Peter
This episode is brought to you by Stratascale. Visit shi.com/stratascale to learn more.
[music plays]
Michael
The ability to detect that somebody is actually inside your network is, according to recent report, 280 days. So, I think just that visibility piece is extremely important for us as understanding do we have the right controls in place to identify if anybody is actually inside our network and monitoring what we're doing?
[music plays]
Peter
Welcome to SHI's Innovation Heroes, a podcast exploring the people and businesses giving us hope in our drastically disrupted world. I'm your host, Peter Bean.
[music plays]
Peter
Our cybersecurity frontline defense systems have seen an unprecedented barrage in the last year. With the onset of the pandemic, nearly everyone had to adjust to remote work. While most companies have been able to carry out this change successfully, there's one segment of the population who's been evolving just as quickly: hackers. [thunderclap] As it turns out, sending everyone home to work has vastly increased the number of vulnerable spots in our cybersecurity safeguards. [techno screech] In the first three months of the pandemic alone, the FBI reported attacks had quadrupled. In six months, one survey found that one out of five companies had suffered a security breach caused by a remote worker. By April of last year, more than a half a million zoom accounts were sold on the dark web, often for less than a single cent. Malware attacks skyrocketed and kept pace with the rate of COVID diagnosis. Even when companies take measures to combat the rising tide of security threats, things like phishing tests are less than ideal. Even with training, employees can only tell they're being fished just over half the time. Michael Wilcox knows firsthand that keeping your data safe is more challenging than ever. He's the Chief Information Security Officer at Stratascale, an SHI subsidiary. But today, he's going to be our cybersecurity hygienist. A lot of you are probably late for your annual checkup, but not to worry. He's here to get you up to snuff. Michael has some great advice to offer when it comes to taking the burden of remembering a million passwords off of end users and finding some really practical solutions. Michael, welcome to the show.
Michael
Hey, Peter, thank you for having me.
Peter
So, before we get started, could you tell our audience a little bit about yourself and your previous experience?
Michael
I was kind of hardwired when I was a kid to love all things technology and security-related. I loved hacking things to understand how they worked, to see if I could break them and put them back together again. And actually, started out with an ancient computer called the Commodore VIC-20. I wrote basic computer code, and then I learned assembly language. And things got interesting when I figured out how to connect that computer to the phone system. And I think it kind of wired my brain in an interesting way to have that hacker attitude. In fact, my wife jokingly refers to me as the "king of worst case scenario" [Peter chuckles] because I'm always running a quick risk analysis on the worst probable outcome that can result in any situation. And then I'm always quick to point out, though, that it's a good thing, because then I can calibrate and figure out what we should do to prevent that from happening, and that served me pretty well. A few years ago, I had a strong desire to work with cybersecurity executives, so I took a role with a large tech company. And I basically interfaced as a security evangelist with many cybersecurity leaders. But life has a funny way of mixing things up. I always say you can't control what happens, but you can control your reaction to the things that happen. And I had some personal events that took place, and so I decided to take a sabbatical for a year to spend time with family. And about seven months into that I saw job posting on LinkedIn for VP Chief Security Executive leadership position at the largest nonprofit cancer research organization in the US. I felt like it was a calling, and I took the role arguably at the perfect time because I was able to be part of an amazing team that transitioned the company to a remote workforce during the global pandemic and along the way, also moved the data center to the cloud. And then I had the opportunity to chat with somebody about this amazing company Stratascale that was being formed, and now I find myself into this role. I've been here for about three and a half months.
Peter
So, your job at Stratascale is to talk to CSOs and figure out how to fix the problems that are keeping them up at night. I'm really curious, what are they most worried about right now? And what are the blind spots that they're not thinking about, but really should be?
