Hello and welcome to today's webinar on cybersecurity. My name is Kara Hoogensen, and I am the senior vice president of specialty benefits at Principal Financial Group. And it's my pleasure to be the moderator for today's event. We're going to focus the next 45 minutes or so on cybersecurity, and really, the state of cybersecurity risk for small businesses.

We hope to provide you with relevant, timely information on this topic, as well as tips that will help you put together a plan to best protect your business. Based on the latest information from the Small Business Administration, there are roughly 33 million small businesses in the United States today. And I think, among many things, one of the lessons we've learned during the last two years of a global pandemic is just how darn resilient small businesses actually are.

But a cyber breach or a data breach can have a significant, even detrimental impact to any business, and maybe particularly, to small businesses. So it's important to be vigilant and prepared, and we hope to help you do just that today.

The Principal Financial Group Well-Being Index is a body of primary research that Principal has conducted for eight years at this point. And we really made a transition during the early stages of the pandemic. Whereas before that, we used to conduct this research annually, we're now doing it three and four times a year so that we can best understand the current sentiment of small to medium-sized businesses and revisit timely topics to understand how small businesses are thinking about these topics and how that thinking may be changing over time.

We really gathered some important information from our most recent wave of the Principal Financial Well-Being Index, and that was on the topic of cybersecurity. So as you can see from the slide that's in front of you, according to this research, 1 in 4 businesses experienced a cyber attack recently.

And of those attacks, almost 50% of those, or actually more than half of them, were successful. The costs of a cyber breach can vary greatly, but on average, for companies that have less than 500 employees, that cost is $3 million. So not an insignificant impact to a business of any size, really.

So with that background, it is my pleasure to introduce our panelists for today. We have joining us Meg Anderson. Meg is the vice president and cybersecurity information officer for Principal Financial Group. Her accountabilities include leading our information security and risk function, driving our information security strategy for our global business.

She is a member of many cybersecurity information security councils. She's a board member of the Financial Services Information Sharing and Analysis Center, as well as on the advisory group the Fin Cyber Advisory Group, which is affiliated with the Carnegie Endowment for International Peace.

Also joining us is Karen Evans. Karen was recently named the managing director of the Cyber Readiness Institute. Prior to joining CRI, Karen has over 20 years of experience in cybersecurity policy with both congressional and presidential appointments. She's held positions at the Department of Energy, the Department of Homeland Security, as well as the Office of Management and Budget.

Meg and Karen, thank you for taking the time to join us today. And I'm excited to get your insights on this very timely and important topic. So we will dive right in here. We have, based on this Principal Financial Well-Being Index report that I mentioned earlier, one of the more recent pieces of information we gathered is that a majority of businesses are spending more money and resources on cybersecurity compared to a year ago. And you can see that information on the slide in front of you.

So arguably, they should be better protected today relative to 12 months ago. But to start out, let's get kind of a lay of the land. What are we seeing happening right now in the cybersecurity space for small businesses? Meg, let's start with gathering your thoughts on that topic.

Sure. Thanks, Kara. It certainly has been a very eventful year in cyber, and I think for 2022, we should anticipate another very eventful year. And in particular, the threat of ransomware is something that's top of mind. That usually involves someone who-- a malicious actor who encrypts your files and has a threat to either destroy them or to ask you for ransom, usually in cryptocurrency.

That is going to continue to hit businesses of all sizes in '22, and the sheer volume of the attacks is going to increase. It's reported right now that there's an attempt at ransomware every 14 or so seconds, and so the volume increasing from there is just going to be astronomical.

In addition, another theme is the impact of third party supply chain. So really understanding those in your ecosystem, who you depend on, and what their cyber posture is will continue to be very important.

Great. 14 seconds?

14 seconds.

Wow.

Honestly, I had no idea. There's a bit of a shock factor to that. Think of all the good that people could do if they were focused elsewhere. But that's a topic for another day. So, Karen, additional thoughts on this particular topic.

Well, first, Kara, thank you so much for having me join you and Meg. And I think the results of your survey, when you highlighted it, and then based on what Meg said, actually shows that what we call the threat landscape has evolved. And so your findings bear out that shift that we're seeing in that threat landscape.

