Navigating the Digital World and Modern Cybersecurity Threats

Hosted By

Alana Muller

CEO & Founder
Coffee Lunch Coffee

Podcast Guest

Shawn Tuma

Co-Chair of Cybersecurity, Data Protection, AI & Emerging Tech Practice
Spencer Fane LLP

Episode Summary

In this week’s episode, Shawn Tuma, Co-Chair of Cybersecurity, Data Protection, AI & Emerging Tech Practice at Spencer Fane LLP, shares how his experiences from law school paved the way to becoming an expert in cybersecurity law. Shawn explains the importance of staying alert in the digital world, debunks common misconceptions, and provides actionable advice to protect personal and business data.

“Cyber is the one area where everything can be going fine, and with one click of a mouse, five minutes later, your whole network can be shut down and all your operations halted.”

Transcript

Alana Muller 0:09
Welcome to Enterprise.ing, a podcast from Enterprise Bank & Trust that's empowering business leaders, one conversation at a time. We'll hear from different business leaders about how they found success in cultivating their professional networks and keeping them healthy and strong. I'm your host Alana Muller, an entrepreneurial executive leader whose primary focus is to connect, inspire and empower community. We at Enterprise Bank & Trust thank you for tuning in to another episode.

Alana Muller 1:23
Hello, listeners. Welcome back to the Enterprise.ing podcast. My guest today is Shawn Tuma, Co-Chair of the Cybersecurity & Data Protection, AI and Emerging Tech Practice at Spencer Fane LLP. Shawn helps businesses protect their information and protect themselves from their information. He represents a wide range of clients, from small to midsize companies to Fortune 100 companies across the U.S. and globally, to address cybersecurity, data privacy, data breach and incident response, regulatory compliance, computer fraud, related legal issues, as well as cyber-related litigation. Shawn Tuma, welcome to the Enterprise.ing podcast.

Shawn Tuma 1:20
Thank you so much, Alana. It's a pleasure to be here.

Alana Muller 1:23
Well, I'm glad to have you. But I have to say, you're involved with a lot of big, scary stuff. I know you've been doing this work since 1999 and are widely recognized as an expert in cybersecurity and data privacy law. Tell me this: what made you go into this line of work, and how have you seen the space change in the last 25 years or so that you've been involved?

Shawn Tuma 1:45
That's a great question. It happened when I was in law school. I had no intention of doing anything related to cyber privacy or anything like that, as it really didn't even exist at the time. During my second year of law school in 1998, one of my professors created a class where we would pick a legal issue that was expected to be hot when we graduated. We would study and learn everything about it, write a publishable dissertation, if you will, and then, once we graduated, the plan was to publish it and start off with some level of expertise, even as junior attorneys. My topic in 1998 was the Y2K bug that was supposed to shut down our society. I graduated in 1999, had multiple offers to publish my article, and before I even had a law license, I was in a large firm as the only attorney who knew anything about Y2K when it all came to fruition. It was a great plan, but then Y2K came and went.

Alana Muller 3:03
It was kind of a bust, right? It was kind of a bust.

Shawn Tuma 3:09
That was supposed to be my rocket ship to stardom and early retirement, but it didn't work out quite so well. So, I had to pivot. I got into issues of contracting over the internet. Back then, we didn't know if you could have a binding contract over the internet, so I wrote a couple of scholarly publications on that. Some courts cited them, and it looked like that was off to a big start. Then, the Uniform Electronic Transactions Act came out and said, of course, you can; move on. So, there went all of that. In the early 2000s, I got into computer fraud and hacking legal issues. By the mid-2000s, this evolved into data breach issues because when there was a hacking, someone's information was impacted. I remember in 2011, I wrote an article about that being the year of the data breach. It wasn’t until Target and Home Depot in 2013-2014 that there was a watershed moment that really thrust this practice area into the spotlight. Now, we guide companies through the incident response and catastrophic response processes when they are hit with a cyberattack or data breach. We also use the real-world lessons we've learned through thousands of these events to help them proactively understand and mitigate their risks and prepare for these types of events should they ever happen.

Alana Muller 5:03
Okay, well, gosh, there is so much to unpack. First of all, the fact that you were so far ahead is impressive. I know we've joked about you thinking that each of these would be the watershed moment, but what you've proven is that you have to continue to flex and pivot as the industry changes. You've shown that this is a topic that is not going away; the way it manifests itself changes and ebbs and flows and maybe gets scarier or less scary as time goes on. With that in mind, and the fact that you are working with clients in a proactive manner, what do you tell people? What is your messaging when it comes to the threats related to our digital world? Essentially, how do you encourage businesses and individuals to proactively protect themselves without completely constricting themselves in their business?

