Ransomware main topic at first EY Cybersecurity Symposium

Don Sinko and David Shade talk to each other

Don Sinko will be the first person to tell you that he is not an information technology expert. The chief integrity officer at the Cleveland Clinic became an important person in IT and cyber because he could make tech make sense to non-tech leaders.

“About nine years ago, the CIO comes to me and says, ‘Don, you keep talking about our vulnerabilities. I keep trying to get assets, but I'm not getting them approved. Could you do something about it yourself?’” he recalled. “I ended up putting together a PowerPoint that I took to the capital committee and asked for $7 million for cyber projects, talked about the need, the vulnerabilities, and the cost of the organization.”

That $7 million price tag has increased a lot since then as malware, exploits, and ransomware have swept the world. “I still am heavily involved in the oversight role. I meet with our cyber group every Tuesday afternoon, and we talk about cyber frequently,” Sinko said. “It’s a value to you to understand cyber and the programs that are going to be taught here, because one of the problems that professionals have is communicating to people outside of their own profession.”

“Everybody talks in their lingo. They assume everybody knows what they're talking about. So when they present, they talk in their language, but board members, management, and operations, they have no idea what the tech folks are talking about. If they don't understand it, they're not going to fund it and they're not going to support it,” he said.

Sinko and EY partner David Shade were the guest speakers at the first Cybersecurity Symposium since the new EY Cybersecurity Initiative was created at the Farmer School’s Information Systems and Analytics Department.

Shade was quick to agree that Sinko touched on a key skill that students should try to acquire. “That skill is one of the biggest areas of opportunity in business, being able to translate risk from a technical perspective into something that business leaders can understand.”

Shade said that in the beginning of cybersecurity, the fight was over account information, then over personal information. But he said that when criminals discovered the opportunities of ransomware – the encrypting of information on a computer or system that won’t be released until a ransom is paid – the field of potential victims became nearly endless.

“One of the things that ransomware really changed is that now everybody is a target -- every business. As long as you make money and you have systems, you're going to be a target for ransomware,” Shade said. “These are businesses that are operating these ransomware operations. They aren't people sitting in their basement. These are well-funded businesses that are doing research on their targets. They’re recruiting talent, they have pipelines, they're trying to exploit their targets, realize the revenue and then move on to the next one.”

He noted that the majority of ransomware attacks not only don’t make the news, they aren’t even reported to authorities. “Why does ransomware work? The big factor is that companies don't report this. 65 percent of the companies that are compromised by ransomware never report it. You never even hear about it,” Shade said.

Shade and Sinko agreed that the companies best able to fight against ransomware are the ones that train their employees to ignore phishing attempts and that run simulations to learn better ways to respond to an attack. Sinko said that the Cleveland Clinic periodically sends phishing emails to all 72,000 caregivers in the network and gauges the response.

“It's not ‘if’ it's going to happen, it's ‘when’ is it going to happen? How prepared are you for that event? Have you done the right diligence to make it at least difficult for them to deploy it? Are you able to detect it, respond to it?” Shade said. “These are very sophisticated outfits. You do research on customers, you do research on markets. They do research on you. They look at you on social media, they look at you on LinkedIn. Whether you go into a cyber field or anywhere in a business, you will be a target.”

And paying the ransom may not solve the problem. “A lot of people don't realize that when they give you the key to unencrypt, their malware is still in your system. The malware doesn't go away. And so one of the things that happens is you pay them and then six months later, they can turn it back on again and say, ‘Well, we want more money,’” Sinko said.

Sinko said that board members of companies need to be asking questions of management such as:

  • What is the risk assessment for cybersecurity and ransomware?
  • What is your prioritization of those risks?
  • What are the resources available to tackle problems, and are there enough resources?

And, Shade added, “Have you tested your responses to an attack? And what were the results of those tests?”

Tomorrow’s “heroes” will be those who understand the technical and can translate it into “plain speak” while also devising strategies to mitigate and minimize the opportunities for cybercriminals to get inside their systems.