Michael
People are worried about the effect that the global pandemic has had on their businesses, and what they have had to do or need to do right now to pivot and support their businesses to enable their remote workers. So, what keeps us up at night, hopefully, are the same things that keep our executive leaders up at night. And some of those things are what they don't know, not having the sufficient resources, worrying that the teams maybe don't have the appropriate skillsets. But a lot of this is the speed at which things are happening and ensuring that you are in fact aligned with the right members of IT and the business. And if you look at the media and headlines right now, supply chain attacks have really taken a limelight, because we're seeing how attackers have the ability to embed themselves and what is perceived as trusted code being provided to them in a very stealthy way, and gain access to a large number of organizations. So, I'd say, you know, right now it's about remote workforce, data center migration, supply chain attacks. And then I always advocate, too-- and I hear this from a lot of people, is dwell time. It's a very interesting metric, which essentially says this is the amount of time that it takes before you realize that somebody has been in your network. And a report from IBM recently said that that timeframe is 280 days. And I always say that's like having somebody break into your house when you're taking a vacation, they've been living in your basement, and you don't have a clue. And that's something that people are worried about, as well. A couple years ago, that metric was a little bit lower. But it seems, you know-- [Michael chuckles] it doesn't make sense, it's a little ironic that that number actually seems to be growing a little bit. So, the ability to detect that somebody is actually inside your network is, according to recent report, 280 days.
Peter
Wow.
Michael
And like a year or two ago, I remember talking and saying it was more around, you know, 100 days or so. So, I think just that visibility piece is extremely important for us, as understanding do we have the right controls in place to identify if anybody is actually inside our network and monitoring what we're doing?
Peter
Wow, that is scary. So, I want to talk about the weakest link in terms of cyber security, right? And what companies can help do to tackle it. In your opinion, what is the weakest link in a cyber security strategy?
Michael
If we tried to break this down...you know, I think really in terms of the weakest things, think of three things, maybe. Maybe I'll throw a bonus one in at the end here. The first thing I think of is people. I think people are the most important element. If the business and its people don't exist, there would be less risk, but then you wouldn't have a business. And so, we're always doing things like phishing training to make sure our employees know not to click on bad links. We need to educate our employees. And we need to make our systems very usable, so that they can efficiently access those systems in a secure way to do their jobs. Another thing that we struggle with-- we've been struggling with this forever, is patch management. When you hear about vulnerabilities that are exploited, in many cases you can solve for that. There was a solution in place, but an organization quite simply didn't get around to doing the patching in a timely manner. So, we need to be better with what I call Security 101 and make sure that our systems are patched. Another one which I can't ignore-- back to our earlier conversation there, Peter, is around third-party supply management. We not only need to be concerned about our company's hygiene and security, but we need to think about who is connecting to us, and we need to think about third-party security hygiene, as well. And this should involve departments like our sourcing departments, procurement, making sure that we are collecting evidence and attestations that those companies are secure, but then also monitoring to see what they're doing to some extent when they access our network and restricting access to resources that they don't need to be touching. And then the last one is passwords. I-- personally, I get frustrated with passwords, even as-- you know, because I also have to work from home, and if my computer locks and then I need to type in my password, and if my VPN connection has idled out because my computer locked, then I need to re-authenticate in. And we do have the technology now to abandon this outdated concept of passwords. We can use biometrics, we can use some of the technologies available to us and reduce operational costs by going to passwordless environments, as well. But if you think about companies that have been hacked, and a very large percentage of companies have been breached due to passwords being compromised.
Peter
I read a blog on our Stratascale website that you wrote recently, where you referenced how your wife is actually savvier than you are, the security pro. Can you tell our audience about that? Because I thought that was just a great story.
