A Brave New Digital World: Q&A with Next Solutions Group’s Cybersecurity Lead, Michael Harley

Every 11 seconds, a new ransomware attack takes place. The need to keep an organization’s data safe and secure instead of being unintentionally sold to those who should not have access is only increasing as our world becomes more virtual.

Michael Harley, Next Solutions Group’s Managing Director of Business Intelligence and Cybersecurity, sat down with The Bliss Group to discuss cybersecurity’s increasing importance in the digital world. He shares why a human-first approach to cybersecurity is so important and emphasizes the importance of ensuring all an organization’s employees prioritize cybersecurity. Below, we explore why cybersecurity’s recent past matters, as well as Michael’s predictions on what cybersecurity’s future may hold and where organizations need to focus today to stay safe tomorrow.

How did you become interested and involved in cybersecurity?

Out of necessity, plain and simple. I value languages—those that are spoken and programmed like Java, R, Perl or GoLang. Plato famously wrote, “Our need will be the real creator,” and every business has a need to be genuinely invested in cybersecurity in 2022 and beyond. I served in the United States Armed Forces in the wake of 9/11 and became incredibly appreciative of the prioritization and education placed upon cybersecurity at the national level. I had a front row seat to seeing “cyber effects” and realized I needed to invest personally in understanding authorities, regulations, intent and the overall cyberspace environment to make sure I did my job to the best of my ability and didn’t compromise someone from doing their job because of an error on my part.

What events stand out to you as having changed cybersecurity forever in the last decade or so?

There are two that are top of mind. First, I would say the “Snowden Effect.” It was an insider threat of monumental proportions back in 2013 that leaked classified information, created global controversy and eroded governmental trust. Second, the 2017 WannaCry ransomware attack. In a single day, 150 countries worldwide and more than 230,000 computers running Microsoft Windows OS were infected by a cryptoworm demanding bitcoin ransom payments.

Looking ahead, how might the cybersecurity space evolve in the next decade or two?

Well, hopefully for good, right? I posit that partnership decisions will use cybersecurity resilience and exposure as key determinants in selecting who they will partner with in business. Nobody wants to be seen as the weak link, and if your cybersecurity posture is subpar, it is only a matter of time before criminals capitalize on that. The fix today? AI-powered cybersecurity trained against the right models coupled with people focused on taking corrective action when it matters. Just as a stronger defense is evolving, so too will the offensive tactics employed by cyber criminals. Expect AI-powered cyber-attacks being launched by unethical threat actors to exponentially increase in the decades to come.

What do you wish more individuals or companies knew about cybersecurity and associated threats?

The threat landscape is tough. Just look at this infographic provided by the Department of Defense’s Deputy Chief Information Officer. The takeaway—do your part and the larger landscape becomes less daunting on a personal and professional level. We all forget things, but as it relates to cybersecurity, STOP mixing your personal and professional life on your mobile phone. If you must, do these three things: implement Multifactor Authentication (MFA) whenever possible, ensure a remote wipe option is available should the device become lost and use a Virtual Private Network (VPN) when browsing websites and properly configure those browsers.

What’s an easy first step to help organizations prevent a cybersecurity crisis and become more aware of threat risks?

Too often, businesses don’t take cybersecurity seriously until they are facing a paralyzing attack. Don’t make cybersecurity an afterthought. Education is where it begins. There’s no shortage of checklists. Make it clear to each employee that not only do they matter, but they have an active role in cybersecurity. Next, invest in designing a crisis communication plan and rehearse the most likely scenarios. The goal is ultimately to shape an employee’s cyber behavior in a positive way that has applicability on a personal level and wherever the office may be that day.

What are the most essential elements a crisis communications plan (CCP) must include from a cybersecurity perspective?

Ever heard that hindsight is 20/20? That is NOT what you want to hear amidst a cybersecurity incident or breach. Let’s start with ‘process’ in mind. An effective CCP plan needs to be current, accessible and actionable. Whether your business is B2B or B2C, each crisis communications plan will be slightly different. For example, imagine your network access is compromised and you are unable to access the electronic version of your CCP with all your key steps and holding statements. How do you respond? Who takes charge when senior executives normally earmarked for the CCP are unreachable? Who is capturing the timeline of events? Ransomware-as-a-Service (RaaS) is complicated and not something to shoot from the hip on.

Groups like ALPHV/Black Cat, Conti and REvil are formidable adversaries that want you to be a repeat customer. They target your data and demand a ransom. If unpaid, they will pivot to your customers and say you refused to safeguard their customer data when the opportunity was there. Find that page in your crisis communications plan. If a cryptoransom is demanded, who do you call? Should you directly negotiate with the ransomers? The list goes on.

What key takeaway do you want people to remember about cybersecurity?

The need for cybersecurity roles will only increase in years to come. There are so many spectrums to crises. One could be a truly life-or-death crisis while another could be the total economic fallout or bankruptcy of a company. People matter. They need you to get it right. And they need to know you care.

To learn more about cybersecurity solutions and crisis management, visit TheNextSolutionsGroup.com.