Wednesday, March 01, 2023

Defending the Perimeter Evolves into Securing the User Experience Bubble for UK Cancer Services Provider

Transcript of a discussion on how Macmillan Cancer Support in the UK places confidence in -- and ease of use of -- overall security as both top IT and health services requirements. 

Listen to the podcast. Find it on iTunesDownload the transcript. Sponsor: Bitdefender.


Dana Gardner: Welcome to the next edition of the BriefingsDirect podcast series. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator.



An underappreciated aspect of enhancing IT security is the impact on an end user’s comfort and trust in the services provided. In the case of health care services and support, making the patient feel welcome and safe can be a game-changer as they seek access to needed services and care.


The next BriefingsDirect security innovations discussion examines how Macmillan Cancer Support in the United Kingdom (UK) places the ease of use and sense of security in the services provided as a top IT -- and community service -- requirement.


Here to share their story on how to develop and deliver a cloud-ready security bubble around all users, their activities, and the sensitive data they share is our guest, Tim O’Neill, Head of Information Security at Macmillan Cancer Support in London. Welcome, Tim.


Tim O’Neill: Lovely to be here. Thanks for having me.


Gardner: We’re delighted to have you. Tim, tell us about Macmillan Cancer Support. It’s a very interesting and worthy organization. I’d also like to hear about your approach to securing a caring and trusted environment for your community.


For all who navigate a cancer journey


O’Neill: We have a unique organization in that when people think of a cancer charity, they often think about the medical side of it and about the pioneering of new treatments. Every day there’s something new in the media about how swallowing a leaf a day will keep a cancer away, and things like that.


But we deal with the actual effects of having cancer. We help anyone who is affected by cancer. That can be a person who’s just had a cancer diagnosis. That can be the family of someone who has a diagnosis, or their employer, or other employees. Anyone who is affected by cancer can come to us for help.



We don’t do a lot in the medical sphere, such as creating new treatments or testing or anything like that. We’re here to look after the impacts that cancer has on your life. We help with the patient’s pathway; we help you understand it and what the implications are – and what might happen next.

We will help you financially if you need help. We believe that nobody should be cold or hungry because of a cancer diagnosis. We provide the cancer nurses who exist in UK hospitals. We train them and we fund them. We have specialist care centers. Again, we fund those. Our psychological care is done through a third party as well. But we manage that, we fund it, we maintain it. We also have an arm that lobbies the government. So, for example, in the UK we had cancer reassigned as a disability.


This means that as soon as you have a cancer diagnosis, you are legally recognized as disabled, and you have all the benefits that go along with that. The reason for that is that once you’ve had a cancer diagnosis, it affects the rest of your life. It does not matter if it’s gone into remission. It will still affect you.


The treatments are invasive. They affect you. We work in many spheres, and we have a lot of influence. We work with a lot of partners. But the fundamental core of what we do is that you can contact Macmillan when you need help.


Gardner: And to foster that level of support, to provide that trusted environment across the full experience, having six levels of authentication to jump through -- or not seeing your e-mails delivered properly -- can stop the entire process.


O’Neill: Oh, absolutely. And we have to be realistic here. We are talking at times of people phoning us at the worst moment of their lives. They’ve just had something come out of the blue or the treatments have gone badly, or they’ve had to have that horrible conversation with their loved ones. And it’s at that very point when they need to talk to us.

We have to be accessible exactly when people need us. And in that instant, we can be the difference between them having a completely honest open, and frank conversation -- or having to sit and suffer in silence.

Asking them, “Oh, can you go and grab your mobile phone? Yeah, and stick your fingerprint on there, and now that password was not recognized. You need to change it. And by the way, sorry, that password didn’t have quite as many exclamation marks as we need. And so, now if you’d like to turn on your webcam and log in using a photo, then we’ll let you in.”


You can’t do that. We have to be accessible exactly when people need us. And in that instant, we can be the difference between them having a completely honest, open, and frank conversation -- or having to sit and suffer in silence.


Gardner: Well, I don’t envy you your position, Tim. On one hand, you have sensitive healthcare and patient data that you need to protect. On the other hand, you need to make this a seamless and worthwhile experience.


How do you reach that balance? What have been some of the challenges that you’ve faced in trying to provide that proper balance?


Keep everyone secure by managing risk


O’Neill: Everything is risk-based. We look at where you normally phone in from, or if you’re a first-time caller, or “Are you in a location that we trust?” “Are you in a number range that we trust?” Things like that. What’s the nature of the conversation you’re having with us?


There are a number of parameters. Not everything is a high-level risk if you are just phoning us, and you simply want to talk. If you don’t want to impart any special information or anything like that, then the risk is low. Everything is measured against risk, which is a mentality change in the organization.


And, you know, I’ve been in conversations where people say to me, “I don’t like that idea … I think somebody got it wrong” without quantifying the risk. It’s not good enough.


But if we understand exactly what the risks are, then we can understand what controls can mitigate those risks. We can choose the effective controls for mitigating the risks. And then we can take the actions and do the tasks to enable those controls.

For example, with multi-factor authentication (MFA), if your workforce is five people working from one office and you have no remote connections, that’s potentially the wrong security control. Your controls could be completely different. They will have the same effect, but they will have a more positive impact on the end-user experience.


That’s the narrative change that you have to have. One of the most challenging things, when I first came into the organization, is when we were transforming IT systems. We were starting to understand how people wanted to interact with us digitally.


