Innovation Nation

Episode · 2 years ago

The Only 2 Kinds of Cybersecurity Victims w/ Matthew Rosenquist


We’re all working from home not thinking about cybercriminals at all. 

They’re thinking about us, though. 

In this very first episode of Innovation Nation, I interview Matthew Rosenquist, CISO at, about cybercrime in the time of COVID-19. 

What we talked about:  

  • Hardware vs. software vs. wetware (people) 
  • We’re vulnerable during quarantine not because of technology but because of our behaviors 
  • Cybersecurity issues that SMBs need to consider with IoT 
  • Security fears that we have & education that we need 

Innovation is all around us. In fact, everyone innovates, often unbeknownst to themselves. Many mistakenly assume that innovation is either a big capital project, a figurative bolt of lightning that brings inspiration, or the province of some exceptionally gifted person. This is the myth of innovation. But you can innovate as well. You are listening to Innovation Nation, the podcast where top executives and industry experts are sharing their insights on harnessing the power of innovation. We're here to help you stay ahead of the curve by driving your own innovation. Here's your host, Jasmine Martyr Rosen.

Hi. I'm joined today by Matthew Rosenquist, who is one of the world's leading cyber security experts, having spent over two decades with Intel and other leading providers of services. So, Matthew, we live at a very interesting time with a lot of change. Some people are calling the new normal the new abnormal, but one thing is certain: cyber criminals are innovating there. So what can small to medium size businesses do to stay ahead of that curve and stay protected?

Well, small and medium businesses, they are a ripe target for cyber attackers, who are constantly innovating and changing, and to them, from their perspective, it's an easy, easy win. So really the most important thing for small businesses to do is to follow basic practices from a cyber security perspective. And in our industry we, you know, we've got an axiom, and that axiom is really that there's two types of victims that exist: those with something of value and those who are easy targets. And so the obvious advice is don't be an easy target and protect your valuables. And this very much applies to small and medium businesses because, although they may not have massive amounts of, you know, value that can be targeted, they typically are much easier than larger organizations that have much greater capability. 
So it's about a mindset, right, to understand that we are, as a small and medium business organization, we are being targeted, right. Don't tell us and tell yourself that you're not, because that's absolutely true. We tend to be easier targets. We have to be diligent and consistent in following industry best practices, and those don't have to be expensive, they don't have to be complex. Following some good basic rules out there really gets you out of that category of being an easy target, and that's what we have to internally make the decision for ourselves and get us on a right course so that we can have some defenses against that constant innovation and a constant pressure of attacks that are going on in the industry.

In previous discussions on the topic, you have referenced a double-sided coin when it comes to cyber security. What's your take on that?

Yeah, you know, if you think about a coin, on one side you've got the technology, and when we think about cyber security and digital security, we're always thinking technology, new toys, new tech, software, hardware, right, and that is a very important component. That's one side of the coin. But the other side of the coin that we often forget is about people. It's about behaviors, it's about good practices and decisions of what people do. Now, that edge of the coin, the piece that connects the two, that's the process that connects the technology and people. But when we approach cyber security we have to look at both sides of the coin. You can't just address one. You can't just focus on the technology or just focus on the people. You have to focus on both, and one of the most underutilized areas is really in those behaviors, is making sure that your employees and vendors and suppliers,...

...everybody's acting and making good decisions, right, from a behavioral perspective. That is the easiest way for most small and medium businesses and even large corporations and governments. It is the easiest way to jump start, to greatly increase your defensive posture against cyber threats.

So thank you. Could you give us a few examples where the human component is a huge factor in either dealing with a cyber threat or preventing it?

Yeah, yeah, so, if you look at attacks like ransomware, we've heard about that, or data breaches, things of that sort, a lot of those really focus on social engineering, even the deployment of malware, you know, viruses and worms and Trojans, especially, right. A lot of those focus on getting somebody to visit a malicious website or to click on a link, download a program, open up an email attachment, and it really goes around people. In fact, you know, we talked about the strength of certain defenses and technologies and, you know, humorously, we often say the weakest link in most organizations is not the hardware or software, it's the wetware, it's the humans, it's the people, right, and so if you can send an email to somebody or a text, you might be able to get them to click on that link, right, or to open that Word document or what appears to be a Word document or a harmless PDF file, and in doing so you can easily compromise them. Social engineering right now is the easiest path to compromise most organizations, and whether it's again ransomware or what they call business email compromise for fraud, that is the number one way, and it works, and attackers go for it. Why? Because it's easy, right, path of least resistance. Go after the people. The more you train people, the more you get them savvy and aware, the better choices they can make and you can avoid those types of attacks, vast amounts of attacks. 
And again, if you're solid and your people are not doing that, the attackers move on to that next company, that next organization, who isn't as savvy, who isn't as vigilant, diligent, and they're the ones that get the attention of the attackers. So it's really important, especially for small and medium businesses, simply to train employees. It doesn't cost very much, it doesn't take very much time, and yet it provides a really good and important foundational shield against many of the most common attacks coming in.