Michael
Yes. So, my wife is a political science major, and I have been focused on cybersecurity my whole life. So, many years ago, we didn't have a lot to talk about. But it seems like over the past few years, everything is converged. And so, we talk a lot about what's happening globally, and then we talk about cybersecurity. So, my son was going off to school, and I wanted to get him set up with a bank account-- like, a credit card, bank account, just so he could pay expenses and stuff like that. I was traveling a lot at the time, and I was between meetings, and I figured I've got a few minutes, I can just go out online, and I can fill out the form and just get that ball rolling. So, I went online, started to fill out the form; everything was going really well until I hit that box that asked for our bank information and routing number. And my wife is uber organized. So, I texted her and I said, "Hey, honey, when you get a chance, could you please send me her bank routing information." And I wasn't thinking anything about it. I just needed the information, I thought she could help. So immediately, she replies back "..." I knew she had received my message and she was replying back. But what popped up on my screen kind of surprised me. It was all caps, which she never uses. And it was three words, "PLEASE AUTHENTICATE YOURSELF." And so, I laughed, I thought that was kind of cute. And so, I replied back with a little "lol" emoji. And I said, "No, seriously, I do need the information if you could send it." And she replied back, "No, seriously, if it's you call me right now." And so, I thought, "Well, that's kind of odd." And so, I went to call her and as soon as I went to dial the number, I realized that all of these years of talking about how people could be victims of identity theft and how you can be phished all the time, is that she was actually challenging me, in a very respectful way, because she didn't know if maybe because I was traveling my phone had fallen out of my pocket, or somebody had swiped it off of a restaurant table. And if it was unlocked, I mean, they would have the ability to instantly look for a VIP contact, in case of emergency contact, and get bank routing information right off the bat. So, I was so proud of her. I called her up and I said, "Good job. You challenged me." And I think more employees in the workplace need to do the same thing. So, she's very cybersecurity savvy. And in fact, that day she was even savvier than I.
Peter
I just love the story. Thank you for sharing it. It made me laugh again when you told it. It's fantastic. [music plays]
Big problems need big innovations. And innovation means thinking ahead and asking the right questions. It means putting your business before technology. Innovation is analytics done right. It's big ideas and small details. And that's where Stratascale comes in. Part of the SHI family, one of the world's most successful providers of technology solutions, Stratascale brings a consultancy-first approach to helping organizations rapidly adapt in response to business changes and challenges through technology innovation. This is called digital agility. As a wholly owned subsidiary of SHI, Stratascale's researchers, technical advisors, consultants, and field services professionals are fully and seamlessly integrated with SHI's world class procurement, implementation, and managed services capabilities. Customers have access to a truly integrated end-to-end partner for enabling their business to technology transformative journey. With groundbreaking guidance and research services like their Customer Innovation Center and Innovations Lab, Stratascale looks to the cutting edge to find the next big disruptors. Their consultants and advisors are ready to help you discover more than what you dreamed possible. But not only that, they help you do it, too. From strategy validation to solution deployment, execution to ongoing optimization, Stratascale's innovators, technologists, and practitioners will deliver your vision and drive the change you need. Stratascale makes achieving digital agility easy. Visit SHI.com/Stratascale to get started.
[music fades out]
Peter
So, I want to focus more on work-from-home and home workplace cyber hygiene. Stuff that everyone can do, but many just don't, or don't know about. Can you share some strong, quality advice for good work-from-home cyber hygiene?