Historically, our interactions had been very much face-to-face, or through phone calls as well. And with COVID, obviously, all of a sudden, all of our interactions changed. So, it became, “How do we make it so that the legacy IT systems, users, and accounts can be migrated to new, safe methods without getting rid of the history of conversations they wanted to keep?” We didn’t want to lose the knowledge that we had and the relationships we had created with these individuals.


If you’re sending emails out to people saying, “Oh, we need you to change your log-on credentials because we’ve moved to this new IT system, et cetera, et cetera.” … If that person is sadly deceased -- we’re talking about cancer here -- then potentially sending something like that to their family is not great. So, there are lots of things to consider.


Gardner: It sounds like you’re approaching this from a fit-for-purpose security approach and then grading the risk and response accordingly. That sounds very good in theory, but I suspect it’s more complicated in practice and execution. So how, with a small security team such as yours, are you able to accommodate that level of granularity and response technically?


O’Neill: Everything starts complex. Every concept that you have starts off with a million boxes on the screen and loads of lines drawn everywhere. And actually, when you come down to it, it becomes a lot simpler.


When we get to the bottom level of this: What are the risks that we are trying to mitigate here? We are trying to mitigate the fundamental risk that an individual’s information may end up with the wrong person. That’s the most important risk that we’re trying to manage.

Start off complex, and then bring it all down to the simplest level, and focus on the one thing that actually matters, which is the risk.

And bear in mind that people will tell us about their cancer diagnosis before they’ve even spoken to their family, friends, … anyone. And they will phone us at the darkest moments and talk about suicidal thoughts. Those are conversations that you do not want anyone else to have visibility into.


When we get to such a stage that we are entering into something problematic on privacy or risk, at that point, we will do extra validations. Again, it’s all based around the particular risk. You have your conditional access element risk whereby you’re looking at where people are coming from. You’re looking at historical interactions from that location and you’re extrapolating that information to have a choice made automatically based on it.


But then you’re also talking about training of individuals where they don’t need to go through vetting questions at the start of conversations but once they get to a point where the nature of it changes, and the data risk of that conversation changes, at that point controls need to be applied.


Start off complex, and then bring it all down to the simplest level, and focus on the one thing that actually matters, which is the risk.


Gardner: Well, at the same time as you’ve been embracing this model of risk-balancing, you’ve also faced a movement over the past several years to more cloud-ready, cloud-native environments. And that means that you can’t just rely on programmatic web application firewalls (WAFs) or creating a couple of filtering rules for your network.


So, how do we move securely toward such a cloud or mixed environment? How is that different from just building a security perimeter? Previously, you’ve mentioned to me a “security bubble.”


Remain flexible inside your security bubble


O’Neill: The new models are different in a number of ways. What’s historically happened with information security is somebody says, “I have this new system.” Then you ask, “What’s the system? What’s the risk? What are you doing with it? Where is the data going?”


And so, you designed the security around that system – but then you get a new system. Is that one okay? Well, then you design a new bit of security. You end up with a set of tools that you apply to each one. It’s slow, and it’s prone to failure because people design the system first and its uses change. It can also lock the organization in.


If we take an incredibly simple thing, which is the storage of data, an organization might say, “We’re an Amazon Web Services (AWS) cloud house.” Wherein it’s your house, but as we mature with these cloud strategies, people are going to start leveraging economy of cost of storage by moving their data dynamically to the less expensive storage locations. And when one cloud storage offering is cheaper than another, then your data will fly across to that.


We can’t work in the old way anymore within cyber security and information security. What we have to do is create this security bubble that we’ve been talking about. It allows the organization the flexibility to change the security strategy.


For example, every year or two, we suddenly go, “There’s a new threat. Here it comes.” Yet every threat works in fundamentally the same way: You have to get in, you have to get the rights to see what you’re doing, and you have to be able to move around. If you break it down to those basics, that’s what everything in security needs to do, really.


If we can start to move to this bubble, to say, “We know what our data is, we know who our users are, and we know who they’re going to interact with.” Then we can allow people and organizations the flexibility to do what they want and only block the high-risk events within that.


If your data leaves the bubble, and it’s just, “Hey, do you want a cup of tea?” kind of communication, obviously you’re not going to worry about that. If it’s something that contains risky data, then we’ll worry about that. We’ll block that.


But we have to stop thinking about application-level security and start thinking a lot bigger and more strategically about security. We may have to stop and ask the business, “Where are you going? What are you doing?” But they don’t know yet. And also, as COVID has shown us, sometimes nobody knows where we’re all going.


Gardner: Right. We need to be prepared for just about anything and also be able to react quickly, so you can’t be knee-jerk and react to every app or system differently. As you point out, you need to be strategic.


And so, part of being strategic, for an organization such as yours, because you’re supported by donations; you’re a non-profit -- you need to be cost-efficient as well. So again, it’s a balancing act between cost efficiency and being strategic about security. How is that something you’ve been able to manage?


A wise spend supports smart security


O’Neill: Well, I don’t believe they’re in conflict. If we look at organizations -- I won’t name them, that are huge and have very big budgets, who spend tens of millions on their cyber security – they have huge teams, and they still get breached. The amount that you spend doesn’t necessarily create a graph to greater security.


Spending intelligently does, and it all comes from focusing on risks. If you sit there and you say, “You know what we have to do, we have to go through the top 20 NIST or CIS methods or recommendations,” or whatever, “and we’re going to supply the best product on the market for each of those, and check the box.”