So we'll hear about major attacks. You know, media talks about it. Any major organization has been attacked, even the IRS in the United States, which you'd like to think is impenetrable. Having said that, what is it? Is there some kind of a mass sense of denial, that people think it might not happen to them? Is there insufficient training? What are the factors contributing to the spread?

Well, cyber security, the entire industry, when you look at it, is really kind of complex and a little convoluted, and there's a lot of ambiguity there. We have to deal with many different types of threat agents, right, the types of attackers, and we can break them down into different types of archetypes. And at the very top of that pyramid, right, the highest, most skilled, most resourced are really nation states. They've the ability to throw billions, billions of dollars around. They can outsource and they can do their own research and things of that sort. Very small, but it's at the very, very pinnacle of the threats. Now they typically don't go after small businesses, right, they are going after very big, very protected targets, like other governments or major banks, things...

...that sort. But as we go down the pyramid, we've got different types of threat archetypes, and, you know, the cyber criminal, right, who is motivated by personal financial gain, right, who will follow that path of least resistance, who really doesn't care who the target is as long as they get that money, that benefit. And there's huge organizations and there's very simple ones as well, and those tend to be the greatest single threat because of the size, right, to small and medium businesses. So the defenses against them tend to be a lot different than if you are, you know, a top three bank or a major government in the world or a defense organization or an intelligence organization. We've got different types of threats, so it's important to understand. Most small businesses don't have to protect against a direct attack of a nation state. Really the primary focus for them are those cyber criminals who are sending out that phishing and that spam and, you know, making calls and things of that sort. So we can be realistic in what we need to defend against, and in doing so, then we can pull together, you know, what technology we need, what behavioral controls we need and what good processes keep those solid and consistent over time. Something even as simple as, you know, good password policy. Right, passwords and credentials in general have to be protected. We don't have to go to massive extremes, right, unless you are those big banks and things of that sort. For a small business, having a, you know, password policy that simply says you have to have two aspects, a strong password and you have to not reuse it, right, it has to be unique. Something like that puts a small or medium business in a great position from protecting their assets with those credentials. 
It doesn't have to be complex, but again, we have to understand that there is a tremendous dark cloud out there that wants to infiltrate, and there's different levels of threats that exist against that.

You painted a vivid picture, right, with nation states at the top of that pyramid, in essence, innovating. Right, when we talk about innovation, culturally, socially, we think of innovation as positive. Here innovation is used not for greater good but to only further certain goals of cyber criminals. How can companies, small to large, create a cutting edge for themselves to stay current and to stay vigilant?

Well, again, we have to look at that two-sided coin. On the technology side, the recommendation is making sure that you're using good security products, tools and vendors, right, and that you're keeping technology updated. Innovation many times on the attackers' side is looking for that window of opportunity. Let's say a new vulnerability is discovered and people haven't yet patched. Well, that's the window of opportunity: go exploit that vulnerability. So for small, medium, large businesses, everybody, patching, for example, is very important. It's not something you want to put off. Making sure that you're using quality anti-malware software, for example, on your PCs or laptops. You're not developing that technology, but you can go out and invest in the companies that are keeping that technology updated. Let them be in that arms race with the bad guys, because that's their job. So we don't have to directly, in many cases, compete with the innovation of the bad guys. There are security processes and tools and products that allow us to do that, allows them to do that, and we invest in them. So, you know, we don't want to be fearful because there is tremendous innovation and investment for...

...vulnerabilities out there in the industry and the attackers are constantly innovating. We don't have to directly undermine that as a small or medium business. We just have to follow the industry best practices that are designed to keep parity with the innovation of the bad guys.

Thank you. And what's been the impact of COVID-19 in the world of cyber security?

