Shark Tank’s Robert Herjavec: On How To Tell If You Are Cyber Secure

The following post originally appeared on Forbes | June 22, 2015

Last Monday – the 15th – password storage maker LastPass was hacked, exposing the email addresses and encrypted master passwords of its users. Last Tuesday – the 16th – in Congressional testimony, House Oversight Chairman, Jason Chaffetz, said that federal cybersecurity “stinks” in response to the governmental breach that happened earlier this month, exposing the personal information of millions of current, former, and prospective federal employees. Let’s not forget about the Sony and Target breaches in 2014 and 2013, respectively.

As newsworthy as all of these events are, they’re just a small percentage of the continually and aggressively expanding world of cybercrime. All of the above are institutions that, based on their expertise, access to resources, and fiduciary responsibility to their clients and/or employees, should have held themselves to a much higher standard. But here they are, living on a timeline that is now brightly marked as pre- and post-breach.

Though “hackers” have been around for more than 100 years – see Nevil Maskelyne – proliferation didn’t really begin until the internet started to mature and personal computers gained traction in the 1980’s. So, being that this is a relatively new battleground – and a quickly evolving one at that – cybersecurity is a lesser known commodity to most, and isn’t, perhaps, as embraced and understood as it should be.

Today I speak with Robert Herjavec — Shark Tank investor and CEO and founder of Herjavec Group — about some of the cyber-based concerns and realities that face organizations today. See our exchange below:

On Takeaways From The White House Summit On Cybersecurity And Consumer Protection

Parnell: You were a guest at the White House Summit on Cybersecurity [and Consumer Protection] this February. It was interesting, no doubt. What was your biggest takeaway from that?

Herjavec: Well, the biggest takeaway I got was from Secretary [of Homeland Security] Jeh Johnson. He said that the US Government, today, considers four areas of combat or conflict, globally. They’re land, sea, air, and space. And the US Government considers itself a leader in all those spaces. But they now see a fifth area of conflict, which is the Internet of Things. And they don’t think they’re a leader in that, today, but they have a very clear, aggressive strategy to be one.

So, I think we all talk about privacy and security, but for those of us in that industry — cybersecurity — it is a very real thing. And it’s going to get much better, or it is going to get much worse before it gets better. And fundamentally, this is because of no other reason than the simple proliferation of access points.

You look back a few years ago and the only way people in large enterprises had access was with a desktop computer. And then we had laptops. So some people had a desktop and a laptop. And now people have a mobile phone, and they have an iPad. So the average enterprise has probably doubled the amount of access points, if not quadrupled them, in the last five years alone.

On Why Privacy Really Matters

Parnell: Taking privacy into consideration, I don’t personally care if the NSA, for instance, is listening to my phone calls. At least on the surface, I think if you’re not doing anything wrong, why would you care if the government is listening to what you’re talking about, or doing online? What are your thoughts on this?

Herjavec: Well, it’s interesting from two perspectives. The first one is what you just said: “If I’m not doing anything wrong, why do I care what the government is looking at?” And so my view on that is you don’t have to be doing something wrong; it’s more about what somebody does wrong with that information.

It’s kind of like being sued. You know, when I started in business I had never been sued. And then somebody sued me for something that had absolutely no relevance in fact. But they still served me with a claim. I was devastated. I was devastated because this claim said I had done all these horrible things, but I had done none of them. I didn’t know this at the time, but I learned that some people in business use law suits as part of their strategy. You can sue anybody for anything, whether it’s based in fact or not.

So, using that as an example, if somebody wanted to use your information even though you’ve done nothing wrong, and they wanted to steal your identity, or mortgage information, or any of that stuff, you should care because it’s not what you’ve done wrong, it’s what somebody is going to do with your personal information.

The second part of that is who gets access to the information once the government is using it? Because if it is accessible by a government, how do you know who in the government, and what they’re going to use it for? So you may not be a terrorist, but maybe you didn’t file an expense claim that you should have and that information is going to end up with the IRS, or it’s going to end up in someone’s account, or it’s going to be a part of your health records, and on and on and on.

Parnell: I think one of the challenges for cybersecurity is that it’s not tangible; it’s not right in front of us and as a result we don’t necessarily take it as serious as we should.

Herjavec: When you think about it, there are two aspects to it. There’s the personal aspect of it, and that relates to personal information: credit cards, antitheft, and so on. And that continues to grow and it’s a big issue — I’m not saying it’s not — but the real danger is large scale enterprise cyberterrorism. I mean, yeah, I really care about my personal information being out there. And I really care about my credit cards not being compromised. But I care more that an air traffic control system doesn’t have a malware that’s going to put an airplane in the same spot as another airplane. That’s what I really care about. And I really care that the utility system isn’t going to go down when I’m having an emergency operation. Both of which are very real threats in the current environment.

On The Most Vulnerable Points In An Organization

Parnell: What are the most vulnerable access points within an organization? I’ve read often that people are the most vulnerable points. Could you talk about that? What are the most vulnerable points, and why are they so vulnerable?

Herjavec: There’s no doubt that every large scale cyberattack has some element of social engineering to it, or human element. As long as there are human beings on our network, we’ll fundamentally be insecure. It’s just the way it is.

We used to click on SPAM when we thought we won the lottery. When we teach our customers, we say “You can’t really win something you haven’t entered.” And “There really aren’t that many women in Eastern Europe that want to meet you.” And “You’re really not that sexy.”

You know, it’s a cute way to point that out because people still do click on it. But those kinds of attacks – phishing attacks — are becoming much more targeted. For example, we got an attack this morning where somebody sent a very realistic looking email to me that looked like part of our ticketing system. So those are the kind of things that are entering the market, you know? I don’t think it’s ever going to go away. It’s just a continual process of education. But there’s also technology for [Data Loss Prevention] and catching that type of stuff that continues to get better and better.

On Identity Management

Parnell: With that technology in mind, what do you see as the fastest growing area in cybersecurity?

Herjavec: Identity and access management is a fast growing part of cybersecurity. You know, identity in the sense of is “Robert Herjavec” logging onto the network at the Herjavec Group this morning at 9:05 AM really Robert Herjavec?

The President alluded to this a little bit [at the White House Summit on Cybersecurity]: You’re going to start to see legislation that places the onus of responsibility back to the enterprise. I see a day where the government will come to a company and say “Prove to me that ‘Robert’ was Robert on your network at this time on this date.” And I think the basis of all that is going to be logging infrastructure.

A log is really an electronic fingerprint. Every time you hit a key on a network, or on your phone, it creates a log. And those are billions and billions and billions of records that are being created every day. So you have to have a cohesive security strategy; you’ve got to have that information. You’ve got to be able to not only gather it and collect it, but analyze it. And that’s why you’re seeing the growth of analytics in companies like Splunk, which are worth so much money because they have the ability to do that.

On What Really Happens In Remediation Efforts

Parnell: From your viewpoint, from your perspective, what is it actually like to go through a remediation effort? Imagine that I’m an organization and I’ve had a breach, what does it look like when you come in and fix this and clean it up for me?

Herjavec: It’s an interesting question because the first part that many companies don’t realize is, when you do have a breach, who are you going to call? Who are the Ghostbusters of cybersecurity? A lot of people think “Oh yeah, I’m going to call the police.” But the government’s job is not to remediate your network. The government’s job is to collect evidence.

When you get breached, what do you really want? You want to get back up as quickly as possible. That’s it. Full stop. The CEO of every company that’s been breached: Yes, they want to know how it happened. Yes, they want to protect their brand. But what they really want is to go back to business as usual as quickly as possible. And when you don’t have a relationship with somebody that knows your environment, you’re spending valuable hours and days trying to piece the information together before you can remediate it.

What we always encourage companies to do is to have a relationship with somebody that can help you before you need them. Kind of like it’s good to have a relationship with an alarm system company that’s monitoring and managing the environment, which can send the police car out, or can send a guard out, as opposed to waiting until you’ve gotten broken in and then signing a deal with them.

On Their Most Complex Remediation

Parnell: Obviously you can’t tell me who the client was, but could you talk to me about the most complex remediation that you’ve done?

Herjavec: The largest deal that we worked on was an American-based gaming company that was attacked by a foreign government. It was one of the largest attacks by a foreign government against a private U.S. corporation at the time. This company was more or less shut down for 48 hours. And it was pervasive throughout their entire system — from the hotel systems, to the gaming systems, to everything — and it was purely an attack that was meant to hurt the company. There was some element of negative publicity that the foreign government didn’t like, so they really just wanted to hurt this company. They wanted to see how they could shut them down. Kind of like the Sony attack, if you will; if that’s what we believe the Sony attack to be. But it’s just the power of being able to do that. This was a very large corporation.

What we found was it took a long time to bring them back up because you’re constantly scrubbing systems that are constantly being re-infected. And so, what I always say is “It’s important to know what your ‘good’ looks like before you’re faced with that.”

Most people, when they’re breached, can’t clearly, quickly, come up with a way to know what their clean environment looks like. So you’re constantly remediating systems, but you don’t know what to compare it to. And so that’s one of the things we recommend to people: Be very vigilant and make sure that you can always, on a regular basis, show what good looks like just in case bad happens.

Parnell: Are you ever able to get back to 100% after remediation?

Herjavec: Yeah, for sure.

On The Major Cybersecurity Implements That An Organization Should Have

Parnell: At 20,000 ft., what are the major cybersecurity implements that an organization should have in place? Any CIO would have at least a good idea, but the average person who’s perhaps looking at their company and wondering whether or not it’s secure, what would you tell them to look for?