Firstly, you potentially throw a load of money away because in the end you don’t actually need it all. The spec says, “Oh, you need MFA and a WAF.” Well, actually, it’s not an MFA that you need, it’s not a WAF that you need.


What are the risks that those products are mitigating? And then, what is the best way to mitigate the product risks? It all comes down to that, when you sit back and you look at what we do for a living in information security. 

We talk a lot about burnout in information security and wellness. It’s because people keep chasing their tails. Every day, there’s a new headline about a breach or a new zero day or a new technique -- or whatever it may be -- and everyone starts worrying about it. What do we do to protect against this?


But it’s about assessing the risk. And from a risk perspective, all the rest of it stays the same to a certain degree. It’s very rare that a new zero day fundamentally changes your risk.


Gardner: You bring up an interesting point. Not only are you concerned about the comfort and sense of security for your end users, but you also need to be thinking about your staff. The people that you just mentioned who are increasingly facing burnout.


Throwing another tool at them every three months or asking them to check off 16 more boxes every time a new system comes online, it’s going to be averse to your overall security posture. Is there something you look for on how you tackle this that’s also accommodating the needs of your security staff?


Monitor what matters


O’Neill: You’ll have to ask them -- but they all still have their hair. Yeah, organizations often talk about insider threats. I think it’s a terrible thing to be talking about because it’s such a small percentage. A lot of organizations treat their employees as part of the problem, or almost an enemy that needs to be monitored constantly. I don’t care if you’re on Facebook at all.


I care if you’re trying to download something malicious from Facebook or upload something like that to Facebook. But the fact that you’re on Facebook is a management issue, not a cybersecurity issue. We do not monitor things that we do not need to monitor.


For example, we were getting a weekly report from one of our security products. It was typically a 14-page report that basically patted itself on the back by saying how great it had been. “This is everything I’ve blocked,” it said. And a member of my team was spending pretty much a day going through that report. Why? What possible gain came from looking at that report?

I care if you're trying to download something malicious from Facebook. But the fact that you're on Facebook is a management issue, not a cybersecurity issue. We do not monitor things that we do not need to monitor. 

The real question is … Once you read the report, what did you do with the information? “Nothing, it was interesting.” “But what did you do with the interesting part? “Well, nothing.” Then don’t do it. Everything has to have a purpose. Even to the smallest degree. I had a meeting this morning about policies. Our acceptable use policy document is, I think, 16 pages long.


Come on. It doesn’t need to be 16 pages long. I want two pages, tops. “Do this, don’t do that, or absolutely don’t do this.”


We have a mobile device policy that everyone has to sign up to. … We have a mobile device manager. You can’t connect to systems unless your operating system is up to date, all of this sort of stuff. So why have we got a policy that is seven pages long?


Say what you can and can’t do on mobile devices. Then all we need to say is, “You’ll have to adhere to the policies.” All of a sudden, we’re making everyone’s life easier. Not just the information security teams, but the normal end users as well.


It is all about working out what’s actually valid. We’re very good in information security of doing things because that’s what we’ve done instead of thinking.


Gardner: I’m hearing some basic common threads throughout our discussion. One is a fit-for-purpose approach, sort of a risk-arbitrage approach, simplicity whenever possible, and increasingly having the knobs to dial things up and down and find the proper balance.


To me, those increasingly require a high level of analysis and data, and a certain maturity in the way that your platforms and environment can react and provide you what you need.


Tell me a little bit about that now that we’ve understood your challenges. How did you go about a journey to finding the right solutions that can accommodate those security analysis and strategy requirements of granularity, fit-for-purpose, and automation?


Streamline your team’s efforts


O’Neill: When we go to market for a security product, usually we’re looking at a specific issue that we’re trying to fix and control. A lot of the products will do the job that you want them to do.


But there are a few other things we look for. Can my team log into it and very quickly see what is important? Can we go from seeing that to the action that needs to be taken? How quick is that journey?


When somebody is demonstrating the platform, for me, my question is always, “How do I get from seeing it to knowing that it’s actually something I need to do, to then being able to do something about it?” That journey is important. Loads of products are brilliant, and they have a pretty interface, but then they fall apart underneath that.


And, the other thing is, a lot of these platforms produce so much information, but they don’t give it to you. They focus on just one element. What value-add can I get that the product might not deliver as a core element, but that actually enables me to easily tick off my other boxes as well?


Gardner: Can you describe what you get when you do this right? When you find the right provider who’s giving you the information that you need in the manner you need it? Are there some metrics of success that you look for or some key performance indicators (KPIs) that show you’re on the right track?


O’Neill: It’s always a bit difficult to quantify. Somebody asked me recently how I knew that the product we were using was a good one. And I said, “Well, we haven’t been breached since using it.” That’s a pretty good metric to me, I think, but it’s also about my team. How much time do they have to spend on this solution? How long did it take to get what you needed?


We have an assumed-breach mentality, so I expect the first job of the day is to prove to me that we have not been breached. That’s job one. Next, how quickly can you tell me that from the time you turn your computer on? How much of the time do you end up looking at false positives? What can the product do every day that helps us get a bit better? How does that tool help us to know what to do?


Gardner: We began our discussion today by focusing on the end user being in a very difficult situation in life. Can we look to them, too, as a way of determining the metrics of success? Have you had any results from the user-experience perspective that validate your security philosophy and strategy?


Inspect end-user behavior, feedback


O’Neill: Yes. Obviously, we interact constantly with the people that we support and look after. It is the only reason we exist. If I do anything that is detrimental to their experience, then I’m not doing my job properly.


