Podcast: vArmour’s Tim Eades Looks Beneath the Surface of Ransomware


We talk with Tim Eades, the CEO of vArmour, a risk and cybersecurity company, about high-profile attacks and what we can learn from them.

Transcript

Mark:

Welcome to PeopleTech, the podcast of the HCM Technology Report. I’m Mark Feffer. Last December, UKG’s legacy Kronos organization had to confront every executive’s nightmare, a ransomware attack. Those were always bad, but Kronos handles the paychecks for a wide range of customers who, for a number of weeks, were forced to enter employee data by hand while the company worked to recover. Today, I’m talking to Tim Eades, the CEO of vArmour, a risk and cybersecurity company. We’re going to look at the attack on Kronos and the lessons we can draw from it on this edition of PeopleTech. Tim, welcome. It’s nice to see you. We’re talking focusing on what happened to Kronos, and I wondered if you could start by telling me what happened.

Tim:

Kronos is a regular ransomware attack. Right? We see these around the world now all the time. I was talking to a service provider yesterday, a small managed service provider, and she focused on healthcare. And two of their customers get hit by ransomware every single week. Every single week. I know obviously, in the pandemic, everybody talks about the new normal. Ransomware is the new normal for organizations, and being ready for it is a mindset as well as a practice, and a program that you have to implement. And this is a key wake-up call for the HR systems, and as a community, and the HR folk to… But it’s another ransomware hit. You’re going to hear about this probably every 48 hours for the next three, four or five, 10 years, whatever the timeframe is.

Mark:

Can you explain, what the impact has been on Kronos? It sounds like the hackers got to their data.

Tim:

Yeah. They get to the data, they compromise the data. They hold the HR information. They hold the information back, and obviously, they hold the organization for ransom that they’re owed to give the information back. But the thing that’s been increasing over recent years is the realization of value of the data being held by the HR systems. I’ve been in cybersecurity for 20 plus years, and we started out with these worms that went propagating… [inaudible 00:02:49] Maybe the worms are what started it, but they were very popular back in the day. And then, we went off to the financial records of things like that, and I had my identity stolen a bunch of times, but the HR systems are now crown jewels for the hackers. They can go after them, they have very sensitive information, and can give massive reputational damage to the organization if they’re released out into the wild.

Tim:

But some of these healthcare organizations have nowhere near the budgets of the banking organizations that have been the typical target, so you got a challenge where the HR systems are now a great target. The HR communities don’t have the same budget issues. And yet, these attacks are more prevalent, and they don’t have the same security programs made more resilient over the last 20 odd years of attacks. These HR systems are not… Because they haven’t been selected as a main attack, or main target, for as long as the banking systems, as long as the payment in gateway, as long as the financial systems, they’re not as resilient, and they don’t have the same programs.

Tim:

I think they’re vulnerable for two reasons. One, they’re a big target now, and clearly the hackers have woken up to going after them. And two, because they don’t have the budgets, like I said earlier, and they don’t have the depth of years of being attacked, so that… We always talk about defense in depth. If you’ve been a target for a long period of time, you have a whole series of different types of protection mechanisms and detection mechanisms, and these guys don’t have it quite so much.

Mark:

Now, given that you think that this is going to happen pretty regularly for the next several years at least, is the technology of cybersecurity in general up to dealing with all of this, or does it need more of an investment in time and money?

Tim:

That’s actually the good news on this. Right? I’m not going to be the guy that runs around saying, “Bad things happen because of cyber,” but there is actually a silver lining here, and it’s very clear. The thing that was happening in cybersecurity is quite interesting. The old tools are showing their age. Right? And so, a lot of the old tools that, if they had to deploy them, is old. They’re complex to manage. They’re difficult to install. They’re difficult to operate, sometimes. They’re not made as intuitive as they are now. The modern day tools… Right? The tools that you are seeing that [inaudible 00:05:30] heavily invested in, that you’ve seen lots of venture companies getting invested in at the moment, is because they’re simple and intuitive and easy to use.

Tim:

And so, that means that you can operate them at a lower human bandwidth level. It means that your time-to-value is easier, and it’s much more simple to implement. And so, I think the tooling is easier, which means that the manpower and the training is more simple, and you don’t have to use the legacy tools because the new tools are easier and more simple, and they’re faster time-to-value. Right?

Tim:

With the rise of APIs as a core-play, this gets a lot easier to do. That’s the good news. And then, the other part of that is, when you start your security program around some of these tools, or when you’re inspecting or reinspecting your security program around these tools, just by starting by discovering visibility and having the observability of what is going on will allow you how to build a [inaudible 00:06:31] security program. Everybody talks about zero trust. Even Biden’s talking about zero trust, but it starts with a basic thing of understanding what’s going on in your environment, and you can use modern tools, some of which you can install in 10, 15 minutes, and you’ll get visibility very, very quickly. That’s the good news. You can do it, and it’s way cheaper, way easier to use, much more intuitive than ever before.

Mark:

Realistically, this stuff, and just these platforms, are under the day-to-day purview of the IT department. Realistically, how can HR departments protect themselves and their data from this happening?

Tim:

I think they played an essential role. Right? You’re going to see this emerging category coming out called HDR, human defense and response… Right? … where the training tools for their employees that can be pushed out through HR programs can be pushed out to the employees and give real-time training. See, the thing is about… The human vector is still the biggest entry point, obviously. Right? If you can train your employees in real-time of what they’re doing wrong… Let me give you an example.

Tim:

Mark is working in an environment and he steps on malware, and Tim is working in the same environment, but I get a phishing attack. If, when you step on that malware, or when I do the phishing tools, there are programs that are being pushed out by the HR tool teams to train you specifically on malware at that point in time, that in-moment training, and me for phishing. The effectiveness of that training has been dramatically increased, rather than running an annual program. Right? I’m saying you still have to do your annual programs, but the HR people can run programs now that will drive in-moment training, and much better, much more effective training programs to drive a better security culture, because securing the organization is everybody’s responsibility. Right? But you have to be aware of what you’re doing, and these programs that there are now are available to do that, and you’re going to see HR programs, I believe, endorse this new category called HDR.

Mark:

It’s interesting. You mentioned that security is everybody’s responsibility, but does everybody know that?

Tim:

That’s a great question. Obviously, I’m biased, because I’ve been in security a long time, and I would say, “[inaudible 00:09:22] even at your household. I have my wife, and I don’t have kids, but I guess securing the household is everybody’s responsibility.” You should always shut your front door. You should always lock the doors when you go out around the neighborhood, or whatever you’re doing. You should always keep an eye out. There’s a thing called neighborhood watch. Right? It’s everybody’s responsibility. Are they aware of it? I think some people have selective memory disorder, but I think that’s part of your onboarding and organization, part of your ongoing human capital management program. I’m sure training is part of that, but the security training should be at the forefront because it should be a part of everybody’s responsibility, but they might… Like I keep coming back to, if you can train people in-moment, the effectiveness of that will be way better.

Mark:

Tim, thanks very much for stopping by today.

Tim:

Very nice to meet you. Always fun to catch up.

Mark:

My guest today has been Tim Eades, the CEO of vArmour, and this has been PeopleTech, the podcast of the HCM Technology Report. We’re a publication of RecruitingDaily. We’re also a part of Evergreen Podcasts. To see all of their programs, visit www.evergreenpodcasts.com. And, to keep up with HR technology, visit the HCM Technology Report every day. We’re the most trusted source of news in the HR tech industry. Find us at www.acmtechnologyreport.com. I’m Mark Feffer.