Herjavec: I always look at it as a home analogy. I see three levels of security at a 20,000 foot level. The first one is what I call doors, locks, and windows. And in the corporate world, what are those? Those are firewalls; those are [intrusion prevention] systems; and those are malware network devices. You need those. Are they going to stop a burglar? No. But it’s good to have a door on your house.

The challenge as your home gets bigger: you have more doors, more windows. So how do you protect all of it? When you’re not home, you can’t watch the doors, you can’t watch the windows. So the next level is the alarm system. And there’s two parts to an alarm system. The physical alarm system, and an alarm company monitoring it. Today many companies are putting in alarm systems — which are called a “SIEM” — and that’s software and hardware that takes the logs, analyzes them, and tells you what’s going on. So an alarm is looking at all your doors and windows and saying “What’s going on? Is somebody breaking in?” But at an even higher level, the alarm company is monitoring it in case something’s happened. So you need both of those.

And the third level of that is what happens when you have multiple homes? So in that same analogy, all that was great when we had one home. But now I have 50 homes. How do I make sense of 50 alarm systems and 50 alarm monitoring companies? I now need software that analyzes every time I get a call from an alarm company. And that is analytics.

The level of sophistication in most enterprises today is not at the analytics level. Most of them are going from doors and windows, if you will, to buying the alarms. And that’s where a lot of the growth is. McAfee/Intel bought a company called Nitro Security a number of years ago. IBM bought Fiberlink and Trusteer. ArcSight was acquired by HP. All those people make the “alarm systems.” The biggest ones, and some of the fastest growing ones, are companies called SPLUNK and SUMO, which not only make the alarms, but make them in the cloud, which is really interesting because you don’t need anything on site now.

On The Escalation Of A Breach

Parnell: So, let’s say you have a system in place that is doing all of this. You have software that is watching the network and can send out an alarm that there’s a breach. What is the next level from there? Is this something that goes to the CIO of the company and then there’s some sort of a shutdown? How does that escalate?

Herjavec: Then you need a remediation plan. With most breaches — like Sony or Target — the one consistent factor is that they will breach for a long time before the company actually knows it. Today the general theory is that you can’t really stop somebody from breaching your network if they really want to get in. but the question becomes, how long will it take you to know that they are there? And so the wise thing in cybersecurity today is how quickly you can realize that you’ve been breached and respond. And that’s really the goal, the target: to cut down the time. So instead of knowing six months later, or three months later, knowing in a few minutes. And cyber breaches are incredibly easy to fix if you can quickly determine that you’ve been breached. The longer they go, the more they proliferate, and the more systems they infect and it becomes harder.

On Law Firms Being Held To A Higher Standard

Parnell: My business is BigLaw. And they obviously have a fiduciary responsibility towards their clients and their client’s information. Should they be conducting themselves differently than other corporations or banks, for instance? Is there anything special that they should be doing?

Herjavec: Every sector of the economy has a different requirement. You’ve got HIPPA, you’ve got general privacy issues under Sarbanes Oxley, and most audit boards today have a privacy component or cybersecurity component. PCI — the payment card industry standard for anybody who does credit card transactions and processing — is probably the biggest one for cybersecurity… I think you’ve got to adhere to all those compliance requirements, but every industry has its own set of rules and standards.

I think a law firm obviously has more onus on keeping client information private, which is a different challenge to doing business online than a manufacturing company. But it all becomes pervasive. I mean would Sony ever have thought that they would be a victim of a large scale attack? They are movie studio. I guarantee you that two years ago they would have thought “Well, who would really want to breach us?”  So, regardless of what industry you’re in, it makes sense to hold yourself to a very high standard.

On The Top Questions CEOs Should Be Asking Their CISOs.

Parnell: Agreed. Now the top two or three questions that CEO’s or chairpersons — or even employees of an organization or a firm — should be asking their CISO or CIO. What are the top things that they should be looking for to feel that their organization is well protected?

Herjavec: I think the first one is going back to our house analogy. Do we have the right doors and windows in place? Do we have the right firewalls? Do we have the right tools in place? Many companies have had stuff in place for a long time that is outdated and needs to be updated. You can’t fight a modern war with weapons from a hundred years ago. And everything in the internet world moves really quickly. I think that’s the first question.

The second question that I would be asking if I was the CEO is “Okay, assuming we have the right tools, how are we collecting that data and who’s watching it?” Someone’s got to be watching it and monitoring it all the time.

And then the third question is “If we did have a breach, what’s our game plan?” What’s our remediation plan if it happens?”

Obviously there are multiple levels within that, but those are the questions that every CEO should ask. And that isn’t the responsibility of just the CISO; Every CEO should know that.

*Robert can be followed at twitter.com/robertherjavec

Email: [email protected] Twitter: @davidjparnell

Books: The Failing Law Firm: Symptoms And Remedies; In-House: A Lawyer’s Guide To Getting A Corporate Legal Position