As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Brad Cheedle.
Brad is a grizzled veteran technology executive and entrepreneur with more than 20 years of experience. He is the leader of Otava, a quarter century old, yet rapidly growing company focused on secure and compliant cloud solutions for organizations in healthcare, finance and other data-sensitive industries. Otava was the first HIPAA compliant hosting provider in the United States. Brad’s deep background in the telecom and technology industries has shaped his views on data privacy and cyber security. His professional expertise, spanning corporate finance, sales and business development, engineering, technical operations, marketing, product development and mergers and acquisitions, gives him a broad perspective on the impact of security. He has helped launch companies and organizations at WOW!Business, Zayo Group, Qwest Communications, Onfiber Communications, Level 3 Communications and MCI Communications. Brad is an active alumnus at the University of Northern Colorado, Monfort College of Business. He currently sits on the Board of Directors there and supports the organization’s entrepreneurial programs. He’s a sucker for a good bourbon and enjoys jamming out on his guitar more than anything, except being with his family.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I come from a Colorado ranching family that goes back three generations. My grandparents and parents worked extremely hard raising cattle. As a kid, I lived in a small western Colorado town where I worked hard, had great friends, and spent a lot of time competing in various sports including skiing, baseball, football and golf. I also played trumpet and piano in the high school jazz band. Imagine the movie “Footloose” without the rebellious dancing and you have a good idea of how I grew up.
From early on, my parents instilled in me a work ethic and drive that shapes who I am today and how I approach life. I had ambitious professional goals from a very young age and was the first in my family to go to college. Working my way through school meant holding down four jobs during the summers and two during the school year. I was inspired to pursue my desire for a different kind of professional future and the support and encouragement of my family gave me the foundation I needed to achieve my goals.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I’ve always found Steve Jobs’ story to be inspiring. He was a true visionary that motivated so many people to think outside the box. He had strong convictions and his every action had a purpose. I admire the fact that he applied just the right amount of pressure and tension on himself and others in the company to see past obstacles, so that Apple’s market-disrupting innovation could emerge. His vision for what people wanted translated into products that the world didn’t even yet know it needed. He had an ability to break through the clutter like no one else. Whatever he dreamed up, he executed on. His constant forward progress resulted in life-changing innovations. Over the course of my career, I have often considered these attributes and Jobs’ overall approach as a guidepost for developing excellence in executing on the mission of the organizations I was representing.
Can you share the most interesting story that happened to you since you began this fascinating career?
There is not a single story that can sum up all that I find interesting about this fascinating career. I feel it is an accumulation of experiences over time that makes it most exciting for me. I’ve been very fortunate to have met and worked with, and for, many extraordinary people that have influenced the technology industry. They have all inspired me. Exposure to great minds of industry leaders ranging from Internet innovators like Andy Bechtolsheim to telecom trailblazers like Jim Crowe and Dan Caruso sparked my excitement for the key issues our businesses are facing today such as data privacy and security. I’ve learned from each person I’ve met, gleaning insight from seeing them in action successfully manage situations by motivating teams and creating innovation. This strengthened my own drive to outwork, outmanage and overachieve.
And I continue to grow my network of contacts and mentors. Expanding my circle keeps me energized, engaged and motivated. Perhaps most importantly, it ensures that I never stop learning. One great thing about this space is that it is impossible to know everything.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I’m extremely grateful for my parents who always encouraged me. Rather than putting guardrails or boundaries on what they thought I could do or should be, they challenged me to always think bigger. They made it clear that I could be anything I wanted to be in life.
As ranchers, they instilled a strong work ethic and showed me that success could be achieved by ‘outworking’ any situation. My parents taught me many other lessons as well, such as to learn by doing, to dig deeper, to ask questions and to persevere when times get tough. They showed me how to evaluate a situation and recognize what works and what doesn’t. I’ve had a lot of great mentors along the way, but it was my parents that set me on this path. I wouldn’t be where I am today without them.
Are you working on any exciting new projects now? How do you think that will help people?
At Otava, we just launched our latest secure and compliant cloud platform to give businesses the ability to more easily control how they deploy and manage their data workloads. It gives them a way to do much more with less. Everything we do is designed to help make IT and cloud simple. We are focused on making data safe, secure and reliable. This is especially critical now as most companies have shifted to work from home during the pandemic. Our cloud platform helps make it possible to operate effectively with a distributed workforce by reducing the need for onsite resources, while keeping company data backed up and secure. Along these lines we are also working on a virtual desktop solution that would further support growing companies that need help in a remote environment.
