One Step Beyond Cyber
Welcome to One Step Beyond Cyber, the ultimate IT and cybersecurity podcast that's sure to keep you on the edge of your seat! Whether you're a tech guru or a total newbie, our hosts Scott Kreisberg, and Tim Derrickson will make sure you're entertained and educated every step of the way.
As technology advances, it can be challenging to keep up with the latest trends and developments. Don't worry, our hosts are here to help! They will discuss real-world IT-related problems and solutions, as well as provide tips for simplifying tech.
Whether you're a business owner, IT professional, or someone interested in navigating the cyber world, this podcast is for you. We understand the challenges of managing technology, and we're here to help. Sit back, relax, and join us as we dive in, providing you with the knowledge and tools you need to succeed in this rapidly evolving field. Subscribe now and become a part of the One Step community!
EP 9: Behind the Screens: Business Email Compromises and their Impact on Cybersecurity
In this insightful episode, we sit down with Jason, a seasoned cybersecurity expert, to delve deep into the ever-evolving threat landscape and its impact on businesses.
Episode Highlights:
- Getting to Know Jason: Jason kicks off by sharing his cybersecurity journey, shedding light on his background and what sparked his interest in studying the dynamic threat landscape.
- Navigating the Cybersecurity Terrain: Unpack the current state of the cybersecurity landscape. Jason provides a comprehensive overview of the most prominent threats businesses grapple with today.
- Financial and Operational Impacts: Understand the real-world consequences as we explore how cybersecurity threats and breaches directly impact businesses both financially and operationally.
- Deep Dive into Business Email Compromises (BEC): Jason breaks down the intricacies of Business Email Compromises (BEC), why they're a growing concern and the significant implications for businesses.
- Evolution of Cybercriminal Techniques: Explore the ever-evolving techniques employed by cybercriminals in executing BEC attacks and how businesses can stay one step ahead.
- Legal Frameworks and Cybersecurity Response: Dive into the influence of data privacy and cybersecurity regulations on businesses. Learn how legal frameworks shape cybersecurity strategies and responses to emerging threats like BEC.
- Emerging Trends and Future Preparedness: Look ahead with Jason as he shares insights into the most significant emerging trends and threats in the cybersecurity landscape. Discover proactive measures businesses can take to prepare for what lies ahead.
Tune in for a thought-provoking discussion that equips you with valuable insights to navigate the complex world of cybersecurity.
Podcast Video One Step Secure IT - YouTube
Learn about our services https://www.onestepsecureit.com/
Hosted by:
Scott Kreisberg - CEO & Founder of One Step
Tim Derrickson - Sr. vCIO/vCSO- CISSP
Produced by Genesis Aquino
Music Production by Michael Stevens
----
LinkedIn:
https://www.linkedin.com/company/onestepsecureit/mycompany/
Facebook:
https://www.facebook.com/OneStepSecureIT
Twitter:
https://twitter.com/onestepsecureit
00:00:00,000 Hello everyone and welcome to OneStep Beyond Cyber. And in today's episode, we're going to discuss one of the biggest cybersecurity threats that all businesses face today, and that's business email compromises.
00:00:11,760 I'm your host Scott Kreisberg and before we dive into today's episode, just a friendly request to help us by rating our podcast and hitting the subscribe button. Now I'm excited to have Tim Derrickson on.
00:00:24,080 He's our in-house CISSP and he's back with us today. We also have a special guest from ConnectWise, Jason McNew. But before we get started, Tim, could you kindly remind our listeners about the purpose
00:00:37,080 of the content we share here on this channel? Absolutely. The purpose of this podcast is to provide news and information on cybersecurity and technology
00:00:45,280 law and regulations. All data provided on this site is for informational purposes only and should not be considered legal advice.
00:00:54,680 And that is why I do cybersecurity and not broadcasting. Thanks, Tim. I'm thrilled to introduce Jason McNew on today's podcast with 25+ years in IT, including
00:01:04,560 a 12-year stint at the White House. So I think it's safe to say that Jason, you've been around the cybersecurity block once or twice.
00:01:12,560 Now, he's also a US Air Force vet, holds a master's from Penn State, and is also a CISSP. Jason also founded Stronghold Cybersecurity, which was acquired by Appalachia Technologies. Now, today, currently, he's the principal solutions advisor at ConnectWise.
00:01:31,720 Welcome Jason. Thanks, Scott. I think he covered everything.
