Episode 045: Deception Perception [Understanding and Preventing Corporate Espionage and Sabotage]

Sign up to receive a monthly email with Wrap insights from our advisors

“The bad guy doesn’t know who you are or what you do. They just know they can get money out of you.”

As technology becomes more advanced, so do the ways your company can be exploited by bad players. Whether your company is a large leader in the technology industry or a local mom-and-pop shop, each person who works for or interacts with your organization is on the front lines of either protecting it or submitting it to a scam.

In this episode of The Wrap, Warren Averett’s own Justin Headley, CISSP, CISA and former FBI Special Agent Daren Mott join our hosts to discuss recent headlines about cyber attacks, what legitimate threats companies face and what organizations need to know about the future of cybercrime. Spoiler alert: it isn’t going away.

After listening to this episode, you’ll be able to:

  • Translate spooky headlines about the cyber attacks on other companies into tangible considerations for your company
  • Understand the three main cyber-threat areas that face companies
  • Have insight to prevent insider threats (both intentional and accidental) from your employees
  • Set realistic expectations about cyber risks and how you can be proactive in light of them

Resources for additional learning:

Mentioned in this episode:

Commentators: (00:00:00) Hey, I’m Paul Perry. I’m Kim Hartsock, and you’re listening to The Wrap, a Warren Averett podcast for business leaders, designed to help you access vital business information and trends. You need it so you can listen, learn, and then get on with your day. Now let’s get down to business.

Paul Perry: (00:00:22) Hey, Kim.

Kim Hartsock: (00:00:24) Hey, Paul.

Paul Perry: (00:00:25) How are you doing today?

Kim Hartsock: (00:00:26) Wonderful.  Welcome to all our listeners to episode three of the new season of The Wrap podcast.

Paul Perry: (00:00:33) Absolutely. Happy to be here today. Today, we’re going to be having a good conversation around cybersecurity.

Kim Hartsock: (00:00:38) And I definitely am the outsider of this group today, since all three of you live and breathe cybersecurity pretty much every day. So I’m going to try to be the gatekeeper to make sure that we keep our conversation so that those of us who aren’t considered experts in cyber security, we’ll still be able to follow the conversation and learn things today. So that’s going to be my job today to keep you guys in line.

Paul Perry: (00:01:04) I’m very excited about our guests – as I am for all of them – but in this one, we’re bringing in a former FBI agent who dealt with cybersecurity in a lot of different arenas. Darren Mott is with us today. Darren, happy to have you here.

Darren Mott: (00:01:19) Thanks Paul, for having me, I appreciate the opportunity.

Paul Perry: (00:01:20) Also with us is my good colleague, Justin Headley, who within our Risk and Controls group, he does a lot of cybersecurity, auditing, reviews and just discussions in what he does on a daily basis for Warren Averett. So Justin, we’re happy to have you here as well.

Justin Headley: (00:01:38) Thanks, Paul. Good to hear.

Kim Hartsock: (00:01:39) Well, Darren, if you could just maybe take a few moments and introduce yourself to the listeners. Tell us a little bit about your background and what you’ve done in the past and then what you’re focused on now.

Darren Mott: (00:01:48) Sure. So I joined the FBI in 1999. Prior to that, I’d spent seven years teaching high school science. And how I got from that to an FBI agent is another whole topic altogether, but I joined the Bureau. At the time the FBI was trying to get a handle on what the cybercrime perspective was. There weren’t even cyber squads within field offices.
So I was blessed to have been assigned to the Charlotte field division, which was one of 16 offices that had a dedicated cyber squad and started working intrusions and investigations around cyber-crime. From there, I went to FBI headquarters and worked in our national program, where we tried to build some relationships with Russia because what we were finding is a lot of the hackers that we were dealing with, at that time, were coming out of Russia. So we were trying to tell them, “Hey, you’ve got these guys, you know, we have evidence that they’ve done these crimes. Can you help us?” They said, “sure, sure, come on over.” Uh, and other than giving us a lot of vodka and tours of their historical sites, we really didn’t accomplish a whole lot or as much as I would have liked to.
So we went from there to Cleveland to run a cyber squad and then went back to headquarters to integrate the cyber and counter intelligence skills into a more national initiative. Into my career in the Birmingham division, for my last seven years running as counter-intelligence program with some cyber aspects to it. I retired in 2019 and worked for the national cyber security operation center here in Huntsville, where we do cybersecurity protection for the defense, industrial base and other critical national infrastructure laid organizations. And all of those services are offered to them at no cost.

Paul Perry: (00:03:25) That is wonderful. It’s good to have one of the nation’s leading experts in cybersecurity here to have this conversation with us and talk to our listeners. Justin, you want to give a little background on you, please?

Justin Headley: (00:03:36) Thanks, Paul. Yeah, I’ll give it a little background here. Uh, I’m manager here at Warren Averett in our Security, Risk, and Controls group. Basically, what we do here in our group is we minimize risk and maximize peace of mind. So, anything from controls-related perspective to cybersecurity are things we help our clients with.

Paul Perry: (00:03:53) It’s good to have you and Darren here. Kim, this should be a wonderful conversation. So, let’s just go ahead and kick it off, Darren. You know, supply chain risk is a topic that a lot of businesses talk about. They may call it vendor management. A lot of businesses are calling us and saying, “Hey, you know everything with Solarwinds. Everything with Microsoft, that’s in the news. What is it I need to be worried about? You know, I’m getting phishing emails. Is that coming from the Microsoft hack that that’s occurred?”
And we have to put that into perspective for them. When they see those types of topics out there, what do they need to be worried about as a business owner and how do they need to respond?

Darren Mott: (00:04:31) Well, I think the best thing to think about. So, I’ve done a lot of presentations to a lot of companies over my course of my career. And I talk the same thing at the beginning and a large part of it is a lot of companies from a cybersecurity perspective are more reactive than proactive.
So, they don’t really worry about the problem until it hits them and they’re dealing with it. You have to start off on the perspective of who is targeting me and why, not necessarily the methodology. That’s certainly important to understand, but it comes down to cyber risk. So what is your cyber risk? Cyber risk is threats times vulnerabilities.
So if you don’t understand either of those two aspects, you’re not going to understand your cyber risks. So looking at the threat perspective for most businesses, there’s really three main threat areas that you can deal with. One is cyber criminals. They want to steal your personal information to sell it on the dark web or to monetize it in some way.
Then, you have your cyber espionage actors, which are your nation state actors, that want to steal your intellectual property. If your company has a national critical infrastructure perspective or some attachment there. There’s information they would want from you from there.
From an espionage perspective, North Korea does a lot of ransomware targeting just to fund the regime. A lot of companies need to look at who is targeting me and who is the most important threat I need to deal with to mitigate my risk. I’m not going to mitigate at all. So, if you are a financial organization, they’re coming for your information or for money, it’s really clear. If you are a defense industrial based company, they’re looking for your intellectual property because, especially China, wants to steal it so they can duplicate it and sell it and undercut you. So you have to understand your threats first and then understand your vulnerability. So the Microsoft vulnerability that came out two or three weeks ago hit anybody that had an on premises, Microsoft exchange server.
If you didn’t have that on your premises, it didn’t really matter. But these attacks come from a variety of different areas and the attackers will target different entities for different reasons. We had a case when I was working in Cleveland where the Chinese had compromised three servers within the Cleveland area and were attacking US government systems because launching the attack internal to the United States was easier for them to go undetected by the target. Uh, and the nature of those companies: one was a police department web server, one was a guy who sold an item online. So it’s his online web server. He was just like a 10-sign company. And one was a subway point of sale terminal. There is no commonality between those three targets, but they were targets of opportunity.
So, you know, businesses have to look at what are those threats and then, you know, the vulnerabilities. You have to look at how many end points do you have? What’s your surface attack area? How many, how many people do you have working from home now? You just increased your vulnerability scale by a factor of however many people are working from home, simply because those are new attack vectors that you’re not protecting from your network overall.

Kim Hartsock: (00:07:26) I think you bring up a really good point there, Darren. A lot of companies were thinking, “Well, I’m not a big company. You know, I’m not a target or some big medical group. I’m just a privately held company in, you know, on the outskirts of Atlanta and why would I be a target for someone in Russia or China?” Or maybe it was someone who thought, “Well, I don’t really have a lot of cyber information, right? We’re not a heavy technology company. We’re a manufacturing company.” I think you bring up a good point of, there is no specific type of company that becomes attractive to this. What they’re after is, is very different depending on who it is.
And so maybe speak to that about companies that didn’t think they were or would be vulnerable but they are.

Darren Mott: (00:08:19) And you’re saying the exact same thing I say in all my presentations. I have a slide that actually says no one expects to be a victim. I’ve never gone to a company that had been compromised or was targeted and had information stolen where the first thing they said to me was, “Well, we knew it was coming. It was our turn in the pipe.”

Here we are and all of them were shocked, but every company has crown jewels. If they didn’t have crown jewels, and I can’t define for you what your crown jewels are, but you all have them. If you didn’t have them, you wouldn’t be in business. And that is what someone wants to target, especially.
I mean, you got to think beyond just the nation state and the criminal hackers. What about your competitors? You know, corporate espionage is a big issue and you don’t see a lot of news reports on that simply because it doesn’t go reported. It’s largely dealt with civilly, so you’re not going to see that criminal aspect to it.
And it’s complicated and the way that they do it. So you have other threats that you’re just never going to see in the news. The Solarwinds and Microsoft Exchange vulnerability made huge news simply because of the depth and breadth of victims that suffered. There were either potential victims or there were victims that had that particular tool on their system.
Everybody can look at that and say, “Ooh, that could happen to me.” But you know, everybody is a target. There was a stat from 2008 that 62% of businesses experienced phishing and social engineering attacks in 2018. No, they weren’t all victimized by it, but it shows is that everybody is being target.
Everybody’s a target of opportunity. And I’ll give you a perfect example: one of the biggest issues from a cyber perspective for businesses is what’s called the business email compromise. And all they’re simply doing is getting into your legitimate business email system, however they get in, and there is a variety of ways.
If you were to go on to do a dark web search, chances are every company listening could find emails and passwords on the dark web from their company in some way, shape or form. Someone gets access, legitimate access to your email system, and then crafts an email that appears to come from the CFO that goes to your accounting department that says, “I have this invoice for this vendor for $70,000. I need you to pay it today, or we’re going to lose whatever service.” Are there processes in place that has your finance office double-check or do you just, “that’s how they do business” and they send it out? So it’s as simple as that. The bad guy doesn’t know who you are, what you do. They just know they can get money out of you.
Let’s take ransomware, for example. Everybody can be a victim of that because they don’t care where they get here, who gets it.

Paul Perry: (00:10:46) They’re just going for the money. You know, something else you talked about, Darren, you talked about the crown jewels. Justin, can you give us some thoughts on the other crown jewel that people may not think about which is: their employees and those people getting hacked or targeted?

Justin Headley: (00:11:02) Yeah, no, that, that that’s super good point, Paul, and you know, Darren, you’re talking about the crown jewels there. You know if you turn toward – Darren, you mentioned –  you know, things not being played in the media, these things you don’t hear about and I think insider threats are another huge risk that people don’t really consider.
People’s minds automatically go towards that you wouldn’t ever think an employee that you treat well would actually do something malicious with the inside of your organization. But it’s something you need to consider the risks, but there’s the unintentional piece of that people don’t really consider. Like you mentioned, Darren, some business emails compromise of clicking on links, allowing something to come into your organization. There’s the unintentional piece there but also the intentional, you can’t let that fall off your radar.
Um, it’s really important to put controls in place that you’re monitoring employee activity, that access that you give to applications within your system, your domain administrators, makings sure that those are appropriately restricted are super important there too.

Darren Mott: (00:12:04) And you know, you make a great point on insider threats.
My first case in the FBI was an insider threat. This was the company makes the storage, you know, like the U-Haul storage and all that stuff. They do the fencing for all of that. So they had a guy who stole all of their intellectual property in North Carolina and took it to their main competitor in Arizona.
Simple as that. He had access to the information, took it all. The company didn’t take the means they needed to protect it. So ultimately, we couldn’t prosecute them because the victim company didn’t do the necessary things. They needed to protect their data. So, extrapolate that now twenty years later. It’s a lot easier to steal that information and get it than it was 20 years ago.

