Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in a small town of about 3,500 in rural North Carolina, nestled in the middle of the Uwharrie National Forest. Like many small towns, it fostered a close-knit community of people who supported and encouraged me to dream big. My parents encouraged me to travel, to explore, and to get involved in activities and organizations that would foster an enthusiasm and passion for learning. That early appreciation and desire to soak up culture, information, and awareness ultimately became the springboard for my personal and professional trajectories. I went off to a large college, then law school in another state; studied abroad in Switzerland; and moved out west to San Francisco for a decade. I now reside in Charlotte, just over an hour from where I grew up — coming almost full circle to where my quest for knowledge was first born.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
In college, I worked for a technology division of the University of North Carolina (UNC) system. At that time, it was called Academic Technology and Networks (ATN). I helped manage academic and administrative computing and networking on the UNC Chapel Hill campus. As a communications and psychology major, I had had little exposure to computer science, coding, technical infrastructure, networks, or information technology. The job challenged me to learn about the various technologies, communication networks, how data and information are stored and transmitted, how to troubleshoot various technical issues, and how to ensure the efficiency and security of operations on a large academic campus. Years later, after law school and while working in the technology hub of Silicon Valley, I was able to merge the knowledge and skills gained while working with technologies with the practice of law; in particular, in the area of cybersecurity and data privacy.
Can you share the most interesting story that happened to you since you began this fascinating career?
While not everyone enjoys this type of high-stakes, fast-pace, work, I really enjoy the challenge of having to think quickly and stay focused under pressure. For example, many cyber-incidents occur on Friday afternoons while most people are leaving for the weekend, over holidays, or at other inconvenient times when personnel are not physically in the office. When a business’s computer system first goes down, it can create a sense of panic. In the course of my career, I’ve had the opportunity to assist businesses as they navigate these high-stress situations, such as when management can no longer communicate within the organization, customers are irate because they rely on operations that are now down for an indefinite period of time, law enforcement and FBI agents are calling, employees can no longer access their email or files to do their jobs, or national media outlets are sending inquiries and publishing stories about the attack.
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
Agility, focus, and integrity.
Agility, and in particular, the ability to learn quickly, make informed decisions, and feel comfortable in unfamiliar circumstances has been instrumental to my success. In my field in particular, where law is often lagging behind technology, it is both a challenge and a skill to be able to adapt, think creatively, and problem-solve in a way that allows flexibility and doesn’t stifle business or innovation.
Likewise, focus is important, given the multitude of distractions that occur daily. Early in my career, I felt pressure to respond instantaneously to inquiries, which often left me feeling like I was never actually accomplishing any particular project. Several years ago, I started blocking off several hours of time each day, and sometimes full days, to focus on getting projects completed that required more of my attention to deep-dive into issues. That has allowed me to have more focus time, and ultimately allows me to complete projects faster and with better results.
Integrity is one that does not always get attention as a leadership quality. However, as I think about myself and the people who have most influenced my leadership style, integrity, honesty, and the value of hard work are central tenets. As a leader, you are tasked with making important decisions that can have a significant impact on other people. Leaders have a responsibility to ensure that their success, and the success of others, hinges on the ability to make good decisions based on sound judgment, ethical considerations, candor, and trust.
Are you working on any exciting new projects now? How do you think that will help people?
One thing I love about my line of work is that I am always working on something new and exciting. No two days are the same, and I’m constantly learning something new. One project that I’m working on right now, without going into too much detail, is centered around how cybersecurity events can cause a ripple effect through everyday life due to our dependence on technology. We’ve seen this already in things such as supply chain disruption and attacks on critical infrastructure, including the healthcare and financial industries. The project looks at not just how stepping back from some technology can be helpful, but also — and more importantly — how smarter technology and more education can help ease the risks and make us all safer from large-scale cyber-disruptions.
For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Cybersecurity?
I’ve been practicing law for 17 years, much of that time working in the intersection of technology and law. When I joined my current firm, Bradley, seven years ago, I realized that cybersecurity and privacy were at a pivotal point in the practice of law. I built, grew, and now chair the firm’s Cybersecurity and Privacy team, which includes attorneys in multiple states and Washington, D.C. The practice has grown from a handful of attorneys to close to 50 attorneys in a diverse array of industries. Bradley is now recognized as one of the leading firms in the practice. In the past year alone, I, alongside my incredible team, have worked on hundreds of new matters and with clients in the data, privacy, cybersecurity, and digital innovation space.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks that we need to be cognizant of?