00:01:35,320 What I do tell people is I spent a lot of years working in buildings with no windows, surrounded by barbed wire and machine guns and that kind of thing. So, through these sorts of extreme security environments, I had a presidential access clearance
00:01:46,400 for 12 years, which is known as Yankee White. So you worked on top-secret special access programs, that kind of thing. Awesome.
00:01:54,040 So anything else you want to tell us about your background in cybersecurity or how you became interested in the ever-evolving cyber threat landscape? How did you get into that exciting no-window building environment?
00:02:05,640 Well, I think all those spending all those years in the classified room, we got regular classified briefings on things that were going on in the outside world as far as the threat landscape was going specifically.
00:02:17,160 The kind of capabilities that nation states had and some of the advanced persistent threats actors had. But, you know, kind of got me interested in that.
00:02:24,560 I was an IT practitioner at WHCA, the White House Communications Agency. So I did a little bit of everything in a really heavily secure environment. So pivoting into just security, a security practitioner was a natural fit towards the end
00:02:39,760 of that. Yeah, it sounds incredible, especially all of it sounds incredible. I want to just pick one thing there.
00:02:47,560 So let's go ahead and get into the meat and potatoes of the episodes. How would you guys describe the current cyber security landscape and what are the most prominent threats businesses face today?
00:02:56,480 And we'll start with Jason on that. Well, they're, they're opportunistic and the vast majority of this is just plain old robbery and it's no different than robbing a stage coach or robbing a train or robbing a bank out west.
00:03:08,320 And for the most part, they're going to pick targets that are, you know, soft and not well-defended. If you're going to rob a stagecoach, you're going to pick one with one person, one guy on
00:03:15,720 it, right? Not one with five guns or whatever. And it's not personal.
00:03:19,960 It's indiscriminate and there are two basic criteria for selection. Do you look like you have money? Doesn't necessarily mean you have money.
00:03:28,640 You might not have cash flow, maybe have a nice website and marketing collateral and, you know, beautiful people on your website and all this stuff. So do they think that you have money and do they think that they can steal it?
00:03:38,760 That's kind of about it. But most of it is just good old-fashioned robbery. But since we're talking about business email compromise, business email compromise is
00:03:46,640 a little bit more discriminant and they do pay attention to current events, especially in, you know, financial news. They'll look for changes in leadership in companies, mergers, who they think is going to be around, new CFOs, new CEOs, new CISOs, that kind of thing.
00:04:05,080 It's a little less indiscriminate, but it's mostly just robbery, plain old robbery. When you're looking at, when you're looking at specifically the threat landscape, but so what do you see as the low-hanging fruit when it comes to this type of, this type of
00:04:22,200 compromise? Low-hanging fruit is going to be mostly small to mid-size businesses. When business email compromise and ransomware first started, they were kind of picking targets
00:04:32,120 that were, you know, easy to find on the internet, so to speak, you know. But they learned that the bigger targets that are more mature, they tend to be, you know, better finance and more mature and have better processes in place.
00:04:43,760 They have the people process and technology, so our security program is in place. And they kind of learned that the small to mid-size business is not going to have the security that, you know, that big enterprise does, so they started choosing them, you know.
00:04:57,600 Yeah, it's a discipline, right? Like the larger companies, you know, will adhere to certain, you know, conditions and they have the wherewithal to do it, the small to medium-size companies, they do their best,
00:05:09,840 but it's kind of hard. Is that what you see out there, Tim? Oh, yeah, I would agree with that.
00:05:14,800 I think what's interesting though, what I wanted to bring up to Jason is, then, yes, but why are we always so concerned with LastPass, with all of these large breaches, whether it's, you know, Kaseya got hit, or MGM got hit when we start seeing some of these large
00:05:32,440 corporations getting hit, what, you know, what chance does a little guy have? I, you know, my answer to that is, frankly, it has a lot to do with the news cycle, you know, the old saying, if it bleeds, it leads, right?
00:05:44,960 And things that are in the way, they tend to make the news and things that, you know, the media doesn't think they're interesting, don't, you know, I mean, so these, you know, these fantastic breaches, the big ones, like, you know, Kaseya and SolarWinds, and, you know, these
00:05:57,560 are the kinds of things that could be the subject of movies, right? You could see Harrison Ford in a movie like that, right? And he did do a movie like that years ago.
