Can You Hear Me?

Realities of Cyber Security

Episode Summary

One of the biggest issues facing companies today is what to do about cyber attacks, whether it's how to plan for one, how to handle it if you've been victimized by a ransomware attack, or how to limit the damage to your company and your brand if it does happen to you. Are you ready? Cybersecurity expert Reena Bajowala, a partner at law firm Ice Miller, is our special guest on Episode 12 of Can You Hear Me? to discuss an issue that should be top of mind for all corporate executives.

Episode Notes

Resources: 

Ransomware on a Rampage; a New Wake-Up Call (Forbes): https://www.forbes.com/sites/chuckbrooks/2021/08/21/ransomware-on-a-rampage-a-new-wake-up-call/?sh=5d7680d52e81

2022 Global Digital Trust Insights Survey (PwC): https://www.pwc.com/gx/en/issues/cybersecurity/global-digital-trust-insights.html

Episode Transcription

Rob Johnson [00:00:09] One of the biggest issues facing companies today is what to do about cyber attacks, whether it's how to plan for one, how to handle it if you've been victimized by a ransomware attack, or how to limit the damage to your company and your brand if it does happen to you. Are you ready?

 

Cybersecurity expert Reena Bajowala, a partner at law firm Ice Miller, is our special guest on Episode 12 of Can You Hear Me? to discuss an issue that should be top of mind for all corporate executives. 

 

Hello again, everyone. Welcome to another episode of our Can You Hear Me? podcast, focused on best practices in communications. I'm Rob Johnson, president of Rob Johnson Communications.

 

Eileen Rochford [00:00:54] I'm Eileen Rochford, CEO of the marketing and strategy firm The Harbinger Group. As you know, on Can You Hear Me? we tackle some of the most crucial business-related communications issues of the day, and today is no different. We want to talk about cybersecurity.

 

We know that is a huge catchall. So let's first talk about what we aren't going to talk about. This conversation is neither about the nuances of cybersecurity or ransomware, nor about the challenges of obtaining and maintaining cybersecurity insurance, which are all very important topics, to be sure. We are going to dive into the importance of cybersecurity to your organization, some best practices as it relates to how to make sure that you are on the right path to protecting your company, and what can happen to your business if you do not properly prepare or if a ransomware attack happens to you.

 

Rob Johnson [00:02:01] Now, to accomplish this, we have a very special guest joining us today. Before we introduce her, we want to give you a little background about why this is such an important issue for your company. Now, according to a recent Forbes magazine article, the number of data breaches in 2021 will far exceed the numbers for 2020. In that article, Forbes cites a report from the Unit 42 Security Consulting Group, which reported the average ransomware payment climbed 82 percent to a record five hundred and seventy thousand dollars in the first half of 2021. Three hundred and twelve thousand was the number back in 2020, so you can see it's quite a bit of an increase. In fact, ransomware payments have totaled around 102 million dollars a month for companies that have been breached. Even though the general public rarely hears about such attacks, some of the biggest ones that have made headlines in 2021 are Colonial Pipeline and JBS Foods. The Forbes report stated that ransomware costs will reach 265 billion dollars by 2031, just less than ten years. That's frightening.

 

Eileen Rochford [00:03:07] According to the 2022 Global Digital Trust Insights Survey report by PwC, investments are pouring into cybersecurity. 69 percent of companies predict a rise in cyber spending in 2022, compared to 55 percent this past year. PCH Technologies estimates that the average expenditure on cybersecurity budgets for large businesses will be between two million and five million dollars; for mid-sized businesses, between 500 thousand and two million dollars; and in small businesses, five hundred thousand or less will be spent on cybersecurity per year, which are significant numbers depending on the size of your company.

 

Rob Johnson [00:03:52] That's true, and we could talk numbers all episode, but we're not going to do that. We have someone who can really shed some light on this important topic. Please welcome Reena Bajowala, a partner at the Ice Miller law firm. She is part of their data security, privacy, information technology and software dispute, and benefits dispute practices. Reena has extensive litigation and trial experience. She regularly advises on data privacy and security with a focus on data breach and cybersecurity issues. We could go on and on with the resume, but we won't. Reena, thanks for joining us today.