A cyberattack is typically a deliberate attempt by a bad actor to gain unauthorized access to an information system. There are various type of cyber-attacks, but the most common attacks I see are malware, network or application exploits, distributed denial of service (DDoS), social engineering schemes (such as phishing), and business email compromise.
Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?
Cyber attacks affect us all. Businesses are targets because criminals understand that businesses will provide higher value and oftentimes have more valuable data assets to steal or ransom. However, individuals are oftentimes victims, even if not directly targeted, through social engineering schemes or other scams.
Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?
The first person who should be called is a data breach coach, which is typically a lawyer who focuses on data incident response. That person will help coordinate and liaise with a business’s cyber insurance carrier, law enforcement, cyber-incident forensic investigators, disaster recovery/infrastructure rebuild teams, and other consultants who may have to be involved depending on the type of attack. Due to recent case law, it is more important than ever to get counsel involved early to provide legal advice and to protect a business’s interests as you navigate responding to a security incident.
What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?
Common mistakes often center around human error, underestimating the prevalence of attacks, or failure to recognize social engineering. Education and diligence are two things that could greatly reduce these types of mistakes.
What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?
More coordination between private companies, government officials, and industry leaders as part of an overall education program and information-sharing practice will help limit such attacks. Reducing the number of these attacks and limiting the damage caused by them is going to require a large-scale, joint effort by all stakeholders.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” and why? (Please share a story or example for each.)
1. Invest. Cyberattacks are expensive to recover from. They interrupt business, strain resources, and can cause long-term reputational damage. It is important for businesses to invest time, money, and resources into preventing attacks, as well as responding to attacks when they occur. Businesses should invest in early risk assessments and designate resources to continuously look for potential threats. Addressing cyber-concerns is a dynamic and ongoing process.
2. Educate. It is imperative to educate and train employees about cyber-hygiene and best practices. Executives and directors should understand their role in preventing and responding to cyber-attacks. Training should be updated and refreshed regularly to account for changes in the threat landscape, technology, business practices, and guidance.
3. Have a Plan. Create an incident response plan and internal policies that address the steps that the business has to take in responding to a cyber-attack. Every business should have an action plan that covers crisis management and best practices, as well as legal and compliance obligations. A successful plan will identify team members and their roles, as well as clear steps that can be taken in response to a cyber event.
4. Practice. Schedule regular practice exercises and table tops, and audits of your incident response plan. It is important to have the right people in the room to walk through a mock incident so your company can understand where their pain points are and how they can improve the response outcomes before having to make split-second decisions in an extremely hostile and stressful situation.
5. Find Trusted Cybersecurity Partners. Cybersecurity is an area that lives up to the “it takes a village” mentality. Line up cybersecurity partners, vendors, and legal counsel who know your business, have experience and depth in cybersecurity, and are comfortable to work with.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)
If I could inspire a movement that would bring good to the world, I would focus on mental and behavioral health awareness. Unfortunately, there is still a stigma associated with mental and behavioral health disorders, yet so many people suffer themselves or know someone who does. This movement would help prevent the need some feel to suffer in silence and could help change the trajectory of so many lives.
How can our readers further follow your work online?
I regularly contribute to Bradley’s Online & On Point (https://www.onlineandonpoint.com/) blog, of which I am also an editor. The blog focuses on the rapidly changing landscape of data privacy regulations and its impact on businesses. There is a wealth of information to be found on Online & On Point that my colleagues and I have written. I encourage you to subscribe!
In addition, I try to stay active on LinkedIn (https://www.linkedin.com/in/erinillman/). The network of privacy professionals and the sharing of information about the quickly growing and changing areas of data privacy and cybersecurity has been a helpful resource. I participate in the conversations happening on LinkedIn, so be sure to connect with me there!
Republished with permission. This article, "Cyber Defense: Erin Illman of Bradley On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack," was published in Authority Magazine on April 10, 2022.