And so a lot of this is really directly related to, I believe, the change in the work environment, the school environment, small business overall due to the pandemic. And everyone has become very flexible, which means that all of us have thought more about that balance of, how do you build that balance between, hey, I've got to get all my people online, I have to get all my services online, against the risk? And that's why I think you saw some of the increased investment going forward.

But you also said, well, we would think we would see an improvement. No, it's because of what Meg said. It's that balance of every 14 seconds, because everyone knows that we have shifted now to this virtual environment. And if we aren't ever-diligent in this particular new environment, then people will take advantage of us.

Absolutely. Well, and let's dive right into how businesses can be more vigilant. One of the-- whether we call it weak links. And often, I mean, there's no ill intent in the vast majority of circumstances, but employees, accidents, clicking on the wrong link can be so impactful to a small business if that link is part of some sort of an attack. And so, Karen, I'd like to get your thoughts first on this question. But really, what can employers do to best educate their employees so that they aren't adding to the level of risk that exists already out there?

Well, that's a great question, Kara. And I reflect upon, in my past, my 30 years of experience here. One of the great folks out there said, if it weren't for people, computers would work perfectly. They'd work exactly the way that they were intended. But I mean, people are people. And so what can small businesses do?

And that is why I was so excited to join the Cyber Readiness Institute as the managing director, because we're very focused on, how do we help small businesses, and answer your question? And if you go, we have a cyber readiness program, and we also have the cyber leader certification. And these are two of our foundational programs that are out there. And they are free, and they are available for small and mid-sized businesses.

They are focused around what we would call the cyber hygiene four basic areas, which are strong passwords, multifactor authentication, make sure you're doing updates, and phishing, which is specifically what you're talking about, Kara. I know I've had to educate my own family about, don't just automatically click on those links because it's convenient.

And so really-- and the actor has gotten so sophisticated that those messages look so authentic when they come in. And so a lot of this is human behavior awareness. And these are the tools that the Cyber Readiness Institute puts out for small and mid-sized businesses. So I really want to stress that, and that they're available. As soon as you're done with this webinar, go sign up.

Fantastic. And we'll provide more information on how to access those at the end of our time together today. Meg, thoughts from your perspective.

Yeah, sure. Karen said a very important F word, and that is free. Another very important F word is fun. So if employees see education around cyber as drudgery, that's not very fun. So think about how you can make it fun for them. There's platforms that will gamify some of the education.

A couple things that we have done at Principal that would also be available for small and medium-sized businesses is a virtual escape room. And that made it fun, where people had to solve puzzles to get out of the escape room and they competed against their peers and teams and had some glory in being at the top.

Another thing that we did is we invited some speakers in to talk about the security programs at their company so we could learn from others. In our case, it was the leader of the security team of a very, very popular social media platform. So it was really very interesting to hear about how they approached security in such a different business compared to ours.

Another thing I would say that maybe doesn't necessarily qualify as fun, but it's really interesting to walk through breaches at other companies, whether they're in your industry or not, and say, what would happen-- make it a game. What would happen if that happened to us? Could it happen to us? What are the things that we ought to be doing differently so that it doesn't happen to us, because we don't really want to find ourselves in the situation where we're having to invest in fixing our systems as opposed to investing that money into our company. So those are a couple suggestions that I have.

Yeah, those are great. And I think the thing that also comes to mind, as I listen to both of your suggestions, is also, it's not a one and done effort. I mean, this has got to be something that is done on an ongoing, regular basis. I think, isn't it that something like we have to get exposure to information seven times before it actually really sinks in and we start to absorb it?

Exactly right.

And so this is about, what kind of cadence can we create within a business so that this is more top of mind for employees, and thereby reducing the risk for that particular business?

So Kara, before you go on, there's one point I'd like to add on to that based on what Meg is also saying about making it fun. One of the things that CRI does is part of the program-- and I mentioned this a little bit about Cyber Leader-- is it's changing human behavior. And that's both what you're hitting on, is you're creating a culture where people are really thinking about it all the time.

If a business goes into this and says, wow, this is something I just have to do, that's not fun, to Meg's point. And so everybody's going to go through it. They'll do it. But you're not going to get the outcome that you intended. And the whole idea behind this is, you have to manage this risk on a continuous basis. And the only way that that's going to happen is if you create an environment where people are always thinking about it.