 

Reena Bajowala [00:04:25] Thanks so much for having me. 

 

Rob Johnson [00:04:27] Well, it's great to have you. Let's start with this troubling reality, as if the stats we just cited weren't troubling enough. Why don't you talk to us about the real threat of ransomware, and how, because of the pandemic, the tactics for getting it have evolved over the months, say, the last 20 months.

 

Reena Bajowala [00:04:48] Absolutely, well, we are in sort of a perfect storm right now in terms of ransomware. The incidents have gone up dramatically, as you have cited, over the last 18 months in particular, and something else has happened over the last 18 months, the pandemic. The reality is the threat actors really monopolize on times of confusion. So you have people suddenly working from home, and policies getting put by the wayside that might prevent some of these ransomware incidents. You also have a lack of proximity to each other. Everybody's working over email as opposed to popping their head in someone's office to confirm practices. Just overnight, you have companies that are more reliant on technology, going to remote systems that they hadn't used before, and perhaps not thinking through all of the security issues.

 

Ransomware incidents have gone up dramatically, and paired with this is the professionalization of ransomware. You might have heard the term ransomware as a service. But what happens is threat actors actually have a system that they put in a place of business where they develop a brand new ransomware variant. For those who are not as familiar, ransomware is just malware. It is a software that is injected into a system and it locks up your data and causes other havoc on a company. So, these threat actor groups develop their own unique flavor of ransomware variant and put together a list of victims where they would like individuals to target. They put together a kit, and they hire independent contractors essentially to carry out these ransomware attacks. Now you have a stream proliferation of these incidents because of the professionalization of the process. 

 

Eileen Rochford [00:06:57] That is just so awful, doesn't it just get to you when you're talking about it? 

 

Rob Johnson [00:07:02] Yeah, or when you realize how vulnerable you really are, and we are not sitting here trying to depress people. We are trying to give them a wake-up call. This threat is real and Reena has a front-row seat to it every day. 

 

Eileen Rochford [00:07:20] Because of the holiday season approaching, Reena, is that typically an even more dangerous time for being at risk for ransomware attacks? Or do you anticipate it is going to be even worse this year? 

 

Reena Bajowala [00:07:35] Absolutely, I think along with the other factors that I just mentioned, being in a pandemic, being decentralized, the threat actors really look at our behavior and look at times where we are going to be decentralized. 

 

People will be in different countries. People will be out of the office on vacation and you have additional activities and responsibilities that are happening. So, if you get a spoof phishing email from what looks like Amazon confirming an order for a Christmas gift, you might be primed to click on that without thinking it through just like you might when there isn't a major holiday coming up. 

 

Eileen Rochford [00:08:21] Yeah, that's a great point. I had an incident just today, an interesting tiny side note, a client of ours sent me a text and said, “Does this person work for your company?” I said, yes, but it was someone on a team who never would have interacted with this client. So, I said, “Hey, just send me a text, a screenshot of what that looks like.” When they did, I looked at it and it was so obvious that it was a pretty sophisticated, I wouldn't say ransomware, but a phishing of some variety. So it’s your advice to be on high alert during the holiday season. What else would you suggest that folks do differently? 

 

Reena Bajowala [00:09:05] Absolutely, trust but verify is the name of the game here. So what your client did is exactly the right thing to do, and ransomware can come from a phishing email. It can come in a variety of different forms. Someone clicks on a link and provides their credentials, or otherwise clicks on a link that installs malware which is an attack vector. The threat actors are getting much more sophisticated, as you mentioned. 

 

Here you have a threat actor that has gone on LinkedIn, perhaps, or other places to identify specific individuals who you would respond to. You have a lot of evolution in those tactics, but absolutely, trust but verify. Verification is a huge technique that you can use to prevent these incidents. Multifactor authentication is a technical solution that I think everyone has used before. After you log in to a system, you get an alert on your phone and, for example, you may have to type in a code. That is an example of multifactor authentication. It's two ways of confirming your identity, which puts you into a system. Implementing things like that is helpful. Also, just being on high alert in general.

