for growth for anyone either already in this area or looking to get into it. I would venture to guess that the unemployment rate for cybersecurity specialists is close to nil.
- I get to wear a white hat in all that I do with cybersecurity. There is a bigger purpose here — to protect our customers’ data and the integrity of our systems and often times what we teach in the cybersecurity area helps our attorneys and staff in their personal lives as well to not get hacked or not fall prey to the many, many phishing schemes and social engineering attacks that they experience in their work environment and their personal lives. As someone who moonlights as a fitness instructor, I can tell you that it’s a lot easier to get folks to understand the benefits of NOT clicking on an unfamiliar hyperlink than it is to convince someone that lifting weights is just as important as spending time on the treadmill or bike. The instant feedback of possibly having your bank account drained when something goes wrong, as there is with cyber scams, definitely gets people’s attention.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
I think the latest statistics still show that the overwhelming majority of cyberattacks that result in breaches are due to human error (that statistic can be as high as 90%). I don’t foresee that changing any time soon, so if folks are not investing in training their personnel and if they don’t have support from the leadership of their respective companies, THAT will continue to be their biggest threat to cybersecurity.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
Given my role as a data privacy and security attorney, I frequently advise my clients on data breach responses and mitigation efforts. I think so many of the data breaches that I see our clients experience have some very common themes or takeaways: (1) human error where someone falls for a phishing or social engineering scheme; (2) lack of multi-factor authentication that allowed for hackers to easily break into the clients’ systems; and (3) lack of controls over user credentials once they leave the company.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
- Multi-factor authentication (“MFA”) is a *must have* cybersecurity tool for any organization. No one should be accessing data on your systems by merely entering a username and password. MFA is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN, e.g., Google Authenticator, Microsoft Authenticator, LastPass Authenticator, Authy, Yubico, etc. Our firm uses Microsoft Authenticator.
- Microsoft Advanced Threat Protection (ATP) — it’s a cloud-based email filtering service that helps protect an organization against unknown malware and viruses by providing robust zero-day protection, and includes features to safeguard an organization with the following: (a) sophisticated scanning of attachments and AI-powered analysis to detect and discard dangerous messages; (b) automatic checks of links in email to assess if they are part of a phishing scheme and prevent users from accessing unsafe websites; and (c) device protection to prevent devices from interacting with ransomware and other malicious web locations. ATP also includes robust reporting and URL trace capabilities that give administrators insight into the kind of attacks happening in an organization.
- Malwarebytes Endpoint Protection — to protect against malware, viruses, hackers, ransomware, and other established and emerging cyberthreats as it has the ability to: (a) provide always-on, real-time threat detection and automated scans; (b) proactively identify new threats with Anomaly Detection Machine Learning; (c) lock threats out of our network with seven-step Multi-Vector Protection; (d) root out hidden threats with proprietary Linking Engine Remediation; (e) trace attacks back to the source with threat analysis and forensics; and (f) clean infected systems remotely with Cloud Platform.
- Data Loss Prevention Tool — Microsoft’s data loss prevention capabilities allow us to (a) set specific data prevention policies to identify, monitor, and protect sensitive information such as social security and credit card numbers; (b) set encryption rules to prevent an email from being forwarded, copied, or pasted into other programs; (c) set up email archiving and preservation policies to help ensure data is properly retained with continuous data backup and compliance; and (d) enforce BitLocker device encryption on all Windows devices to help protect against data theft or exposure if a protected device is lost or stolen.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
It is a huge misperception that you have to have a huge cybersecurity team in order to take steps to deal with cybersecurity issues. For SMBs, there are so many vendors out there today with excellent tools that will provide a great deal of cybersecurity for SMBs that do not have their own cyber team. Most SMBs can utilize the support of a cybersecurity consultant to advise them on the best way to implement these off the shelf software cybersecurity tools and to help set up a monitoring and reporting system for potential cyber threats.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
- You know you are entering the right password, but it’s not working (because someone has already reset your password after hacking you) and you get locked out of your accounts, like your social media account.
- Your computer starts acting strangely or really slow, e.g., popup messages, antivirus warnings, new toolbars in your internet browser, or the mouse cursor moving by itself.
- Your anti-virus/anti-malware is disabled, and you didn’t disable it.
- You start to see unexpected software being installed.
- Your internet is suddenly running very slow.