00:06:05,640 I kept my, he was the CISO of some company. I kept running that movie, it was called the tub. It's just, you know, what interests people is what the news reports on, you know, statistics
00:06:15,160 tell a different story when you dig into things like the Verizon Data Breach Investigations Report, the reports by the big players in the space. They tell a slightly different story than what the news cycle does.
00:06:25,720 So all that creates a perception and we know that perception doesn't always match reality. Yeah, I agree. And you know, for me, we deal with a lot of the, you know, small to medium size, like 50
00:06:36,520 employees and above and one of the most common things all here is like, you know, we're too small. We don't have enough for the bad guys to even deal with.
00:06:45,360 And it's like, no, you're not too small. That's complete baloney. Yeah, that's that's complete.
00:06:51,160 The news. Yeah, you know, yeah. Yeah.
00:06:55,160 So the target selection is indiscriminate. It's almost, a lot of it's automated anyway. You know, so you have these bots, right?
00:07:02,480 People, bots, computer robots, roaming the internet looking for exploits, possible exploits, just like where I tell people to imagine a blue whale, trolling the ocean, vacuuming up krill, right?
00:07:14,320 They'd eat the krill and then spit everything else out. You know, they don't care. They just swim around vacuuming it up and that's exactly how this kind of works.
00:07:20,800 It's indiscriminate. So then the SMBs are the krill. Absolutely.
00:07:25,360 That's a great example. And remember that one too. Tim, do you have anything you want to say about that?
00:07:30,680 No, I agree. I agree with him. I think it's some of the things that we've been dealing with just so you know, Jason, like
00:07:35,680 we had, we had someone come to us who got hit with, not Royal ransomware, but a different ransomware, the LockBit ransomware, where it was a small business. It was not something that I would have looked at driving down the road saying that this is
00:07:53,560 the one I'm going to hit, but boy, they hit them and they didn't know what to do. So then they called us and we got to go in and look at what wasn't there. And it's just these smaller businesses don't understand they need to change their passwords.
00:08:09,120 They need to not use a cable modem, but put in a firewall. So many different little things. How do you see the evolution of the cyber security landscape over the last decade, Jason?
00:08:23,400 You'd be surprised to find that statistically, the last time I checked something like seven percent of the world's internet users are actually in North America, 6.7 percent as of 2021. I've seen that statistics a few times.
00:08:36,640 And despite that, something like 90 percent of the attacks that are taking place, the ransomware attacks and the crimeware attacks are actually in North America. And the reasons for this are, you know, social-political, economic, even even religious for
00:08:50,960 that matter. There's the old saying that all roads lead to Rome, but in the modern day, all roads lead to America.
00:08:59,800 We export our entertainment, we export our technology, we export our culture, fashion. So it's, you know, an America-centric way in America, America-centric world in many ways. And, you know, American brands are so pervasive and so iconic.
00:09:15,920 I think that is in the most common, the most widely known brand in the world is what the New York Yankees or Coca-Cola or something like that. You could go anywhere in the world and find people wearing New York Yankees.
00:09:26,320 And my point is that it's a very, it's a very America-centric world. And there's that old perception that the streets are paved with gold in America. And depending on where you live, that would certainly appear to be true.
00:09:36,520 If you're living in, you know, a shack somewhere in, you know, South Africa, Mumbai or, you know, the foothills of Rio de Janeiro or, you know, just wherever, then Americans are going to look rich.
00:09:49,380 So we make good targets for this, this kind of robbery. Man, 7%. That's it.
00:09:55,540 Yet most of the robbery comes, comes overseas to us. That's, that's fast. That's fast.
00:10:01,460 And it's, is that why, you know, the FBI prefers people not to pay these ransoms because they're going to, you know, foreign entities that are, you know, that's, that's a big part of it.
00:10:15,020 You know, I mean, a lot of it's crypto, you know, cryptocurrency. So it's, uh, difficult and or impossible to track it. And law enforcement, I differ from law enforcement in that law enforcement will always say don't
00:10:25,320 pay the ransom. And the reason they say that is because if nobody pays the ransom, then theoretically, then all the revenue streams would dry up and then they would stop doing it.
00:10:33,460 But it just doesn't reflect reality. Uh, let's say that you're a small to midsize business and you started the business or maybe your parents started it.
00:10:41,100 It's a first or second-generation business. And it's the functional equivalent of your 401k and you're putting your kids through college with it and you'll get a ransomware attack and now you are, um, dead in the water.