 

Eileen Rochford [00:10:37] That is really good advice. I think for people to really appreciate how serious this is and why they need to remain on high alert, it may be helpful if you could explain to us just how debilitating a ransomware attack can be for a company. In terms of what it does, how hard it is to come back from, and getting back online. Would you mind framing that for us a little bit? 

 

Reena Bajowala [00:11:08] Absolutely. Again, there has been an evolution in the tactics of the cybercriminals when looking at what they are trying to accomplish with ransomware. But ransomware is really meant to: 

A. Disrupt your business. 

B. Get money. 

They want a ransom in the form of bitcoin or some other cryptocurrency. I'd say the original flavor of ransomware has been to install this malware in your company's system and lock up your operational or other data. When thinking about it, if you are a manufacturing company, for example, and the threat actors are able to lock up the server that has all of the customer specifications for the parts that you're manufacturing, sure, you can continue manufacturing the parts that are already in the pipeline. But can you put new parts into the pipeline without that data? Certainly, it would be a hit to your reputation to go back to those customers and say, "Hey, can you resend those specifications?" Of course, it might actually be impossible given the number of customers that you're dealing with as well. Think about your crown jewel data as a company. If that was suddenly unavailable to you, what type of revenue loss, loss of goodwill with your customers, and contract violations might you be up against, because you might have had to provide certain services or products within a particular timeline?

 

That's just the first flavor of them, where the second flavor of ransomware, which has been becoming more prevalent over the last year or two, is what I call data publishers. It's extortion. These threat actors sound wild given the technical nature of this, but there's a ransom note just like any other type of ransom incident. Which means there is a note on the system that is left by the cybercriminals, and it indicates instructions on what to do to get the data back. Companies have been smarter about getting data backups into place that are really robust to get their data back, maybe within 24 to 48 hours. However, threat actors have shifted their approach to taking the data and exfiltrating it so they downloaded it themselves. Then indicating that if the payment is not made they will actually publish that data on some sort of public block. So think specifically about government defense contractors who have sensitive data that is government facing or major clients, and you have data relating to those clients. The fallout from that type of incident can be tremendous. 

 

Rob Johnson [00:14:31] Just to take that a step farther, I've listened to various webinars that you have been on talking about this subject matter in the past, and I believe I heard at some point that even when everything is back on track and you’re back online in 24 to 48 hours, it could be weeks before you truly get back online. That can really harm your business, and we are kind of getting ready to get into that part of the discussion anyway. 

 

Reena Bajowala [00:15:03] Yeah, that is a best-case scenario. I think there are some real conversations to be had with the I.T. folks as well about what is the best case, and what is the actual scenario to be able to bring that data back up and be online. On top of that, you are doing an investigation and having forensic investigators and data breach coaches, like myself, trying to figure out what happened and contain the damage. You don't just plug back in and try to get your data; you are really trying to figure out, how big is this incident? How many people are involved? Are the threat actors still in the system? Oftentimes they are, and you have to take a variety of steps in preserving data in order to go through that process as well. The importance of focusing on this issue cannot be underscored enough.

 

Rob Johnson [00:16:05] I can't imagine anyone listening to this right now, Reena, and saying to themselves, "Oh, this doesn't sound so bad." I mean, it really is frightening. In fact, the more we hear, the more frightening it gets. In your experience, for people that may be on the fence about investing in something like this, and you explained it pretty well just a second ago that some people frame this as just an I.T. issue, that this is not just an I.T. issue. Why don't you explain, and this is more in the communications world, the irreparable harm that can be done to a company's bottom line, their ability to do business, and their overall image? I know that's three different questions, but all of them are very serious and can be very grave.

 

Reena Bajowala [00:16:56] Absolutely. We've touched on the one which is the most directly related to the bottom line, revenue. When you have your data locked up, that revenue stream gets halted. Also, there's an enormous cost to dealing with the data breach. You’re paying lawyers, forensic investigators, and other consultants and experts. If you have to notify individuals and the government, there could be a follow up investigation. So there are a lot of fairly direct costs relating to a data security incident. 