In addition to adding new solutions to our portfolio, Otava is focused on growing the company through acquisition and organically. We believe that by bringing together the best people, process and tools, we can create even more value for our customers.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
My advice is to keep your eye on the prize. Stay the course. There will be twists and turns, ups and downs, and one challenge after another. Don’t get caught up in them, they are just obstacles. And obstacles are opportunities to learn and grow. You can actually use them as motivation and inspiration. When viewed this way, you can see more clearly how to thrive on the creation of new opportunities that are born from obstacles. Keeping your vision alive even through the tough times will help you to inspire those around you to stay focused and enjoy the journey.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena.
What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
Cybersecurity is arguably one of the most important technologies and disciplines of our time.
I get excited about the innovation taking place to help protect businesses as they advance down the digital transformation path. Otava is one of the only security- and compliance-focused specialty cloud services providers in the U.S. We expressly chose that focus because without a security-first posture — an overarching set of principles that includes everything from the tools used and the policies enacted, to the processes followed by all employees — the tremendous value of cloud computing can be quickly negated. The innovation is not just in the tools themselves, but the processes to integrate and embed the technology throughout so it is truly effective.
I also appreciate the fact that cybersecurity, including compliance, presents one of the greatest challenges of our lifetime. Because of this, technology needs to be as advanced as possible to stay one step ahead, which drives development opportunity. And at the same time, there is a need for a human element to help with education and compliance assurance. At Otava, we bake data security and compliance into every layer of our services, and our team has the expertise to help our clients to not only understand, but to be fully prepared for the threat landscape.
Finally, cybersecurity is an area that has unlimited growth potential. As we move deeper into the digital age, data security becomes increasingly important and will affect virtually every part of our lives, at home and at work. So, from a professional standpoint and business perspective, the opportunities will continue to unfold in ways we have not even yet imagined.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
During the pandemic, ransomware has been on the rise. And even last year we saw ransomware attacks increase by 300%. Additional threats and attacks have been designed to expose vulnerabilities across the board. This isn’t just a government or big business problem; it affects all of us. We can’t rest on our laurels. We must be as prepared as possible. The good news is that businesses that are moving their data to the cloud are beginning that process, because some security is built into infrastructure that is hosted offsite. And some cloud providers offer additional benefits. For example, Otava’s cloud-based solutions are enhanced to mitigate cyberattacks, ransomware and other malicious activity. Companies also need to create a plan for how to recover in the event of disasters. A backup and disaster recovery solution will keep your systems available in the wake of an unexpected event so that you can minimize disruption of your business.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
We work with a national distributor that originally came to us to help them gain disaster recovery services for about a quarter of its critical servers. Later, the company experienced a ransomware attack. Using Otava’s solutions, we enacted our joint disaster response plan and services to recover impacted systems into the Otava cloud with minimal loss of data. We had the servers up and running for production within minutes. But this of course didn’t apply to all of the distributor’s systems. The lesson learned following the attack drove the client to further fortify its corporate IT environments with additional disaster recovery, data protection and security governance, and policy measures to mitigate future cyber impacts.
The distributor’s complete environment is now fully protected by Otava in a redundant off-site location, safeguarding all of the company’s valuable data. In the event of another ransomware attack, the company is completely protected and can have all systems restored within a matter of hours thanks to the short recovery time and recovery point objectives. Otava’s staff also acts immediately to support clients with additional security solutions to ensure that no re-infection occurs. The incident showed just how valuable having a disaster recovery solution is and highlighted the urgency for security best practices.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
We are in the business of making sure our clients are protected and we view security as a three-legged stool. The first leg of the stool is physical protection which keeps your physical data center safe with alarms, video cameras, etc. The second leg is technical security. This includes disaster recovery, backup and firewall protection, plus the use of security tools including anti-virus, anti-spam, encryption, log reviews and more. These are all designed to protect the data inside your systems and data centers. The third leg of the stool is governance which is an important administrative function to ensure policy, process and access controls are being met. Compliance mandates, such as HIPAA that apply to medical information and are designed to protect the security and privacy of patients, are required by law for certain organizations. This is a critical piece of the overall security framework. All three legs are important measures against cybersecurity risk.
We recommend that every business have a disaster recovery plan because even after taking all precautions new cyberattacks can develop. In the event of an issue, you must have the ability to restore your data as quickly and safely as possible. Once the plan has been established, test it regularly so that if it is needed for any reason you are in full control of your data.
Defending against cybersecurity breaches is no easy task. It is not simply the job of an armed guard or a piece of software. But when all the pieces are working together, your organization can feel confident that it is doing everything it can to stay protected.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Cybersecurity is a serious issue for companies of all sizes. Even if you are a small business or don’t have an IT staff, you can take steps to protect your organization. You can find an external partner that you trust and that can work alongside your organization to provide the level of support you need. That partner could be a contract CISO or an IT service provider. Outsourcing will require some ongoing investment; however, over time, it can potentially save your business from the much more costly damages of a breach. And remember that the companies that thrive are the ones that focus their resources on their core competency. Concentrate on what you do best and outsource the things that fall outside of your area of expertise to the experts on those subjects.
Once you have all the elements of security in place, another recommendation is to purchase cyber insurance. With the total cost of cybercrime now in the billions, cyber insurance policies have become increasingly necessary. Underwriting these policies can be a challenge for insurers, and your business must do everything it can to understand your exposure and take appropriate steps to mitigate risk. This includes demonstrating to insurers that you have already put safeguards in place. But if you’ve already done the work either on your own or with an outsourced partner, you can gain added protection from the right level of insurance.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Breaches can and will happen to the best of us. In addition to implementing proper governance, controls and cybersecurity protection, it is important to educate your entire staff on what to look for. This won’t stop all cyberattacks but may weed out some.
Phishing is one common type of attack. This is where hackers are impersonating legitimate brands via email to trick recipients into revealing valuable information such as account passwords, credentials or other sensitive data. To ferret out phishing attempts, ask your staff to watch their email for irregularities such as misspellings, unofficial logos or requests for sensitive information. Remind your team not to provide these details via email and to only deal with fully trusted sources directly. It’s important not to click on links or attachments in messages that are suspected to be fraudulent.
When dealing with ransomware, malicious software that restricts access to systems and/or files until a ransom amount is paid, the most obvious sign that you are a victim is a splash screen that appears upon startup that prevents you from using the computer and provides instructions on how to pay the ransom to restore access to your computer and files. Alternatively, you may be able to access your computer but unable to open your files. Remind your team to contact your IT team or security point person immediately if this occurs.
Other types of attacks include password-based attacks which can happen when users use the same passwords across multiple sites, endpoint device attacks which are aimed at specific devices such as laptops or workstations, and business email breaches where scammers try to trick people into wiring them money. Most breaches occur because attackers have gained access through either emails or through maliciously coded websites to critical applications, passwords, accounts, systems or vulnerable employees. So, the cybersecurity goal is to tighten down these entry points. The fewer the access points the fewer openings cybercriminals have to gain access to critical systems or code — and therefore malicious activity becomes limited.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
There has been a lot of news around the heightened risk of cybercrime in 2020, and the increased sophistication of cyber-attacks. If your organization has had a security breach, make sure you have a plan and the ability to recover your server data. Many ransomware attacks tie directly to the server so make sure you are doing regular backups and have a tested recovery plan so you can restore your files. With much of the world currently working remotely, it is important to also have a plan for all user devices. As soon as an attack is discovered, initiate your disaster recovery plan for your laptops, workstations and other equipment. Then take steps to reimage them to ensure any malware is removed.
Planning ahead and regular testing are key so that when an issue occurs you know that the technologies and procedures you have in place will be ready to go, mitigating further impact.
Privacy measures such as CCPA and GDPR are simply guardrails around efforts that make us better. At Otava, our business understands these acts and regulations to help customers stay protected in secure and private environments that are fully compliant. With constantly evolving requirements, this is no small undertaking.
As these and other policies are created and enacted the industries affected must stay vigilant and prepared. At Otava, we see these policies as learning opportunities to help our clients put the right combination of policies and solutions in place that solve issues around these measures.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The most common data security and cyber security mistakes that companies make are often the result of not implementing and enforcing policies around who has access to company data. This can go hand in hand with being unprepared. Often companies are stretched too thin to sufficiently prepare for protection in advance by training their employees, creating a disaster recovery plan and backing up all their data. But these things are vital and need to be prioritized.
