Arizona Technology and Innovation: Securing Data

More from this show

Data breaches for companies are a matter of “when,” not “if.” Companies can make numerous mistakes when it comes to securing data. Michael Kelly of Jennings, Strouss & Salmon Law will discuss the biggest mistakes companies make with data security.

Ted Simons: Tonight's look at Arizona technology and innovation focuses on data breaches. For most companies, data breaches are not a matter of if but when. So what can companies do and what mistakes can be avoided when it comes to securing data? For the answers, we welcome Michael Kelly of Jennings, Strouss & Salmon Law. Good to have you here. I've got a bunch of pretty basic questions for you but we'll see how we go here. Data breach. How big is that problem?

Michael Kelly: It's huge, and it's getting worse. Current estimates suggest that data breaches are costing companies approximately four to $500 billion a year in damages and the U.S. takes the brunt of that in excess of $100 billion a year.

Ted Simons: And we hear a lot about retail, the major big box stores getting hit. But from what I'm reading in this, most breaches are in the healthcare sector; is that correct?

Michael Kelly: Healthcare sector is particularly vulnerable because of the nature of the information. When you have health information for individuals, you have information that can not only be held hostage but you have the credit card and payment information which can be sold on the black market.

Ted Simons: Hackers, are we talking third parties, who's doing all of this?

Michael Kelly: Well, you have hackers certainly, a lot of them are doing it for fun and to prove themselves, to prove that they've got street cred among hackers. But increasingly we have state-sponsored terrorism, cyberterrorism. And we think longer term that's the growing threat, not just longer term. It also poses an immediate threat. It's been said that world war iii is not going to be fought with guns but with computers.

Ted Simons: Are they getting smarter, are we getting more lackadaisical, combination of both?

Michael Kelly: They are getting smarter. There are a number of companies that are, their boards, their leadership, is getting with the program but there's still a bit of a cultural malaise. There's still among some companies, there's a bit of let's not let it out that we're as vulnerable as we are. Or people won't want to do business with us and we need to overcome that. We need to get companies invested in the threat so boards take this threat as seriously as quarterly sales data.

Ted Simons: So what must businesses do to secure data?

Michael Kelly: Well, there's a number of things that businesses can and must do. I would like to challenge the premise that you mentioned earlier that it's not a question of if but when. Certainly for many companies it is a question of not if but when. But we would like to try to help companies increase their awareness that it doesn't have to be them. While it can be stated as a question but when, it's also been said that 80% of security breaches are avoidable. So there's some things that companies can do a lot better. One of them, one of the chief ones, is it's a cultural shift, which is the days when companies, particularly public companies or companies that are in possession of confidential customer data, credit cards, health information, the days when boards can relegate that to I.T. are gone. Someone at the board level needs to be invested with the responsibility for immunizing the company against a serious cyber breach or data breach.

Ted Simons: As part of that malaise you were talking about?

Michael Kelly: It's the malaise that we need to overcome. Technologically one of the biggest things that will come with that shift is the notion that companies, they think if they've got fire walls in place, that they're okay. Firewalls are good as far as they go but no technology is fail safe. Even the fire walls are themselves vulnerable, and one example that we like to use to make that point is that when you configure fire walls, you'll configure it with a set of rules. If those rules are inconsistent, say there's one rule that says we won't accept any traffic from China, just to take an example and later, they have a rule that says we're in the defense department supply chain so we must accept traffic from any dot gov. Well, there are U.S. government installations in China or that will use a top level domain from China. So even though one level rule may prevent that traffic, a subsequent rule may allow it in.

Ted Simons: So these are great ideas. How do you get companies to do this? Do you use the carrot, the stick? If these people get fined enough or punished enough, is that what you've got to do?

Michael Kelly: Well, lizard squad is out there trying to humiliate them into getting the message, that's what we're seeing them do with Sony and hackers are trying to get their attention by proving that their systems aren't adequate. So yeah, it's a combination of the carrot and the stick. The carrot is you don't have to be one of those companies that gets breached and the stick is if you are, it can be more than just damage to the reputation. Hackers have effectively learned how to infiltrate not only companies' software and hardware systems but literally the firmware that runs on a printer. So if you're breached, you think if you replace all your servers that you're safe and what we're hearing now is that you're not because it can require a comprehensive reinstall of all your hardware and all your hardware systems and I'm not saying that so that companies are deterred from looking at it. If you understand the gravity of the threat that you face, maybe the board will be persuaded to take this more seriously.

Ted Simons: We've got to get the board involved. Do you get on the right side of the if and when equation? There has been to be an understanding of what's going on out there but for someone who's got a business right now, small, large, and they're going what am I supposed to do? What are they supposed to do?

Michael Kelly: One thing they can do is they can adopt a response plan prior to a breach, so that if their servers are taken down or if they need to hibernate some of their critical systems, if they have a response plan in place prior to the breach, they can immediately get their systems back on, either through a shadow server or the like and they don't have to endure the business disruption that might otherwise occur if they don't have a response plan in place prior to the breach.

Ted Simons: All right. Very interesting stuff. Thank you so much for joining us. We appreciate it.

Michael Kelly: My pleasure.

Ted Simons: Tuesday on "Arizona Horizon," an update on foreign affairs with former NATO ambassador Kurt Volker. And we'll hear about an upcoming event designed to improve the delivery of democracy. That's at 5:30 and 10:00 on the next "Arizona Horizon." That is it for now. I'm Ted Simons. Thank you so much for joining us. You have a great evening. "Arizona Horizon" is made possible by contributions from the Friends of Eight, members of your Arizona PBS station. Thank you.

Michael Kelly:Jennings, Strouss & Salmon Law;

Illustration of columns of a capitol building with text reading: Arizona PBS AZ Votes 2024
April 2

Arizona PBS to present candidate debates as part of ‘AZ Votes 2024’

A photo journalist walking a destroyed city
airs April 2

Frontline: 20 Days in Mariupol

A woman working on a project in an art studio
airs March 29

Violet Protest

The
aired March 25

Pulitzer on the Road: Small Town Shakedown

Subscribe to Arizona PBS Newsletters

STAY in touch
with azpbs.org!

Subscribe to Arizona PBS Newsletters: