[00:00:35] Tom Garrison: And welcome to the Cyber Security Inside Podcast. I’m your host, Tom Garrison. With me as always is my co-host Camille Morhardt. How are you doing, Camille?
[00:00:44] Camille Morhardt: I’m doing well, Tom.
[00:00:46] Tom Garrison: Well, we had some exciting news in my group where one of the folks in my team, Josie, he opened up a brand new business called the Oregon Badminton Academy in Beaverton. And it’s fantastic to see people that you work with in one capacity and in my case, cyber security and Intel and technology, but they have these passions that extend into other aspects that have really nothing to do with cyber security. But it’s so fun to watch him go through the journey of opening this business.
[00:01:19] Camille Morhardt: Well, I think that’s really cool. Little known fact about myself, I was president of the badminton club in my high school.
[00:01:28] Tom Garrison: Whoa.
[00:01:29] Camille Morhardt: I will definitely have to look that up and go take a class or something at the academy that he set up. That’s very cool.
[00:01:35] Tom Garrison: Well, on the subject of small business, it actually relates to our topic today because as you can imagine, if you’re a small business, you don’t really have the resources to have experts in IT or cybersecurity or really for that matter, lots of different specializations, but there are people that are available that do provide those capabilities and services, almost like a CISO for hire type situation for small businesses. And we’re going to talk about that with our guest, as well as some of the resources that are out there that small businesses can tap into, that they may not even realize exist with regards to some of these really important aspects of protecting and growing their business.
[00:02:24] Camille Morhardt: Yeah. I think we’re familiar kind of with the PC side of the house, sort of a managed service provider where you can kind of have an IT for hire that can manage your IT environment, but this kind of takes it to another level.
[00:02:39] Tom Garrison: Yeah. I know you and I both walked away learning something, and I think our listeners will as well. So let’s just jump straight into it.
[00:02:45] Camille Morhardt: Yeah, good.
[00:02:52] Tom Garrison: Our guest today is Chris Apgar. He is CEO and president at Apgar Associates. He’s a certified information system, security professional, and certified chief information security officer. So welcome to the podcast, Chris.
[00:03:05] Chris Apgar: Thank you, Tom. Glad to be here.
[00:03:08] Tom Garrison: Can we start off today by having you just describe your background and the kinds of things that you work on?
[00:03:14] Chris Apgar: I’ve been in the field for over 20 years. I started off with a health plan in the Northwest as their, I was told that I was going to be their HIPAA compliance officer for those of you in healthcare, or if you go to the doctor and got your notice of privacy practice, you’ll probably understand where that comes from. And then I decided at one point about 18 years ago that I got tired of working for people. So I went to work for myself.
And I’ve been working with organizations around the country, health plans, providers, vendors like software development vendors and such on two different aspects. One is on what do they need to know from a legal perspective on how to keep things private. And then on a security side of things, okay, what do I need to do to secure my network, make sure I’m not open to ransomware, protect the organization, long term planning, things like that as far as like strategic initiatives in the cybersecurity area.
[00:04:11] Tom Garrison: Yeah. So today we’re going to focus more on the risk assessments and also privacy compliance and trying to delve deeper into those two areas. And I know this is an area that you focus on in your line of work. So let’s just start off with, let’s say risk assessments. What type of work do you do when you have a prospective customer let’s say, and they call you up and say, hey, Chris, I’d like to do a risk assessment on my company. Where do you start?
[00:04:42] Chris Apgar: Risk assessment is looking out there. It’s saying what’s out there that could harm my organization? So when we go into an organization, we’ll talk to people and say, okay, tell me what you’re doing now. What are the security controls you have in place? Things like I got a firewall, I’m training staff properly, things like that. And then we also look at what are the things that can threaten that organization. We all hear too much about ransomware these days, and it is a very significant issue. We don’t necessarily hear about the risks associated with people, carelessness, lack of knowledge, things like that. So it’s saying, okay, what are the threats? And that ranges from human to I’m in tornado alley. So I’ve got tornadoes I need to worry about. I have other forms of threats that are out there that may be natural, may be human.