00:10:51,120 You're not operating. No revenue is coming in and you have this choice to make. Um, you know, I could pay this ransom and it might be 10% of my top-line revenue, which
00:10:59,360 is a lot of money that could be easily getting the six figures just for that. Um, or I'm going to end up filing for bankruptcy because my, my business is, you know, no longer functioning.
00:11:09,400 So this becomes a very personal decision that's based on your tolerance for risk, finances, plans, and how it's going to affect your employees. Uh, and, and that's the reason why different, different with, you know, our law enforcement
00:11:21,600 on it, law enforcement, well, they're not, they're not going to lose their paycheck. You know, I mean if you don't pay, but you are, you know, I mean, so it's a very personal decision.
00:11:29,120 And I think we may see some legislation around that going forward. Uh, Congress doesn't have the authority to tell people not to pay this, um, but they do have some authority about regulating around regulating currency, some constitutional
00:11:41,520 authority on regulating currency that they made use to exercise to try and have an impact on this. That would be helpful.
00:11:47,840 Yeah, that would be really, is that, is that there now, or are they just talking about it? I've, I've seen, I think that some bills are being proposed and, but, and, you know, some ideas, but I don't know that there's anything formally, you know, any, any bills sitting
00:11:59,680 in committee or anything like that. Okay. Yeah.
00:12:03,480 So, you know, on this whole, on this whole business email compromise, um, topic that you know, for today, um, could you give us, give our viewers a brief explanation? Maybe of how, how this, how this takes place?
00:12:17,360 How do the bad guys use email against businesses? Um, and have you noticed any particular techniques or changes in recent years? Well, business email compromise is, isn't like ransomware in that it's a little bit less
00:12:30,720 discriminant and the target selection tends to be a little bit more careful. Um, and also the payouts for these are kind of bigger. So there's the risk rewards here.
00:12:40,080 All right. They're going to, I mean, there's not a ton of risk to them other than wasting their time, you know, I mean, because most of it's coming from overseas and jurisdictions where there's
00:12:49,640 no laws against it. You know, I mean, that's another thing that drives this. And most of what we call the developed world, think of, you know, the United States,
00:12:57,560 or Australia, Japan, South Korea, Canada, there's going to be legal prohibitions against hacking inside and outside of your borders, but not every country is like that. In Russia, for example, it's illegal to hack, if you're a Russian citizen, it's illegal
00:13:15,120 to hack within Russian borders. But if you're hacking outside of Russian borders, the Russian authorities aren't going to do anything about that.
00:13:21,240 So when they set up these, um, these ransomware shops or these crime, these crime shops, are targeting jurisdictions outside of their own because they know the authorities aren't going to bother them.
00:13:30,560 So there's several things that, you know, contribute to all of this. And as far as the target selection goes, like I said, if they, you know, they find a publicly traded company and maybe they get a new CFO in or something like that, or they'll look
00:13:46,200 for things in the paper. And the way that it's gotten more sophisticated over the last 10 years, I think probably, the biggest, uh, ways of people pick up on this is the people that are writing the emails,
00:13:59,720 They tend to be ESL and by ESL, I mean, English is a second language. And you can usually pick that up when English is somebody's, you know, second language, not always, but they've gotten better at that.
00:14:10,920 And automation, what we call artificial intelligence, I don't regard it as intelligence, to me, it's a, it's a very fancy algorithm that can mimic humans. It is not self-aware.
00:14:20,400 It will never be self-aware anymore, self-aware than your toaster. But what we call AI is contributing to this because you could take emails and make them sound, you know, more like they were written by a native speaker.
00:14:33,200 So it's gotten more sophisticated. And as our defenses have gotten better, the offenses have gotten better. And it's, you know, a back-and-forth kind of thing.
00:14:41,240 Scott. What do you think contributes, do you think that the dark web contributes to these BECs and the fact that we go out, we hear of all these breaches where they're losing, you
00:14:53,160 know, 5 million, 10 million, 20 million, however, million, million of records of email addresses that they're pulling out and selling on the dark web. I mean, a lot of that also contributes to the BEC.
00:15:06,280 Sometimes they get lucky, right? Sometimes someone's on a site they shouldn't have been on. They get hit.
00:15:12,680 They pull down the email address of whoever it might be. You know, George@ge.com. They start working on if they get the password they're in.