Shawn Tuma 5:55
Yeah, I mean, that is the challenge. I remember around 2013-2014, the big popular statement at all the conferences and events was, "It's not a matter of if, but when." And when it happens, there's nothing you can do about it, and you're going to be shut down. I had a business owner ask me, "Well, then I'm not going to worry about it." I asked what he meant, and he said, "If you're telling me it's inevitable and there's nothing I can do about it, then that's a risk I can't control. So I can't spend my time worrying about it." That hit me pretty hard, realizing we were overhyping this. The threat is absolutely as real and catastrophic as anything you can imagine. Cyber is the one area where everything can be going fine, and with one click of a mouse, five minutes later, your whole network can be shut down, and all your operations halted. That's very real. But there are things we can do about it, and that's the part of the messaging we were missing back then. We made it sound so overwhelming that businesses now suffer from paralysis by analysis; they are fretting so much that they don't start to take action.

Shawn Tuma 7:25
My message is that 90% of your risk is stuff that is within your control. I encourage businesses to start with a real-life risk assessment. I'm not talking about some magical document that is all complicated — just trying to learn where your real risks are. Where are you most vulnerable? What type of data do you have? Where is it? What do you rely on the most? All of these kinds of things. What does your network look like? Who's helping you protect it? What's your line of business? And then from there, start with the basics. You may not fix every problem with the basics, but, look, let's make sure we've got backups, let’s make sure we are using good secure password policies, let’s make sure we’re using protected Wi-Fi with a firewall or VPN, or things like that. We’re not using remote desktops. There are lists of basic best practices that, they may not be perfect, but are a lot better than doing nothing. So start there.

Alana Muller 8:37
Rather than just waiting around for something to happen, you're at least taking the simple precautions, right?

Shawn Tuma 8:46
Exactly. Do something. It’s like when you don't know what to do, some people sit there and wring their hands and do nothing. Others will do something, even if it's not the best thing. Do something. Fail by action.

Alana Muller 8:58
I'm imagining sort of the pearl-clutchers, just waiting for something to go down. I guess they could do that, but if they're not taking any action at all, it is inevitable then, right?

Shawn Tuma 9:11
There's one other point I need to make. I know through doing the Enterprise University course and other things, we have a lot of small to midsize businesses that are listeners. There's this mistaken belief that if the bad guys don't know who you are, if you're a small company and you don’t have a big web presence, they won't find you. That is absolutely false. There is no such thing as security by obscurity. If you have a server, even if you don't have a website, even if you're using Gmail, whatever, they will find a way to get to you. They're not targeting you specifically; they're doing what we call “drive-by hacking.” They're just scanning for vulnerabilities, looking for targets of opportunity. They usually don't even know who you are until after they've hit you and are in your network.

Alana Muller 10:16
Wow, that's unbelievable. So, with that in mind, I wanted to ask about some of the biggest obstacles that you've faced or that your clients have faced, how you've addressed them, on your own behalf or with your clients, and what advice you have for others who may face similar challenges?

Shawn Tuma 10:37
One of the biggest obstacles I get is people asking, "What does a lawyer know, or what does a lawyer have to do with cybersecurity?" I have to explain to them that, number one, cybersecurity is a legal issue. There are state, federal and international laws governing how you protect your network, how you protect your data, how you use your data, and what you must do if there's a breach of how you use your data. That's all federal and state law. We have 16 comprehensive data protection laws in the U.S. right now for states, 16 states, we have numerous federal laws, and we're going to have more states with these laws. So these are legal compliance issues, number one. Number two, almost every contract you sign these days is going to have something to do with protecting data, confidentiality, information, something like that. Those are legal issues. Number three, I've been doing this for 25 years, and I've seen thousands of catastrophic-level events, hundreds of ransomware attacks. While I can't do your job, I have a perspective of what I've seen go right and wrong and the lessons learned, and companies often come back and say, "Boy, if only I'd have known this two years ago, here's what we'd have done to stop this." Those are the kinds of things we try to help teach our clients. Another huge stumbling block is that people are looking for a fix to cybersecurity, like there was a fix to Y2K. But cybersecurity is not a technical problem; it's a human problem, a human nature problem. These are criminals who are engaged in battle, warfare against you and your network. Every time you try to fix one thing and stop one way of attacking, they find another and another and another. So you can't just fix the problem of cybersecurity. You have to engage in a process of understanding and managing that risk, and that process never ends.