And that really is what the Cyber Leader program is about, and getting your organization, what we call cyber ready. It is creating that culture where they're always thinking about, ooh, should I do this? Is this good? Maybe I shouldn't do this. If I'm unsure and I don't have a Meg, I need to go and look at some of the things and some of the resources that are available so that I can read up on it. Because we're talking about small businesses, and they have to balance those resources against business outcomes.

Absolutely. No, great additional thoughts. So we talked about, just a few minutes ago, clearly, the world today looks different than it did about 24 months ago because there has been so many changes to businesses as they adapted in light of the pandemic and leveraging technology, digitizing the business maybe in ways that hadn't been done previously.

Well, one of those implications from the pandemic is there's just more workplace flexibility, and that is not going away. I think there's a lot of information around that as being a key to attracting and retaining employees going forward. So the percentage of employees that are going to be working either entirely remotely or in a hybrid work arrangement is much greater than it was 24 months ago, and is going to likely stay at those higher levels.

So with that, what are the cyber readiness implications for more of the hybrid and remote work? Meg, can you share some thoughts on that with us?

Sure. Like you said, Kara, this is not going away. However, about two years ago when we all started to work from home-- and to be fair, essential workers never did work from home. But for those people who went to work from home, I don't think anyone thought it would be this long or the outcome would be where we're at.

So if you haven't planned strategically for how hybrid work or work from home is going to work for your business, now is the time, I would encourage you. Don't wait any longer. And really, to think about what you must do at this point. I would offer up three suggestions, with the first being access to your information. Do the right people have access to the right things and are you appropriately restricting access to people who don't need it?

Because when a fraudster gets credentials or gets access, they do it, typically, through a person. And they're going to do that and get the access that person has. Now, they're going to be able to move around from there and get broader access. So making sure that all the employees that you onboard only have what they need to get their job done should be your number one priority.

The second thing is making sure all of your information is protected in your applications. And many companies are using cloud-based applications. So understanding, how is the cloud company, how is the application providing-- the company providing the service of that application protecting your data? Do you understand that? Is it time to maybe check the configurations or have a meeting with that third party to talk a little bit about what more you could be doing?

And we talked about education already, which would be my third suggestion. But education is a little bit in line with the third parties that you're using. It's a regular conversation. You can't do business with a third party and walk away. You really need to understand, what's the service they're providing for me? Has the threat changed related to that service? Are you seeing hacks or other cybersecurity incidents related to, for example, storage sites or email?

And if so, then you should be having regular conversations, or timely conversations, with your service providers as well. So three things-- access, and then making sure you understand your information is protected, and then on an ongoing basis, don't forget about the education.

Great. Thank you, Meg. Super important. Loved how you kind of distilled that down. And it is. It's ever-changing out there, not unlike the continual education for employees, but just staying on top of this topic and accessing what resources you have available to you. Karen, what are the best tips you have to mitigate cybersecurity risk?

Well, and I'd like to build off of Meg's answer, because it was a great answer. And really looking at it, information, access, and your vendor management piece. So I already talked about cyber hygiene, but part of this-- and really, what I want to talk about-- is business continuity, because that's really what we're talking about.

How do I keep my business up and running when a pandemic hits? I mean, who would have thought, two years ago, that we had to think about this? I know Meg has worked on this throughout her career. I know I did. We had business continuity plans. What happens on day 1? What happens on day 30? What happens on day 90? I don't think any of us thought we would have to think about what was going to happen two years from now.

But if you're a small business and you're starting or you're five years into this, what is really important is, what are the most important services that you have, and then how do you put this together? And what is the most important application? What is the most important type of data that I have? And then what CRI offers as part of this-- and Meg talked about this earlier about ransomware-- we have a ransomware playbook. So what we try to do is demystify this process.

And it walks you through, what are the most critical things in your business, and then how would you mitigate that? What happens if the internet goes down in your area because somebody cut the line when they were plowing snow, and then what happens, and can you still do it? Do you only have one provider in the supply chain? Is everybody using that same provider for that service or that same provider for that good?

And so I think small businesses have gotten really creative on this. But what I would say is you should develop this playbook before the crisis and exercise it. So this falls under the category that Meg had of education, because people should know what their roles and responsibilities are before the ransomware hits, before the crisis hits. And you exercise it, and then you go, ooh, I didn't think about X, Y, Z. Let me update the playbook.