Well, in computing it's kind of turned everybody on its side, and everything on its side, because it's pushed a lot of people to work from home. They're working on maybe personal devices instead of company devices, they're connecting to their home networks instead of the work network, and so there's a lot of technical aspects that again create a potential opportunity for threat agents, right, ways to get in. Attacking someone's home network is a whole lot easier than attacking a corporate network with secure controls. So there's different scale, but there's also different problems. Finding an employee on their home network is a little more difficult than understanding that they're probably on the corporate domain network that I can search on the Internet. So there's tradeoffs there. But one of the most important things, beyond the technology that people are using, which is important, right, people need to understand that you still have to follow those basic practices, is the behavioral aspect. And again we come back to that two-sided coin. When people are in their office, they know what the corporate policy is, they know not to use USB drives, they know that they should only be doing certain things, and it's reinforced. It's part of that community when you're at work, right, what's acceptable. When we start working from home, this is our safe place, this is a place that we trust, and our guard sometimes goes down, and okay, well, I'll just use a USB drive, I'll just go here, I'll just click this email, things you wouldn't normally do at work and around your colleagues in a professional setting. 
People let slide a little bit and they get a little lax while at home, and it's normal. It's normal behaviors, but it puts at risk your work, the company, work assets, access to other employees. Again, if you get compromised, you're putting everybody at risk. So the behavioral aspect of being in a comfortable place in your pajamas, you know, working throughout the day, you feel safe. But from a cyber security perspective we must continue to be vigilant in following the good practices for security, and you have to follow that hygiene regardless of whether you're in your slippers and pajamas or whether you're in a suit sitting at your desk in the office.

So keeping professional boundaries, whether you're working out of home or within the office setting, is critically important.

Absolutely, because the attackers are taking advantage of that comfort level and, you know, they're getting away with it. They're creating, you know, tens of thousands of fake domains and, you know, sending out all sorts of phishing emails and communications, and they're using keywords that are interesting to us, right, they're using COVID or coronavirus. You know, they're creating fake apps, fake web pages with malicious code in them, sending out emails, messages, text messages, alerts right on your phone: alert, click on this link for the latest COVID stats in your area, right, and they're using that very well. They're very well versed and they look for opportunities where there is a global crisis or something that will catch someone's eye and just instinctively get them to click. They're using that against us.

So always be vigilant, that's the key lesson, and to not drop the guard, right?

Absolutely, very, very important. You don't have to do a whole lot different than you did in the office.

There isn't some, you know, special software you have to download or special practices. Simply follow the, you know, the best practices in the industry, just like you did in the office. That's what we want to reinforce in this new model of work. There's a few new applications people are using. Think of the teleconference applications, right, a huge spike in that. Some of them, you know, weren't vetted for security. That's coming back around, but for the most part, ninety-nine percent of what you need to do are those best practices, following the policies of what you would do if you were sitting in an office around your peers.

We're living in an IIoT world, industrial internet of things, increasing connectedness of devices, smart devices, everything talking to each other. What trends do you see in the area of cybersecurity that companies big and small should be watching out for?

Well, IoT, Internet of Things, and IIoT, Industrial Internet of Things, they are growing at a phenomenal rate. In fact, the greatest growth that we see across all of technology and cybersecurity is really in those IoT devices and IIoT devices that are being turned on, and they are typically small or less powerful devices than, you know, our desktop or laptop or even our phone, and so they tend not to benefit from the same security controls and oversight. In fact, most of the security software and services out there are geared towards servers and workstations and PCs and laptops, and so there isn't even a whole lot of choices out there right now in the industry. And again the attackers see an opportunity, and we have seen massive compromises of these types of devices, pulling them into botnets, using them as a network foothold to gain access to other devices on the networks, things of that sort. So this is a pervasive problem and it's only getting worse every single day. 
The security industry is lagging, unfortunately, in being able to provide proper and comprehensive security services and capabilities, even some of the basics, right, making sure you don't have a default password on these devices that you're installing in your home or in a factory or in, you know, a power center or, you know, a water meter. Right now the industry is struggling just to even get the basics in, and the attackers are having a heyday and they're seeing it. And as we have some of these IoT devices, as we look forward into the future, right, these are the devices that are going to be controlling your autonomous vehicles when you get in and take your kids to school or to daycare, and changing lanes and accelerating and braking the car. You know, it's important that all of these kinds of devices are secured. Right, we're seeing a major infusion of these devices because of cost benefits and control benefits into critical infrastructure, into the power and telecommunications and water and sanitation and transportation and food networks all over the United States. And if they're vulnerable, that puts all that critical infrastructure. Okay, so enough about the fearmongering. What we really need to look at from a small and medium business is take a look at the devices that you're bringing into your environment, what's connecting to your network. You know, it's great having, you know, an IP camera or set of IP cameras to protect your assets, but are they really secure? Have you chosen a vendor that's emphasized security, that is invested, that is constantly updating these types of products? It's really important because that may be that entry point. You may have protected your primary network with firewalls and everything, but then opened it up for these cameras. So we must understand, whether it's a camera or, you know, a Fitbit that you use at home or any of the devices that we bring into our lives. Every...