We go back and we do ask them. I personally have spent time on phone lines as well. I don’t sit within my little security bubble. I work across the organization. I’ve been on the streets with the bucket collecting donations.


We have very good relationships with people that we have supported and continue to support. We know because we ask them how it felt for them. What works for them, what doesn’t work for them? We are continually trying to improve our methods of interaction and how we do on that. And I’m constantly trying to see what we can do that makes that journey even easier.


We also look at user behavior analytics and the attack behavior analytics on our websites. How can we make the experience of the website even smoother by saying, “We’re pretty sure you are who you say you are.” Are they going to the same places? Are you changing your behavior?


And I can understand the behaviors and even how people type. People use their keyboards differently. Well, let’s look at that. What else can we do to make it so that we are sure we are interacting with you without you having to jump through a million hoops to make sure that that’s not the case?


Gardner: You mentioned behavior and analytics. How are you positioning yourself to better exploit analytics? What are some of your future goals? What are the new set of KPIs a few years from now that will make you even more strategic in your security posture?


Use analytics to lessen user interruptions


O’Neill: That’s a really good question. The analysis of user behavior linked to attack behavior – that and analysis of many other elements is going to become increasingly important for smoothing this out. We can’t keep using CAPTCHA, for example. We can’t keep asking people to identify fire hydrants that are within 30 centimeters of a dog’s leg. It’s absurd.


We have to find better ways of doing this to determine the true risk. Does it matter if you’re not who you say you are until we get to the point that it does? Because, actually, maybe you don’t want to be who you are for a period of a conversation. Maybe you actually want to be someone else, so you’re disassociating yourself from the reality of the situation. Maybe you don’t want to be identified. Do we have to validate all of the time?


I think these are questions we need to be asking. I think the KPIs are becoming a lot more difficult. You have to base them around, “Did we have any breaches?” And I think with breaches we separate our information governance from the information security, but they’re brothers from one another, aren’t they?

We have to find better ways to determine the true risk. Does it matter if you're not who you say you are until we get to the point that it does? Do we have to validate all of the time? These are questions we need to be asking.

The information governance leak shouldn’t happen with good information cyber security, so we should expect to see a lot fewer incidents and no near misses. With the best interaction KPIs, we should be seeing people get in touch with us a lot quicker, and people should be able to talk to the right people for the right reason a lot quicker.


Our third-party interaction is very important. As I said, we don’t offer any medical services ourselves, but we will pay for and put you in touch with organizations that do. We have strategic partnerships. To make that all as smooth as possible means you don’t need to worry who you’re talking to. Everything is assured and the flow is invisible. That kind of experience -- and the KPIs that matter the most for delivering that experience – provides well for the person who needs us.


Gardner: Any closing advice for those who are moving from a security perimeter perspective toward more of a security bubble concept? And by doing so, it enables them to have a better experience for their users, employees, and across their entire communities?


Dial down the panic for security success


O’Neill: Yes. This is going to sound a bit odd, but one of the most important things is to conceptualize, and to take the time, to challenge my team. What is the gold standard? What is the absolute? If we had all the money in the world and everything worked, what  the perfect journey? Start from there and then bring it down to what’s achievable or what elements of it are achievable.


I know this sounds odd but stop panicking so much. None of us think well when we’re panicked. None of us think well when we’re stressed. Take the time for yourself. Allow your team to take the time for themselves. Allow their brains the freedom to flow and to think.


And we’ve got to do what we do better. And that means we have to do it differently. So, ask questions. Ask why do we have endpoint protection? I’ve got this, I’ve got that, I’ve got all these other things. Why have we got something on every endpoint, for example? Ask that question.


Because at least then you have validated what it is truly for and better know the amount of value it has, and therefore the proper amount of effort it needs. Stop doing things just by ticking off boxes. Because as an ex-hacker, let’s call it, I know the boxes that you tick. You tick all those boxes; I know how to bypass those boxes. So, yeah, just take time, think, conceptualize, and then move down to reality. Maybe.


Gardner: Be more realistic about the situation on the ground, rather than just doing things because that’s the way they’ve always been done?


O’Neill: Yes, absolutely. Understand your risk. Understand what you are actually having to support. The fortress approach doesn’t work anymore. The proliferation of software as a service (SaaS) application, the desire to allow everyone to perform to their best within and outside of an organization – that means allowing people flexibility to work in a way that best suits them. And you cannot do that with a fortress.


Gardner: I’m afraid we’ll have to leave it there. You’ve been listening to a sponsored BriefingsDirect discussion on how Macmillan Cancer Support in the UK places the ease of use and sense of security in the services provided as a top community service requirement.


And we’ve learned how this charitable health services organization delivers a cloud-ready security bubble around their users, activities, and the sensitive data they share.


So please join me now in thanking our guest, Tim O’Neill, Head of Information Security at Macmillan Cancer Support. Thank you so much, Tim.


O’Neill: Thank you very much for your time.


Gardner: I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for these ongoing BriefingsDirect security discussions. A big thank you to our sponsor, Bitdefender, for supporting these presentations.


Our last big thank you goes out to our audience, that’s you, for joining us. Please pass this along to your community, and do come back next time.


Listen to the podcast. Find it on iTunesDownload the transcript. Sponsor: Bitdefender.


Transcript of a discussion on how Macmillan Cancer Support in the UK places confidence in -- and ease of use of -- overall security as both top IT and health services requirements. Copyright Interarbor Solutions, LLC, 2005-2023. All rights reserved.


