As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Jim Parise, president of Kelser Corporation, a leading IT consulting firm based in Glastonbury, Connecticut. Jim believes that technology is a business enabler and is proud to lead a company that helps businesses and organizations achieve their potential through technology. Kelser’s clients include Fortune 500 companies as well as small- and medium-size businesses in a wide range of industries such as health care, insurance and manufacturing. Jim was instrumental in developing Kelser’s comprehensive managed cybersecurity offering, which is tailored to each individual client in order to provide multi-layered protection designed specifically for their workflow and the data they need to protect. After joining Kelser in 1998, Jim worked his way up to president, assuming this role in 2019.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
Growing up in Connecticut, I was a ham radio geek. A career in technology was the natural path. My career started in the newspaper business right when it was evolving into the digital world and figuring out how to leverage technology to deliver the news.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
Cybersecurity has always been part of my career in IT, though the importance of it has increased over time. The moment I realized cybersecurity would become a central part of the identity of Kelser Corporation actually occurred when I went to see the doctor for my annual physical in 2008. My doctor was telling me about how he had experienced identity theft, and it suddenly hit me that the shift in the strategy of hackers from using “brute force” attacks to social engineering was going to pull every small business into the cybersecurity arms race against their will.
Can you share the most interesting story that happened to you since you began this fascinating career?
In October of 2011, a massive snowstorm hit New England while the leaves were still on the trees. The result was widespread and long-lasting power and communications outages. We worked with clients to get their systems back online quickly, and for many businesses, it was a wake-up call for how unprepared they were for a weather disaster or a cyberattack. Changes in backup and disaster recovery strategy and systems that went into place as a result of this storm prepared businesses much better for COVID-19.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
Kelser Corporation CEO Barry Kelly has given me the opportunity to grow as a technologist and leader working in a wide variety of IT disciplines over my more than two decades at his company. This broad experience prepared me for the role of president — I’ve done just about every job in the company. Through Barry’s vision for Kelser and insight into the ever-changing landscape of IT, he has created not only a growing business, but also a place to work that makes everyone better at what they do.
Are you working on any exciting new projects now? How do you think that will help people?
Cybersecurity regulations and certifications are, thankfully, catching up to the reality of the cybersecurity landscape in many different industries. For example, the introduction of CMMC, or the Cybersecurity Maturity Model Certification, is elevating the cybersecurity posture of the entire manufacturing industry. This new certification makes cybersecurity understandable and achievable for manufacturers throughout the supply chain. Kelser is actively engaged in working with manufacturers to achieve compliance with this standard. I think we will look back on this moment as the point when business and government collaborated to take a stand against cybersecurity in a new way and turned the tide on the increasing frequency and severity of cyberattacks.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Nothing causes burnout faster in IT than always being in reaction mode and never being able to take a step back and identify proactive steps that can make a huge difference in the long run. Many companies have a small IT department of one or two individuals who are usually technology generalists. They are typically not cybersecurity specialists, so expecting them to be in charge of the company’s defenses can be a source of tremendous stress.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
I have a great deal of respect for what it takes to build a successful business, and to help ensure the longevity and security of companies is fulfilling work that never gets old.
As the demand for cybersecurity services and expertise has ramped up so dramatically over the past decade, so has the caliber of talent attracted to this industry. Intelligent and creative people all around the world are setting their minds to cybersecurity problems, and it’s a very exciting movement to be a part of.
The pace at which threats mutate and emerge forces anyone working in cybersecurity to be agile and open to adapting new strategies and technologies. In some industries, it can be easy to get complacent or set in your ways. Thankfully, I don’t see that as an option in this field.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Honestly, most companies are not equipped to defend against the threats that already exist. The increasing sophistication of ransomware and spear phishing, for example, is outpacing the ability of businesses to defend themselves. Even if your company has excellent cybersecurity, your partners may not. We often see third-party breaches where a company is compromised by a vendor or supplier. That’s why industry-wide initiatives such as CMMC in the manufacturing space are so important. Until we raise the bar for businesses overall, we’re going to continue to see increases in the number of successful attacks and the damage they inflict.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
We got a call from a manufacturer in Manchester, Connecticut, which is just down the road from us, who was experiencing a ransomware attack. When they saw that one of the computers had been locked and a screen demanding a ransom had popped up, they immediately shut down the rest of the computers on their network and called us. The office network was separate from the shop floor, so fortunately they were able to continue production. However, the office did experience a day or so of downtime as we helped them recover their data and close the gaps in their defenses. We then began working with them to find ways to use technology to grow the business. Looking back on this, the president of the company recently reflected that the cyberattack was a turning point that led to thinking about IT strategically for the first time in the company’s 75-year history.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Our managed cybersecurity offering has dozens of potential layers that we can deploy depending on an organization’s need. Cybersecurity awareness training is essentially always part of the cybersecurity strategies we create and manage for clients because tricking employees into giving access to the system is the single most successful tactic hackers use. Cisco Umbrella is an example of a technology we use to take some of that human element off the table by preventing users from going to malicious websites that could cause them to download unwanted code. This tool has been particularly useful in 2020 because it works for remote employees as well as those in the office.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
It’s important to look at how much strategic expertise you need versus tactical implementation. For each company, the balance is going to be different. If you have an IT person or team on staff who are well suited to handle daily cybersecurity work if guided by a comprehensive plan, a fractional cybersecurity executive can be a cost-effective option. A vCIO or vCISO brings all the knowledge of a full-time executive without the hefty salary. Alternatively, you may have a decent understanding of the cybersecurity measures that need to be in place, but lack the resources internally to execute a strategy effectively. In some cases, it may be most efficient to outsource cybersecurity (other than engaging in awareness training) entirely.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
In many high-profile cyberattacks (Equifax, for example), companies with a large IT staff do not discover a breach for days, weeks or months after it has occurred. It can be quite difficult for a layperson to detect a breach. A sudden change in the performance of the network can be a red flag. Checking firewall logs for traffic to sites you don’t recognize or general changes in network traffic is another way to root out a breach early.
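The firewall-log review described in that answer can be scripted so that a small IT team does not have to eyeball the logs by hand. The following is an added example, not Kelser’s tooling or anything from the interview: it assumes a simple, hypothetical firewall log line format (timestamp, ALLOW/DENY, source, destination, byte count), builds a per-destination baseline from a previous day’s lines, and then reports two things for today’s lines: destinations that never appeared in the baseline (the “sites you don’t recognize”) and known destinations whose outbound volume has grown sharply (the “general changes in network traffic”). The log lines and IP addresses are constructed sample data.

```python
"""Added example: flag unfamiliar destinations and traffic surges in firewall logs.

The log format below is hypothetical; adapt LOG_RE to your firewall's export.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical line format: "<ts> ALLOW|DENY <src>:<port> -> <dst>:<port> bytes=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+bytes=(?P<bytes>\d+)$"
)

# Constructed sample logs: a quiet baseline day, then a day with two oddities.
BASELINE_LOG = """
2020-11-02T09:01:10 ALLOW 10.0.1.15:51234 -> 203.0.113.10:443 bytes=30000
2020-11-02T09:05:44 ALLOW 10.0.1.22:51300 -> 203.0.113.10:443 bytes=20000
2020-11-02T10:12:01 ALLOW 10.0.1.15:51401 -> 203.0.113.20:443 bytes=20000
"""

TODAY_LOG = """
2020-11-03T09:02:17 ALLOW 10.0.1.15:52011 -> 203.0.113.10:443 bytes=35000
2020-11-03T09:06:09 ALLOW 10.0.1.22:52120 -> 203.0.113.10:443 bytes=25000
2020-11-03T11:40:55 ALLOW 10.0.1.15:52388 -> 203.0.113.20:443 bytes=90000
2020-11-03T23:15:02 ALLOW 10.0.1.15:52402 -> 198.51.100.77:4444 bytes=12000
2020-11-03T23:15:30 DENY 10.0.1.15:52403 -> 192.0.2.9:25 bytes=0
"""


@dataclass
class Flow:
    ts: str
    action: str
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_log(text):
    """Turn raw log text into Flow records, skipping blank or unrecognised lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            continue  # a real parser would count these so format drift is noticed
        flows.append(Flow(m["ts"], m["action"], m["src"], m["dst"],
                          int(m["dport"]), int(m["bytes"])))
    return flows


def bytes_by_destination(flows):
    """Sum bytes per destination IP, counting only traffic the firewall allowed."""
    totals = defaultdict(int)
    for f in flows:
        if f.action == "ALLOW":
            totals[f.dst] += f.nbytes
    return dict(totals)


def find_anomalies(baseline_flows, today_flows, growth_factor=3.0):
    """Return (new destinations, surging destinations) relative to the baseline.

    A destination "surges" when today's allowed bytes are at least growth_factor
    times its baseline volume; the tuple stored is (baseline_bytes, today_bytes).
    """
    base = bytes_by_destination(baseline_flows)
    today = bytes_by_destination(today_flows)
    new_destinations = sorted(d for d in today if d not in base)
    surges = {}
    for dst, nb in today.items():
        if dst in base and base[dst] > 0 and nb >= growth_factor * base[dst]:
            surges[dst] = (base[dst], nb)
    return new_destinations, surges


def review_sample():
    """Run the check over the constructed sample logs."""
    return find_anomalies(parse_log(BASELINE_LOG), parse_log(TODAY_LOG))


if __name__ == "__main__":
    new_dsts, surging = review_sample()
    for d in new_dsts:
        print(f"NEW destination not seen in baseline: {d}")
    for d, (before, after) in surging.items():
        print(f"SURGE to {d}: {before} bytes in baseline, {after} bytes today")
```

Run as-is it reports one never-before-seen destination (198.51.100.77, which a human would then look up or ask about) and one known destination whose volume jumped 4.5x. The baseline should be built from several normal days rather than one, and any destination it contains is only “known”, not “safe”; the script narrows what a person has to look at, it does not replace the looking.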
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
If possible, shut down the network immediately to contain the breach. In the example I discussed earlier of a ransomware attack Kelser helped remediate for a manufacturer, their IT manager shutting the system down quickly greatly reduced the severity of the damage.
Next, follow your incident response plan, which should detail who to call and in what order including your attorney, the authorities, your cyber liability insurance provider, managed service provider or incident response firm. The plan should also outline how to communicate with customers, employees and partners.
The increasing volume of privacy legislation is overall sharpening everyone’s focus on protecting personal data. HIPAA, for instance, makes cybersecurity for medical practices not just good business, but a matter of legal compliance. HIPAA compliance is where we start to form a cybersecurity strategy when health care providers engage Kelser.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Having an incident response plan is often the difference between successfully weathering a cyberattack, and a complete disaster. It’s the sort of thing that’s easy to put off, and hey, you might get away with it, but scrambling with no plan when a cyberattack hits is not something anyone wants to go through.
Once an incident response plan is in place, it has to be reviewed and updated regularly. Having a plan that no one has looked at or thought about in over a year is essentially not having a plan. Personnel and technology are always changing, so the plan needs to be up to date and fresh in the minds of key employees.
Similarly, backup and recovery systems need to be tested regularly. I have seen companies who thought they had a backup left in dismay when that backup failed after a long period of neglect. Unfortunately, the “set it and forget it” mentality simply does not work in a field as fluid as cybersecurity. Any organization that can’t handle the upkeep internally needs to outsource that responsibility.
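“Tested regularly” means actually restoring, not just checking that a backup job reported success. The following is an added example, not Kelser’s tooling or anything described in the interview: it records a SHA-256 manifest of the files at backup time, restores the archive into a scratch directory, and compares every file against that manifest. The sample directory, the archive name and the deliberate truncation used to imitate a backup that has silently broken are all constructed for the demo.

```python
"""Added example: a scripted restore test for a tar.gz backup.

Everything here (sample files, archive name, the truncation that imitates a
neglected backup) is constructed for the demo; it is not a production tool.
"""
import hashlib
import pathlib
import tarfile
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (as a relative path) to its SHA-256 digest."""
    root = pathlib.Path(root)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src_dir, archive_path):
    """Write a gzipped tar of src_dir and return the manifest taken at backup time."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    return build_manifest(src_dir)


def verify_restore(archive_path, manifest):
    """Restore into a scratch directory and compare every file against the manifest.

    ok is True only when the archive extracts cleanly and every manifest entry
    is present with an identical digest.
    """
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                if hasattr(tarfile, "data_filter"):
                    # Newer Pythons: refuse members that would escape restore_dir.
                    tar.extractall(restore_dir, filter="data")
                else:
                    tar.extractall(restore_dir)
        except (tarfile.TarError, EOFError, OSError) as exc:
            return {"ok": False, "error": f"restore failed: {exc}",
                    "missing": [], "mismatched": []}
        restored = build_manifest(restore_dir)
    missing = [p for p in manifest if p not in restored]
    mismatched = [p for p in manifest if p in restored and restored[p] != manifest[p]]
    return {"ok": not missing and not mismatched, "error": None,
            "missing": missing, "mismatched": mismatched}


def run_demo():
    """Back up a constructed directory, verify it, then verify a damaged copy."""
    with tempfile.TemporaryDirectory() as work:
        src = pathlib.Path(work) / "office-share"
        (src / "accounting").mkdir(parents=True)
        (src / "accounting" / "ledger.csv").write_text("date,amount\n2020-11-03,1200\n")
        (src / "README.txt").write_text("constructed sample data\n")

        archive = pathlib.Path(work) / "office-share.tar.gz"
        manifest = create_backup(src, archive)
        healthy = verify_restore(archive, manifest)

        # Imitate a backup job that has quietly broken: the archive is truncated.
        size = archive.stat().st_size
        with open(archive, "r+b") as f:
            f.truncate(size // 2)
        neglected = verify_restore(archive, manifest)
    return {"healthy": healthy, "neglected": neglected}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, "OK" if result["ok"] else "FAILED", result["error"] or "")
```

The healthy archive passes; the truncated one fails either because extraction raises or because files are missing from the restored copy, and the result says which. Scheduling a run like this against the most recent backup, and alerting when ok is False, is what turns a backup from an assumption into something the business can rely on.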
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
COVID-19, and the sudden transition to working from home that accompanied it, forced companies to examine more closely how they are extending security protection to employees working remotely. Some companies had very secure office environments and remote work was fairly rare for their team, so they hadn’t given a great deal of attention to maintaining security for employees working from home. Hackers seized this opportunity almost immediately. It wasn’t so much that there were new threats being launched (though there were some), but more that known strategies such as phishing suddenly worked a lot better. Home networks are generally more vulnerable to begin with, and the ad-hoc nature of the COVID-19 business environment made phishing attempts more believable. For example, an email that appears to come from an executive asking for financial information might seem out of the ordinary normally, but during COVID, one might think, “Well, she must not be able to access this info from her home office. I better send her what she’s asking for.”
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Fully understand the compliance requirements that apply to your sector or business, whether that’s PCI for companies processing credit card transactions, HIPAA for health care organizations, or CMMC for manufacturing. If there isn’t a standard in place for your industry now, there likely will be soon. Keep track of developments for your industry or adjacent industries and prepare for requirements that may come soon. Despite years to prepare for NIST 800-171 (a certification in manufacturing that preceded CMMC), many manufacturers failed to achieve compliance before the deadline, and some lost business as a result.
- Train on an ongoing basis. Rather than making an all-out blitz to train your team on cybersecurity, it’s most important that you train frequently. This can be done through brief modules employees complete when it fits for them. Hands-on exercises such as simulated phishing also help the team get excited about sharpening their cybersecurity awareness.
- Understand your cyber liability policy. Often, cyber liability policies require certain best practices be in place in order to make a claim. Ensure that you can’t be found negligent by the insurance company if a breach occurs, otherwise your insurance is worthless.
- Get inside the heads of hackers. Cybercrime is a business. Just as companies need to understand their competitors’ business models, knowing how hackers operate can better equip you to stop them. For example, companies often don’t realize how valuable the data they have is until they investigate what dollar amount it might fetch on the black market. Knowing the type of payday hackers could expect if they’re able to breach the system motivates companies to keep their defenses strong.
- Learn from mistakes. I often think about a business owner I met who had recently experienced a ransomware attack that locked the whole environment and shut the business down for days while the ransom was paid. I asked him what he was going to do to fix the vulnerability and he told me that he thought his company would be safe now because the hackers had already been paid off. The truth is that hackers are opportunists and more than happy to exploit the same vulnerability more than once. Plus, there are many, many different groups of hackers out there and if one was able to get into your system, another one can’t be far behind.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
During COVID-19, it became apparent that for each of us, there is more at stake than our individual health. We’re not just responsible for keeping ourselves well, but also for protecting others we might pass the virus on to if we contract it, who could be much more vulnerable than us. I think we need the same community mentality for cybersecurity. Protecting your data is also protecting your customers, employees and partners.
How can our readers further follow your work online?
Our blog at kelsercorp.com is frequently updated with IT tips, trends and analysis of technology news that affects businesses. We also post the latest cybersecurity information daily on Twitter, LinkedIn and Facebook.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!