And so this resource is available also at the Cyber Readiness Institute's website, and people can work through that. And I think, as you start asking yourself those questions, you're going to be surprised at some of the answers. And you really want to be prepared before the incident happens.

So I would recommend really kind of walking through that playbook and thinking about, how do I keep my business running and what's an acceptable downtime? Is it acceptable to be down for 30 minutes? Is it acceptable to be down for 24 hours? Do I have another way that I can distribute my goods and services if I'm down for 24 hours? And before that happens, that's the time to ask that question so that that business resiliency, that business continuity thought is also built into the culture.

Fantastic. Thank you, Karen. I found myself thinking about that word "demystify" that you used. And I think that's a great way to describe the materials around CRI and what's available-- again, free-- to individuals and businesses, is those materials do such a good job of demystifying this really complex, ever-changing topic.

And for any Lost fans out there, it certainly makes them less complex than the Dharma Initiative, which I think is a good thing. So with that, a question for both of you. What cybersecurity challenges do you expect that small to medium-sized businesses are going to face going forward? Karen, why don't we start with you on that one?

Well, I think we've been hitting on a lot of them. I really think what's going to happen is we're not going to see a decrease in technology. I mean, that landscape is not going to change. Everything is connected, from my Ring alarm system that I can watch packages be delivered. And I think what you see in small businesses, that integration, also, of physical location of my home is my business and how that's going to work.

So it's really going to be, how do you look at those new capabilities? And Meg brought this up, is the supply chain. I think now-- I mean, I was ringing the bell of supply chain probably 15, 20 years ago. But now, everybody understands what supply chain is. And everybody understands what the impact of that is going to be. So those dimensions-- it's multidimensional.

And again, I'm back to the playbook. It's really going to be, for your business, when you bring in a new technology, or when you bring in a new service, or when you're going to have a partner-- a new partner-- it's really understanding that business risk, and then making sure your partner also has a good understanding of their business risk.

Because if you're going to have this dependent relationship with them and you realize that maybe they're not cyber-ready, you might want to share some of these materials and some of the findings from this study so that they could get ahead of it. I don't know that anybody can sustain a $3 million response.

And so if you're going to get into these business relationships with people, I think everybody has to understand what the shared risk is. It's not-- we used to say, it's private/public partnership or shared responsibility. But this is a whole of nation responsibility, the small businesses all the way up to the federal government, and we all have to understand what part we play here.

Great. Thank you. Meg, additional thoughts from your perspective?

Yeah, I think everything Karen said I completely agree with. I think one of the challenges, as well, as you think about who is that champion in your business, where are you going to find the talent or the slice of talent? I think it's really important to be explicit about who you are having be your cyber contact, your cyber champion, your cyber leader, whoever that person is.

And then make sure you give them the time and the resources needed to keep up to date, because it's an ever-changing threat. And understanding what's going on is critical. So giving them the time to talk to their peers. I have been involved with several peer groups, Karen, earlier, as you mentioned, but throughout my career, I've learned so much from my peers and understanding from them, how are they tackling the problems, what are the biggest problems that they're seeing, what should be prioritized?

It's really important. But it does take time. And so I've been in some groups where they haven't been permitted to attend or they haven't been permitted to share because of legal risk that people think. And make sure you think about cyber differently. We have a shared enemy. So our competition, other businesses, they're there to help when it comes to cyber as opposed to us keeping those secrets to ourselves. So be sure that you have the talent and then that you give them the time in addition. And that should be really helpful.

Yeah.

So, Kara, I'd like to add one little piece on to that. When Meg is talking about the cyber leader, I want to make sure everybody realizes a cyber leader does not mean the person on your team that has a computer science degree. It's the person on your team who really understands what is important to the business and then the risks associated with that, whether it's the risk of technology, where we're physically located, what new technologies we want to bring in.

And again, I'm going to bring it back to CRI. When I went through the materials, I thought, oh, cyber leader, what's this going to look like? And the materials are broken down into, if I'm a five-person business up to, I'm a 500-person business. And it got passed on to the HR director because everything is there and it's part of the onboarding process.