 

In addition, you have agreements with your customers that might have notification obligations in the event that any of the confidential information that they have given you under the scope of the agreement was disclosed. Which may lead to you having really difficult conversations with your customers. We are also in a competitive environment out in the business world, so if you have had a significant data security incident, first of all, you are going to have to deal with those customers and spend a lot of time assuring them that you are remediating the issue and will prevent a similar incident from happening again.

 

I guarantee you, if you're in a position where you are renewing a contract or they're going out to bid for a contract again, they are not going to forget that situation. It's going to come up and you're going to have to show your work in terms of the improvements you've made to your cybersecurity. And any time you say, “Hey, here are 10 improvements I've made.” The natural question is why didn't you have those in place beforehand? 

 

Eileen Rochford [00:18:53] I'm eager to know, and of course without naming names. An example or two where you saw firsthand the terrible implications of an attack of this nature. Maybe one of your clients or elsewhere. I am really curious to hear more about that. 

 

Reena Bajowala [00:19:15] Sure, just set at a very high level. For example, one incident happened at a manufacturing company. They relied on an outside company to do their data backups. When the incident happened, they went to the outside company. That company had not been doing the backup properly, so they had no leverage. Really in that situation, they needed to pay that ransom. Which is a very difficult situation to deal with. 

 

Another situation that is a practical scenario which occurs from time to time, is that a company will have a wire transfer fraud. There’s another kind of data security incident where a manipulation occurs and the money goes elsewhere. They might call their bank and say, “Hey stop this payment” and the bank freezes their accounts. But then they will have a ransomware incident that they have to deal with, and they can't get money out of their bank account because of their prior notice. You can have a lot of scenarios that are really difficult to handle. I think the government-facing companies absolutely have a tricky responsibility because once data has been downloaded, they may have a notification obligation to the government and those contracts are highly competitive and they go out to bid. So, the impact is wide-reaching. 

 

Eileen Rochford [00:21:11] And may I ask one more follow-up, what dollar amounts are you seeing in terms of these ransomware ads these days? Their demands? 

 

Reena Bajowala [00:21:23] Seven or eight figures in terms of the ransomware amounts. Especially as the first opening bid. Sometimes they do negotiate down, but you're seeing large numbers for the demands. 

 

Eileen Rochford [00:21:43] That's astonishing. Sorry. 

 

Rob Johnson [00:21:45] No, it is, it is astonishing. And the other thing that I find particularly interesting, too, and this I think came from another one of the webinars I was listening to you on, Reena, when they were talking about the overall cost of doing this, but also how there is this sort of honor among thieves. My inclination was, well, gosh, if they hold you up for ransom where they have all your information, they can leak it, they can do all sorts of things. What's going to keep them from just doing it time and time again? I heard that perhaps, “Once we got you, we got you and we're moving on to something else.” That's the thing, isn't it? 

 

Reena Bajowala [00:22:25] Yeah, they have reputations among themselves, right? So, remember that each ransomware variant is different. You can tell if it's the same threat actor group. If it is a threat actor group that's known to take the money and not provide the keys to decrypt your data or who is a “persistent threat actor group,” so they come back again. That will play into the calculus. 

 

We work a lot with law enforcement. For example, the FBI tracks various ransomware variants, and they'll tell you whether this threat actor group is a persistent one. If they are not found to be a persistent threat actor group, that means they won't come back once you pay them. The advice from the FBI is always don't pay the ransom, of course. But you can get pieces of information that way, and if they are a threat actor group that gets a reputation as being one who is not "above board," you can tell that they're going to have a tougher time getting those ransomware payments.

 

Eileen Rochford [00:23:37] I think it's fascinating. I agree, I actually never thought about it from that perspective before. Wow! Honor among thieves, I guess this is accurate. 

 

Eileen Rochford [00:25:08] Reena, in our communications business, everyone should have a plan in place for risk management, and Rob and I are always advising our clients to that effect. But often they're coming to us after the fact, when bad things have already happened. What I'd love to hear you talk about in terms of cybersecurity is: what do you recommend on the front end to make sure that your company is prepared and to avoid this type of attack as much as possible?