I’m also looking at what are my vulnerabilities. In other words, if I’ve got a network and I’m using Windows 7 laptops, those Windows 7 laptops haven’t been supported by Microsoft for a few years now. And that would be a significant risk. So we’re looking at, okay, what are the things that could harm you? Then we look at what are the security controls you have in place, whether they’re technical, they’re policies and procedures, they’re things like a business continuity plan. We look at all of that. We interview folks to say, okay, well you say you do this, explain it a little further to me.
And then in the end we say, okay, here are the things that can harm your organization. Here are the things that you’re doing to protect yourself against harm. And then based on all of that, what’s the likelihood something bad will happen? And what’s the impact of that? And we come up with a residual risk to say, as an example, I’m not encrypting my laptops. Well, that’d be a pretty significant risk because there’s a high likelihood that something bad will happen and the impact could be pretty significant if you’ve got a lot of sensitive information stored on that laptop.
[00:06:31] Camille Morhardt: What percent of companies that you’re talking with, or it doesn’t have to be the companies in your clientele list, but just generally, do you think are running crisis simulations, like as in a vulnerability happens or an attack happens? How many of them are actually thinking about that in kind of a comprehensive way right now?
[00:06:52] Chris Apgar: There’s a significant percentage that are, but I would also caveat that by industry because I primarily work in healthcare. One of the things about healthcare on the healthcare provider side of things, the docs, the hospitals, and so forth, they haven’t necessarily been as good at going through something like that. We saw that last year when there were 25 to 30 hospitals that were hit with ransomware to very significant impact. In fact, the University of Vermont medical system was hit. And the governor of Vermont had to call out the cybersecurity experts from the National Guard to help them recover from that. They hadn’t really done anything preparatory to that. We had something, I mean, very similar happen in Oregon. Sky Lakes hospital was hit with ransomware last year, which cost them a very significant amount of money.
And they actually did their own podcast about what happened, how did it impact us? And they basically said we were ill prepared for this. So there are organizations that I know of that I’ve worked with that actually do those kinds of tests, doesn’t necessarily mean that they’re doing it in a way that they’re looking at the broader perspective of something beyond just a simple tabletop test to say, hey, we got hit with ransomware. What are we going to do, something that’s broader across the organization. While that’s increasing, that’s not necessarily as common as it needs to be.
[00:08:12] Tom Garrison: When you’re doing these assessments do you rate the quality of, let’s say, for example, you asked, do you have a disaster recovery plan if there is a tsunami or something. And they say, yes, we’ve got one. Do you go through it? And you say, how comprehensive is it? Is the quality to the level that it should be?
[00:08:33] Chris Apgar: Yes. And I also look at components of it. As an example, I got a disaster recovery plan and I know that I can get things back up and running, but all my backup media is across town in a data center. Well, it’s gone folks. I ask questions around, okay, if you can back up your information and you can recover from that, is your backup somewhere else outside of a geographical region that you’re in now, somewhere where if you get hit, say with a natural disaster, where your data is, will not get hit.
[00:09:10] Tom Garrison: And how would you say people generally, speaking of the clients that you engage with, do you find that the level of maturity is getting better or are we still immature in terms of the risk assessment and where people are in terms of managing risk for their business?
[00:09:29] Chris Apgar: It’s getting better. And one of the things that’s helped in the market is like, I’ll give you an example in the healthcare space. If I’m a business associate, in other words, I’m a vendor that has to comply with HIPAA because I have patient information that I use. If I want to play in that space, I need to be able to prove without a doubt that I’ve got sound security, that I’m doing the right thing. If I can’t do that, I’m not going to make it in that market. That’s a very important piece. Either I can demonstrate it, or more likely I’ve gone out and had an audit from a CPA firm. I’ve gone through what’s called a HITRUST certification. I’ve got something that I can give to my customers to say, look, I had somebody come in, look at me and say, you’re doing the right thing. It’s not just, I’m going to tell you that I’m doing the right thing, and you’re going to believe me. It’s going to be: prove it.