...time we bring in a device that connects to our networks, we are potentially opening the door for an attacker to come in, and it can be attacked at scale. It's not that an attacker needs to know you. They can be scanning entire networks automatically looking for these devices that are calling home, that are listening in, and automatically exploiting them and taking them over. Attackers can do this at scale and can compromise hundreds of thousands of devices in a single day, so that every single device closely.

And now you've talked about the human factor a lot throughout this conversation. Right. You are father to four kids, if I may share that with the audience. Have you made an attempt to, like, educate them about cybersecurity from a young age? Is that something that parents should be doing across the board?

Educating the next generation is hugely important. Right, when we, you know, look at our lives and how we grew up with technology, it was a shadow of what we currently experience today, and we have a wealth of knowledge and maybe a little bit of pain and suffering in the technology that we've brought together into our lives. Children especially, they don't get that. They don't see that, they don't see the risks, they only see the benefits, which is one of the beautiful things about being a child. So part of our role as parents is to protect them and make sure that they're not exposing themselves or the rest of the family, but also to prepare them for taking on that responsibility themselves. And as we go through this digital transformation, all of society goes through digital transformation, we are getting more connected and we are bringing ourselves and our data more online, and more data is being created about us, and this creates a wonderful capability to connect in and enrich the lives of people across the globe. So there's tremendous benefit, but there is equal amount of risk. 
As we become more reliant on technology, as we become more integrated with it, that information can be used against us and that reliance can be held against us. You know, imagine again that smart car, right, we all want that, that next generation car that will drive us to work and we don't have to worry about it, that autonomous vehicle. I'm looking forward to the day of that. But again, I would hate to get into my car on a rainy night far from home and just want to get there and for a ransomware screen to come up to say, oh well, if you really want to get home, you need to send me three hundred dollars. Right, I don't want that. That's me being victimized by the technology that I'm now reliant upon. So again, everything in our lives that's digital, for all the goodness that it brings, it also is accompanied by some level of inherent risk. We need to be cognizant about that, and it's best to proactively manage and address that. When it comes to our children, it's to educate them, to protect them for things that they can't understand and to prepare them to take over that role, to be aware and to make good digital decisions.

Excellent. Well, any final thoughts that everybody should be guided by to live in a more cyber secure world?

Well, especially for small and medium businesses, right, it's important that we're not fearful. The organizations that I work with and the companies, and when I speak, many times there is, especially with small and medium businesses, there is a concern. People are put off by even talking about cyber security. It seems so complex and so expensive and they just don't want to deal with it, and they start telling themselves these things of, oh well, I won't be attacked, I won't be victimized, I'm too small. Why would somebody want to come after me?...

No big deal. It's about denial, and really there's no place for that. Small and medium businesses are being targeted like crazy because they are easy to go after, because people do have that sentiment and therefore they don't do even the basics. And I have to tell you, doing the basics doesn't have to be complex, it doesn't have to be expensive. And, you know, an ounce of prevention is better than a pound of cure, and it's very, very true here. And so there is help. There's help available, there's advice, there's free tools, there's free capabilities. You just have to take that mental step to say yes, this is important, yes, let me look into this, yes, let's see what we can do. You know, reasonable way. Perfect cyber security is not about being impenetrable. It's about finding that right balance between risk, costs and that usability or productivity, right. Finding that three-way balance is really about optimal security, and everybody, even in small and medium businesses, need to approach it that way. Don't be afraid.

Thank you. That's a very strong message to everyone. Don't be afraid, take charge, be proactive. You have more tools at your disposal than you think you do.

Absolutely.

Really appreciate you sharing your wisdom and expertise with us, Matthew. Look forward to further conversations.

Thank you, my pleasure.

You've been listening to Innovation Nation. For more, subscribe to the podcast in your favorite podcast player or connect with us on LinkedIn. Thanks for listening.