 

Reena Bajowala [00:25:43] Absolutely. An incident response plan is critical, so an incident response plan is a plan that walks through the WHO, which is who is the incident response team. As I mentioned, these incidents happen on holidays. Sometimes they happen on weekends. I unfortunately spend a lot of weekends dealing with these incidents because that's when fewer people are in the office. So you need to know who to contact at 10 o'clock at night on a Friday when this incident happens, and who the team is that needs to get pulled together to make all the decisions.

 

You also need to know how to make the decisions and what steps to take to determine, "Hey, is this an actual security incident or is this a false alarm? What do we need to do to contain the incident, to remediate it, to look at our notification obligations?" So this document is going to lay out all of those steps. I'd recommend, as a larger part within which this incident response plan sits, having an analysis of, well, where is your sensitive data? What do you need to protect? Do a risk assessment of your company, and then take this incident response plan and test it with a tabletop exercise. So that's where you get a number of people in the room, the decision-makers, and you walk through a simulated incident. I would recommend having a data security lawyer with you, a forensic investigator with you, potentially a communications person with you, so that you can have all of the key players in the room and you all understand what the values of the company are, what the goals are, and you have a better fleshed-out understanding of who your business partners are. That's a really important part for companies, where sometimes they're thinking internally in terms of who needs to be notified, employees, board members, things like that, customers. But you may have, you know, partner organizations that need to have input.

 

For example, medical hospital systems will have medical practices that are major that they need to contact and be involved in that process. So, having an incident response plan as part of your risk assessment as well, having a tabletop exercise done, and then I also recommend having a communications plan. So, going through, if you have cyber liability insurance, they'll have a list of preferred vendors that they will cover under the policy; going through those vendors and identifying, well, here's a company I'd like to work with for forensics, and then I don't want to write down the 1-800 number. I want to get that person's cell phone number, because you're calling, again, at 10:00 pm on a Friday night. You don't want to call a hotline. So really drilling down and having a list of individuals that you're going to call, holding statements for what you might want to say to your constituents and the key stakeholders, and having all of those pieces together as a package.

 

Rob Johnson [00:29:05] That's a lot to digest there, isn't it Eileen?

 

Eileen Rochford [00:29:08] It is! It's great advice, though. I wear two hats when I come to this podcast arena. I'm both a business owner and a communications expert. So it's funny as you're citing all of those things on the checklist I'm thinking through. And obviously, we're a very small company on a very small scale and thinking of each of those items and realizing, Oh, there's at least one on there that I'm going to go and just shore up right now when we're done!

 

Rob Johnson [00:29:37] Absolutely! I mean, I don't want to be repetitive here, necessarily, but I think you've already talked about some of the people that need to be involved. If you haven't come up with the plan that you just talked about and that all of a sudden you're doing, as Eileen mentioned, they call you after the fact and they say, Uh oh. You don't want to hear that right? “I got hacked. What do I do now?”

 

What kind of advice would you give our listeners to whom this may happen? And do you pay the ransomware? Who needs to be called in? I think you touched upon them in terms of having them already in place, but who are the key people that need to be involved once this does happen to you? And how will it help you come back from it?

 

Eileen Rochford [00:30:24] And I would just add even what's the first thing you do? Like, I want to have that drilled in my head.

 

Reena Bajowala [00:30:31] No, the first thing you do, and this is going to sound self-serving, but I promise there's a reason for it, is to call your data security attorney, because we can put measures into place to protect the investigation to the extent possible under the attorney-client privilege. And the first thing that I do is figure out who we need in terms of a forensic investigator to come in and support the I.T. team and support the company in doing an investigation to determine what happened and what the options are. Then making your claim to your insurer. That's absolutely necessary at the front end. In terms of the incident response team, it varies by organization, but you want to look at who are the functional heads of your organization; you want to have representation across the organization.