You may also be interested in:

Wednesday, January 25, 2023

How A-Core Concrete Sets a Solid Foundation for Preemptive Security

Transcript of a discussion on how to best balance resilient security requirements with efficient use of human capital and resources in a highly dispersed organization.

Listen to the podcast. Find it on iTunesDownload the transcript. Sponsor: Bitdefender.


Dana Gardner: Welcome to the next edition of the BriefingsDirect podcast series. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator.



A special breed of company -- even though it has a relatively small number of employees -- does very big jobs with those lean and often distributed workforces. A perfect example of such a concentrated and efficient business is A-Core Concrete Specialists, which builds large and complex structures across the Western United States.

When it comes to managing IT, the lean-and-mean mantra also holds true. The jack-of-all-trades requirements means that the IT leadership of it is often the head of security. As a prime example, that’s another way that A-Core Concrete shines.


Today’s BriefingsDirect security innovations discussion examines how A-Core Concrete has created a security culture that relies on centralized administration, proactive insights, and rapid remediation to successfully assure that the whole company operates at peak performance.

Here to share the story of how to best balance resilient security with the efficient use of human capital and resources is Andy Black, Chief Information Officer (CIO) at A-Core Concrete Specialists Inc., in Salt Lake City. Welcome, Andy.


Andy Black: Hello. Thank you.


Gardner: How does your management and IT approach allow A-Core Concrete to best meet its security objectives?


Black: A-Core Concrete operates in seven different states within the Western United States. We have 13 offices throughout the Western U.S., and our main corporate headquarters is in Salt Lake City, Utah.

From there, we run the majority of the businesses. Each division operates independently. There are some that operate branch sites in various states and others where we don’t actually have offices. So, we need to provide a lot of remote capabilities and access to IT at all of these various locations. 

When I came aboard several years ago, I determined the best answer was not to have a central data center where all of our servers and applications were housed. That just made it more complex for every one of those locations to gain access to the main facility. Because we also were growing rapidly, I needed the ability to expand the business quickly and plug in a new location really fast.


If I had to establish a direct virtual private network (VPN) connection back to our main data center at the main corporate headquarters, it probably wasn’t going to work well. So, instead we decided to migrate all of our servers and the environment to the Microsoft Azure cloud and set up each office location with VPN connections up to that Azure cloud environment.


That’s enabled us to operate lean and more securely. Each office has a secure connection to our primary applications via remote access. And all of our people operating remotely on mobile devices and laptops are also able to gain access to our cloud-based environment.


That’s basically how we’ve configured our IT environment so every physical location -- as well as all of our remote workers – can have secure access into all of our cloud-based resources.


Gardner: Andy, we hear so much these days about remote work and whether that’s the right fit for the long-term. Seems to me what’s most important is gaining the flexibility and the agility to be location-independent. You can always get the work done regardless of where the people are.


What were some of the challenges you faced to maintain your security requirements, even with 13 offices – and more remote locations -- spread around the country?


Keep clients safe across the Western U.S.


Black: Well, a great example that comes to mind is we are currently working on one of the largest renovation projects in the country, the Church of Jesus Christ of Latter-day Saints temple renovation project in downtown Salt Lake City. That project involves a lot of very intense and technical work. We’re lifting the entire temple off of the ground to install earthquake prevention materials. Within the facility, we’re drilling holes down the sides of the temple. Of course, this is an historic landmark, so we have to retain and protect the facility.


But we’re working on that job site in conjunction with other companies. We are a subcontractor in partnership with the main host organization that is doing a lot of the construction. And so, we have our managers and our administrators working in the other companies’ offices and trailers. And so, we rely on those other companies’ internet connections for the majority of their work and yet our people still need to have access to our main company IT resources.


For them, for example, we have set up a VPN client that they load onto their individual computers, so they can simply rely on that internet connection and still tap into our Microsoft Azure cloud.

We're aware that there are a number of hacks and other issues out there where they take advantage of VPN and RDS-types of connections into remote access servers and cloud environs. We need to protect and secure those, too.

Now, for all of our other main office locations, we have firewalls in place, and each firewall is configured with that VPN client. But the way we’ve configured and built this out -- so that everything is cloud-based, while we can secure it with a VPN connection -- puts this in a tight spot because people are located all over the place. They might be using a cellphone as a mobile hotspot or an airport Wi-Fi network. And so, while they have that VPN connection to me, that still does not protect them 100 percent.


We’re aware that there are a number of hacks and other issues out there where they take advantage of VPN and even Remote Desktop Services (RDS)-types of connections into those remote access servers and cloud environments. And so, we have to be able to protect and secure those as well.


As a result, I rely on a lot of the services and support I get from Bitdefender for securing our computers and connections. They can be remote, in these other offices and shared with other companies, and we can still have secure access to all of our resources.


Gardner: The days of creating a fortress and moat perimeter that you can protect and beef up from time to time -- those days are gone. There is no perimeter. The perimeter is everywhere.


Given that, what are the top requirements for the endpoints to take advantage of your cloud use and remain secure and under control?


Protect all platforms, everywhere


Black: One of the main reasons I moved to Bitdefender in the first place was its high quality and reputation when it comes to ransomware protection. That was one of my primary goals as a result of an instance where we had an attack several years ago. The security solution we had at the time helped prevent the vast majority of attacks, yet we still had a couple of machines that were hit. I needed to find a good, solid solution.