[00:10:21] Camille Morhardt: What’s your opinion on how transparent companies should be in general about knowing their risks or knowing their vulnerabilities or even attacks that have occurred to them? Do you think there’s a best practice in that space or does it really depend on the specific circumstance?
[00:10:42] Chris Apgar: I think you’ll find that organizations are being more transparent internally, and boards are more engaged in asking for that type of information. If you’re asking about, am I being transparent to my customers, or am I being transparent to the government or whatever? No, I don’t think that’s happening as much as it should be. Even though there have been efforts on the federal level to say, hey, we’re going to set an environment up where we can share information about attacks and things that are happening to us so we can be more open. And we’re not going to come get you because you share it. The idea is so that we can all share it in a safe space, but a lot of organizations are reluctant because there’s this fear that, oh, if I let you know that I was hit hard with ransomware, but I was able to address it without any headlines at all, I’m likely not going to tell anybody about that other than people inside the organization.
[00:11:32] Tom Garrison: Yeah. That’s interesting. So, Chris, in the preparation for today, we met briefly. And you talked about the other part of your role. You can act and do act as a CISO for multiple companies, sort of smaller companies that can’t themselves justify having maybe a dedicated person. Can you talk a little bit more about how that works and what type of company is it that needs your services in that space?
[00:12:02] Chris Apgar: It ranges in size. I’ve got one client, who’s they’re 22 people. They’re a software development company out of Boston. In their case, when I’m acting as the chief information security officer, it’s more of a they come to me because they have a question that they can’t answer, not as much from what I would call the strategic planning perspective. I have a couple of larger companies that I work with where that’s basically my role is I’m more the strategic guy who comes in and says, okay, let’s look at the roadmap, let’s see what you’ve got. Let’s talk about where you need to go. And then let’s map it out, and see what we need to do over the next one, two, three years, so that we can increase what you’re able to detect, increase what you’re able to block, improve your security stance.
In those particular situations, the CISO acts in a more of a strategic perspective and looking at it from, okay, what does the business need? What are the business requirements? Because I can’t come in and say, well, you need to do security because security’s a good thing, and it’ll protect you. I’ve got to be able to explain how does that fit in with the strategy of the business? There is no such thing as risk free security. So I need to look at it in terms of what is going to be the best way to address your needs as you move forward. And I mention the positioning in the marketplace, well, how am I going to better position myself in the marketplace? And at the same time, reduce my risk from attack, from data loss, from things like that.
[00:13:31] Tom Garrison: Obviously, your focus is mostly in healthcare. Do you have peers that do the same kind of sort of CISO for smaller businesses by vertical? Is that a thing?
[00:13:43] Chris Apgar: It is in a lot of respects. I’ve got one, who’s a colleague of mine. His background is he’s worked as a CISO for some very large corporations, including national banks. And right now he’s got more work than he knows what to do with. And he is more across the board. So he would work with finance. He would work in healthcare. There are other companies that work with providing executive level CISO talent, as well as chief information officer talent, to organizations. And it’s not just a particular sector. It could be government, it could be finance, it could be manufacturing. And then you go all the way down to smaller organizations, where there are entities that have as part of their team or their workforce virtual chief information security officers who work with smaller organizations, like maybe a law firm or a large healthcare practice or something like that.
[00:14:37] Camille Morhardt: Do you see a difference or a pretty big difference in the threat models for smaller companies versus larger companies?
[00:14:44] Chris Apgar: Yes. There are some that are just the same. Ransomware’s going to hit you. It doesn’t matter what your size is because with ransomware, it’s like a shotgun, especially now that you’ve got ransomware as a service, where you just buy the ransomware, and you go send it out. So say I hit a small organization, and I say, well, you got to pay me $5,000 in Bitcoins. Well, if I hit 40 small organizations, then I got a lot of money. And then on the other side of the equation, you have things like have happened with the oil refinery. You’ve had it happen with hospitals. You’ve had it happen with other large organizations. And those you have both what I would call the cyber criminals who are out to make money. You have also on the other side, you have nation states like Korea, like Russia that are out there for their own purposes, trying to disrupt things.
So you’ve got it in different places at different calibers. Smaller organizations if I were to say, what do they need to do? They’re a lot simpler profile because I could have a small company. I’ll take mine as an example. We don’t have any servers. All of our assets are in the cloud. We don’t have a lot of exposure. So I’m not going to go out and spend a hundred thousand dollars on the best firewall and security incident and event management solution that’ll monitor everything versus somebody like an Intel for that matter, Intel is going to spend a good chunk of money to make sure that they’re protecting their assets.
[00:16:12] Tom Garrison: Yeah. This is just an interesting area for me, because I guess I had never thought of the types of services that might be offered as a service. Like what you’re basically describing is CISO as a service for small businesses. And it gets me thinking, if you are a small business, maybe what are some of these other resources that they may have at their disposal regarding security or other things that you’ve come across?
[00:16:46] Chris Apgar: One of the things that’s relatively common in smaller organizations is they’ll contract with a managed services provider. So they’re contracting with a company that will basically, you get a new laptop in, they’ll put the right image on it so that they can’t install just about anything they want on it. They’ll provision it; at the end of its life, they’ll destroy the data on it so it doesn’t get out there. They’ll do the ongoing network support, manage the firewall, manage the email servers, and things like that on behalf of smaller organizations. Another type of organization you see out there, and these work with small to sometimes medium to large companies, are the managed security service providers, or what some people call an outsourced SOC, security operations center. Where what they do is they basically, they provide the 24/7 coverage to monitor the network to make sure somebody’s not attacking you.
And if they are, they do something about it. A client of mine, they’re a 2,000-person organization. They’re a hundred million a year company. They don’t want to spend the money to try to find what can be high price resources to manage a security operations center 24/7 around the globe, because they are an international company. And that managed security services provider, they give them 24/7 coverage. That kind of talent’s expensive. And I don’t have that talent inside my organization. So if I only need 10 hours of that a week or a month, it’s far more economical for me to go buy that service. And I’m also buying a service where I know these people, they’re experts in it. That’s what they do for a living is all day long, they’re the security people.
[00:18:27] Tom Garrison: How about government? I’m thinking for small and maybe medium businesses that don’t have those experts that you’re describing. Maybe don’t really know where to reach out to. Are there government resources where they can talk to somebody, get some insight into what to do and who they should be talking to?
[00:18:50] Chris Apgar: Yes. If you look on the web for US-CERT, C-E-R-T, and for the life of me, I couldn’t tell you what the acronym stands for, but it’s part of the US Department of Homeland Security. What they offer is they offer resources. They have cyber security experts like in Oregon, there is a cybersecurity expert. And she acts as that person who small businesses can go to and ask those questions and say, okay, I have this problem. Or I need to, what’s the best way to protect my organization. The other thing they offer is they offer things like free services around, they will do a phishing campaign for you. So they’ll send bogus emails, and they’ll let you know how many of your employees clicked on it. They’ll do an external penetration test for free. They’ll do vulnerability scans for free. So there are things that the federal government will do for free for organizations. And my friend who’s the cybersecurity advisor for Oregon, she said, send me as many people as you can, because we really, really, really want to help people. And they have the resources to do that.
[00:19:50] Tom Garrison: That’s great.
[00:19:51] Camille Morhardt: That’s really cool. I didn’t know that. That’s a fun fact.
[00:19:57] Tom Garrison: Yeah. Camille, any other questions for Chris?
[00:20:00] Camille Morhardt: No, I feel fascinated. I’m quite familiar with managed service providers. And I guess it’s logical that would extend into other areas, but I hadn’t actually heard of it before. So it’s really been interesting.
[00:20:12] Tom Garrison: Yeah. Well, the government angle too. I mean, it’s always nice to have people that do it for a living and would be willing to do testing for small businesses to see, maybe uncover issues before the small business even realized they had them. So I think that’s great, especially when it’s free.
[00:20:28] Chris Apgar: One of my clients asked a question about that. He said, hey, if they do the test and they find something bad, are they going to report that? And this was on the healthcare sector, and he was afraid they were going to report that to the Office for Civil Rights, and they’re going to get in trouble. And the answer to that is no. The only people that know about what they find is you. They’ll aggregate the data, and they’ll do it in like high level reports about, we found X percentage of organizations had real problems with phishing. But they will not disclose your information that they find from a scan with any other agency or organization.
[00:21:01] Tom Garrison: Oh, that’s good to know. All right. Well, Camille mentioned already that was kind of a fun fact, which I agree with her. That was kind of a fun fact, but we have a dedicated, fun fact section for each podcast. And we’re going to do that now. So Chris, do you have a fun fact that you want to share with our listeners?
[00:21:22] Chris Apgar: I do. I’m a native Oregonian. I was born in central Oregon. All but three years of my life, I’ve lived in Oregon, and this is something I never knew is Oregon is the only state with a state flag with two sides. You have the state flag that you generally see, but what a lot of people don’t know is there’s a backside to that, and it’s the beaver. So there’s two sides to the Oregon state flag.
[00:21:44] Tom Garrison: That’s right. I believe it’s the only state flag that has two sides.
[00:21:48] Chris Apgar: It is.
[00:21:49] Tom Garrison: Two distinct sides. There are some that have the mirror image, but yeah, two distinct images. That’s cool. Very good. Camille, how about you?
[00:21:59] Camille Morhardt: Well, I was sitting around wondering what to do as a fun fact today and looking at that basil plant, probably about the 30th one I’ve bought over the last couple of years, because they just don’t tend to last very well in Oregon. And I was wondering if they were all the same species or if maybe I could branch out a little bit. So I found out there’s between 50 and 150 species of basil plants that we use for culinary purposes. I will say that in an outdoor greenhouse at the coast in Oregon, I tried all kinds of varieties, Thai basil, regular sweet basil, and African basil. And the African basil was purple in color and a little bit hardier, and it actually did really, really well. Whereas the others were too delicate and didn’t survive that somewhat harsh environment. So that’s my offering to people who want outdoor greenhouse basil this winter.
[00:22:51] Tom Garrison: Purple basil.
[00:22:53] Camille Morhardt: Yeah.
[00:22:56] Tom Garrison: Interesting. Well, I’m going to do a fun fact that relates to the planet earth, but also space. So did you know that there are more trees on earth than there are stars in the Milky Way?
[00:23:11] Camille Morhardt: I don’t believe it.
[00:23:13] Tom Garrison: There are, for you naysayers, Camille, there are about 3 trillion trees on earth and between 100 and 400 billion stars in the Milky Way galaxy.
[00:23:28] Camille Morhardt: I’m flabbergasted.
[00:23:29] Tom Garrison: I am too. I thought that there’s no way that could be true, but I looked at the numbers and it’s like, dang, that’s true.
[00:23:37] Camille Morhardt: You’re not just talking about stars we can see. You’re talking about…
[00:23:40] Tom Garrison: No, in the Milky Way galaxy. In the Milky Way galaxy is 100 to 400 billion stars and 3 trillion trees on earth. It’s not even close.
[00:23:51] Chris Apgar: Yeah. That’s quite a few.
[00:23:54] Tom Garrison: Yeah. So we will end on that fun fact. Of course, is somebody going to count, but hey, whatever. Chris, thank you so much for joining us today. I thought it was really good to get a glimpse into some of the smaller businesses out there, small and medium businesses that are looking for security services. And I thought you did a great job of walking through those options.
[00:24:17] Chris Apgar: Thanks for the invitation.