So it's really, who in the organization that, if the other employees have an issue, that they're the lead? And it's clear that they're the lead so that you know who to call. Because what really happens in a lot of these situations, especially a ransomware or, oops, I clicked on that phishing link I shouldn't have clicked, there's a little panic for the employee.

And what you want to do is reward them reaching out to the cyber leader or the champion, like Meg said, or the Megs of the world, so that they call as soon as possible so that you can contain what the issue is. Because if you really want to make sure-- it's going to happen. Your survey says it's 1 in 4 companies. So it's not "it's not going to happen." It's going to be "when it happens, this is what we're going to do."

So that leader element of cyber leader is critical, someone who's approachable, who's influential, who's going to create that followership amongst the employee group, no matter the size of the company, because it is a human behavior-- not entirely, but there's a huge human behavior component to helping mitigate this risk.

Absolutely. Absolutely.

Fantastic. Great. Well, we have received a large number of questions from the attendees at today's event. And so while we're not going to be able to get to all of those questions, we did take a look at, what were the common themes or what were those topics that were most of interest based on the different submissions we had received?

So we're going to switch gears and start asking some of those questions now. And I'll go ahead and direct here just so that we don't end up talking over one another. But please, looking for both your input on each of these to the extent you would like to. The first question, and the most popular question that we received-- and I think we've kind of alluded to this, but we'll really make it succinct with asking-- what is the number one action item to protect your business in today's ever-changing world? So Karen, let's start with you on that one.

My number one suggestion would be, really, to make sure that you've thought about and you adequately have password-protected your services. So I know, Meg, we've talked about this through different answers, but I'm kind of like, the number one thing that most of the industry studies say is, gosh, if only everybody had implemented multifactor authentication.

And so when people think about that-- multifactor authentication, what does that really mean? You're already using it. It's when you put your password in and they say, hey, do you want me to send a code to your phone, and you get that digit code to your phone. That's multifactor authentication. That's one example of it.

Most of the issues, the incidences, the penetrations, whatever you want to call them, they could be avoided if all of us had multifactor authentication in place.

And Meg, what would be your number one?

I really can't add to that because that is the number one. Years ago, it was very painful when you talked about multifactor. People thought, oh, my gosh, this is going to take so much time, and it's going to be very difficult. But I think our mobile phone and mobile usage of phones has really helped us. Adding a fingerprint here and there, it's been pretty painless.

And so making sure that multifactor experience is understood in terms of how important it is and then also making it as friction-free as possible. When you start having consumer applications suggest multifactor, it definitely makes it easier for employees to think through, OK, this is the right thing to do.

It does, anymore. It seems almost second nature, and I don't question it anymore when that happens. So I think, to the point, it's just becoming less friction and so much more commonplace, which is good for all of us.

Yeah. And I might add, to Karen's point, you get that push that says, hey, enter this code or approve this request. Don't be fooled. If you haven't asked for a code or if you're not accessing that particular application, please don't approve it. Please don't enter the code. Because that means that somebody has gotten a hold of your first factor. And so don't allow them to use your second factor. So that's also just as important, is don't blindly go ahead and approve things.

Yeah. I mean, that's so funny, because we were talking about, what's the one thing we could probably spend the rest of the time on this? They have shifted to your cell phone too. So when we talk about the ever-changing threat landscape, our adversaries are just as clever, and they wanted ease of use. So to Meg's point, make sure, if you haven't asked for it, then don't click it. There's a term for it, Meg. I know you know it. But it's like phishing for text messages.

Smishing.

Yeah. So you just have to be diligent. It's always diligence.

Yep. Always. Constantly. Wow. All right, let's talk about that cloud, the concept of the cloud and cloud storage. How secure is it? Meg, let's start this one with you.

Sure. There's so many stories in the news about cloud. And cloud started off as a lot of fear of whether or not cloud is as secure as our on-premise applications and data centers and such. Storage in the cloud is secure. It can be just as secure as what you were using previously, but you really just need to understand.

The default options when it comes to the cloud may not provide the level of protection that you're looking for, so you need to make sure you understand it. Most of the cloud providers, they understand what's going on in the threat landscape. They have specific people looking at compliance mandates for specific industries, such as health care, financial services, banking, et cetera.