 

Of course, you have leaders in your I.T. and your information security groups, if you have those. You want to have your legal and compliance representation; you want to have your finance representation, so if you have a CFO or finance director, because money is going to be involved here, probably. And then you want to have human resources; there's often an internal component. Some of these incidents end up having some insider activity that you might need to address, an employee doing something improper or otherwise, maybe a disgruntled employee of some type. So having human resources involved is really important for a number of aspects as well. But you also need to know, for your organization, who at the end of the day is going to make that decision, whether to pay the ransom or not. And, you know, in a lot of organizations that goes all the way to the top. So that goes to the CEO. And that is a surprise a lot of times, because the CEO didn't really think about it. I can recall being in a tabletop exercise.

 

The question comes up, who decides, who is going to make the final decision and sign off on whether we pay the ransom? Everyone looks at the CEO, and he had that aha moment, and I will tell you that's a good way to get senior leadership also really to the table in making sure to fund appropriate pre-incident exercises, which are so much less expensive than when an incident hits, right, doing that preventative work. Really, it's an educational tool as well.

 

Rob Johnson [00:33:34] And given the number of dollars, we're talking about the big numbers you were talking about earlier. Reena, it's a little surprising that your CEO was a little taken aback by the fact that it was their decision. It hits you that this is the most crucial decision this company is going to make for a while, so of course it's your decision. I mean, the buck stops with him or her. 

 

Reena Bajowala [00:33:55] Absolutely. 

 

Eileen Rochford [00:34:02] That was really good advice, and thank you. You certainly got me thinking I'm actually reflecting here. And I recently, really just last week received a notification from a major professional service provider about a breach in their data, which involved, you know, ransomware and other things. But I'm intrigued because it said that the breach took place in April of this year and I just received the letter. What's your take on that? Are there any, you know, obligations in terms of communicating? I'm just curious because obviously, communication is what we talk about. 

 

Reena Bajowala [00:34:43] Absolutely! There are 54 data breach notification laws in this country, and they all have different definitions of the type of information they apply to. They all have different tests for when they trigger notification, and most of them have some variation of language stating that, please notify as expediently as possible. But if you think about how an incident occurs: you find anomalous behavior in your system, you spin up your incident response team, and then you start looking to see, is it one email account? Is it five email accounts? And I will tell you, at least half of the time what we think happened at the beginning isn't what really happened.

 

There might be one person's email account, and then you start looking at logs, you start looking at IP addresses to try to identify the threat actor and what their actions were in the system. And then you start seeing that, well, it was actually three or four different email accounts, and they moved laterally by sending a phishing email from one email account to the other. And they send it out broadly, but a few people fall prey to them. So, let's say you have four or five email accounts, and you have to determine, well, did the threat actors get a chance to download this entire set of emails, which you can do in some ways if you're logging in remotely? Now you have to look through all of those emails to see if there's information that falls within the definition of personal information under those 54 data breach notification laws. Once that's done, there's another test that applies, and then the notification drafting process occurs. And so that's when you find out about the anomalous behavior, at the time of the investigation, and you start the investigation right away. Sometimes the threat actors were in the system six months ago, and you haven't felt the effects of it yet. So you don't discover it until later. So it could be a variety of different things. But I think that the timelines do tend to stretch out for that reason.

 

Rob Johnson [00:37:22] You just answered the legal part of the question, and Eileen's scenario is so apropos because I think a lot of people can relate to that. So let's just turn it a little bit one way or the other here and talk about the brand that you're putting at risk here. So if I get something five or six months after it happened and nobody told me that I needed to be on alert of any kind, I'm a little upset, I have to say, and I think a lot of people would feel the same way. What damage to your brand can you do? You gave us the 54 laws and this and what's the definition and all that. But when it comes to pragmatism, when it comes to maintaining the trust of your customers, our clients or whatever it is, you really run the risk here of trying to seem like, listen, nobody wants to admit they had a data breach. That's embarrassing, even though it happens all the time. But you really run the risk of causing your brand some harm here. True? 

 

Reena Bajowala [00:38:25] You absolutely want to do it as quickly as possible. I think there's a realistic problem, because you don't know who to notify until you've gone through all those materials, right? There's not a list of people until you've done that process. But it does behoove you to get a team going as quickly as possible and to put the resources behind it. You can do interim measures, and absolutely, clients have different approaches on this. But, you know, putting something on your website or putting out an email to all of your customers saying, "We've been notified we had an incident. We don't know the details of it. We are cooperating," is another risk-mitigating technique. A good thing to do, if you contact law enforcement, is saying that you are cooperating with law enforcement on the incident. But there are ways to send out messages that are not the full notification in advance to manage your brand reputation.

 

Eileen Rochford [00:39:38] That's really good advice. I don't think that necessarily would have occurred to me. I'll just share my own personal reactions. When I received this letter, my immediate reaction was, wait a minute, this took place in April? But then, as a communications professional, an expert who has done this for 25 plus years, I walked through all those scenarios in my head. Not in as much detail, because I don't have the same depth of knowledge that you do, Reena, but I did think, I'm just going to assume that they were doing due diligence and therefore they didn't notify me until it became evident that we may have been affected. So fair enough. You know what I mean? But someone without my background may have a really different reaction to only getting a communication five or six or however many months later. That interim approach that you just suggested sounds very wise to me as a communications professional, and that's the takeaway I definitely am going to remember. I think our listeners should really perk up and take note, too. 

 

Reena Bajowala [00:40:58] Yeah, all of these scenarios are really tricky balancing of considerations: the legal, and then the business, and the practical. And so we really have to right-size it for your organization and assess what the risks are, right? I think with any communication, right, in terms of a crisis management situation: how much information you put out there and when, are there other news stories relating to this that are giving incorrect information about this incident? We certainly dealt with that type of scenario as well. So it's not one size fits all, absolutely. But balancing and keeping an eye on all those considerations is important. 

 

Eileen Rochford [00:41:46] Thank you, Reena. I think this advice has been so incredibly valuable, and I'm certain our listeners will find it equally actionable, which is something I really appreciate when listening to experts like yourself. I really hope they also take it to heart and activate a lot of the suggestions that you've made here. But if there are listeners who are interested in contacting you, what's the best way for them to do that? 

 

Reena Bajowala [00:42:14] You can Google my name, there's only one Reena Bajowala out there that I'm aware of. My bio will pop up, but you can contact me via email at reena.bajowala@icemiller.com. But my contact information is there or link up with me on LinkedIn. Happy to always have a conversation about someone's cybersecurity maturity. 

 

Eileen Rochford [00:42:40] Excellent stuff. Thank you. We really appreciate you being here. 

 

Reena Bajowala [00:42:45] Thank you for having me. 

 

Rob Johnson [00:42:46] Yes, thank you for your expertise, Reena. This was absolutely terrific, and I'm sure a lot of people listening have had their eyes opened in ways that perhaps they weren't thinking about. Now, before we leave, we want to give you some tips that you might find helpful. That aforementioned PwC report gave some good advice when it comes to mitigating some of the risks, the four P's to reach your cyber potential. The first is Principle, meaning that the CEO must be able to articulate an explicit, clear principle establishing security and privacy as a business necessity. 

 

Reena touched upon the buck stopping with the CEO and what he or she needs to be thinking about when it comes to this. Then, People: hire the right leader and let your I.T. folks connect with the business teams. Make sure there's good coordination and communication there, because these good people can help simplify what can be a very complex process to many of us who may not have that technical expertise. And then there is Prioritization. Your risk will change as you become more ambitious digitally. Make sure you use your data and your intelligence to continually measure those risks. Finally, Perception. You cannot secure what you can't see. And I think Reena touched upon it earlier in this thing, but I'm going to say it a little bit differently. Make sure those blind spots in your relationships and your supply chains are identified and addressed to make sure that you can handle this very weighty issue. 

 

Eileen Rochford [00:44:13] That's it for another episode of Can You Hear Me? We'd like to thank you, Reena Bajowala of Ice Miller, once again for being our special guest, and to thank everyone for listening once again. I'm Eileen Rochford, CEO of The Harbinger Group. 

 

Rob Johnson [00:44:27] And I'm Rob Johnson, president of Rob Johnson Communications. We hope you will join us next time. In the meantime, you can listen to us wherever you get your podcasts, Apple, Spotify, Google Podcasts and more. Thanks for listening.