Recognize that in the Cybersecurity cat and mouse game, it is not a question of IF you will be breached, but WHEN you will be breached. Therefore, you need to be able to have the ability to detect when a breach occurs immediately and a process to remedy it before significant damage can occur.
As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Rick Klemm, VP of Technology of Liquid Web.
Rick Klemm is currently the VP of Technology at Liquid Web, responsible for Development, Network Operations, and Security. He has over 25 years of experience leading technology teams focused on Enterprise Applications for several Fortune 100 companies, including American Express, BellSouth, and Dell. Rick received his MBA from Georgia State University and a BS in Civil Engineering from Clemson University. Aside from his wife and two grown children, Rick’s proudest achievement was riding his bicycle across the United States from New Jersey to San Francisco.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
Well, I grew up in the northeast but went to college in the deep South. A New Jersey Yankee down in Clemson, SC, was quite the culture shock, but I loved it. I had a strong interest in computers, but back then, Computer Science was not a degree yet, so I majored in Engineering. After a year of working as an Engineer, I moved into the Information Technology department as a software developer. Fortran was my language of choice at the time, so that dates me pretty well. The rest, as they say, is history.
Is there a particular story that inspired you to pursue a career in Cybersecurity? We’d love to hear it.
I wish I could tell you something fun and memorable like a cybercriminal victimized my family, and I have now dedicated my life to fighting cybercrime. But the truth is that I have been in technology for my whole career, and security is a part of that. Over the past 30 years, Cybersecurity has grown in importance and crept into every aspect of technology. As a result, it is now a significant focus for every CIO, CEO, or CTO.
Can you share the most interesting story that happened to you since you began this fascinating career?
My first programming job was with a major railroad, where I was in charge of programming automated controls in rail yards. My code would monitor which car went into each track and control the proper switches to get it there. Now, keep in mind this was in the early eighties, and we didn’t have test environments and controls for this kind of process. Once I made this change, I would have to work on-site at the railyard and have railcars rolled one at a time and validate the cars went into the correct track. During this process, a car was rolling down the track, and the whole computer system crashed. The switches didn’t move, and a 100-ton railcar went crashing into an empty boxcar and knocked it literally off its wheels. Both cars ended up on their sides and created a big mess. It was not one of my finest moments.
None of us can achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
There are a lot of people who have influenced me throughout my career. Through the years, I have been very purposeful to learn from every manager I have worked for, both the good ones and bad ones. I would try to emulate the good managers, and the bad managers would demonstrate lessons in what NOT to do. As I progressed into leadership positions, one thing I picked up was that every great and successful manager was proficient in leading and influencing team members outside their direct control. This realization expanded my understanding of leadership and helped me get to where I am today.
Are you working on any exciting new projects now? How do you think that will help people?
As a company, Liquid Web has several exciting projects in the works, bringing several new products to our customers who have the potential to be game-changers. In our Managed Hosting group, we are in the process of rolling out a new VMware offering to our customers. This product line is geared towards our larger customers requiring more sophisticated server platforms and provides an easy to manage Virtual Data Center at extremely reasonable prices. However, our fastest-growing segment is in Managed Applications, and we are continuing to expand our functionality and capabilities within our managed Magento and WooCommerce apps. One exciting new feature is a StoreBuilder, which allows our customers to build an online store via a simple wizard interface quickly. This enables them to quickly get up and running as a business without hiring a web designer.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
They say, “Do what you love, and you will never work a day in your life.” There is a lot of truth to that. If you don’t love your work, every day will be a grind. However, time away with family and friends is invaluable and will increase your happiness and productivity both in the short and long term.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
Excite me or scare me? To start with, Cybersecurity is continually changing and evolving. You can’t just fix it, install it, execute it, and say you are done. Bad actors will forever be attempting to break into systems, and we need to make it a priority to make it as hard as possible for them to do that. Secondly, it is a growing field with plenty of jobs available and great career opportunities. It is an excellent place for technically minded individuals to start in technology and have a great career ahead of them. And thirdly, it is never dull, and the risks and consequences are real. Just ask anyone who has been the victim of ransomware, had trade secrets stolen, or had fraudulent bank transfers. These events are costing companies and individuals hundreds of millions of dollars and often their entire business.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
The recent SolarWinds exploit is a new and dangerous attack that everyone needs to pay attention to. In this case, the hackers were able to plant malware code within a SolarWinds product and dispersed it with the product updates to the government and thousands of companies using SolarWinds products. This situation is scary as these product updates are usually considered trusted sources. Once the code was deployed, it was able to open up backdoors for access to systems and data stealthily. I do not believe we have seen the end of this one, and damage will continue to be uncovered for quite a while. Breaches like this will need to drive significant changes in processes and controls.
Do you have a story from your experience about a Cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
We frequently get hits and attempts to disrupt our service from DDoS to Brute Force attacks. These attacks can be disruptive; however, we have processes to detect them and react accordingly quickly. These incidents rarely have any significant impact on our customers, and they usually are unaware of the attack. We recently had a scare where a friendly hacker was probing one of our platforms as part of our bug bounty program and set off all sorts of alarms and activity. We quickly reacted and locked everything down before discovering it was a non-malicious attempt by someone working to find a vulnerability. This led to some process changes, but it was also a good fire drill in how to react to a breach.
What are the main Cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Like most companies, we use a myriad of hardware and software solutions for threat prevention, detection, and remediation. I won’t list them all but will say that some of our most effective tools are our least expensive. For example, we implemented a bug-bounty program on our website. This program allows friendly freelance hackers to explore our site for vulnerabilities and if they find one, we will pay based on the degree of severity. We advertise this on our website and post the guidelines they must follow. This has been an extremely productive method to identify avenues for potential exploitation. Another extremely useful tool has been our security awareness software InfoSec. While it is not glamorous, phishing and social engineering are some of the most significant risks and easiest to exploit. So in the past few years, we have put in aggressive training programs, including frequent phishing campaigns, where we create fake phishing emails and send them across the company. If someone clicks on it, a message pops up stating what they did wrong and how to identify real phishing attempts. This has brought a healthy state of paranoia in the company when unusual emails are received.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a Cybersecurity agency, or hire their own Chief Information Security Officer?
Cybersecurity does not have to be expensive or require a large team. Good virus protection, a hardware firewall, and security awareness training can go a long way with a small company. Additionally, using two-factor authentication and keeping your software up to date with the latest releases are inexpensive and straightforward ways to increase your protection. Software vendors are continually providing updates with security patches, and shame on you if you are breached by a known issue that has already been addressed by the vendor. As your company and systems grow in size, breadth, and complexity, more resources and attention are required.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Aside from threat detection software, which uses AI to identify unusual activity, probably the most common sign is unexpected activity on your servers or a sudden decrease in performance. High CPU or disk usage when nothing is running can be suspicious. This could also include a high volume of emails sent out from your systems, as bad actors often hijack a system to disperse phishing attempts. Another sign is just finding unexpected files on your system, especially in a root directory. A good anti-virus software should do this for you by identifying unknown files or programs on your server and quarantining them.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
The first immediate thing a company should do is to contain the breach to prevent further spreading and penetration. Isolate the platform, remove it from the network, then try to clean up the issue or restore from a recent backup. Second step is to look for additional breaches or bad actors on other systems. The bad actor could have used one breach as a gateway to the rest of your environment, or other bad actors may have taken advantage of similar vulnerabilities on your other platforms. Third, fix the hole. If you are uncertain how they got in, hire a forensic expert, but at least upgrade software patches and any other likely source to keep this from recurring.
While I am not a big fan of regulation, these acts are dutifully bringing data privacy to the forefront of attention, and that is a good thing. People should understand who has their data and what they are doing with it. These regulations add some overhead in development and administration efforts for tracking and such, but it is quickly becoming just a regular part of doing business online.
What are the most common data security and Cybersecurity mistakes you have seen companies make?
Many companies will put in anti-virus software and never think about Cybersecurity again. They forget that this is a continual process and needs continual attention. You have to incorporate Cybersecurity into the very culture of a company. Put in standards for two-factor authentication, software patching, and security awareness to make it as difficult as possible for the bad guys. It is too easy for bad actors to make your life miserable otherwise.
Since the COVID-19 Pandemic began and companies have become more dispersed, have you seen an uptick in Cybersecurity or privacy errors? Can you explain?
There has been an uptick in security events/attempts as the bad actors recognize that work from home can provide a new way inside a company. Many employees are using their home computer for work, and it may not have the same degree of protection as the office desktop. Additionally, the home is a more relaxed work environment, where employees may be more susceptible to phishing attempts. And the bad guys are jumping all over that. At the start of the pandemic, we put in some extra firewall protection and strengthened our VPN process to address these concerns. For example, when accessing our VPN, we now scan the workstation to ensure proper virus protection before allowing the user to log in.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Formal and continual Security Awareness Program. Ensure everyone in your company recognizes the signs of social engineering, phishing, etc. Interactive and frequent training, phishing campaigns, and security drills will heighten awareness and thwart an easy attack.
- Keep software current! Security vulnerabilities are continually being identified in software, and vendors are continually creating patches to address them. Don’t let yourself get compromised by outdated software.
- Don’t get complacent. Bad Actors do not give up. So you can’t either.
- Recognize that in the Cybersecurity cat and mouse game, it is not a question of IF you will be breached, but WHEN you will be breached. Therefore, you need to be able to have the ability to detect when a breach occurs immediately and a process to remedy it before significant damage can occur.
- Integrate Cybersecurity into your everyday life at work and home. Like the security of your house, you don’t necessarily need to build a fortress, but make it hard enough for a cybercriminal to decide to go after someone else who is an easier target.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
It is probably controversial and unpopular, but my movement would be to eliminate 90% of all social media. Unfortunately, apps like Facebook, Instagram, etc., have taken over the attention of our society. People believe their worth is tied to the number of “likes” on a post, and there is a growing amount of depression and suicide due to people comparing their life to the often false projections of others posted online. It expands the local rumor mill to 3 billion people, and a small moment caught on video can go viral and permanently affect an individual. And it is a mechanism where someone without knowledge, skills, or education can post false information and immediately have hundreds of millions of people believe what is said. I dread seeing how this will affect our society in twenty years.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!