00:15:23,920 So how do you feel that that plays into it as well? Well, the dark web mainly is a way for threat actors to exchange information with each other in a way that they could fabricate and then hide it from, you know, from humans.
00:15:39,800 And to go, you know, the dark web requires in doing any kind of investigation on the dark web, it requires just good old fashioned footwork, you know, it's like a beat. You have to get on there and then go looking for things and then get on message boards
00:15:53,720 and talk to people and then gain their trust. You know, it's kind of like, if you remember the original Star Wars movie, the Mos Eisley Cantina, you know, never before we've seen a more wretched hive of scum and villainy,
00:16:05,960 right? But that was where they went to get what they needed, wasn't it? You know, and there are times that even personally when I was looking for information that
00:16:14,520 was not available through normal news channels or not available on the clear web. And it was, you know, information was, you know, being hidden from the public by whomever and I would go look for it and then find it that way myself.
00:16:25,920 You know, I mean, you can go get information there that you can't get in other places. Right. Do you find it, it also has contributed though to the changing landscape as they get more
00:16:35,200 organized as well to working with the dark web? Uh, yeah. But keep in mind that there's more than one dark web out there.
00:16:43,240 When we talk about the dark web, most people, they're automatically thinking about the onion router, or Tor, um, the Tor project and, you know, incidentally, that technology was invented by the Naval Research Laboratory, NRL.
00:16:55,720 And if you remember, Radio Free Europe from the Cold War days, it was kind of the internet version of Radio Free Europe. The dark web was originally conceived as a way for people who live in oppressed areas
00:17:07,200 to get information out, you know, if you're, you know, living under an oppressor regime or something like that or if you're a reporter or a very dangerous area, you needed a way to get information out from there.
00:17:17,160 That's what that technology was originally invented for. And if you've ever taken the time to pull down the white papers that describe how all of that works, the cryptography and the mathematics, uh, the mathematics boy, uh, that was a real
00:17:28,680 team of eggheads that built all that stuff, you know, even, even with a master's degree in cyber security, most of that is beyond my ability to understand because I'm not a mathematician or a cryptologist.
00:17:38,480 Those are different, uh, different career fields. It's all very sophisticated and yes, they use it as, you know, a force multiplier in this leveraging over to hide what they're doing.
00:17:48,200 Criminals are always trying to hide what they're doing. And, that's the easiest way on, on the internet to, uh, obfuscate your information. There are other ways.
00:17:55,960 And then, you know, of course, as I said, Tor isn't the only way. And this is technology. It's, um, once it's been invented, it can't be uninvented.
00:18:04,040 You know, it's all open source. So any, you know, really anybody can, uh, can do this. It's anybody that has the technical wherewithal and the desire to do it anyway.
00:18:14,120 So yeah, so diving a little bit maybe, I don't know about a deeper man because that was pretty deep in there. But are there any, um, really prevalent, uh, techniques used by the cyber criminals to
00:18:23,720 carry out these types of BEC attacks? Well, uh, probably the most, the most common technique what they do is they insert themselves into email chains somehow, right?
00:18:36,760 So they'll compromise somebody's email and then they will, or they'll, you know, compromise a partner's email. It doesn't have to be you.
00:18:43,200 They could compromise a business partner's email without even getting yours. And then they can masquerade as email by setting up fake domains or sometimes they do a penetration, get ahold of a username and password and compromise an O365 or Exchange account
00:18:56,280 or email or whatever it is. And they will set up their own mail rules in there. So it's a good idea to check your mail rules periodically to see if there's mail rules
00:19:03,720 that you didn't put in there, uh, to hide their communications, uh, from you so that you don't see them. And normally what they do is they'll sit in the email, uh, chains for a while and then do
00:19:15,360 some reconnaissance, again, an idea of who's doing what and who's saying what and whose roles or what, um, and then they'll pose as a client or, uh, you know, a vendor and then send finance information and say, hey, um, our banking and routing information has changed.
00:19:31,280 And the next time we send you an invoice, we want you to pay it this way and it's, you know, the banking and routing information of Mr. Bad Guy. That's the most common way that it's done is by wiring, you know, money to the incorrect
00:19:41,400 place. They fooled the, uh, the victim into wiring money, uh, to the wrong, wrong bank account, which they control, and then they take off with it.
00:19:49,200 And these things are tens, hundreds of thousands sometimes, sometimes even millions of dollars. There have been some spectacular ones.
00:19:56,720 So when it comes to the risk-reward proposition, the rewards for this can be very, very big. So, um, if someone were to spend, you know, three months full-time on a heist like this,
00:20:07,560 That's not an unreasonable thing to do with the expected rewards, the potential rewards. And I have no idea what their success rate is. I don't know if anybody knows that, but, um, even if it was a fairly low success rate, um,
00:20:19,440 It still makes sense to do it. Yeah. So this lends itself to not necessarily being, um, you know, the widespread situation as
00:20:28,800 compared to what you said with regards to compromising maybe an executive or somebody within the company and, uh, and, and, you know, compromising their email and trying to figure out what's going on there.
00:20:40,000 Yeah. What you're referring to there is, you know, phishing or whaling, when you are, um, or whaling or spear phishing rather, when you are, um, phishing is when you're just kind of doing
00:20:49,160 it indiscriminately, you're tossing your bait in and seeing what you get. Spear phishing is when you're interested in a specific fish. You know, I mean, I, I want that big fat tuna right there.
00:20:57,160 I'm trying to spear it. And then whaling is the same idea, but when you're looking for a high-value target or a high net-worth individual or something specific or something like that, um, or, or in, or in
00:21:07,440 The case, I suppose where, uh, the, remember, these celebrities were targeted. Their iCloud accounts were targeted and then their personal, thick pictures were exfiltrated and they didn't do that for money.
00:21:17,880 They did it for the heck of it. Um, that would be something I would describe as whaling and it was fairly sophisticated, a coordinated attack by several people that hung out on 4chan and,
00:21:28,800 You know, 4chan isn't even on the dark web, that's on, you could go to that website. I don't recommend it. It's horrendous, um, but that's where stuff like that goes on.
00:21:37,240 Very interesting, man. Does anyone have that? No, I think you covered that one.
00:21:43,040 I think you did. I think you covered it well. But with the increasing focus, though, on data privacy and cybersecurity regulations,
00:21:51,040 Um, how have the, let's say, the legal frameworks affected how businesses approach, uh, cyber security and, and how they respond to the BEC attacks? Is there anything going on there?
00:22:01,360 You know, all, that's, that's a very complicated answer. And we're gonna go on the rabbit hole academically, uh, there, um, we do live in a constitutional republic for now, right?
00:22:11,840 Which is why everybody has a different driver's license, for example, right? We're all citizens of whatever state you live in the citizens of the United States of America.
00:22:20,000 And the way that our constitution is supposed to work is unless Congress has the specific authority to do something, they're not supposed to. And there's not any authority in the Constitution for Congress to do anything about
00:22:30,920 Cybersecurity for small businesses. Now they try to do it in ancillary ways, um, by, you know, the states will do it and there's federal regulations that regulate what the federal government does.
00:22:42,040 And then, you know, the, the federal government does have broad reach because there's so much contracting that goes on. There are so many small private businesses that do contracting for the federal government.
00:22:50,480 What's their, what's their budget? $3 trillion a year or something like that. So they can't regulate it directly.
00:22:55,600 Um, for them to regulate it directly, we, we would have, you know, technically have to pass an amendment for the constitution for them to do that. There are about 20 powers in the United Congress and the Constitution.
00:23:05,760 But there's not any kind of power around regulating what small businesses do. So, um, however, there's nothing in there that prevents the states from doing it and, um, you know, all the states have their constitutions and typically they could do what they want.
00:23:18,200 Um, so different states, California being an older one, New York, uh, are passing different laws. And I kind of suspect that, uh, as time goes on that a lot of this is going to make itself,
00:23:29,840 I would compare the state of cyber security in the United States and the developed world today to the way that, um, safety was say a hundred years ago. Um, remember in high school reading, uh, the movie, the book by Upton Sinclair, The
00:23:41,840 jungle, right, people falling in the meat grinders and that kind of stuff, right? So, um, when I think of safety a hundred years ago, I think of poor lighting and missing fire exits and no safety guards on machines.
00:23:52,560 And I think that um, and it's also true that, you know, Congress didn't have a lot of authority to do anything about that either. And it took time between, uh, you know, insurance and between, uh, private enterprises and
00:24:03,320 between the various states in the Republic and, uh, and, uh, Congress itself doing all those things working together. We have gradually made safety.
00:24:10,640 Of course, we have OSHA now, um, but I think it's going to improve with time, but we're still really kind of in the infancy of all this and like us, and the best analogy I have is it's kind of like safety was a hundred years ago.
00:24:22,120 I imagine going into, uh, you know, a factory and it's four floors and there are no fire exits and there's no lighting and, you know, we, what is this? It's crazy.
00:24:30,520 You know, so I think in, you know, a couple of decades when people look like what we were doing now, they're going to think that we were not. You know, it's going to take time to get better.
00:24:39,480 It's going to be a process. Right. And it's only going to get better as you just said or more stringent or whatever
00:24:47,360 you want to do. It's going to get worse and better at the same time. Right.
00:24:51,520 Do you feel that, um, so we have PCI DSS, which is privately run compliance? Correct. Do you think that we will see more privately run compliances before the government
00:25:03,000 finally does catch up? I mean, we have our NIST libraries. We have, uh, FISMA, we have all these different compliances and regulations that we use for
00:25:10,280 the federal space, but on the private space, we don't. So even when we start talking privacy, right, you got your California Protection Act, you have New York, you have the American, which still hasn't caught up to the others.
00:25:23,800 How do you feel that it's all going to play? Do you feel that the, we will see more private compliances that will rise before we see the government take control?
00:25:33,280 Or do you think the government will? I certainly, I hope that these problems are solved through voluntary cooperation. Now I have my own biases, of course, um, but one of the things that sets the tech sector apart
00:25:45,600 from the rest of the global economies and think about this, the tech sector for the most part is made regular. So to speak through voluntary cooperation, right?
00:25:52,760 We've all this stuff from the, obviously, I S.S.P. There are no government-sanctioned licenses in cyber security or, uh, or IT, right? So, um, one of my old jokes I would run in my slideshows is that it would be completely
00:26:05,240 legal for Supercuts to sell cyber security, but my company, Stronghold Cyber Security, couldn't cut hair, right? So if you go get a will or you go get your teeth cleaned, your hair cut, you get tattoos,
00:26:16,040 you buy pizza, all these things are regulated typically by the states or the locality, and those people all have government-sanctioned licenses. Tim, you and I are both CISSPs, right?
00:26:26,320 But that is not a government-sanctioned license. However, it is widely recognized as something. It's kind of on par with the C.P.A. and sort of, uh, and my dad was a C.P.A.
00:26:36,040 So I think that, um, I think that we can achieve what we need to achieve without regulations and, and statutes without, you know, without the force of law. Um, I think that's possible.
00:26:47,360 And I think the insurance companies are going to drive a lot of this because the small to mid-sized businesses are starting to understand that cyber security insurance is necessary. After all, these risks are extreme.
00:26:57,240 Uh, this, this could be a disaster and it could put you out of business just like a building fire or a flood. And when you go to buy cyber security insurance, the, the underwriters and the carriers and the brokers
00:27:07,440 will tell you, well, you need to have these protective technologies in order, or, you know, to renew the cyber policy, and people, they get that. It's kind of like telling somebody, well, okay, we'll insure your car.
00:27:17,440 But, you know, it needs to have ABS and it needs to have traction control and needs to have seat belts and it needs to have these other things. Um, so it is getting better and I think it's going to continue to get better and I think
00:27:28,240 The government is going to play some role in it, um, at both the federal and the state level. But I think, uh, for the most part, the problem is improving, uh, on its own without too much intervention by the, by the federal government.
00:27:40,720 I think it's going to continue to improve and I think these problems can be solved through voluntary cooperation. Um, and we don't necessarily need to have statutes.
00:27:47,960 And I'm sure that other people would disagree with that vehemently. Yeah. Well, it's always better. I think if, if the private sector can take care of it before, you know, regulatory stuff takes
00:27:58,680 place, but we'll see. And I tend to agree with this seems like it's already happening. So I think it's happening, especially with cyber liability insurance because they've
00:28:06,400 started to drive how we see, um, how we see small businesses taking care of themselves, but also how they're reaching out to be protected. So we're seeing more small to medium-sized businesses start looking externally at their
00:28:19,920 own, uh, IT internal people to be able to secure their environment since security and IT are two different things. And that's something that still needs to be learned, I think in a lot of spaces.
00:28:32,800 I think this, um, Tim, I think it'll unfold kind of. Let's use the National Electric Code as, as an example here, right? NFPA 70 National Electric Code.
00:28:40,600 Ever read that thing? I've read that entire thing a couple of times and I worked at LaKa. And the National Electric Code is not a federal law or anything.
00:28:47,720 It's a code, but the various states and localities have all adopted it and said for us to give you an occupancy permit for a building, you'll have to follow the National Electric Code.
00:28:57,480 It's not a, it's not a federal law. It's not even a state law. That's the states and the localities that drive that.
00:29:02,400 And I think what we could eventually see is something, um, where we have the NIST cybersecurity framework, the CSF, it is the five functions of 23 families, 108 controls. And by the time you factor in all the interpretation, which is in NIST SP 800-53, that's another
00:29:17,160 500 pages, it's kind of like the National Electric Code. There's a lot of meat on the bones with that thing. And you could see various industries saying that for us to sell you cybersecurity
00:29:26,560 insurance, or to do this and do that, that, you know, a state or a county or whoever could say that you have to follow the NIST cybersecurity framework, if we choose to go that route.
00:29:36,440 So there are, there are examples and precedents of ways to solve this problem without, without necessarily having to do it by Washington, DC. Yeah, absolutely.
00:29:45,600 Well, this is good. So finally, you know, looking ahead, what do you guys see as the most significant trends for threats and the cybersecurity landscape?
00:29:54,840 And if you have any recommendations for businesses to prepare for them, you might have just gone over it, you know, like, you know, picking a, picking a compliance flavor them. But anyway, I'll leave that to you.
00:30:06,440 Well, the first thing to do is to work with a qualified, you know, practitioner like One Step and get an assessment done because you don't know what you don't know. You could have glaring, gaping holes in your cybersecurity.
00:30:17,440 Most people are not experts in this. And, you know, kind of, it's kind of like getting a homeowner's inspection on a new home if you're somebody that, you know, can't change a light bulb or can't change a
00:30:27,240 doorknob or something like that. And I'm not saying that in a disparaging way or anything like that. You know, one of many forms of expertise in cybersecurity.
00:30:33,240 But you have, you bring in someone like One Step and they could use some automation, some tools, and then some Q&A and then give you a good idea. Well, these are the things you could do right now to dramatically reduce the probability
00:30:47,360 and the impact of a bad outcome. So the first thing is to get a cybersecurity assessment done. And then the cybersecurity assessments are going to have some recommendations that you may
00:30:57,000 want to implement over quarters, say Q1, Q2, Q3, Q4 because you can't solve all these problems at once. It's not practical.
00:31:04,160 It's not cost-effective. You try to reduce your IT-borne business risk quickly while spending the least amount of money, you know, hit the low-hanging fruit first.
00:31:15,640 So my answer to that is to start with an assessment. Yeah, I think that also when we look at these things, we go back to what I was just saying about security and IT, bring in that expert.
00:31:28,840 Whoever that person is, like you were saying, Jason, I can go and get a haircut and they can sell cybersecurity. But I can't sell haircuts.
00:31:37,600 We do something very specific and make sure that person that you're going to has some type of security background. There are a lot of companies out there right now that they're IT people, nothing wrong with
00:31:50,280 IT people, but they're selling cybersecurity, not understanding and just throwing tools at something. Yeah, the people process and technology, you have to have people in the process, not just
00:32:01,520 The technology, technology alone cannot solve these problems. And IT and security are separate disciplines just as, you know, you wouldn't have an accountant audit their books.
00:32:12,800 And it's not because they can, it's because they should. And, you know what I mean? But beyond that, they are different skill sets.
00:32:19,560 And this is my opinion, but I think that your better security practitioners are probably people that cut their teeth in IT. So, you know, if you know how to build a castle brick by brick, then you know how to protect
00:32:29,400 it or attack it. Absolutely. Wow.
00:32:33,400 Okay, so this has been great. That's all the time we're going to have for today's episode. Jason, thank you so much for your time and your insight.
00:32:40,160 And I hope we can have you on again in the future. Tim, as usual, always a pleasure to have you and get your wisdom shared with our listeners. Thanks, everyone for tuning in with us, and don't forget to like and subscribe.
00:32:53,480 And if you're watching this on YouTube, go ahead and turn on your notifications bell so that you are the first one to know when we drop a new episode. Remember, it's better to be safe and never just blanket trust emails you receive from within
00:33:10,080 or even outside your company. Take a few extra seconds to apply good cybersecurity hygiene and verify you can trust that email. Until next time, stay safe.