George Usi founded Rancho Cordova-based Omnistruct in 2019, selling cybersecurity compliance programs to businesses. (Photo by Ryan Angel Meza)

Protecting Our Privacy

Cybersecurity advocate George Usi on how businesses can prepare for an eventual compromise

Q&A | Apr 3, 2020 | By Sena Christian

This story is part of our April 2020 issue.

George Usi founded Rancho Cordova-based Omnistruct in 2019, selling cybersecurity compliance programs to businesses. Usi is now helping launch a Sacramento chapter of SecureTheVillage, an initiative to equip people and organizations with the knowledge and skills to combat online dangers. Comstock’s spoke with Usi about his mission to educate businesses so they can manage their risk when a cybersecurity breach occurs.

Tell me about how you got into cybersecurity.

I started my career very involved with the design and development of the internet in the ’90s. … Then in 2004, about a year after I started my first information security business, I had a life-changing event. My wife fell ill, and it was a very poor diagnosis. I began to start taking care of her medical records, all kinds of privacy records, and I was shocked at how poorly her information was being handled. … Sadly, a number of years later, she passed. I went back to having to deal with her affairs, her privacy data, … and that’s when I found my “why” for what I consider to be a cybersecurity and privacy problem. 

There were two key problems that I recognized. One, we’re living in an internet-deliverable world; we are always digitally connected to the worst part of town, and compromise is a matter of when. Second, there were really no privacy regulations or standards and guidelines or even roadmaps for how cybersecurity and privacy should be addressed. So I reached out to internet scientists, … and they said, “You need to do this thing called the National Institute of Standards and Technology.” (The NIST Cybersecurity Framework and NIST Privacy Framework are) a new guideline for cybersecurity, and it’s something our country is certainly going to get behind because it’s bipartisan, and that’s how I started Omnistruct.

Generally speaking, are companies vigilant enough when it comes to cybersecurity?

We believe that many companies have overfocused on the mindset of trying to protect and not understanding that compromise is a matter of when. … The problem is although there are lots of cybersecurity protection measures and monitoring measures out there, a lot of businesses take that problem and toss it over the fence to the IT department and say, “OK, you go fix it.” But that doesn’t work anymore, because a lot of the problems that are happening are not the technologists’ problems alone. The technologists are in a position that makes it very difficult for them to get the rest of the organization to follow a cybersecurity and privacy mindset because they lack the authority. … It has to be done at the executive level. These new laws and regulations, like the (California Consumer Privacy Act), are pretty much going to force that mindset so executives … start realizing they can’t just isolate this problem in the technology department: They have to spread it among all the leaders and be ultimately responsible for cybersecurity.

So these regulations are pushing companies to have these new mindsets?

It’s a double-edged sword. It’s good we’re headed in this direction with privacy laws, like the California Consumer Privacy Act that went into effect Jan. 1. The idea and what it’s trying to do is fantastic. But like many laws, (privacy laws) do have imperfections, and they need to be tested in the field. To answer your question, is it helping? Yes. But it’s also hurting, because it’s increasing the cost to do business.

One big challenge all privacy attorneys seem to be addressing is that the regulations are popping up state by state. … If there’s anything wrong with the regulations, that’s the biggest challenge (that) we don’t have a universal, federal regulation yet that will keep everybody on the same page. So a business in California now has to plan for the CCPA, the state of Nevada’s (Senate Bill) 220 (internet privacy law), the Mind Your Own Business Act (introduced by an Oregon senator) and the list goes on and on … throughout the U.S. But there are also international laws too.

What are the first steps a small- or middle-sized business should take to make sure it’s secure?

The first step is to know where you are. Figure out a way to measure your current state. That includes things like questionnaires, or you can hire organizations; we have a website (where) you can go to answer those questions for free. Your second step is to plan. Many people in the legal profession will say if you have a plan and can illustrate you’re doing that plan, it puts us in a much better position to help you through serious security incidents. … That’s what this new NIST framework (does). … Fortunately, there’s a lot of blueprints out there. … For the third step, what does reasonable minimum security look like? You would want to implement those lists of minimum security items. The best example is an organization out of Los Angeles called securethevillage.org. They’ve been having a lot of success with their movement, and they tell you to do nine minimum things.

(Out of those nine things), if you’re a really small business just starting out, there are three things you want to do. I mentioned the first, which is know where you’re at, (including) laws or regulations that might impact your industry, as well as what your posture looks like. The second thing you want to do is start … documenting everything you’re doing (and) look seriously at any kind of cyber insurance options that might make sense for you. The (third thing is) make sure you’re taking all of that information and bringing it to your IT company — for instance, a lot of small businesses will work with a managed service provider — and you’ll want to make sure the company you’re working with has the same mindset. So if your managed service provider doesn’t know what these new standards and guidelines are, it’s probably time to start shopping for another one. If you have internal staff for IT, it’s time to start working with a company like ours to help be your Sherpa on the journey to planning your cybersecurity posture and preparing for when a compromise happens. If you’re a very large company, doing more than $2 billion a year in revenue, you’re probably investing in a risk-management team. They’re doing more than those nine things — there’s probably 20-30 things they’re doing as a big company. 


The number of privacy records you have, that’s the big thing that changed on Jan. 1 (with CCPA). Privacy records used to be identified in this state as a Social Security number, a driver’s license. … This new law has made that much simpler to classify, so it can be something as simple as a consumer’s personal email address, and that’s now privacy information, according to this new law. So the game has changed considerably. I think that is the challenge for consumers — they want to know that their privacy is secure. They want to make sure that businesses are good stewards of the data they’re keeping. So when we talk about the regulations that exist, it’s absolutely critical to make sure businesses understand … what those risks are. Because it’s really hard to plan your cybersecurity if you don’t know what you’re planning for. When we ask the question of how are small businesses doing, many small, midsize businesses aren’t really qualified to know what’s next, and they turn to the IT workers — “OK, go fix this” — and they’re not going to read up on privacy laws. They’re not going to understand the regulations or the impacts — that’s your legal team and your HR team. That’s why we say this is no longer an IT problem alone.

This could all sound very overwhelming to a small-business owner.

Small businesses should look at themselves and ask: “How many privacy records do I have?” … If you have more than 500 records and you have a breach, you have an obligation legally to report to the California attorney general that you had a breach. It’s the law. … As soon as you get above 500 records, you have to be more aggressive. We want you doing those nine minimum reasonable security things if possible, but there’s really three that you should have on your list. … Everyone should be trained. It doesn’t matter what size your business is: If you’re not cyber aware and know how to deal with and identify when hackers are attacking, then you’re going to have a problem. Two is make sure (with) your vendor relationships that you’re working with companies that can address the cybersecurity question. What are (their) certifications? What are (their) qualifications? Check your vendors, and make sure they’re as serious as you are, even if you’re (business-to-business). If you’re a small business dealing with a company that has privacy records, you have to be as equally compliant as them, and, eventually, they’re going to send you a checklist to make sure you are — they’re going to audit you. The third thing we believe small businesses should be addressing is understanding what your regulatory exposures are. If you can count those records and just bring somebody in to do a gut check, then you’re probably going to be OK. … You really should contract with another third party that’s not your managed IT service company. … We call it a two-party model.

What is the main takeaway you want businesses to remember when it comes to cybersecurity?

The main takeaway we want business owners to (know) is compromise is a matter of when, so be prepared. (When) compromise happens, how do you make sure it stays contained? It’s like getting poison oak. You want to contain it to one part of the body, don’t scratch it, and make sure it doesn’t move around. That’s essentially what the new frameworks and new laws are really trying to help businesses (do). … This is something you have to plan for, and it needs to be done … at the executive level. Prepare for when, and do it at the very top of the chain, otherwise your tech workers and your IT workers (won’t) have the authority to get people to move. 