At the time I did my research, Bitdefender came out on top of the list. By installing Bitdefender, we not only gained an endpoint protection solution that provided ransomware protection, it also gave us antivirus, anti-malware, and other resources to securely protect those local devices. Then, at the same time, because we still see so many attacks through email, we tapped into the Bitdefender email filtering solution as well.


We rely very heavily on that solution to handle the local desktops, the laptops, and all those devices -- as well as all of our communication through email -- to make sure that we protect ourselves as much as we possibly can.

We still have to train the users. The weakest point in any security system is still the users. They still click on things, and they can still open things. But by having the endpoint protection solution and the email filtering solution in place, we feel that gives us a really good perimeter, if you will, to try to protect us and keep us much more secure when it comes to managing all of these devices that are all over the place.


Gardner: As your security and other IT partners have also adopted cloud architectures, how has that impacted your ability to manage and secure all of those far-flung endpoints?


See, secure, and share the cloud


Black: That’s a really great question. Not only do we have our own primary servers in the cloud that we use for specific systems in our environment, but we also outsource many other vendor-related hosted services, including software as a service (SaaS), for many other applications. Most of those are also hosted on Amazon Web Services (AWS) or Azure, so they’re all cloud-hosted. We may have one type of connection on one location, but on that same computer we’re doing 10 other things and 10 other resources are going to other cloud-hosted services.


I have, through Bitdefender, a great console that we use for two purposes. The first purpose is so that on my main view I can see all of the connected devices, and I can see which devices have had things blocked -- whether it’s been blocked, quarantined, or deleted. In a snapshot, I can open it up and determine if I have any devices out there that are jumping out and saying, “Hey, something just happened. We need to look at this right now.”

I also receive notifications if somebody's machine has clicked on a wrong link. That primary console has been great. I can pull up each computer, and it makes recommendations for how to better secure that specific device. It will automatically make the adjustments for me and make that fix. 

I also receive notifications if somebody’s machine has clicked on a wrong link. It gives me a notification, saying, “Hey, you need to go look at this particular computer.” That primary console has been great. Through that console, there are also links whereby I can pull up each individual computer, and it makes the recommendations for how to better secure that specific device. I can then click on some of those and it will automatically make the adjustment for me and make that fix. Then in others, it actually relates more to group policy kinds of changes that we can make on our network so each device within the entire company can be adjusted based on those particular recommendations. That’s all in the primary endpoint protection console that I use.


Then secondary to that is the email filtering console. And I dive into that on a regular basis, and I’m learning, “Okay, what’s getting blocked? What’s getting filtered? Should this really be going through? Should this not be going through? Is it virus-related? Is it malware? Is it simply a phishing scam? Is it marketing?”


I look at that on a regular basis to make sure that if something does get blocked, it really should. I can still, if needed, release it and get it right to our end users very quickly. These particular tools have been very, very helpful for me in trying to manage the endpoint protection and manage our communications through our email service.


Gardner: Andy, you’re the CIO, not the chief information security officer (CISO), so you’re juggling a lot of different priorities. One of the things that is hard for people to balance is getting too much – or too little – email information. Can you, through the management console and interface, tune it so that you don’t get overwhelmed, but can find the right balance?


Fine-tune filtering your email


Black: When we first implemented the Bitdefender email filtering solution a while ago, we weren’t really entirely certain how best to make it work. And so, we put specific settings in place, and it seemed like we were still blocking more than we really wanted to block. But we had the capability to very easily open the console and shift something here, do changes there, make an adjustment -- and then see how that all worked.


Ultimately, I got to a point where I reached out for help. I needed to get more assistance from Bitdefender specifically and I was assigned to an individual who then put me in contact with the more technical backend resources so that they could help me more specifically adjust and configure and change our parameters for the email filtering solution so that we could better get the things that needed to come through and block the things that didn’t need to come through.


One specific piece to that was the marketing component. People get all of the spam emails, all the time. There is in the email filter solution, three specific selections. You have a marketing low reputation, a medium reputation, and a high reputation.


Because we were getting so much spam, I decided that I wanted to block that medium reputation email as well and have that filtered out. And so, while it greatly reduced the amount of spam email that everybody got, we discovered about a month later that it was also blocking bid requests.


We have a number of our managers throughout the company in every state where we are who are subscribed to various resources that would automatically send these managers’ current job bid requests. They have a job that’s going on in such-and-such location. We need to know about this so we can provide a bid on that particular job.


Well, we discovered that many of those were also getting blocked because they were being treated as a marketing medium -- and that wasn’t the right answer. I made more adjustments and I talked to the managers and said, “Okay, well, if I adjust this so that we don’t miss these bids, you will continue to get all of these other marketing emails.” And they replied, “No, that’s fine. We’d rather get the marketing emails together with these bid requests than miss the bid requests and then miss out on a potential job that that we could get into.”


So, this is very customizable. There are a lot of adjustments we can make. Sometimes it’s just a tweak here and a tweak there. But what I found was very, very helpful was that I had the capability to tap into Bitdefender’s backend, and to talk to the right people, have them sit down, see my screen, and we could work through it together -- and they could teach me.


As you said, I’m not necessarily the security expert. I need to manage all of these environments and all the data and information that’s coming through. Having Bitdefender as a resource was also very helpful to configure and tune our system to make it work best for our needs.


Gardner: Sure, you want proactivity, you want the machine to do the work for you, anticipate some of the things, and offer analytics. When it comes to that proactive approach, is there something about the way that the interface and the data and the analytics come together that gives you a heightened sense of the security behind your security?


Get the whole picture to manage threats


Black: The display in the interface for the endpoint protection is very, very useful. In fact, in working with the same Bitdefender consultants, they helped me put the right quadrants in the right spots, to select which reporting features would be the most useful and would show me all the correct data.


We’re all visual people. A picture’s worth a thousand words. And so, rather than just looking at tables or lists of things that appear, it’s much easier to see it visually. One interesting thing about the dashboard is that I can click on a specific link or a specific dashboard icon and then it will take me to more information in greater depth and greater detail.

We're all visual people. A picture's worth a thousand words. Rather than looking at tables or lists, it's much easier to see it all visually. I can then click on a dashboard icon and it will take me to more information in greater depth and detail. 

At a glance, that executive dashboard is very helpful first to see exactly where we are and what number of threats are coming through. I can quickly determine, “Are we seeing an uptick in an attack perimeter at the moment or not? What’s being hit?” If I want greater detail, I click on it, I pull it up and I can get more information that way.


That particular resource has been very helpful. Again, once it’s set up and I know it’s there, and I trust it, it is no longer something I have to go into every single day. I’m not tapping into this every day. That’s not really my role overall, but when I need to, or if there’s something that’s happening, I can tap into it very quickly, pull it right up, see what’s happening, talk to my team and say, “Let’s go attack these particular systems. This one’s questionable. We’re not sure what’s going on here, so jump on that one.” It’s just a great management tool from that perspective.


Gardner: It sure sounds as though it’s a fit-for-purpose management approach, which is so important when you’re in a lean-and-mean environment.


You mentioned earlier, Andy, that your end users and their behavior are such an important part of security. Is there something about the way that you’re getting information about what’s going on at your endpoints and in your network that you can take back to the users and reinforce the right kinds of behaviors? Is there a way that you can instill a security culture based on the information you have for your consoles and analytics and take that back to train, in a sense, your workers to be more diligent about their best practices?


Train your teams to spot spam


Black: A couple of years ago, we determined as the leadership team it will be very beneficial and helpful for us to meet on a weekly basis across the company and do training. I’ve trained on all sorts of different things within the organization, but one of the key things that I continue to bring up regularly is security. I will say, “Here are the most recent things that we’re dealing with. Here are the most recent attacks.”


Then every once in a while, something may come through our e-mail, because no solution is 100 percent perfect, and so I still have to rely on my users to know and be aware and look at what’s coming through to make sure that it’s still good or bad. And so, we have a phishing report link option. If something comes through and it looks fishy, they click the link, and it automatically sends it to my team. We see this e-mail and we can double check and verify whether or not it’s good or bad.


If it’s bad, we can obviously let the user know and thank them and congratulate them for being proactive and determining, “Yep, sure enough, that’s not the right thing.” And then depending on what’s coming through, sometimes I will take screenshots of that, and I will send out a communication across the company, saying, “Hey, everybody. These are certain things that are happening right now. This is bad, this is bad, this is bad,” so you don’t want to open these. Then, during these trainings that I have with the company, I can discuss with people, “What are you seeing? How do we look at and break down one of these messages in these e-mails to determine, is this really a valid e-mail, and if not, how do we recognize that? How do we determine it?”


By helping and working with all of the people throughout the company on a regular basis, having these conversations, showing them the examples, taking these screenshots and so on, it’s helped to create a greater security culture within the organization. A lot of the smarter user base can be more proactive on their own end and say, “Yeah, yeah. This is bad or I’m not really sure about this particular one, Andy. Let me send this to you and have you double check it for me just to be sure.”

The vast majority of the time, it’s worked very well. Now, people can still make a mistake. I had a user literally a week ago click on a link that said they needed to redo their e-mail password. I can’t remember what it was and sure enough, it took them to a spoofed site. They didn’t think fast enough. They entered their credentials and immediately thought, “Okay, that was probably bad. So, Andy help me.” The next thing you know, we helped them reset the password right away so that whatever just got compromised is no longer there.


But at least people are more aware. They’re thinking. Even if they clicked the button and afterward, they’re like, “Yeah, that probably was not the right answer. Let’s jump on. Let’s talk to Andy’s team and let’s see if we can get it fixed.”


Helping to create that security-aware culture makes a big difference. Because the people in IT can put all of the infrastructure in place. We can have the firewalls and the VPNs and the endpoint protection, the antivirus, and the anti-malware, all of that -- but at the end of the day, it still is up to the end user. They are the last point of protection, so they need to be aware. They need to be cognizant of what they’re dealing with. The more we can work with them, the better.


Gardner: That root-cause analysis and learning what’s been behind problems is one part of the solution, as you point out, and relating that to behavioral adjustments is another. But what about the ability to react as a security professional when something does go wrong?


Is there something about the way your security apparatus is designed that helps you so that when things do go wrong, to nip it in the bud?


Plan ahead for best problem-solving


Black: Using the console within Bitdefender, I can see the machines that have recently blocked something, or had a virus come through and then quarantined it, or whatever. I can then have my team go out and look at that specific computer and see if something got through.


But I will tell you that if Bitdefender says they blocked it, they blocked it, and it hasn’t really been an issue. But it also tells me who those users are, so I know if there’s a specific individual that we need to work with. We can say, “Okay, now it looks like six times in the last week you clicked on things. Let’s talk about this. What is going on? Let’s make sure you have figured that out.”


Now, again, looking at it from the leadership perspective, I can put all of the infrastructure in place, but I need to have the capability to recover should somebody do something that they shouldn’t have. I can focus on having all of my backups in place, my replications in place, whether it’s cloud-based or otherwise; having my resources, my applications, my files stored in different locations so it’s not all in one bucket, so that if something does happen to get through, it’s that one piece that might be affected, not the entire organization.

