Taking a proactive approach versus a reactive approach to cybersecurity makes a big difference for the stress levels of employees and customers. The daily conversations that take place with management can change the impact of a ransomware attack remarkably.
Today’s guest is Robert Anderson Jr. Robert is a national security expert, author, and business leader dedicated to helping companies improve cybersecurity and reduce business risk. As Chairman and CEO of Cyber Defense Labs, he brings decades of executive leadership and operational experience in cybersecurity, counterintelligence, economy espionage, and critical incident response.“The reality is, you know what to do prior to the incident and in most of these cases, it’s a bad place to be if you are reacting to a breach that has already happened.” -Robert Anderson Jr. Click To Tweet
- [0:57] – Robert describes his current role as CEO of Cyber Defense Labs and his background in the FBI.
- [2:14] – The plan for Robert going into cybersecurity evolved over the decades of his career as a direct result of the evolution of how crime is committed.
- [3:52] – Anything you can do before something bad happens is the best thing for your company.
- [4:42] – Once a breach happens, it goes beyond inconvenience and risk for clients. It could mean the end of a business.
- [7:01] – In Robert’s experience, most companies have a plan but the plan hasn’t been tested and doesn’t hold up to an actual data breach.
- [9:01] – Robert describes scenarios while working in the FBI in companies choosing to pay ransoms after being hit with ransomware.
- [11:10] – The larger the company, the more complicated this becomes.
- [12:50] – Breaches have changed in recent years and now ask for millions of dollars.
- [14:45] – Chris and Robert recommend approaching practicing for possible breaches like fire drills.
- [17:03] – Robert advocates for being informed and understanding all laws when getting involved with ransomware.
- [18:57] – The reason why ransomware is so prevalent is it's a trillion dollar industry. Bad guys are making a lot of money.
- [21:26] – Hacking ability or high level hacking is not necessary to perform a breach anymore.
- [23:10] – Skilled hackers make even more money because they are often contracted for jobs.
- [24:36] – Robert believes there should be a global set of norms similar to the UN when it comes to what the world will tolerate when it comes to cybersecurity.
- [27:30] – The first call a company makes is not for help. It’s for mitigation.
- [29:18] – In Robert’s organization, cybersecurity is a daily conversation.
- [32:03] – Robert will not open a single email if he does not know who it is from.
- [34:10] – Logging onto public wifi can be dangerous.
- [35:55] – Your frontline of your company is made up of your employees. Educate them.
- [37:58] – You must have an internal and external communication plan.
- [39:31] – What are three things you can do after a breach?
- [42:31] – Chris gives an example of proper communication from a company that included their proactive approach and a timeline.
- [45:32] – Communicating with customers is important but it is equally as important to communicate with your team.
- [46:36] – When it comes to class action lawsuits, nowadays, even employees can sue the company.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Cyber Defense Labs Website
Robert, thank you so much for coming on the Easy Prey Podcast today.
Thanks for having me. Good to be here.
Can you give myself and the audience a little background about who you are and what you do?
Yeah. I'm Robert Anderson. I'm the Chairman and CEO of Cyber Defense Labs. Our main headquarters is based out of Dallas, Texas. We're a full-service cybersecurity company that does both proactive and reactive cyber for any company out there.
Background, I've been the chairman and CEO for the last four, going on five years out here in Dallas. Prior to that, I was an FBI agent for 21 years. Prior to that, I was a Delaware State trooper for nine years.
In the FBI, when I retired, I finished as the executive assistant director. I had about 24,000 of the 34,000 people in the FBI working under me. I was in charge of all global criminal and all global cyber operations and a bunch of other stuff. That's pretty much it.
Your introduction into cyber, was that something you chose to do, or was that just the course of your career that you just happened to get put in charge of something or learned about something and said, “Hey, we should have Robert do that”?
No, it's funny. It's a good question. What I would tell you is it's the evolution of what I've seen criminal activity and nation-state activity become. It wasn't anything in my career that all of a sudden I said I was going to go do cyber.
When I went into the state police, it was 1986. And you had a Plymouth Fury that was about the size of your studio and a radio with three channels on it. Back in those days, for a bad guy to hurt you, that bad guy had to break into your house, touch you, or physically accost you.
Fast forward 30 years later, around 2010, 2011, the FBI really started to focus on this stuff called virtual currency. All of us were going like, “What's virtual currency? What's that?” As a matter of fact, the laws weren't even written down virtual currency. It's tangible property. This isn't tangible.
By the end of my career, before I retired in 2015 and went out to the private sector, literally every conversation every day with the director or the Attorney General of the United States, Congress, or Senate, was focused on cyber, cyber terrorism, cyber counterintelligence, cyber criminal activity. It was really an evolution over 30 some years of watching how bad guys did it and that it really evolved into cyber, and hence why for the last eight years in the private sector, I've been out doing cyber.