Kim Hartsock: (00:12:47) Yeah and I think something else that you know is a lot better now is education, right? People are becoming more educated on cyber security and what all that means. And I think the first step is understanding that you don’t have to be a technology company to have cyber security issues.
Let’s talk about education. Let’s talk about the culture of education and making this an important part of your culture. What are some things that you can share with our listeners that are business owners or business leaders on how to create that, how to sustain that, what they need to be focused on?

Darren Mott: (00:13:25) That’s a great question. And that’s really the biggest issue for all businesses is how do you help your employees create what you need, which is a cyber secure mindset. How do they think that everything that they do relies around that cyber secure mindset, thinking that there’s a risk of a threat around every corner.
A lot of times, if you’re dealing with technology, you’re on their computers all day, there are threats around every corner. The problem is for companies, training cybersecurity in general is a profit loss. For any company: you’re not making money on it, but you have to spend money to deal with it.
And the other part of that is there’re compliance issues, depending on what industry you’re in, you have certain compliance requirements. If you deal with credit cards, you have PCI requirements. If you’re healthcare, you’ve got HIPAA issues. If you’re DOD, you’re going to deal with CMMC. So you’ve got all these compliance requirements around cyber security, and part of that is training and cybersecurity awareness.
So how do you create that? How do you solve that problem? How do you beat that compliance piece? A lot of companies just go to KnowBefore and they hire or they buy whatever training is and they tell their employees to go to this website and take this training for 20 minutes.
All good. And if that’s the minimum you do that’s the minimum you do, but you’re going to get the minimum out of it. There needs to be some kind of paradigm shift in education because I think we’ve all seen it now. We’ve all had cyber education at our work, but a lot of it is how quickly can I get through these PowerPoints?
You almost need to develop a more dynamic educational approach that brings in someone who has examples for: this is what happened to a company like yours, here’s what they had to do to deal with it, and here’s how much it costs them. You know, we could talk about annualized loss, expectancy and all that kind of stuff, but who wants to be bored with the numbers? You could spend $25,000 on a very good quality cybersecurity educational program, or you can hope you don’t get hit with a cybersecurity event. Because the average cost for a data breach, as of 2019, it was $3.92 million.
So let’s extrapolate that out over 10 years. That’s what $392,000 a year. That’s your ALE. So. Pay $25,000 for good education or hope that one-time hit doesn’t pound you. If you can train your employees to have that cyber secure mindset so that it helps them protect themselves beyond the business, then they’re being more engaged too. Because they want to protect themselves, but they also then can protect the business. So that’s my perspective on it. I don’t know if everybody believes in that perspective, but that’s kind of where I come down on it.

Justin Headley: (00:15:54) I totally agree with that. I mean, so, so often we see even organizations that have been hit or have been burned. It’s still a cybersecurity security awareness is still a check the box thing, like you mentioned with: how quick can I get to this PowerPoint slide? And it’s a whole different difficulty actually changing the mindset and actually developing that security awareness culture within your organization.
One thing we always like to tell clients is that you can have all the best technology in the world, the best firewalls, the best endpoint protection, but all of that can be undone with, with one click of an email. Training users to really think that cybersecurity is not something we toss over the fence to IT, that we are all on the front lines.
And we are all dealing with these on a daily basis and, you know, really training people to develop that mindset is definitely more difficult than done.

Commentators: (00:16:48) To learn more about Darren, check out his podcast, The Cybur Guy, spelled C Y B U R, wherever you listen to podcasts. Now back to the show.

Kim Hartsock: (00:16:53). So, I mean, hearing all of this… is there ever a point where you’ve reached the end of cybersecurity? You’ve prevented everything. Yes. Help us set some realistic expectations on how to be prepared, how to be aware, how to create a culture of awareness. But with some realistic expectations.