So they understand what businesses are up against with regard to controls. But they also offer flexibility, because everybody doesn't need the same set of controls. Some of it is dependent upon the industry or dependent upon the level of rigor that you want to use in your environment. So understanding, how do I configure it such that only my employees have access? Or, how do I configure it so my business partners have access, because I need them to access this information as well?

It really comes down to understanding what are you trying to accomplish, who needs access, and how do I deliver that proper access in that particular cloud application or for cloud storage? So it's a little bit of, it depends, but it can be done. You should trust cloud providers that can show you and illustrate how they're securing the information and make sure you also check around for references and understand other people in your industry-- are they using this, are they having success, et cetera?

Karen, additional thoughts?

Well, I'm going to take a little bit different spin on this. And I'm back to asking the questions. Back on the survey, you said 1 in 4 companies are going to experience this. And so when everybody went out and there-- and I know Meg is very familiar with this as well-- there's been a whole issue of on-premise hardware.

So the biggest thing and the biggest proliferation is Microsoft Exchange. That's just how it is. It's locally-- it's done for convenience. And people, they want to do email. If you shift to a cloud provider, what ends up happening is you are leveraging all their resources. So if you can't keep up with all the patches for things that you have locally, like hardware that you have locally, then you want to shift, because you're not going to be able to compete for all these people to get them to come and work for your small company, because they're working for the big companies.

So what you really want to do is leverage these big cloud providers' resources so they can do that part of the security patching. That's their job, to keep that environment secure so that you can put your applications in there and continue your business. So to me, it's a business decision. I just don't have those resources. So I'm going to take advantage of all the cloud providers and what they're providing for me and that infrastructure so that I can then take my resources and apply it to my business.

Great. Thank you. So, passwords. Cloud's a popular topic. Passwords. Is it safe or unsafe to have passwords automatically saved in a browser? Karen?

So this is a personal preference question here. I'm going to say, to Meg's answer, again, it depends. But the word of advice that I give to everyone is, the more convenient you make it for yourself, the more convenient you make it for everyone else to exploit it. So my personal practice is, I do not do it. But it depends based on what you're trying to do, how you want to go through this. And there are good solutions out there so that you can keep passwords in a vault, in a virtual vault, and things like that. I just, from a personal practice, I don't do it.

That's a great way to think about it. If it's easy for us, it's probably easy for people that don't have good intent.

Exactly.

So to keep that in mind. Yep, that's helpful. Meg, anything you want to add on this topic?

Yeah, I would say I agree with Karen, but it depends. So sometimes, that convenience trumps security. And so you have to understand, well, am I sharing this browser with anyone else? Is it a mobile computer as opposed to a desktop computer that sits in my locked office, in my locked home, behind my gated community, perhaps? So how many layers of control do I have before somebody has access to that browser?

So I think it depends on whose browser. Is it-- I was recently at a hotel. There are people using the hotel computers. And whenever you go to a hotel computer or a shared computer, you usually find things that are saved to the desktop that are very personal. Even in the rental car, I've got people's phones that connected to Bluetooth. They don't bother to delete them when they turn in their rental car.

So there are things to think about with regard to who's going to have access to this browser. And then also, what's behind that? So if I save my password so I can make racquetball court reservations, who cares? But if I save my password to my password vault, or I save my password for my financial services companies, maybe I want to think twice about that. So it really, definitely, is a personal choice weighing that convenience, but definitely some things to think about there.

Very, very helpful. Helpful. And so practical. I mean, but what you both shared is just so practical in terms of keeping that in mind, both at work and at home. So thank you for that. Facial recognition. So what are your opinions on facial biometrics for enhanced security? And then that compared to passwords? Let's start with Meg.

So I think this is something to watch. So obviously, we've been using facial recognition to get into phones, as well as into computers with Windows Hello, for a few years now. And it works very effectively. There's not too many false positives. There's a little bit of, it depends. How is this getting in? What does it give you access to? And typically, it's a second factor. So it's not the only way that we are ensuring that you are who you say you are.

One thing to think about on the horizon, and that is deepfakes and the increased technology around reconstructing your face and things to think about in terms of, is it really me? Who can recreate this face to get into this thing? And so again, you need to think about what is the thing that you're going to give access to with your face or your fingerprint or whatever it happens to be, and who could get access to that if technology improves? So it's just something to keep watching, I think. But for now, the answer, again, is it depends. How secure do I want the thing that I'm protecting to be?