Michael
Yeah, that's, that's a lot to unpack there, you know, because there is that relationship between what the company provides in terms of security controls, and then what that person has available on their home network. If they're living in an apartment, living in a house, it's really hard for CSO to know all of those different types of environments. So, there are some best practices, obviously, that people should follow. Number one is to connect via the VPN, make sure you're using multi-factor authentication. But you know, if I could tie it back, just in terms of a person sitting at home and maybe not even think about the work computer, think about their own personal devices, as well. One thing that I always champion, because I've seen too many people affected by this negatively, is have a good backup of your most important stuff, right? And what's precious to a lot of people is things like family photos, their budget information, documents that would take a long time to create. And so having a good backup is important, because, you know, unfortunately, I've had a friend whose house burned down. He literally lost everything. And if he had had a backup of some of his important documents or photos digitally, he would have been able to salvage that. So, good backup is really important. You know, you always see those recommendations, which kind of turns a person, like an end user, into a network administrator. Changing the default network name, making sure that you change the default router password. These are all important things. But if I get down to basic things that people can do is, like, don't use the same password across multiple accounts. I think we're all kind of guilty of that from time to time, as you might use the same password on your Hotmail account as you used to log into a website. Try not to do that. And there are password managers if you need to use passwords. Using a firewall is great, but one of the things that people can do actually is if you think about attaching yourself or connecting to various websites which are malicious, you can change your DNS settings. And I think there's probably an audience here which is very technical, and maybe some that aren't quite as technical. But DNS is used to connect to just about everything. And if you want to, like-- Cisco acquired a company called Open DNS, and they actually have a free version of this technology, which allows you to change your DNS information to prevent you from going to malicious websites. It does a lot of dynamic filtering in the background to help protect you. And so, you can go to opendns.com and you can download their free software. And with a real quick change, you can have access to faster Internet, built-in protection for malicious phishing and malware domains, and even some parental controls for people that are trying to practice Internet safety for their children. Another thing is checking to see if your email accounts have been compromised during a breach. There have been so many breaches. If you look at the chronology of data breaches over the past several years-- there have been many. If you go to haveibeenpwned.com, it's-- "have I been" and then it's "P-W-N-E-D" dot com, you can type in your email address and it's a database, which will let you know if your email address was associated with one of those top level breaches. And if you do that correlation and say, "Oh, my gosh, my credentials were actually used," you think about things like password reuse and stuff like that. And then the other thing is just, you know, good fraud monitoring. Nowadays, you can monitor for credit card fraud, and some of those services will actually also scour the dark web to see if any of your credentials or other things are being used maliciously, as well.
Peter
That is excellent advice. And I know exactly what website I'm going to as soon as we are finished this recording, and hopefully I don't find anything. So, we've entered the era of Internet of Things, right, and that creates a whole new world to cybersecurity. Can you talk about how the world is more and more connected, and what risks there are from this, and how we can address them?
Michael
I-- actually, Peter, you know, before I dialed in here for this podcast, I literally walked around my house and pressed "mute" so Alexa wouldn't wake up if I said her name. And my devices didn't wake up right now, so that's good. I successfully put Alexa on mute. The key point here is that many of us have kind of embraced technology. I have the ability to control my temperature, I can change the lighting, I can have music play just by calling out with my voice and connecting through the cloud to these incredible services. And this has really blossomed over the past couple of years. But I think along with this, we need to think about how devices are interconnecting, and then we also need to obviously address privacy. That's a whole other ball of wax, and we could spend hours just talking about privacy. But I just kind of wanted to point out one key thing here, and this is for people who work in cybersecurity, probably very well aware of this. But there is a challenge in terms of visibility with what we've typically had...has been called an IT environment. You picture your standard administrative office workers, whether they're working from home, or sitting in an office, gaining access to company resources to do their job, interacting with customer service systems, financial spreadsheets, and the like. But there's also been this whole other domain of operational technology, and if you think about manufacturing plants, you think about sensors that are trying to monitor and detect different types of events, this OT environment has been kind of a blind spot for a while. And we're starting to see some interesting headlines. In fact, there was a story that was published about a casino that was attacked. And I always picture, like, in the movies, some high tech equipment and people trying to infiltrate into a company using all the sophisticated stuff, you know, getting past the lasers and everything. In this case, it was basically a fish tank. It was an aquarium, and the thermostat. And attackers were able to get in through the thermostat, move laterally through the network to gain access to high roller information. And you smack yourself on the forehead, you go, "Oh, my gosh, you talk about a blind spot!" Like, who's thinking about their temperature control systems within an aquarium? But this really points out the fact that because we have so many devices that are trying to communicate, and they're sharing the same networks, they're sharing the same protocols, we need to think about things like segmentation. And I've been joking recently with a lot of security friends that what's old is new again. For the past decade or so there's been this concept of something called a Zero Trust Network. And what it does is it essentially flips the idea of a perimeter-based security model, where you've got all these controls and firewalls around a data center, and instead what you do is you look to the devices themselves, you look to the users themselves, and you look at the security around those things. And you exercise-- what we've been talking about for a very long time is the concept of least privilege, where a user or a device as the ability to gain access to only those systems required to do their job. And if we can take that idea of IT and OT and build in a trust model-- and you have to follow a crawl, walk, run approach, you know, where you implement this over time and you try to design really good security models, then you're going to be able to connect to disparate resources, whether they're on your laptop, at your data center, out in the cloud, it doesn't really matter because you're always looking at the person or the device, and what they're trying to gain access to, and making sure that you have the appropriate permissions and segmentation around those things. So, there's been a lot of buzz recently around Zero Trust. I personally am a huge champion for it, and I think it's a really interesting thought conversation to have about how do you achieve, or can you even achieve that model to say, "I'm not going to trust anybody, I'm going to challenge them and make sure I have the right controls in place at the offset before I even let them onto my network."
Peter
So, look, I wanted to ask you before we wrap up-- you know, I'm not a security expert, and I want to make sure we don't miss any really key topics that you think are highly relevant to our audience. Is there anything specific that I probably should have asked you about today, Michael, that I didn't that you think our audience needs to know in the landscape of cybersecurity today?
Michael
I think the main thing is, and I've used this mantra quite a bit, that-- because most of the people that I meet in the IT space, the security space, are really smart. I always say, you know, we're smart, but none of us is as smart as all of us. And a lot of the things that we're trying to solve here, we need to be bouncing ideas off of each other, we need to be talking about our pain points, and we need to have a vision for how we're going to achieve that success, whatever that success looks like. So, you know, companies that are focused on reducing organizational risk, and using things like available frameworks to demonstrate measured progress over time are usually the most successful ones. And then if you can kind of pepper in some additional things, like-- there's something called the Mitre Att@ck Framework, which allows you to understand the efficacy of your controls, then you're making sure that you're not trying to boil the ocean, that you're actually focused on protecting the right things. So basically, what I'm saying is let's talk about security, let's come up with a vision and a plan for it, and that's where I think Stratascale is well positioned, you know. I have one of the coolest jobs, I think, in the world, is being able to talk to customers and to have this great team of super smart people behind me. And we've got so many SHI customers that have been around since...you know, '89 is when Thai Lee created SHI, and now we've got Stratascale to kind of elevate that conversation. So that's what we're here for, and if anybody wants to have a conversation, we've got a lot of great resources, really smart research teams and otherwise, and anybody that wants to chat about any of these things, or anything cybersecurity related, they can go to stratascale.com, S-T-R-A-T-A-S-C-A-L-E, stratascale.com. And then also, like, if they wanted to connect with me, I'm not great at social media but I'm fairly active on LinkedIn, so LinkedIn is a great way to connect with me, and then also to monitor for activity related to Stratascale, as well. We've got a very active group of folks who are out there publishing thought leadership articles and the like, so look for and follow Stratascale on LinkedIn.
Peter
Awesome. Thank you so much for being here today, Michael. I appreciate your time and your efforts and keeping all of us at SHI and Stratascale safe, as well as our customers.
Michael
Thank you, Peter.
[music plays]
Peter
Overcoming the human factor continues to be the biggest hurdle in cybersecurity. But the answer to this problem doesn't need to be complicated. Sometimes making things easier is simply the best approach. You have to be willing to think about things differently. And remember, brush your teeth after every meal, use MFA, and try not to bite when the hackers come phishing.
[music plays]
Peter
Innovation Heroes is an SHI podcast, with new episodes streaming every second Thursday on Apple, Spotify, Google, and everywhere else. If you liked this episode, and you want to be our hero, leave us a 5-star review on your podcast listening app of choice. On the next episode of Innovation Heroes, I'll be speaking to Will Ramey about the myths and legends of deep learning and AI, and the real life opportunities this tech can offer to companies large and small. You won't want to miss it, so listen and subscribe to Innovation Heroes now wherever you get your podcasts.
[music fades out]
Peter
This episode is brought to you by Stratascale. Visit SHI.com/stratascale to learn more.