
“Have a solid data governance policy”, With Jason Remilard and Shadrach White


Reduce network attack surface by not opening unnecessary firewall ports

A majority of security breaches are a result of a single point of failure, and this is often an open firewall port which then gives hackers access to your entire network. Carefully control your firewall and expose only necessary services.


As a part of our series about “5 Things You Need To Know To Optimize Your Company’s or Government Agency’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Shadrach White, founder and CEO of cloudPWR, a Tacoma, Washington cloud software company pioneering digital transformation solutions for government and public agencies across Washington state and beyond. His company serves more than 125 agency customers in Washington state and is Pierce County’s highest-rated software company, according to Google reviews.

Shadrach is an active, highly engaged, well-known leader in the Tacoma business community. He’s a Mentor for the Tacoma Challenge, Advisory Board Member for UW Tacoma School of Engineering and Technology, and frequent guest lecturer for UW Tacoma’s Entrepreneurship program. Shadrach was the first Tacoma business leader selected to present at the inaugural Founders Live South Sound in February 2020, works closely with Startup253 founder Lee Reeves to mentor and drive awareness for the Tacoma Startup ecosystem and helps organize and promote New Tech Tacoma’s Happy Hour event series.


Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

Thanks for having me, Jason. I grew up at a ski resort in Alaska after transplanting from Oregon. I was given lots of freedom to explore the mountains and glacial valley in Girdwood, Alaska. Winters were spent skiing with the race team and summers were all about riding my BMX bike and playing in the woods.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

Looking back on the earlier stages of my career, I remember security tended to be more about privacy and protecting organizational assets and information from falling into the hands of a competitor. It wasn’t until the Internet created the global opportunity for bad actors to steal or hold data hostage that I became more interested in data and system security. Later, social media began to erode privacy through engagement, enticing millions of people to become more open about every aspect of their daily lives. When I began building my company in 2011, it was paramount that cybersecurity become a foundational element of the software we sought to develop for the public sector. Ten years ago, the role of Chief Security Officer was not typically a full-time position. Today this is one of the most critical roles for State and Local Government IT Departments. We see the impact of not prioritizing security modernization and hardening over that same ten-year period when we look at events in Texas, Georgia and South Carolina that together total 20MM dollars in losses. Spending a fraction of that proactively may have prevented the attacks and provided constituents with increased levels of service(s) and community programs.

Can you share the most interesting story that happened to you since you began this fascinating career?

In 2012 Washington became one of the first states to legalize cannabis for recreational use, creating an entirely new business ecosystem that was almost certain to attract bad actors looking to exploit newly minted software systems and data sets, and success was not far off for those looking to do harm. Software startups sprang up quickly to offer solutions to this burgeoning sector, and it didn’t take long before cybersecurity breaches started to hit the news. For us it was a tale of two outcomes: while we were busy building a licensing and electronic signature solution for new businesses looking to get in on the ground floor of a new industry, a separate company was building out a system for inventory tracking of product. In 2017 that system was breached twice, making national news above the fold. Because we prioritized cybersecurity as a primary element of our solution, we remained under the radar and off of the front page.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

There are many that deserve to be recognized for helping in traditional ways, either through mentorship, as examples, or simply paying it forward by offering to assist without expectation of receiving anything in return. Each of these extraordinary people taught me to interact and work and behave for the good of others. I would have to mention Fred Goldberg as someone who most recently gave me so much while asking so little in return. I count him as a friend and mentor whom I can email or call anytime, and he would do what he could to listen and advise.

While it is somewhat counter to the question you posed, I would be remiss if I were unable to share gratitude for those people and situations that showed me the opposite. I have learned a great deal from people that make decisions only based on what is in it for them. In my experience those relationships did as much to mold my philosophy towards business ethics, the greater good and shared success.

Are you working on any exciting new projects now? How do you think that will help people?

I am currently working with a team of senior level consultants to perform a feasibility study for the Washington State Department of Ecology. The study examines Microsoft 365 as a secure Enterprise Content Management solution for the agency. This is an exciting project on multiple fronts.

The project was a great fit for my professional background and a very timely research project in light of the massive shift to support a remote workforce in the public sector. A year ago, it would have been unrealistic to think that so much could change so rapidly. The project will help the agency and potentially be used by others to prepare for deployment of a modern technology stack for managing agency records securely and fulfilling public records requests in a more comprehensive manner, thereby providing better public service to constituents.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

To avoid burnout, I’d say, first be vocal and share any of these feelings with a team member or supervisor. Any healthy work environment will embrace the situation and do what they can to help. Second, when faced with a difficult challenge or feeling a lack of motivation, exercise and fresh air are my go-to actions. Many of my best problem-solving experiences have been while I am outside walking with a colleague, not necessarily talking about work but connecting on other topics. Don’t be surprised by how powerful hitting the pause button on work and shifting to health and well-being will be in helping you avoid burnout.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

The first element that excites me is the unbelievable business potential because, despite rampant data breaches with roughly 60% of surveyed organizations (1), less than 30% of organizations even deploy encryption. So, since I am naturally a problem-solver, the second really exciting thing is to help people as well as organizations understand, deploy, and manage cybersecurity technologies. Obviously, with such a pervasive problem that is well recognized in the industry, it’s not an issue of organizations disputing this need for improved security-related defenses, so I enjoy using my philosophy of ease of use, instead of complexity, when it comes to technology. And third, what is especially exciting as it relates to cybersecurity is that I take great satisfaction in the fact that I can help organizations detect, and thus avoid, potential major data breaches which tarnish companies’ reputations, create serious trust issues and cause significant financial losses.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

In the future we can be assured that threats will be increasingly sophisticated for many reasons including major advances in augmented reality, artificial intelligence, and machine learning. While these are great innovations that can be applied for good purposes, the reality is that they can also be exploited for bad purposes and, therefore, we must prepare.

As former FBI Director Robert Mueller once said, “There are only two types of companies: those that have been hacked, and those that will be.” While this is a sensitive topic for IT professionals and can be quite embarrassing to organizations, we have found that modeling out a worst-case data breach scenario is often quite productive in establishing a solid data governance strategy and policy. In addition to establishing a solid data governance strategy, which is non-technical, the next common thing that we would recommend to start preparing is to take inventory of where and what data your company currently has. You would be surprised what incredible insights a company can gain if they simply took the time to do an inventory of their digital, as well as physical, corporate assets.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

Yes, I would like to share one story, in particular, that really resonated with me, and this is in regards to when the United Nations confirmed a ‘serious’ cyberattack with 42 core servers compromised (2) last year. From my experience in the enterprise content management (ECM) industry I know that Microsoft SharePoint is a widely used system among many organizations. So, when I learned that an unpatched SharePoint server was responsible for allowing hackers to compromise the United Nations’ critical authentication servers, I immediately put a special bulletin out to our clients, of course. But I also sent notification out to even our non-clients in the hopes that we could help others avoid the same mistake that the UN had made. I am very pleased to report that we were, in fact, able to review some of our current clients’ SharePoint environments where the security patches had not been applied, and we were able to take immediate corrective action to avoid potential disaster.

Another recent example of what not to do in a serious data breach for State and Local Government is with Tyler Technologies where they were slow to disclose and apparently haven’t been too transparent in their business practices (3).

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

We use many cybersecurity tools in our cloud services platform, including multi-factor authentication (MFA), encryption and intrusion detection, to name just a few. Each of these tools provides a certain capability that, when all put together, provides a secure user experience.

First, multi-factor authentication is a first line of cybersecurity defense which is much more secure than just a username and password login. You might be familiar with MFA: when you log in to certain applications, they will send you a temporary code as a second form of authentication proof before you can get access to your data.

Next, encryption in transit and encryption at rest ensure that data in our platform, whether it’s moving between devices and our cloud service or sitting in storage, is ‘scrambled’ (i.e. encrypted) so that it’s not readable by humans and cannot be easily hacked.

Finally, a very important technology for proactive cybersecurity defenses is our suite of intrusion detection systems that is continually monitoring and looking for abnormal activity that could be a signal of potential hack attempts. Some examples of abnormal activities would be a sudden spike in login attempts at an odd hour of the day, or an unusually high data transfer rate that doesn’t correlate with the regular data backup schedule. This could be a signal of someone attempting to download from one of our databases. Basically, we get notified immediately of attempted data breach intrusions and can take swift action to thwart these attempts.
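The two abnormal-activity signals named in that answer (an off-hours spike in login attempts, and a large transfer that does not line up with the backup window) can be checked with a few lines of rule logic over an event log. This is an added illustration, not cloudPWR’s code; the log format, the off-hours and backup windows, and the thresholds are all assumptions, and the log lines are constructed.

```python
from collections import Counter
from datetime import datetime, time

# Constructed sample log: twelve failed logins in the 02:00 hour from one
# source, three events during business hours, and three transfers that differ
# in size and timing. Format assumed: "TIMESTAMP KIND key=value ...".
SAMPLE_LOG = [
    f"2020-11-03T02:{5 + i:02d}:00 LOGIN_FAIL user=u{i % 3} src=203.0.113.7"
    for i in range(12)
] + [
    "2020-11-03T14:10:00 LOGIN_FAIL user=alice src=192.0.2.20",
    "2020-11-03T14:11:00 LOGIN_FAIL user=alice src=192.0.2.20",
    "2020-11-03T14:12:00 LOGIN_OK user=alice src=192.0.2.20",
    "2020-11-03T02:30:00 TRANSFER bytes=850000000 dst=198.51.100.9",
    "2020-11-03T10:00:00 TRANSFER bytes=20000000 dst=10.0.0.5",
    "2020-11-03T22:10:00 TRANSFER bytes=900000000 dst=10.0.0.5",
]

# Tunables (assumed values, not taken from the interview).
OFF_HOURS = (time(22, 0), time(6, 0))       # wraps past midnight
BACKUP_WINDOW = (time(22, 0), time(23, 0))  # nightly backup job
LOGIN_SPIKE_PER_HOUR = 10                   # attempts per clock hour
TRANSFER_LIMIT_BYTES = 500_000_000          # ~500 MB in one transfer


def parse_line(line):
    """Split one log line into a dict with a datetime, the event kind and its fields."""
    ts, kind, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "kind": kind, **fields}


def in_window(t, window):
    """True if clock time t lies inside window; handles windows that wrap midnight."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def login_spikes(events):
    """Clock hours with more login attempts than the threshold, outside business hours."""
    per_hour = Counter(
        e["ts"].replace(minute=0, second=0)
        for e in events if e["kind"].startswith("LOGIN")
    )
    return sorted(
        (hour, n) for hour, n in per_hour.items()
        if n > LOGIN_SPIKE_PER_HOUR and in_window(hour.time(), OFF_HOURS)
    )


def transfer_anomalies(events):
    """Transfers above the size limit that do not coincide with the backup window."""
    return [
        e for e in events
        if e["kind"] == "TRANSFER"
        and int(e["bytes"]) > TRANSFER_LIMIT_BYTES
        and not in_window(e["ts"].time(), BACKUP_WINDOW)
    ]


def run_checks(lines):
    """Run both rules over raw log lines and return the hits for each."""
    events = [parse_line(line) for line in lines]
    return {"login_spikes": login_spikes(events),
            "transfers": transfer_anomalies(events)}


if __name__ == "__main__":
    for rule, hits in run_checks(SAMPLE_LOG).items():
        print(rule, hits)
```

On the sample log only the 02:00 login burst and the 02:30 transfer are reported; the 22:10 transfer is just as large but falls inside the backup window, which is exactly the correlation the answer describes.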

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

This is a great question that I enjoy answering because it’s not the typical answer that you might expect from a technology company. The truth of the matter is that most “over the counter” software is just fine and there is no need to move to a contract with a cybersecurity agency. Even without a large team, the problem usually is not technology itself but rather the implementation and management of this technology. For example, having a software update policy, a regular system review strategy and then an overall cybersecurity governance plan can all be very time-consuming and complicated.

However, it can be done, even with a small team. Sometimes it’s good to contract with an agency for the simple fact that having a third party oversee cybersecurity provides an independent perspective.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

It is very important to be aware of the signals of a potential data breach or hack because the longer they go undetected, the longer the hacker is able to collect your data. One of the first things that a person can look for as a sign that something might be “amiss” is if your computer or mobile device is experiencing a significant slowdown in performance. Also, another clear sign of a potential breach is unexpected internet browsing behavior such as advertisement pop-up banners or landing on website addresses that you did not intend to go to.

Both slow performance and browser hijacks can be simple malware, which is inconvenient but sometimes not destructive, but these can also be indications of the initial stages of a more serious attack such as ransomware or a data breach, so you want to take care of these immediately. Another tip that something might be “amiss” is frequent network disconnections, because if your computer is compromised, oftentimes the increased data transfer, happening without your knowledge, overloads the network and causes disconnects. If you are experiencing any of these symptoms then you should immediately run a malware check and anti-virus check at the very least.

After a government agency is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

The very first thing that must be done is disclosure. Not only do you have a moral obligation, but there likely are legal requirements that a data breach must be disclosed in a timely manner. This is important because if a government agency has experienced a security breach then, obviously, the whole point is that the data is now out of their control.

In such cases the customers have a right to know so that they can be on high alert to monitor for unusual activity on their accounts and take corrective action. After disclosure, it’s important to be transparent about what happened, why it happened and what is being done to fix the issue. As you can tell, disclosure and transparency are not specifically technology-related; rather, these are policy-related considerations for government agencies. Oftentimes when there is a data or security breach, agencies are eager to fix the technical issue, which is critically important to be doing simultaneously with disclosing and being transparent, but they overlook good communication. Having a good data governance plan, and actually expecting the worst-case scenario regarding data breaches, is highly advisable.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA GDPR and other related laws affected your business? How do you think they might affect business in general?

These recent measures have had a massive positive impact on our business in particular, even though these privacy regulations are about data governance and not really about security per se. Given my personal history in document and data management, in addition to the AIRLIFT platform we’ve built, we have intentionally focused on highly regulated industries because we have a deep understanding and appreciation of the sensitive nature of this data.

We collect and manage lots of personally identifiable information (PII) and protected health information (PHI), so CCPA, CPRA and GDPR are variations of something we already know very well. It’s true that these recent privacy measures add additional complexity, but if I had to summarize our methodology in one word it would be “observability.” And since we already surface a lot of “observable” data through our metadata collection techniques to make AIRLIFT an easy-to-use application, we can use this same metadata to apply certain business rules and cybersecurity measures to ensure compliance.

What are the most common data security and cybersecurity mistakes you have seen government agencies make?

There are several common data security mistakes that government agencies make that we continually advise them to correct, and the fixes are quite reasonable and easy to implement, surprisingly enough. The first is always-on encryption instead of optional. In the past encryption might have been expensive and complicated, but nowadays there simply should not be any debate as to whether or not to make encryption optional. Encryption should be enforced, because honest misconfiguration mistakes happen all the time, so just simply eliminate this with always-on encryption.

The second common mistake relates to opening too many unnecessary firewall ports for network services such as virtual private networks (VPNs) and authentication services. Opening firewall ports should only be done when absolutely necessary because it’s like opening the front door of your home to potential hackers. By implementing modern innovation, we can still offer these needed network services but also still maintain a high level of security by not having to open unnecessary firewall ports (4).

Since the COVID19 Pandemic began and government agencies and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

Absolutely, I have seen a dramatic increase in cyberattacks and privacy errors since the COVID19 Pandemic began. In one example of a ransomware attack, the city of Lafayette, Colorado ended up paying a 45,000 dollar ransom to hackers (5). Unfortunately, hackers are not ethical and prey upon individual people and organizations when they are most vulnerable.

It really irritates me when people who are already having a difficult time experience additional hardship because of the greed of these hackers. Especially since the COVID19 Pandemic began, there has been a major increase in privacy errors because hackers know that many novice work-from-home users either haven’t been trained on proper cybersecurity techniques or don’t have the proper technology because organizations were caught off guard so quickly.

It’s a difficult situation for organizations because properly setting up a secure work-from-home user takes additional cybersecurity technology and implementation, and this was likely not in business budgets, so many organizations are taking an extreme risk of data breaches.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company or Government Agency Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

1. Have a solid data governance policy

Be prepared with a written policy and an action plan for data privacy and cybersecurity which details exactly, as best you can, how to handle certain worst-case scenarios. Many careers and agencies have been badly damaged, as in the case of the city of Lafayette, Colorado.

2. Share experiences to help others

Without a doubt managing cybersecurity is a massive undertaking, so, as we shared in our United Nations data breach example previously, we think the best approach as an industry is to share knowledge for the benefit of defeating hackers. Real-world learning experiences from other agencies are critically important to success.

3. Monitor proactively for “observability”

Using CCPA, CPRA and GDPR as guidelines, a good strategy for government agencies as a general rule is to collect data on every single action, or event, as it relates to who, when and why someone is accessing any sort of PII or PHI data. If you are collecting this data then applying rules to this data is much easier.

4. Reduce network attack surface by not opening unnecessary firewall ports

A majority of security breaches are a result of a single point of failure, and this is often an open firewall port which then gives hackers access to your entire network. Carefully control your firewall and expose only necessary services.

5. Consult an expert (when needed)

Not to fear-monger but the truth of the matter is that government agencies are one data breach away from losing the trust of their customers and there are many, many examples of this here (https://en.wikipedia.org/wiki/List_of_data_breaches) that will be even more current than the date of this published article. My advice is to take cybersecurity seriously and don’t be on that list!

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

How can our readers further follow your work online?

https://www.linkedin.com/in/shadrachwhite/
https://www.linkedin.com/company/airliftapp/

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

SOURCES:

  1. https://www.cbronline.com/news/enterprise-encryption-use
  2. https://www.forbes.com/sites/daveywinder/2020/01/30/united-nations-confirms-serious-cyberattack-with-42-core-servers-compromised/#551c7a0c633d
  3. https://krebsonsecurity.com/2020/09/govt-services-firm-tyler-technologies-hit-in-apparent-ransomware-attack/
  4. https://www.zdnet.com/article/ransomware-why-one-city-chose-to-the-pay-the-ransom-after-falling-victim/
  5. https://patents.justia.com/patent/10791095