Great. Karen, anything you'd like to add?

I'm thinking of Minority Report as she's-- Meg is talking, or Mission Impossible, all the things that we used to think about. But I think the key piece that Meg is talking about is, whatever these layers that you put in for access-- and they brought this up very early on in our discussion. And she just said it again, too. And I don't want this nugget to be lost. It's, what are you giving them access to?

And so if you think about this in layers-- and they only get in, but they don't have, whoo, they can get to the whole enterprise, and every data store that I have in every application, then it's not bad to do it. But if you open it wide up, I think you need to think about your playbook and make sure that you're not the 1 in 4 that you talked about that's going to have to do the $3 million recovery.

Yeah. Absolutely great points. So I think we are nearing the end of our time together. So we'll make this our final question to get your expertise on. We've talked about the important role of human behavior in mitigating cybersecurity risk.

So can you share some thoughts with us about-- there's the carrot and the stick. You can punish bad behavior around technology practices that may be adding risk to a business, but what recommendations do you have around rewarding positive or good behavior, if you will, in terms of technology practices to help a business mitigate this risk? Karen, let's start with you.

Sure. And I talked about this a little bit earlier, but I'm going to give a suggestion. And where I came from and what you see as trends out here in the technology world, we call it vulnerability disclosure programs. And they're rewarded. Or if you look at some of the technology things, it's bug discovery programs. And so researchers do this, and you want to reward that.

So internally, within your own organization, Meg said it should be fun. Maybe what you do is you can have these competitions which allow people to be able to bring forth weaknesses, some kind of vulnerability, some kind of risk that maybe somebody hadn't thought about, and that they also have a mitigation control for it as well. And you reward it. And it becomes a competition so that everybody is constantly looking at what your environment is, and you're rewarding behavior.

But I would like to stress that if somebody makes a mistake, nobody comes to work and says, hey, let me click on this phishing link so now that my company is locked up with ransomware and they've got to pay, you know, $5 million to do X, Y and Z, nobody does that on purpose. And so I think we need to think about that as leaders. How are we going to respond? Because you want them to come forward and be able to disclose that they've done something.

Yeah, transparency is key.

Absolutely.

Meg?

Yeah. Just quickly, a couple of things that we've done is we reward people with gift cards when they contribute to helping us with a security investigation. And sometimes, those have occurred during what we call our red team activities, where we're paying a third party to see if they can break into our systems. And we have alert employees that say, hey, this looks funny. And we're like, hey, congratulations, and thank you for helping us. We also call attention to those employees in blog posts and articles, and make sure their leaders are aware.

So really, you can look at, what is your community doing to reward those people who help out in the community? You hear about people who stop and change a flat tire for somebody on the side of the road or have saved a life with CPR or something like that. How are they rewarding them? They get plaques, and the chief of police may do a presentation. So things like that. They don't have to be elaborate, but they do need to call attention to the fact that people are helping us out with our security program and we do appreciate that.

Great feedback. So there's a learning element to all of this. So when something does go awry, sharing that so we can hopefully avoid it. But equally as important, maybe even more important, sharing those good behaviors so others can emulate that as well. So fantastic.

Well, Meg, Karen, thank you so much. I know I have learned a ton during our time together. And I'm hopeful that the rest of the participants have as well, and have gotten some very clear action items that you can take to help mitigate cybersecurity risk in your business.

I do want to point you to the free materials that Karen mentioned previously. You can find all of those at the cyberreadinessinstitute.org, CyberReadinessInstitute, all one word, .org. And then if you put in the referral code "principal," you can gain access to all of those free materials to help you run your business.

We will be following up with each of you via email, providing you a link to this recording. If there are others in your organization or your network that you want to share this information with, we're happy to have you do that. And we will be publishing a new whitepaper around cybersecurity. And so you'll be receiving the early edition of that as well.

Certainly, thank you for your time. Thank you again, Meg and Karen, for joining us today and sharing your expertise. And until next time. Please stay safe and take care.

Thank you, Karen.

Thank you. I appreciate the opportunity, everybody. It was awesome.