You mentioned that your company works on the proactive side and the reactive side. Can you talk about what those are and what the differences are?
Yeah, that's a good point. By the way, I'm a big believer in anything you can do before something bad happens is the best thing for your company. Coming into a company after a major cyber breach is like showing up at a car accident. You can fix it, investigate it, but you didn't prevent it.: I'm a big believer in anything you can do before something bad happens is the best thing for your company. Coming into a company after a major cyber breach is like showing up at a car accident. You can fix it, investigate it, but… Click To Tweet
Our company has two sides of it, really. One side is the proactive coming in and looking at your policies and procedures. Are you prepared for a breach or ransomware attack? Do you know what to do with your data? Is your company resilient? Do you have segmented data, resilient data?
Can you get your data back? Most people in the house are now “in the cloud,” and they've never tested it. They tell you you can get it back in 24 hours, but can you? Most breaches I've been involved in, the answer is no.
The other side of the house is putting protection up around your firewalls and outside your endpoints, looking at your managed services side of the house to determine, “Hey, are there bad guys knocking on your door trying to get in?” That's really the two sides of our company. Obviously, we try to surround that because once the breach happens, it's beyond a business interruption. It's a critical incident to your company that could be, unfortunately, the demise of the company if you don't handle it correctly and very quickly.
I like when you talk about the backup thing. I come from a small business background. One of the companies that I originally went to start to work for them, they said, “Oh, yeah.” I was like, “OK, what's the setup here? How do you back up critical data?” “This is our backup solution.” I was like, “Where are the instructions for it?” Because it was a platform that I was like, “Gosh, this thing is pretty old. What are the instructions for it?” They're like, “Well, the last guy had it.” I'm like, “Do you know where he put the instructions?” “No.”
The company was no longer even in business, didn't have a website, so while they had this backup software running, there was no process in place on how to recover it. Once I started poking, then it started asking for a password. I'm like, “Does anyone know what the password is?” That's one of the things I've always talked to people about. It's great that you know how to back up something, that you've got a backup process in place, but have you ever actually tried to recover it?
Unfortunately, I’ve got to tell you. I did thousands of breaches inside the FBI, and I've done thousands outside in the private sector. Unfortunately, companies still don't do this. They all know they need redundancy data. They all know they need segmented data. They all know that they need to be able to restore their systems. But most companies are good at making this cup, that's why they're a company, they're good at making this cup.
I think, nowadays, because it's so sophisticated, the attack vectors of good partnerships with cybersecurity companies and/or IT firms, because that's two sides of the house, that actually make their systems safer. I'm telling you, I see this, unfortunately 90% of the large companies they work with, even with their incident response plan, if you sit down into a tabletop, if you sit down and just run them through a mock incident, they'll go, “Well, who has that piece?” “Well, that was Jim, or that was Sally. They retired two years ago or they got transferred over here.”
They have a plan and it would pass an audit, but as far as functionally operating that plan, almost nonexistent most of the time. If you think about it, these are really the basics. This isn't anything advanced. This doesn't even cost you any money. You just need to exercise the plan.
One thing that I would say here, Chris, too is very important, and I say this a lot. Nowadays, I don't care if you're a 10-person company or a 100,000-person company, you need to make cyber and the problems that occur with it with today's type of nation, state, and criminal organizations, a daily conversation. You need to not structure your whole life around it, but you need to have these conversations internally with the leadership team to say, “Hey, have we done this in a while?” Or, “Hey, are we familiar with the latest version of ransomware that's out there?”Nowadays, I don't care if you're a 10-person company or a 100,000-person company, you need to make cyber and the problems that occur with it with today's type of nation, state, and criminal organizations, a daily conversation.… Click To Tweet
Casual conversations, not a line item. That'll keep you much more abreast than the way I think we used to do it, where you just make it as a line item, put a plan and a book someplace, and you can't even activate it.
I think the public opinion or the conventional wisdom of, “Hey, if you're a victim of ransomware, don't pay it, restore from backup,” that works great if you've ever restored anything from backup. But if you haven't, that becomes problematic.
Yeah, unfortunately. By the way, people should be aware. The laws on ransomware and what the government's view on that has changed dramatically in the last year. When I first retired in 2015, the company I was running at the time, I will tell you, we paid for the clients hundreds of ransoms, hundreds, and hundreds, and hundreds of ransoms. Why? Because most of the clients that we went and engaged with, we'd say, “Hey, do you have back up?” “Sure.” Guess what, they weren't existing.
Now all of a sudden, a company's going, “Wait a minute. I'm going to go out of business, or do I pay this ransom?” Again, it's the company's decision, not mine. But the reality was, I will tell you a large majority of them defaulted to paying that ransom.