I can put all the infrastructure in place, but I need to have the capability to recover should somebody do something they shouldn't have. I can focus on having my backups in place in different places so it's not all in one bucket. Then if something happens, it's affecting that one piece, and not the entire organization. 

It becomes more of a mindset of how I built out the infrastructure to support my company, specifically to meet our needs so that if one particular site has an issue or one particular application has an issue, it can be isolated to that specific component. We have the backups, the replications, all of the disaster recovery in place so that if the worst happens, we’re not going to be completely out of business.


Now, one last piece to that, it’s very important to have the communication ahead of time with the business leadership, the ownership, so that should something such as ransomware come through, it’s not just locking the computer. We can restore a computer, we can restore from backup, that’s fine. You might lose a day. It’s not going to kill us.


But, one of the biggest things with ransomware that’s happening today is not just an encryption of a computer but where the bad people will get in, pull data out first and hang onto your information and then they want to charge you a ransom because they’re going to threaten to release your information. They want you to pay the ransom to not release the data and then pay the ransom to also decrypt your devices and your systems.


And so, the issue is more with the information that they gather. If you can have a conversation and have that decision made ahead of time with the organization, you can let your leadership know, how you created your backups. Here’s how you got your encryption. Here’s how your data is being protected. And if somebody comes in and says, “We have your data, we will release it unless you pay a ransom.” Well, then you at least have a game plan and a decision process made ahead of time so that it’s not a response or knee-jerk reaction to just immediately pay the ransom.


Have those conversations in advance, have that plan in place already, so you’re ready to go if and when that occurs.


Gardner: Now you’re talking about operational resiliency -- to have those plans in place with the right steps to take when you need it. When you have the data at your disposal, you can act. That’s a huge part of a good, solid security culture. I commend you for that.


Before we sign off, let’s talk a little bit about the future. Where do things go next? Are you concerned about the number of different endpoints that you might be involved with? Do you feel as though you’re going to have to expand your horizon across more endpoints?


Meet and manage mobile-device risks


Black: The two fronts that don’t really keep me up at night per se, but they are in the back of my mind, are the mobile devices because we do have a lot of our applications accessible on cell phones, on tablets; iPads, for example. It’s more than just the desktop computer anymore, it’s not just a Windows or an Apple-based machine. It’s definitely those mobile devices.


More than two-thirds of our company, of our workforce, are field operators. They are the guys out in the field actually cutting the concrete, doing the freeway work, and so on. They rely entirely on a mobile device -- their cell phone, their tablet. I have to build and secure those devices as well. And the number of those devices is only going to grow. As our business continues to grow and as we expand, and we go to other locations, I’m going to have more people who are going to have those mobile devices. And so, that’s a huge front for me that I really need to make sure that I have protection services in place.


Now secondary to that is the impact of artificial intelligence (AI) and machine learning (ML). People can create millions of bots, and with those bots they can find new ways to hack in. The more intelligent AI and ML becomes, the stronger your own defenses need to be. And so the more we can incorporate our own AI and ML into our defense environments -- on the computers, on the mobile devices and in our endpoint protection -- the better we can prevent the bad guys who are also using those same tools to come at us. Right now, to me, those are my two biggest fronts going forward that I’m the most concerned about.


Gardner: Andy, any advice to organizations that like you are distributed, are lean, and have big jobs but a relatively small workforce -- and perhaps also a fairly lean-and-mean IT department? Any thoughts that you would impart to them as they try to improve their security posture?


 A lot of the smaller and mid-sized businesses, they all realize that computers and technology are required to keep them in business and to press forward. But they’re still not really willing to spend the money that it might take to bring in that level of protection. They try to play the risk game, saying, “How long can we go until we get hit? We’re not going to get hit. We are too small of a company. We’re not a target.”


Well, what we’re finding is that the biggest target is the small- to medium-sized businesses (SMBs) because they tend to not have invested into their security to protect themselves. And so, that’s where those weaknesses come in.


Again, those same organizations -- while they do the bare minimum, they might have an end-point protection solution on their computers -- they’re not necessarily securing their mobile devices. They’re not necessarily creating and working with their people to create that culture of security.


And so, it doesn’t take a lot. It’s not a huge investment in most cases. But if you will make that more of a priority it does make a world of difference to protect your business because it’s going to cost a lot more to recover than it would be to prevent in many of those issues.


Gardner: That’s great advice. I’m afraid we’ll have to leave it there. You’ve been listening to a sponsored BriefingsDirect discussion on how concentrated and efficient businesses like A-Core Concrete build security cultures that rely on centralized administration, proactive insights, and rapid remediation to move safely at the preferred and optimized speed of business. A big thank you to our guest, Andy Black, CIO at A-Core Concrete Specialists. Thank you so much.


Black: Thank you.


Gardner: I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this ongoing series of BriefingsDirect discussions. And a big thank you to our sponsor Bitdefender, as well, for supporting these presentations.


Our last big thank you goes out to our audience, that’s you, for joining us. Please pass this along to your community and do come back next time.


Listen to the podcast. Find it on iTunesDownload the transcript. Sponsor: Bitdefender.


Transcript of a discussion on how to best balance resilient security requirements with efficient use of human capital and resources in a highly dispersed organization. Copyright Interarbor Solutions, LLC, 2005-2023. All rights reserved.


You may also be interested in: