Every business has a rough day now and then. Sometimes it’s a slow sales day. Sometimes it’s the day a key employee puts in their two weeks’ notice. But increasingly, it’s the day a cyberattack happens.
In fact, nearly half of all small businesses in the US have recently experienced cyber security incidents, with many of those incidents resulting in hours (if not days) of downtime and significant financial loss.
While cyberattacks may be inevitable, there are ways to reduce their impact on your business and the people you serve. At Ruby, we’ve learned how through years of experience and a few encounters with cyberattacks, including the one that recently brought down our hosting provider.
I sat down with Todd Hinnen, a partner with the Privacy & Security practice at Perkins Coie, to share our learnings from these experiences with the small business community. In addition to acting as Ruby’s cybersecurity attorney, Todd has served with the Department of Justice, the National Security Council, and as Chief Counsel to then-Senator Joseph R. Biden. Suffice it to say, he knows his stuff.
Watch this video for Todd’s tips about spotting a cyberattack—and check out the full four-part conversation on our YouTube channel.
Read the interview.
Hi, I’m Kate Winkler, CEO at Ruby, and I’m pleased today to be joined by Todd Hinnen. Todd is a partner and head of cybersecurity at Perkins Coie. And Todd is Ruby’s cybersecurity counsel.
Todd, I want to get started today by having you start with an introduction because you have a really interesting background.
Thank you, Kate. Happy to give a short introduction. As you mentioned, I’m a partner at Perkins Coie in the Privacy and Data Security practice here. Before I joined Perkins Coie I was a federal prosecutor in the Department of Justice’s computer crime section. I was at the National Security Council for a few years, coordinating the inner agencies’ approach to terrorist use of the internet, terrorist financing, and cybersecurity. I was briefly then Senator Joe Biden’s chief counsel his last two years in the Senate. And then I was a member of the leadership team and ultimately the leader of the Department of Justice’s National Security Division.
So you’re a little bit of an expert here.
A little bit of a background in this area, yes.
Well, I really appreciate you joining me today because, for the benefit of our audience, you and I met last July when Ruby was impacted by the big Kaseya cyberattack. Kaseya is a remote monitoring and management system and it’s one of our vendors that pushes updates throughout our system. They experienced a global cyberattack impacting hundreds of thousands of businesses, and Ruby was just one. And unfortunately, you and I got back together this week, when Opus Interactive, who is our hosting provider, was the target of a cyberattack as well. So, this conversation’s pretty fresh of mind.
What I want to do today is give our Ruby community practical tips and advice on what to do if they’re impacted by a cyberattack and how to spot a cyberattack.
So, Todd, could you help us understand how do you see those typical signs of when you might be under attack?
It’s really difficult to overemphasize the importance of preparing for the possibility of an attack. Companies should be conducting risk assessments to identify their biggest cyber risks. They should be implementing controls to mitigate those risks, developing policies and procedures to make sure they take a holistic approach to cybersecurity across their organizations, putting in place an incident response plan so that they have some of those early detection mechanisms, and then making sure as a technical matter that they’ve got incident detection and malware detection throughout their computing environment so that they get an early warning when they may be subject to an attack or an intrusion.
And are there typical signs of what those early warnings might be? Is it system monitors, an abrupt shutdown as an example?
Yeah. It really depends on the kind of attack that you’re subject to. So a ransomware attack will look very different from a spear phishing attack, which will look very different from a watering hole attack, which may look very different from an invisible attack—where someone gains access to your network, conducts reconnaissance, over a period of months, installs backdoors, and that kind of thing.
So, really, again, sort of taking a holistic view of your environment—understanding where your sensitive data is, what the risks to it are, and putting in place those technical measures that can give you an early warning, regardless of the form the attack takes, can be important.
That’s a super interesting point, because you went through a list of all the things, and I’m going, “Yep, Ruby does that. Yep, Ruby does that. Yep, Ruby does that.” We have all the monitors. We have all the systems in place. However, both of our attacks were through vendors that we use, so how do we think about that piece of it? Not only do we have to monitor our own systems—do we have to monitor our vendor systems too?
Yeah. I mean, that’s an increasing challenge and an increasing problem for companies as they rely more and more on third-party vendors to provide services that enhance their business. And, really with respect to vendors, there are a few things you can do ahead of time. You can circulate a cybersecurity questionnaire to them when you’re onboarding them. Or, if they’re a particularly important vendor you can conduct an audit or require that they get a penetration test as part of the onboarding process. When you contract with the vendor, you can make sure that the contractual terms are favorable and require them to provide you with prompt notice when they detect an attack. And then you can make sure that both you and they are well-insured against the damage that can be caused by a cyberattack.
But as a practical matter, at the end of the day, with respect to vendor attacks, you’ll usually identify them if they visibly affect your vendors’ operations, and you see that the service is no longer available or that is no longer functioning the way it should, or the vendor will detect it and notify you.
That’s so important because we have a lot of those things that you’re talking about in place. One thing I would add is that I think we over-relied on was how transparent our vendor was going to be in a lot of these scenarios. And so, we’re now taking a completely different lens of saying how do we have a backup vendor for our primary vendor, active/passive vendor, active/active vendor, et cetera. Because even in that scenario where you go through all of the recommendations that you just outlined here, there’s still another scenario that things aren’t going to go as, as you expect, and you have to be prepared with a different environment.
I think that’s absolutely right, Kate. And you know, one of the most common forms of attacks these days—and one I’m sure we’ll talk about more—are ransomware attacks. Backups really are the key antidote to those, and thinking broadly about backups—not only of your system, but as you said, when you strongly depend on a particular vendor—being able to back up that vendor’s role and back up the data that vendor possesses for you can be critical too. Again, thinking about all this in advance and making sure that you can restore your systems, you can default to backup vendors or backup systems or backup data sets can be critical to an effective recovery.
For more videos full of small business tips and insights, subscribe to Ruby on YouTube.