For those organizations with the budget to really understand and be able to comply with regulations like the CPPA and GDPR, ensuring such compliance can be a competitive advantage with sales and business referrals increasing as a direct result. We expect that to be the same for the CCPA also as recent surveys show that 85–90% of U.S. consumers are very concerned about the privacy of their personal information/data and view privacy as a human right. Unfortunately, the main competitive advantage that these laws may bring about is continuation of the trend of a winner-take-all economy. Bigger companies have the budget to contend with the ever-changing legal landscape, and small companies — even if well-intentioned — are left to make do with small budgets while worrying they will come across the radar screens of regulators. Our firm’s Data Privacy and Security Team has counseled many smaller clients as they seek to comprehend the complexity and interplay of these laws, but for those without a budget to implement the required regulatory changes, knowing what they need to do isn’t much comfort.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The biggest mistake I see companies make is to ignore the human factor. You can have the most state of the art cybersecurity tools, but if you have failed to adequately train your employees — early and often — then you will fall prey to so many cybersecurity attacks aimed at nothing more than tricking people into clicking on a bad link or opening an infected attachment.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Absolutely there has been an uptick. You have companies that have been suddenly thrown into a remote working environment without the real capability to actually work remotely. So they are finding the fastest solutions they can to get their employees up and running in this new normal of a remote work force. Many times the fastest solutions are not the most secure, so security breaches will occur. And even with the tightest security systems specifically built for remote working, one factor that companies fail to consider is the security of the wi-fi network being used to access their company’s systems. For those employees who hop on the wi-fi at Starbucks to access their company’s systems, the vast majority are likely not using a VPN to secure that connection. For those employees who use the wi-fi in their home offices, the vast majority are not likely to have properly secured their wi-fi routers because most lay people do not even know how to access their wi-fi router settings to be able to activate the proper security settings.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
1. Just like in the world of broadband, it’s all about “the last mile”: that is to say, a company can spend huge amounts on systems security, only to be foiled by a wayward employee who clicks on an attachment with malware. It’s all about the training.
2. Know your data sets and who has access to what data from what location. It’s impossible to assess the application of various laws in a cross-border context without this information.
3. If you have a limited budget, concentrate on worst-case scenarios. Don’t spend thousands dealing with low probability/low risk threats that are easy to perceive (e.g., breach of customer contracts), while ignoring company-endangering practices that no one has sufficiently examined because nothing bad has happened yet (e.g., sending texts or faxes that violate TCPA or other laws that permit class action lawsuits).
4. Have (or engage) a person who can ask the right questions about technology marketed as secured or encrypted before implementing with customers. It’s all too easy to create non-secure interfaces with customers if one is simply relying upon vendor assurances of security.
5. It may be a lot of effort to transition to new technology enterprise-wide, but it’s probably cheaper in the long run than policing the security gaps between combinations of legacy systems layered over time. This should be looked at on a case-by-case basis, but is more likely to be true in organizations handling large amounts of sensitive data, as newer systems will be better designed to create secure interfaces with “the rest of the world” such as with customers and key vendors.
A few examples of security incidents we have seen that could have been prevented…
- Client did focus on training their employees but once a year, so one of their employees (a sales rep) allowed malware in through an email he should not have opened or clicked on. This allowed the hackers to send emails out as him. The hackers also obtained company letterhead and sent out an invoice to the client’s customer using the employee’s email address with the wire instructions to hackers’ bank account. Customer paid the invoice. Client was not paid. Customer furious about the entire situation.
- Target company for proposed acquisition failed to update its privacy and cyber security compliance for 2 years. Due diligence on behalf of the client (acquirer) identified so many privacy and security deficiency risks, the client decided against acquiring the other company. One week later, the email account credentials of the former target company’s CEO were stolen by hackers in Eastern Europe entering through the target company’s online intranet web portal.
- Client global developer of mature video games marketed a new game for EU and US kids under age 10 without assessing EU and US children’s privacy laws compliance obligations including parental consent content and mechanisms. Client obtained huge global kids entertainment contract for new game. Client attempted to retrofit mature game software for EU and US children’s privacy compliance to fulfill contract. Retrofit was not possible in time to fulfill the children’s contract and the client’s entire game division regrettably was unable to survive the COVID-19 business downturn and closed.
- It used to be that storing old data on tape or in boxes in warehouses cost a lot of money, and companies paid attention to the cost of storage and had budget incentives to get rid of it. So they didn’t keep data that they didn’t need or should no longer have. Now that the cost of storing data in the cloud is low, companies don’t make the effort to purge old data (or even to know what data they have). So keeping that data now means a higher risk of breach. The LOW cost way of preventing disaster is to not keep the data that is no longer needed by the company (or that was never needed by the company).
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
To keep on-topic, make sure that you, your children, parents, friends, etc., all start utilizing multi-factor authentication on your/their email accounts and all social media accounts. All of these typically already have these features built in so all you need to do is activate the feature.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!