For The Future Indicative, Ep 3 Part 2
Transcript
ALEX EFFGEN
Welcome to the Future Indicative: a podcast on the trends, technologies, personalities, and narratives of business. My name is Alex Effgen, and today’s topic is Cybersecurity.
TOM CLAPPER
“Most everything we do today is in a digital format. Currency is digital. Our medical records are digital. Our legal documents are digital. So protecting these literally is how the world goes around: down to the level of retirees collecting social security checks to people running banks. Everything should be protected.”
ALEX EFFGEN
That was Tom Clapper, Director of Information Assurance at Redhorse Corporation, an IT consulting firm that works on data and technology with the US government. I’ve known Tom for…doing the math in my head but not wanting to age myself…over 25 years. Prior to Redhorse he worked as an Information Systems Security Manager at SpaceX and before that, Northrop Grumman. And despite being a fan of every sports team that I hate, he’s been an ally going back to his days with the armed forces.
I’m a diehard for Boston sports teams. Tom supports New York. We both grew up in Connecticut–the Mason/Dixon state between these two cities–and we got to choose our affiliations. Defending them…at times vigorously…against our rivals ever since.
In the digital age, our affiliations and rivalries can be promoted, publicized, and packaged as online products. Social media. Websites. Betting apps. And where there’s money to make, there’s money to take.
TOM CLAPPER
“I have a really good friend, who knows what I do for a living. And I get a phone call from him one day that says, ‘I need your help.’ And I said, ‘What’s going on?’ And his DraftKings…just a sports betting app. He went in to place a bet on a football game and there was no money in his account. And he was like, This isn’t real. There should be money in here. And then he looked at his bank account and there’d been large sums of money taken out.
And so he called me, and I told him, disconnect your phone—put it on airplane mode. Disconnect from the internet. Somebody had hacked his phone from him clicking on a link on Instagram, and started draining his finances. He’s a construction manager. He’s not a big finance guy. He’s somebody that runs a construction company.
And yet he lost thousands of dollars, and luckily his bank and DraftKings realized these were being shipped to offshore accounts, so it wasn’t him. But this can affect anybody.”
ALEX EFFGEN
Tom works with large corporations and government departments to protect them (and by extension us) from unauthorized access.
TOM CLAPPER
“Cybersecurity is the act of protecting computer systems’ network data from…people damaging your data, or theft of your data. Damage being things like when you see malware that bricks your data up and holds it hostage.
It uses technologies, processes, and different policies that ultimately keep safe our confidentiality, integrity, and availability of all of our digital resources. And that ‘CIA’ triad that you hear is a big thing: Confidentiality, you don’t want people to see your legal documents, your medical records.
The integrity, somebody hasn’t gone in and manipulated the data or your records. Then the availability is, when you need these things, you can access them.
And so when you see the people that hold data hostage or brick up people’s hard drives, that’s where the availability becomes a problem.”
ALEX EFFGEN
You would think protecting the confidentiality, the integrity, and the availability of data for corporations and the US government would require cutting-edge technology and security practices. And…it does. But Tom considers the health of the forest starting with the leaves on each tree.
TOM CLAPPER
“Do basic 101 cybersecurity. Things like unique usernames and passwords.
I hear a lot of people say, “Yeah, but I don’t do anything important.” Or, “My job’s not that important. Who cares?”
Most of us save our passwords for our bank accounts, for our stocks, for whatever you have—are saved in your laptop. Somebody steals your laptop, they also have access to all of that stuff. Basic protections like usernames and passwords. Update your virus definitions. Patch your software. Those are threat vectors—how people exploit and get inside of networks.
And then lastly, just don’t open hyperlinks you don’t know. This is a big problem for young people and seniors is, Hey, your tax return is at risk. Please click this link. And most people: ‘Oh no, I need my tax return.’ And click the link. And then you’ve just infected your computer or your phone or whatever.
If you get something like that, what I always tell people is go to that website. If the IRS sends you something, go to the IRS website and then find the link there.
Those basic 101 hygiene things would make the difference probably in—I’m going to pull this number out of the air—probably 60% to 70% of the breaches, the hacks, the things that happen are done through one of those things.”
ALEX EFFGEN
Seriously, Tom? The big idea we need to capture is that it takes a village to protect a network?
I have argued that you might spell the word business with the letter S three times, but it takes four of them for a business to be in business:
SPECIALIZE: What is this?
SELL: Who needs this?
SECURE: What can disrupt this?
SCALE: How do we expand this?
Every business must address these four categories, some sooner than others, but when it comes to cybersecurity, how do we SPECIALIZE, SELL, and SCALE what everyone must SECURE?
It starts by changing our collective mindset.
TOM CLAPPER
“Unless you are somebody who is 100% off-grid, which almost doesn’t exist, if you have any sort of technology, this stuff applies to you.”
ALEX EFFGEN
If we can’t put the genie back in the bottle, or the carbon back in the copy, then how do we SPECIALIZE the protection of our products and services?
TOM CLAPPER
“I’m going to give you a two-part answer. The first one is AI and machine learning as a tool to start protecting where we get humans out of the loop, so there’s not a human actually touching a keyboard. It’s software keeping this stuff safe, things like detecting hacks or intrusions, protecting against the intrusion once it happens, things like that.
The second, and for me, the bigger one is what is called zero trust. The average computer network right now is built like an M&M. Has a nice hard outer shell, but once you get inside, it’s just a squishy piece of chocolate.
What zero trust says is if I exploit one single service or one single threat vector into your network, you then have to exploit the next one, the next one, the next one. You can’t just get in and then have unfettered access. You will have to do it over and over and over again.
And they do that by micro segmenting data and services. They’re all literally independent of themselves. So zero trust is coming. It’s very important because it makes it a lot harder to fully exploit something or somebody. And AI and machine learning will help make that a reality as well.”
ALEX EFFGEN
When will they make that a reality?
TOM CLAPPER
“In the not-too-distant future, let’s say the next two-to-five years, zero trust will be a relatively common phrase the way AI is today.”
ALEX EFFGEN
Cultures change with practice and patience, as much as they change nowadays from program transformation, the process of formally changing a program to a different program with the same semantics as the original program–improving the construction, maintenance, and reliability of software iteratively. If everyone needs to do this, then it should be easy to SELL. Right?
TOM CLAPPER
“I’m starting to liken scams and cybersecurity schemes to cancer. Everybody knows somebody that’s been affected by cancer at this point in their lives. If you haven’t, you are very, very lucky.
But scams and cybercrimes are starting to become that. We all know somebody. And what we inherently do as humans and go, Man, that sucks for them. But that’s not going to happen to me.
And inevitably something will happen because there’s going to be a different threat vector that you didn’t see coming. You might say, Oh, I don’t ever click on hyperlinks and emails and I delete that stuff.
But you see an Instagram thing that you find amusing, and you click on that and then boom, your phone’s infected. And so the fact that this is starting to get into people’s lives, not just company lives….It affects everybody, either peripherally to somebody you know, or you directly.”
ALEX EFFGEN
It affected me directly. A year ago I was notified by my credit card company that there was suspicious activity. A number of charges local to Southern California while I slept in Northern Massachusetts. I was incredibly grateful that my card company notified me in time to suspend the card and cancel the charges. Covering my bases I contacted the monitoring service that I paid monthly to make sure they were aware of the compromise. They were not aware, nor did they seem terribly concerned.
TOM CLAPPER
“Anybody that ever has heard me speak on a panel or worked with me, they hear me use the phrase security theater. Security theater is where you believe you’re protecting yourself. And your monitoring service is a perfect example.
Monitoring services usually are out there to tell you if something new comes up in your name. But if somebody is exploiting your existing thing, they will rarely tell you. And so somebody could max out your credit cards, drain your bank account, all of that stuff. And they’re probably not telling you.
But I do think the average person thinks, Well, I have this credit monitoring thing, so I’m good. I’m safe. And the reality is they’re no more than security theater to you.”
ALEX EFFGEN
Well, at least I had that going for me.
Thank you for joining us on Part 1 of The Future Indicative’s Cybersecurity episode. In Part 2 we’ll cover the vulnerabilities outside and inside an organization, as well as how to make security more accessible and therefore more extensive.
While opinions expressed are solely our own, we’d gladly connect with you on zero trust, sports teams, or theatrical security for further discussion. This is a village and here is our network. Share the link with friends and family for their own best practices. On behalf of Indicate Marketing, I’m Alex Effgen. And we appreciate your time.