It promulgates this criminal enterprise of ransomware around the world. It's not because they want to pay it, it's because they're in a situation where they've not taken those measures or steps. Unfortunately, they have to pay it, otherwise the organization is going to go bankrupt. I really was surprised over the years. I've not seen a lot of change in that.
In the last year with the government, the Department of Justice, and the way that they're looking at this, companies need to be very careful on doing that. I think they need to consult with outside law firms before they even think about it because they're taking a harder line look at it with the victim, meaning the company than the bad guy, and it's changed a lot.
Unfortunately, when I came out to the government, everybody was paying ransoms. Even now, today, that's one of the first things we talk to clients about. “Hey, what are you doing on this and what are you going to do?” Like you said earlier, exercising and making sure, check and verify that you can actually get this stuff back.
With respect to ransomware payments, since you actually have personal client experience with this, is it even somewhat more of a pragmatic thing of like, “Well, yes, we do have the backups.” Let's say we even do have backups in place, but we know that that process is going to take us hours, days, weeks to restore everything. There's an opportunity cost, there's a financial cost to being down while you recover everything.
Is that sometimes that pragmatic decision of, “Well, us being down, it's going to cost us $10 million, let's say, and the ransom is only $500,000. It's just a pure financial decision. Let’s just pay the $500,000 to be back up and running quicker, and then we can now start to play cleanup so it doesn't happen again”?
It's a great question. I would say it's a little of both. It seems to me, in my experience, we have a lot of these things, the larger the company, the more complicated this becomes. Depending on how bad the adversaries have actually engaged throughout the company, if there's only a piece of the company locked up versus the entire global corporation locked up—but the biggest learning point out of this is the time to talk about it is today, not during the ransomware.
What I find is the majority of companies—again, they're really good at building a cup or whatever they make—they don't take that time to say, “What if? What if this happens, how are we going to do it?” It becomes really critical incident management because you've got a company now that's in a bad situation, and now they're trying to manage this on the fly.
The biggest part of this, whether you think you're going to have to pay it or not pay it—and I would default to not if you can with your segment, redundancy, and knowing when you get your data back. That's a big key; you pointed it out. Sometimes it takes weeks, especially if it's a large company. If your data is commingled someplace and they don't even realize it is, but the reality is, you know what you need to do prior to the incident.
In most of these cases, unfortunately, I will tell you that I've been involved in over the years, it's not. It's a reaction to the accident. It's a reaction to the breach, and that's a bad place to be. I will tell you this too, eight years ago, ransoms were routinely $5000, $10,000, $15,000. These things nowadays are millions of dollars.
What people don't realize if they haven't even understood, where do you get virtual currency? There's hundreds of versions of virtual currency. How long is it going to take me to procure this? How am I going to get it? You get what I'm saying—there’s a lot of complications there. Even down to that, you really need to understand the process, because that will also impact your thought, your rationale, and what's going on in the company.
My bigger thing is to be a consumer and be aware of what's out there. You don't need to be an expert, but you need to be aware of what's going on. You can call in the experts, but understand what other companies are, especially if they're in the same business line as you.You don't need to be an expert, but you need to be aware of what's going on. -Robert Anderson, Jr. Click To Tweet
We see this all the time. We have an immense amount of large banks as clients. One bank gets it, you might as well start calling the other banks because they're all going to get it. It's the same way with manufacturing, health care, and on and on. Just being an avid consumer of understanding what's going on around you, I think, is a big help.
You talked about companies having reactive incident response in terms of like, “OK, it's happening now, what do we do?” It's the thing that the conversations they need to have or similar to when we were kids, there was always the quarterly fire drill at school. “OK, when the bell goes off…OK, you get up, you go out this door, you go out that door, this class always lines up at this spot.” It's the analogy of planning. “OK, if we have ransomware, we may not be able to solve it ourselves, but we know this is the company that we call as opposed to, ‘Hey, let's start getting referrals now.’”
100%. As a matter of fact, one of the things I recommend, and it should be on every board meeting, it shouldn't just be four times a year, but the reality is, you should have on speed dial the outside law firm that you're going to call. By the way, the day you meet them shouldn’t be the day of the breach. You should meet them and talk to them, interview them, and make sure you're comfortable with them. Make sure they are absolute experts in whatever you're hiring them for.
The reason I say that, even if you're a large company, you have a general counsel with a very large lawyer staff, it doesn't matter. That man or woman is going to be completely overwhelmed by the CEO and board on running whatever's going on in the company. You need that outside support.
I would have a list of cybersecurity firms, incident response firms. Obviously, if you have cyber insurance, that's a whole ‘nother conversation. I could talk about that for days. And then who's your outside law firm, virtual currency, all that.
You should have already met these people or somebody on your team should have met them. You have that prepared for the worst-case scenario instead of trying to scramble for it and kind of catch as catch can during an incident. That's the best way to do it.
Earlier, you were talking about the government stance on ransomware payments changing, and you alluded to it. What specifically is that change where the government is doing it now?
It's a lot more focused back on, in my opinion, the company that is potentially being attacked by a bad guy. It doesn't matter who it is—nation, state, or criminal organization. It doesn't matter. If they are going to now pay a ransom to that, there are very tight guidelines the DOJ is looking at. Is this a legal thing to do? Are you violating any type of audits or fiscal responsibility depending on what business sector you're in? There's a whole bunch of those, and they're holding companies accountable.
I don't necessarily agree with that philosophy. I think there has to be a middle ground someplace. You also need companies and they're not there yet, trust me, that aren't afraid to go to the government for help. They don't want to immediately go and then all of a sudden, “Wait a minute. You’re digging into all this stuff about my company and holding me responsible.” There's still a hesitancy, especially with large companies to do that, so there needs to be a better way of doing it.
When I first retired in 2016, 2017, 2018, it was like the Wild, Wild West in cyber. The incident when you had ransomware involved was extremely high. The ability to try to decrypt that on your own is almost non-existent nowadays because the hexadecimal codes and algorithms that the bad guys or bad gals use, you can bring in the FBI, the CIA, DOD, NSA, you're not going to break it. You default to, “OK, wait a minute. Now I can't run my company.” Hence pay the ransom.
I think people don't understand that. What I advocate is you need to be informed and understand these laws before you even get near a ransomware thing, because inadvertently, as a CEO or chairman of a board, you may make a decision that has civil or legal complications for your own company. It's just something somebody should be smart about. You probably know, and it's kind of disjointed, but literally, every state in the country has a different statute that says, “This is what constitutes a breach.”
Depending if you're in Delaware, California, or Texas, you might not have gotten breached. It's up to the legal entity and the cybersecurity firm working with you forensically to say, “Did you actually have to report this?” If you’ve got a publicly traded company, do you need to make an announcement or not? It's very complicated nowadays. Again, I think a lot of it is making a daily conversation and being aware of what's going on in your surroundings. That's the biggest piece of this in my opinion.
Just one more thing about the government stance. Some of the concern is this money is going to fund terrorism or criminal organizations, and therefore if you're giving money to the criminals, we're not sure we're OK with that.
No, it is. There's definitely that. I also think, though, you want my honest opinion, it's more that I'm trying to get a handle on this whole problem. They need to stop the promulgation. The reason why ransomware is so prevalent, it's a trillion dollar industry. Bad guys are making a lot of money off this.
It's funny because when I came out coming from 30 years in law enforcement, every time we work with a company and they said, “Oh, we want to pay the ransom. Can you help us do this, this, and this?” I always said to my team, “They're never going to give us the code.” Well, I've got news for you. I've never not received the code back from the bad guys because it's a business.
There's this chicken or the egg thing here, and I think the government is trying. Don't get me wrong, you have men and women killing themselves 24 hours a day to protect the country out there. I think they're trying to curtail this. I think, though, what needs to happen, and I've been a big proponent of this, because this is such a large problem nowadays. It really needs to be the private sector, the government, and private cyber corporations that work together to curtail this issue.
I could say from being in it, there's not enough men and women in the USIC or in the federal law enforcement community to handle this threat. There are too many breaches. It's thousands of these things a day, and I don't think people realize that.could say from being in it, there's not enough men and women in the USIC or in the federal law enforcement community to handle this threat. There are too many breaches. It's thousands of these things a day, and I don't think… Click To Tweet
In the FBI, when I ran the cyber program, we didn't open up a lot of cases, but Iran had Snowden, Iran OPM, Iran Sony. That's the cases we open. There are thousands of little companies and medium companies that are getting hit just as hard that would never rise—you get what I'm saying—to that level. I think we just need a better philosophy on that. In my opinion, this is the first step of the government trying to curtail that, and we'll see where it goes.
There's this weird level of ethics in ransomware scammers. There's not enough ethics, so they're willing to commit criminal acts, but there's enough ethics for them to be able to say, “Well, we have to give the ransomware key if the ransom is paid, otherwise, no one's ever gonna pay the ransom.”
That's right. It's not going to be an issue.
It's a very weird route.
It's a trillion-dollar business. There's a lot of money to be made at that, unfortunately. I always say the old days of cyber three years ago, like that's the oldest. But when I first started back in 2010, 2011, 2012, we started really hitting cyber hard both for cyber and all these other, whether it's counterterrorism, criminal, or counterintelligence. Back in those days, the men and women that attacked companies actually knew how to hack.
What people don't understand nowadays, the reason why I think this has proliferated to large-scale criminal and small scale, but large money criminal organizations, is because you don't need to be a hacker anymore. I can go on the dark web. I can go into a router. I can hire somebody to hack you. I can buy your PCI, PHI, or PII. These are some of the things I think when you talk about educating people, they need to understand, that's real. That’s not some made-up thing.
For me, to launch an attack against 10,000 banks in the United States, I can subcontract that out. Nowadays, you don't need to be a hacker. That's a big deal. In the old days, you needed to know how to hack. Nowadays, I can hire somebody. That really has speeded up, in my opinion, the whole proliferation of ransomware and these extortion attacks that they really just got to make a buck and then get out before law enforcement can catch them.
Do you think that in some sense, while at the moment it might be increasing, but the fact that maybe that because the hacking is outsourced that there's actually less hackers out there than might be imagined?
You make a good point. I think it's going the other way. I think the people that can actually hack are getting paid crazy money now because they're the subcontractors. They are the guys that can actually do these attacks. Whether the attack is successful or not, you're paying them up front.
I think, especially the really sophisticated ones that potentially could be breaking into government organizations on behalf of—because even nation-states do it nowadays. Sure, they have intelligence organizations to do it. Russia is a good one with the 26 elections and all that. But the reality is they also subcontract this stuff out.
I think they stand to make huge money, unfortunately, nowadays. They take one step back from the actual risk, because if the law enforcement is following the money and seeing where all this is going, that's not going back to those guys. They've got it set up so it's going back to the organization. I think that's one of the new modern trends that makes this so hard when you actually try to look at attribution and say, “Where did this actually come from?”
Even if you are able to determine this organization orchestrated the attack, none of them actually committed the attack themselves.
That's exactly right. It's interesting, because as you know, this is a global problem. It's almost like terrorism was, in my opinion, right after 9-11 for us, because I lived that inside the FBI, and it monumentally changed the entire United States intelligence or let alone just completely transformed the FBI. But my point is, prior to that, did we have what was called legal attachés in countries all over the world? Yes. But after 9-11, and definitely by the time I left way up high, I would talk to my counterparts in countries all over the world daily.
When it comes to cyber, I really think we need these global cyber norms, almost like the UN in a war zone. Here's what the world's going to tolerate when it comes to cyber attack, whether it's criminal, nation-states, activists. The reason I say that, I was in Australia probably a month ago giving speeches in three or four cities down there for some companies. If you look at what's going on in Australia, they are starting to get hit hot and heavy by major sites. It almost reminds me of the US 10 or 15 years ago, where they're specifically targeting large-scale companies for large money.
The reaction by the government is totally different from what I've seen here, and I think it merits some conversation. They've stepped fast, stepped in to help the companies and said, “We're not paying anything. You're not paying a dime, but we're going to come in and help you get your infrastructure back up and running.” There's a subtle difference there. Granted, much smaller economy and scale than what we do in the United States, but I thought it was very interesting.
One of those attacks actually happened when I was down there. The conversations I had with some pretty high-ranking government officials when I was there was, “We're just going to stand fast and not panic, but we're going to come in and support the companies on the front end. Do not worry about if they did something wrong or not; let's just get them fixed.”
It's more part of that global norm. What are we going to tolerate and then how do we link together like we did in terrorism? I can tell you, a large part of the world after 9-11 all came together and said, “We're going to stomp this threat out,” and we've done a pretty good job on it.
It's easy for a government entity to say, “Don't pay that ransom” when they don't have to deal with the consequences of it.
Exactly. When you're the CEO, chairman, or chairwoman sitting there, and you're trying to figure out, “How do I pay my 20,000 employees? How do I keep this company running?” It's your fiduciary responsibility to the stockholders or the investors in your company. Having been a chairman and CEO for the last four years, trust me, my thought process on this is different than it was eight years ago.
The reality is, I see a different picture because of where they sit than I did when I was just a pure government official. There's merit on both sides, obviously. But you get to see like, “Hey, my responsibility legally is to this company, my shareholders, my employees.” You know what I'm saying. It's a different conversation.
I keep the point, and it's a hard one to do in the US, but how do you get companies that their first phone call is to somebody in the government? We're not there yet. How do you make that happen? Don't get me wrong, I don't have all the answers, but that's where we need to get, I think, because it's just such a big problem.
I think in the US, unfortunately, the first phone call is the lawyer. It’s not, “Who do we call to deal with this, but how little of this can we make public?”
The first call is damage control, not mitigation.
I'm in 100% agreement with you, and that is something I understand. But seeing this glimpse into Australia and some of the things going on in the UK right now, it's interesting to me because it's not how we've done it. Again, it's a smaller scale, so they might be able to do it easier there. But it's interesting, at least to talk about.
Hopefully they're learning from our mistakes and how we've done it here in the US.
Yup, no doubt.
I wanted to ask, being a cyber defense firm, do you believe that your organization is being attacked by criminal organizations in the sense of your attempts to help your customers or to find out who your customers are?
First of all, 100%. Our internal security team absolutely comes to work every day thinking we're going to get attacked. I will tell you, the reason I think they would attack us is not necessarily to get our clients. It’s more of a professional thing. They want to break into the firms that pride themselves on protecting other companies, and then publicize that they've broken into those firms.
For us, obviously, being a cybersecurity leader and coming into companies as the experts, you can't have that happen. When I say we have daily conversations about this, we do. I like to have briefings with my team weekly on who's knocking on our door, why are they doing it? We talk a lot about third-party risks because you have a large scale between the 25-year-olds that are working in our SOC as a tier one analyst up to the guys like me that are closer to 60 than 25.
The reality is anything you got on your phone, any social media app you got on your phone, any email that you have—and we all know everybody's lives are tied to their phone nowadays—that’s all third-party risks. How are you managing that? Not necessarily to intrude on the employees, but how do you keep your company safe? We have a lot of conversations about this, but really for us, it's more of an image issue. They will try to hit our company, no different than large brands of cybersecurity companies around the US so that they can say they broke into that place and then disparage you that way.The reality is anything you got on your phone, any social media app you got on your phone, any email that you have—and we all know everybody's lives are tied to their phone nowadays—that’s all third-party risks. How are you… Click To Tweet
A little bit of the ego trip.
100%. There's a lot of that out there. “I'm better than you. I can get in.”
Do you find yourself personally on the paranoid side in terms of the way that you look at your devices, your computers, the electronics that you bring into your home?
I wouldn't say paranoid, but after 30 years of law enforcement and eight years doing this, the answer is yes. I use two-factor authentication on everything. This is a true story. You can call my CFO and ask her this right now. I don't open any email that I don't know who it's from. I delete it. If it's important, guess what? You're going to email me back.
A true story was about a year-and-a-half ago, she sent me a DocuSign document. It didn't come from her, it came from one of her staff. I deleted it. I didn't even open it. About an hour later, I get this call, “Hey, did you sign that document?” I go, “What document?” “We've sent you a document.” I go, “Unless you call me right before you send that—and by the way, the conversation takes three seconds—send your document, sign it, Bob, I'm deleting it.” Guess what? I haven't got a document set to be sent that somebody hasn't called me.
I know most people think, “I don't have time for that.” Yes, you do. If you don't, somebody on your staff does. I'm very, very particular on how I respond to anything like that because unfortunately, I've been through with so many breaches—not me personally, but with the clients and partners that we've had over the years that have called us in to say, “Hey, how did this happen?” We come in forensically to look at it and go, “Here's exactly what happened.”
Most of that, as you all know, is conscientious employees, not people that are trying to destroy the company. They're busy with their daily life, their personal life, their professional life. They're just trying to get through work to go pick up the kids or do whatever. They click on something wrong, and it's a disaster.
I have a pretty ironclad policy. Unless I know where it's coming from, I delete it. I already told you about the DocuSign stuff. I really, really push any type of multi-factor authentication that anybody will do. I don't care how you do it. There's a million ways to do it nowadays, but I think that cuts your risk significantly.
Are there steps that you take on bringing electronics into your home? Some people will be like, “Oh, I want an IP camera for security on the outside of my house. I'll just find the cheapest one on Amazon, throw it up in my house, and connect it. I've got security now.” Would you just buy a random camera off of Amazon? What kind of due diligence would you do before bringing something like that into your home?
No. I think that's also a very nice point. It goes unfortunately well beyond that now with thermostats, refrigerators you talk to, your car. I don't do anything. If I'm investing into that, you can guess I’ve got cameras everywhere around my house.
I always buy direct from vendors. I don't do anything off the internet. I don't bring anything in that isn't at least at the highest acceptable level of this is probably a true product. I am very cautious. I obviously shield my Wi-Fi. You can't get to it outside my house. There are ways to do that. I do all the types of that stuff.
Another thing—I will tell you this right now, and I see it all the time. I'll just cut to the chase. It goes further. If I'm sitting in a lounge because I fly everywhere, I don't log on to the Wi-Fi; I use my hotspot. If I'm sitting on a train going to New York, I don't log on to the train; I use a hotspot. If I'm sitting in some well-known coffee shops because I know that's where a lot of bad guys sit, I don't do that.
I know we all do it out of necessity because, “Oh, my goodness. I’ve got to get this email back. My boss has hit me up. I'll just log on for a second.” You don't realize that, potentially, there's a guy or gal that has been sitting there all day waiting for you. I'm pretty diligent about it.
I don't want to get into particulars on camera, but we do a lot of self-initiated testing of our own employees. I won't get into what all that is just for security reasons, but I take it pretty seriously. Again, as you and I have talked, because this is on the proactive side, and this is so much easier than dealing with a major catastrophe.
It's funny because I still get pushback from large-scale partner clients about multi-factor authentication. “My team hates it. There's no way I'm going to get 50,000 people to do this.” “Oh, yes, you are. Trust me. It'll happen in a day to shut their email. You know what I mean?” It's funny, people push back on that. You know what I mean? It's the easier side of this, quite frankly.
It's challenging because we live in a society that is so much about convenience and lowering barriers to entry. Security is an uphill battle against that because it's intentionally putting barriers to convenience in front of people. It's just trying to figure out how much barrier convenience can I put in there before they start doing something stupid to try to bypass it.
100%. And it's a balance, especially with phones nowadays with the employee gap and age and stuff. Some people live their whole life on social media, and you’ve got to be careful. You don't want to take that away from them. There's a variety of different things you’ve got to look at, but you’ve just got to make people aware.
I'll tell you one of the biggest things if no one listens to a thing I say, educate your employees, your team, your staff. Educate them. It's the number one thing. That's the front line of every company. Whether it's your personal banking, it's your 10-person shop, or 100,000-person shop, educating your employees to what the threat really is, because that's who's going to stop most of this. Then you can put in all this other stuff you and I talked about, but that's a really big piece of this. I think it's just educating the employees that this is real.Educate your employees, your team, your staff. Educate them. It's the number one thing. That's the front line of every company. -Robert Anderson, Jr. Click To Tweet
People do come in through social media. People do come in through different connected devices. Third-party risk is off the charts nowadays. You look at it easily. I go back to my analogy when I was a state trooper in ’86. If you had an alarm on your house and a bunch of lights back then, nobody burglarized you. It's too hard, so they went to the next house. That's the way you need to think of your organization, quite frankly, because notoriously, bad guys aren’t going to go out there and work real hard. They're bad guys. They want an easy way in and an easy way out. You want to make yourself the more protected of those people to target.
The more complicated of a target you are, you hope they're just going to go on to an easier target.
100%. For criminal organizations, that's 100%. We get into these targeted nation-states—that’s a different thing. For criminals, 90% of what most people are dealing with, you're 100% right. They're going to move on, and they're going to go someplace else because they're not going to come back.
As we come towards a landing here, let's talk a little bit about the reactive side. We've talked a little bit about it. But now that someone has been a victim of an intrusion into their network or ransomware, we talked about whether you need to call outside counsel right away, call an appropriate government organization. What steps should companies be taking after the fact?
I'd say three things. If you're the guy or gal running the company, you have to have an internal and an external communication plan. You need to be able to talk to your employees, and you need to be able to talk to your clients. People go, “Oh, that's no big deal.” “Really? Remember, your email’s down. Write all your emails down.” Then they stare at you.
There are ways to do all this, but internal and external communication plans. Again, if it's ransomware, you're getting really good guidance from a reputable law firm that understands cyber ransomware and where the laws are nowadays.
The last thing, which unfortunately doesn't happen all the time, is after you’ve fought through all that and you have been told or notified that your breach is contained, you need to understand is the bad guy/bad gal forensically really out of my company? Too many times, I can tell you that we've gone into post-breach remediation. I've been told, “Bad guy/bad gal was out of here three months ago.” While we're there doing some type of an assessment, they get breached again. It's not because the bad guy came back in, it's because they left the payload inside their system that forensically nobody found. It's no different than putting a bomb on your desk that says in 128 days, 12 hours, and 18 minutes it's going to go off and send it back to the bad guys.
Unfortunately, in the last year alone, I bet you have seen three or four companies across the US that have suffered this. They've had the breach, they fought through it, they think they're remediated, they go about their daily business, and the bomb goes off six months later. Those are the three things that I would do if I was the head of whatever corporation, and then you can finesse it after that, but those are the big ones.
This is a little satire question here. What's your opinion on those public disclosures to customers if we value security, followed by all the ways that they didn't value security notifications?
I think you’ve got to make a statement. One thing that I always say to boards and the people running the companies is—and we used to say this in the FBI all the time—whatever you just said, what if that just went into The New York Times and to show it up in front of everybody?
Again, this is part of that productive conversation. If you know something's broken, you don't necessarily need to have it fixed overnight, but you need to be moving in that direction. You need to be putting resources, money, and people towards it to fix it. I think it comes off a lot more professional, not so disingenuous as some of these things you and I have all seen in the media. And I think you really need to think about that upfront.
“If we did have this, this is the weak spot in our company, this is where they're going to hit us until we get it fixed. How should I communicate that to our internal audience, which is our employees, because they're scared about it. Are they going to get paid? Is their health care no longer working? Blah, blah, blah, and then also to our constituents.”
It's more complicated than people think, because when you actually start thinking about it, this is going to take some time. Yeah, it is. Push that out front because you don't want to be the company that comes off in some of these things you just brought up where it's just like, “Yeah, blah, blah, blah. Sorry, we were breached.” That's not how you want it.
There was a contractor organization that I work with that I recently received an email from them saying, “As you've seen in the news, X vendor experienced a data breach. We used this service.” While there isn't the appearance of, “Any of our data or your data is at risk, here are the steps that we're taking.”
“As you can see from the description of our steps, this is not something that we're going to be able to complete in the next three hours. This is something that's going to take us a period of time to do, and we just want to let you know what we're doing and how we're doing it.” I was like, it wasn’t, “Hey, we were breached,” but I was really impressed because it was communicating. “We're on top of something that happened. We’re doing our due diligence,” and they're also setting an expectation that this is not…
They gave you a timeline. I agree with you, that is. That's the way it should be done because now, you know what's going on, you know they're working on it, and you have a timeline. All of a sudden, your worry goes down. You don't even know what's happened yet, really, but that's the right way to do it. And then follow up on that. Don't just let it sit out there. Whether it takes a week, a month, whatever, follow up on that.
I'll have to wait and see if they do that part. I think they will.
You’ve got to follow up, that's the one thing. The only other thing I would say in all of this, because honestly, going back to what you and I were talking about earlier, the potential for any company nowadays to get breached is very high. It just is, and a lot of it is luck for the bad guy. A lot of times, when they launch ransomware attacks, they don't even know who they've hit. Different from old school ransomware attacks that were very targeted.
It doesn't cause anybody a dime to sit around for an hour or two hours and go, “Who should we call for a law firm? How should we communicate this? By the way, if our email’s down, how would we do it? Do we have a roster where we text everybody?” It's just those kinds of things.
It really will decrease the stress level when something like this happens. I can't emphasize it. I know I've said a lot today, but I can't emphasize because I've seen the back end of thousands of these things, and it's the same every time. I don't care how great a company is or bad of a company. It's a lot of stress on the executives. It's a lot of stress on the employees, the shareholders. Anything you can do up front, it limits that.
When you're talking about how we email if our email system is down, I was starting to think of, “Well, gosh. What if the CRM was tied up in this ransomware? How are you going to even contact your customer? Where's my customer data? How am I going to get a hold of my customers to let them know that there's an issue that they need to watch out for?”
It's a big issue. You don't want your customers getting nervous, because your customers will leave. I said it's beyond a business interruption. If you have a large-scale breach, this is a business crisis until it's handled. Your company needs to keep running, but your focus needs to be on this breach until it's remediated and you can come out and say exactly what was lost, taken, compromised, whatever, and here's our plan to go forward and we're back up, blah, blah, blah.
The reality is, you can't forget about your internal clients and your external clients. I've seen it both ways, where companies communicate really well internally, nothing externally. I've seen it usually defaults to this. They communicate really well externally, they don't tell their employees anything. If you've got 10,000, 15,000, 20,000 employees, you need to communicate with them because they're going to be worried. It's not one or the other, you have to do both.
Whether they're customers, internal, external, people are going to start filling in the gaps themselves with the lack of information, and they're going to fill it in with things that are not so good.
Right or wrong, just flat out wrong. I know we don't have a lot of time. The last thing I'll say—and I have been the expert witness in a lot of these things in the last couple of years—these large-scale breaches nowadays, unfortunately, when a big breach happens within days, weeks, months, class-action lawsuits are filed. These are billion-dollar lawsuits against companies.
What ends up happening is now the company's got a business crisis. You just got served with a billion-dollar class action lawsuit. In some cases, the employees now sue the company on top of that. Members of the board, we’ve all got board insurance. I can tell you, you still get sued personally. This has changed the dynamic in this. Whether they're right, wrong, indifferent, this is something and the whole cyber insurance side of this is a big deal nowadays.
When people are trying to educate themselves about the cyber threat, don't leave this part of it out. If you don't do any of the things we've talked about today and you don't show that you're on top of it, unfortunately, this is what's going to happen to your company. And it happens a lot nowadays.
A lot of these things are publicized until they're settled, and that could take years. But in the meantime, unfortunately, companies are spending millions of dollars defending themselves in the stress of your employees pitted against the company, the company, you know where I'm going at. It just goes on and on and on.
I don't think people talk about that enough. I've seen the backside of a lot of these things. When people are looking at what's the overall threat, have this part of the conversation, internally, to the team. What if? Because that's definitely inside of this. You don't hear a lot in the news, but it's definitely happening.
That's the scary part. It's all scary, but that's the lingering after-scariness.
Yeah, that's right.
Robert, where can people find you online? Where can they find Cyber Defense Labs online?
You can go to cyberdefenselabs.com. Come to our website. There are all kinds of means to contact me. You can google me. I'll pop up all over the place. I'm on LinkedIn, obviously. All my details are up on the website along with the entire executive leadership team, the board, and everybody else on cyberdefenselabs.com in Dallas, Texas.
We will make sure to link those in the show notes so people can easily find them if they don't know how to spell cyber defense labs.
There you go. Thanks, Chris.
Robert, thank you so much for coming on the podcast today.
Happy New Year.
Leave a Reply