Alana Muller 12:51
Yeah, I like how you call it a process. It makes me think that, you know, in a way people think that because they have installed, I don't know some sort of software, or they have a password policy in place that they can just sit back and, unfortunately, become complacent, in terms of what that looks like. But as you're describing it, this is sort of like a daily practice, something that we always have to be engaged in, and to be continuously vigilant, if we are to protect ourselves and our companies.

Shawn Tuma 13:20
That's a beautiful way of putting it. I mean, it's exactly right. And because we literally don't know, as we sit here, how they're going to attack us tomorrow, or next week, or next year, we have to start with education. That's why education is so important, both to ourselves. I mean, every day, I'm continually learning. I spend at least an hour, maybe more, every day, learning about what's going on today, from the law, from the technology, all of that. We as individuals have to understand that nobody's coming to save us from this: we have to protect ourselves. And so you have to understand what's happening. You have to educate yourself, you have to put appropriate processes in place to minimize the risk. But you have to educate your workforce. Your employees have to understand and buy into this idea that we're all at risk. We can't be ignorant anymore. We can't just say, "I don't do that cyber stuff. You know, I don't do that Facebook, I don't do whatever..."

Alana Muller 14:31
“I don’t get it…”

Shawn Tuma 14:32
…We can't take that position anymore because we live in this digital world. I mean, we all have one of these right here. And our whole lives are sitting there.

Alana Muller 14:42
I mean, yeah, I think about what would happen if I — oh my gosh, knock on something — if I lost that phone, if my laptop was taken, how I would feel, and then what I would do about it. And it's kind of terrifying. I'll be honest, right now. So your point is really well taken.

Shawn Tuma 15:03
One thing if you lost it, but imagine a bad person getting ahold of it with the ability to get into it. There are people that don't have passwords on their phones.

Alana Muller 15:12
It's just shocking to me honestly. Shawn, is there a new project, something special that you're working on right now that you're especially excited about and can share with us?

Shawn Tuma 15:23
Yes, so number one, a couple of things. One, I'm doing a lot of work on artificial intelligence, and where that next level is going to be using the same processes we used with cyber law, and how to start developing that body of law and evolving with it. And then number two, I'm working on a book to help people in legal understand security and security understand legal, and business owners and all that, to kind of simplify some of this, take some of the mystique out of it and make it a little easier to collaborate.

Alana Muller 16:05
I love that. Do you yourself have a mentor or somebody who has served as kind of a sherpa to you as you've engaged in this work?

Shawn Tuma 16:12
So, I do. I have one really in the subject matter itself, a fella named Peter Vogel, who is like the grandfather of cyber law in this area. When I was a baby lawyer back in 1999, going around speaking about Y2K, scared to death to speak in public, Peter was this fun, seasoned, old gentleman lawyer, who back then, you know, had been experienced in this area of cyber law, in general. He was just such a kind gentleman to me, made me feel better and took me under his wing. And then, he really helped me along and he still… he's a friend, we talk and I think the world of him.

Alana Muller 17:03
Is there one piece of advice that he gave you that was especially meaningful, or that helped to launch what you're doing?

Shawn Tuma 17:10
You know, the best I can remember, because I was terrified, I was scared to death to speak in public. And I think what he just told me was, it doesn't matter if you screw up because nobody knows what you're supposed to say.

Alana Muller 17:24
That is exactly right. Go, Peter. I completely agree with him. No need for notes because nobody knows what's on the card anyway.

Shawn Tuma 17:32
Yeah.

Alana Muller 17:33
[Crosstalk] Nobody needs to know, nobody needs to know. Well, so speaking of advice, I was going to ask you, are there, I don't know, a couple of relatively simple actions that our listeners can take right now, today, to protect themselves and their businesses from the threats associated with digital life?

Shawn Tuma 17:56
Yeah, I mean, number one, all of us are at risk of having our own personal identity stolen. Every one of these data breaches where you get the letter that says your information may have been impacted. By this time, all of our sensitive information is out there. So, we need to take our own steps to protect our own identities. When you get an offer for that free credit protection product, sign up for it and use it — it's beneficial. Don't use weak passwords on bank accounts, financial accounts, your phone, your computer, things like that. Don't reuse the same password that you're using on other sites. Because when those sites get breached, your password now gets breached, along with your email address. Now, the bad guys have that for any account you use. So, monitor your bank accounts, monitor your credit, get your free credit report each year, look for fraudulent accounts. Lock down your credit, if you don't need to be actively using your credit, put a credit freeze on yourself so no one can open up accounts. You can do this for free now. And then whenever you need it, unlock it, and then lock it back down. Do this for children, do this for family members, because that protects you from that. Number one, right? So, we're protecting our own identity.

Alana Muller 19:20
Where do you go to do that? Where do you go to lock down your credit?

Shawn Tuma 19:24
The consumer reporting sites like TransUnion, Equifax, those sites like that are a place to go do it.

Alana Muller 19:29
Great. That's great.

Shawn Tuma 19:33
From a cybersecurity standpoint, follow those good practices. You mentioned passwords earlier, using a good password policy, right? Don't use your dog, cat, spouse, whatever. Use multifactor authentication on every account you have, that's where it's two steps, which means your username and password is one and then the second is like a text message or an app or something like that. That will reduce so much of this fraudulent activity. Quit believing everything you see on the internet. People lie on the internet. That Nigerian prince? They're not trying to give you that money.

Alana Muller 20:15
Not coming?

Shawn Tuma 20:19
And that same principle applies to everything that you get in email now. It looks convincing. FedEx is not text messaging you, the U.S. Post Office is not. You know, don't trust these things and quit clicking on those links. If you want to know if FedEx is sending you a package, go to fedex.com and use the original way of doing it. Make sure you have backups of your data because at any given time, malicious software could get on your computer, or you could just have a hardware failure. Right? Keep backups of that precious data that you have. Talk to your family about how to protect themselves, talk to your children about what they're posting online, all of those kinds of things. Now, with the world of AI, we're seeing very convincing photographs, videos, audio of pretending to be someone they're not. We call that “deep fakes.” You've got to be vigilant for all that. And so you’ve just got to have good awareness.

Alana Muller 21:26
Yeah, you know, you're reminding me. I was at dinner with my brother last week and he has a new version of one of the popular AI bots. And he took a picture of me sitting at the dinner table. And he told it to create a photo of an image of me going for, I think, going for a walk or something. And honestly, it was not me, but you would not know that it wasn't me. And it was a little terrifying. I'll be honest, because I was sitting at the dinner table, I was not on that walk. Yeah, I was both impressed and a little terrified. So, what you're saying is meaningful. Thank you for sharing that. I appreciate it. And I think that, I think our listeners are going to appreciate some of these very simple things that we can each do for ourselves, our families, our companies, et cetera. So I'm grateful to you. You know, I wrap up every program with one question that I ask every guest and I have to ask you as well, and it is this: If you could have coffee with anybody, one person living, not living, fictional or nonfictional, who would it be? And why?

Shawn Tuma 22:33
Thomas Jefferson.

Alana Muller 22:34
Thomas… what a great choice!

Shawn Tuma 22:37
[Crosstalk]…Man, and I mean, we've ever had in American history for sure. He literally established our form of government, the freedoms we have, the Constitution, I mean, the declaration, and just, the brilliance, so I would definitely want to have coffee, or a beer or wine or whatever with Thomas Jefferson.

Alana Muller 23:00
I love it. What do you think he'd say about cybersecurity?

Shawn Tuma 23:05
Probably that it's taking away our liberty and that we're no longer free people because we're all now attached to something outside of us.

Alana Muller 23:16
That's probably right. I wonder what his password would be. I’ll have to think about that one.

Shawn Tuma 23:21
That'd be good. Who knows?

Alana Muller 23:24
Who knows? Well, Shawn Tuma, I've really enjoyed having you on Enterprise.ing Podcast. Thank you so much for joining me. Tell me this, where can our listeners go to learn more about you and your work in cybersecurity at Spencer Fane?

Shawn Tuma 23:37
Sure. So there's actually two places. One, our law firm website, spencerfane.com, S-P-E-N-C-E-R-F-A-N-E dot com, and just search for my name. Or my own personal blog website, which is shawnetuma dot com. S-H-A-W-N-E-T-U-M-A dot com.

Alana Muller 23:59
Fabulous. Shawn Tuma, thanks for being on Enterprise.ing Podcast.

Shawn Tuma 24:02
It's my pleasure. Thank you so much for having me.

Alana Muller 24:07
Thanks for joining us this week on Enterprise.ing. Be sure to visit our website, enterprise bank dot com slash podcast to subscribe so you'll never miss an episode. If you found value in today's program, please consider leaving a review on Apple Podcasts or telling a friend about us. Enterprise.ing Podcast: Powering business leaders, one conversation at a time. The views expressed by Enterprise.ing presenters or guests are those of the presenter or guest and not necessarily of Enterprise Bank & Trust or its affiliates. All content of this podcast and any related materials are for informational purposes only. Enterprise Bank & Trust does not make any warranty, expressed or implied, including warranties of merchantability and fitness for a particular purpose, and specifically disclaims any legal liability or responsibility for the accuracy, completeness or usefulness of any information presented. Enterprise Bank & Trust is not under any obligation to update or correct any information provided in this podcast. All statements and opinions are subject to change without notice.