Another area that can lead to issues is assuming that your vendors have you covered. It is worth the time and effort to clearly understand the shared responsibility of data security when it comes to your partners and vendors. They can explain in detail what they cover and what is left up to you to handle. This reveals where you have gaps and vulnerabilities that need to be addressed. You may have multiple tools that either don’t integrate with each other or don’t cover as much of the business as you expected. Finally, and understandably, companies often don’t allocate enough of their IT budget to data security. Budget and resources are scarce but minimizing the investment in data security could result in much larger financial problems in the long run when you consider that the average, all-inclusive cost to a business for a data breach is 3.9M dollars.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Ransomware attacks have reportedly increased by 148% due to the coronavirus. This is not surprising considering the vast majority of corporate employees are now working from home and many companies were not prepared for securing a distributed workforce. Since the pandemic began our clients are looking to add more connectivity, cloud and backup support to deal with the impacts of COVID-19. We’ve also seen more demand for desktop as a service software which helps maintain control over distributed workforces. Desktop management solutions are now more important than ever because they provide the ability to standardize and regulate interactions with applications with respect to your company’s security policy. And in cases where companies are downsizing in response to current challenges, we are finding that they are moving toward turnkey solutions, as they may no longer have the resources or budget to manage their environment themselves. We bake security into every layer of the IT environment, on-premise, offsite and in the cloud so that customers are protected regardless of where employees are located.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
Cyberattacks affect organizations of every size, industry, vertical and geography. No business or individual is immune. Five things that every company needs to do to tighten up its approach to data privacy and cyber security are:
- Define and enforce your access policies. Start by categorizing your employees into groups and decide which of those groups should have access to which types of systems or applications. Consider factors like seniority and decide what is absolutely necessary. For example, cybercriminals love to prey on accounting departments to access financial information, so it may make sense to lock down access to only a select few in the department, thus lowering the odds that a clever trick gives a hacker access to vital systems.
- Trust No One. To trust is to be vulnerable. Businesses shouldn’t automatically trust anything inside or outside their perimeters. Instead, verify any and all connections into systems before granting access. Also, make sure to validate the identities of all individuals using more than one authentication measure. Be proactive by activating secure sign on to systems and backing up everything. Don’t forget to be on the lookout for anomalies in end user device and systems activity.
- Keep everything up to date and test, test, test. It is very important to keep all your software packages and vendor patching up to date. Perform a threat analysis with your security team to test whether your patches and updates were successful or if gaps still remain. Train staff. Test your disaster recovery plans and procedures.
- Have a backup plan. Be sure to regularly back up all of your critical data from internal systems and user devices. For best results, we recommend the 3–2–1 rule put forth by our partner Veeam: keep 3 copies of data; on 2 different media types; and at least one copy should be stored offsite. Additionally, build a disaster recovery plan for your business and test to ensure it works.
- Invest in cyber liability insurance. Buy as much coverage as you can afford but shop around. Make sure the policies are reviewed by someone that understands your business and how you operate as most insurance brokers aren’t well versed in the day to day operations of your business and may not be aware of nuances that will be important. And before purchasing a policy it is important that you fully understand the coverage scope and your responsibilities. For example, will it cover independent contractors, your clients, your clients’ clients? Cyber liability insurance can be a great asset when you have all the facts and are fully informed.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
In my experience, so many folks settle and let others determine their path. Every day, for all those around me, I try to inspire the “You Do You!” movement. I often remind people to remember that this is their journey.
My advice is to own it, believe in yourself and don’t give up. We all have ups and downs in life but try to see through the challenges and think of them as puzzles to be solved. It is important to surround yourself with people that support you and make you better. This helps you to create goals that achieve balance. I encourage everyone to try new things, be inspired, read more and stay curious.
An example from my own experience comes from when I went to a concert that I didn’t expect to enjoy, but instead left me feeling inspired. I was 40 years old and had never even picked up a guitar, but I went out, bought one, and taught myself to play by watching instructional videos on YouTube. Playing music has become one of my great passions and I now own 27 guitars.
You don’t need to be an expert by any means. Just keep exploring life by trying new things and letting your mind expand to learn what is possible. You may be surprised to find how many new opportunities arise and you may also discover new passions along the way.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!