Darren Mott: (00:17:22) Sure. Well, I think the first realistic expectation you need to have is that at some point you are going to be a victim of something.
Now it may not be a big problem. You may be someone that clicks on a link and it compromises a computer. But you’re able to isolate that computer because you have an incident response plan in place that you practiced. You have the ability to do forensics. You have the ability to isolate that computer immediately.
If you’ve thought of nothing of these things, you’re just going to go, “Well, when we get hit, we’ll deal with it then.” Ask Huntsville city schools how that worked for them. They got hit with ransomware. They couldn’t do anything for a week because everything was locked up. A better example is the city of Atlanta.
So you would think that the city of Atlanta would have a fairly good cybersecurity plan in place. $19 million later, they recovered from the ransomware attack. Likely, 90% of the cases the FBI ever works and 90% of the cyber cases that are ever seen started happen with a social media or a social engineered email, a phishing email, someone clicked a link, opened an attachment, went to a website and bad things started to happen.
So, you know, that’s kind of the simplest there’s, there’s simple things you can do. Like the number one thing, which I can’t believe no businesses do. Our policy is don’t allow personal email on your network.
We all have phones. Now, if you want to do your personal email, look at it on your phone. Don’t open a browser in your corporate network to check your Yahoo or your Gmail or whatever, and then click the link within it. Now, ideally, if you have technology in place, that’s going to identify malware – great.
But even the technology is not going to save us. You can buy all the technology you want. There’s plenty of companies that have spent hundreds of thousands of dollars on technical solutions. And half of it is still sitting in the box in the closet. All right. So, you know, technology is not going to save you.
Education will help because if you can create that cyber secure mindset, you can greatly reduce the risk of someone clicking on that link. You can do phish testing and then remediate phish testing and remediation training as to why you shouldn’t have done that. But you’re going there. No company has a 0% success rate on phish testing that I’m aware of. I had one company that said we were talking about this and they said, “Well, we only had 8% failure rate except for the one person that clicked the link 42 straight times.” Why is this not working? So, you know, it’s understood that risk is going to be there.
You can reduce your risk by doing some education to making people understand that they’re the first line of defense for your company, and it’s going to come through them. The best thing you can do, throw out all your computers, move to Antarctica, and you’ll be good.
But beyond that, the risk is going to always be there. All you can hope to do is reduce it to a level that’s acceptable to you. Now, I’ll give you an example.
Let’s take ransomware as an example, if you have backups – you test your backups and you, you that they’re good and clean and you get hit with ransomware.
You can recover from that fairly simply. So at that point, ransomware is not really a big risk to you. If your crown jewels are all isolated on a standalone system that only people can go into a room and log into that system to see whatever it is, they see business plans, corporate information, whatever.
Then you can probably figure my risk is pretty low. No one’s going to get to that particular information. The one thing is the insider threat becomes a bigger issue there because it’s not just cyber as a problem. It’s the human problem, too. We had a case where there was a company, they had all their crown jewels on a standalone computer in a blue room.
I’m trying to say this without getting myself in trouble for talking about classified stuff, but we had information that a certain nation state told someone they knew who was in that particular city, you need to go to that company and get into the blue room. They knew that there was a room with blue paint on it that had the information they wanted.
They couldn’t get into it technically. So they sent someone there to try to access it. This goes way beyond just the cyber piece. It’s who your partnerships and all that kind of stuff. So I think the best thing to do is understand that it’s a problem. That’s not going away.
How’s the best way that we approach it, it has to be someone’s full-time job and maybe more than one person’s full-time job.

Paul Perry: (00:21:41) So, Justin kind of piggybacking off that, you work with a lot of companies, all sizes, right? Public company to mom and pops with very little resources. What best practices, what controls do you see working that are helpful? You gotta keep in mind, the size of the organization, they just don’t have all the resources and capitals that others do.

Justin Headley: (00:22:02) Yeah, that’s a good point. I mean, I think Darren mentioned this. I mean, you can really, uh, get overwhelmed with some of the stuff and think that the more cash I’ll throw at this situation that it’s gonna magically resolve it.
There is no silver bullet in cyber security, unfortunately. Like Darren mentioned, there’s no piece of technology out there that that’s going to just resolve all your problems and money can certainly help. But one thing that we get a lot into is people. We see some of the organizations put all of their time, energy, and resources into preventing something from happening and regardless of what you do, you know, eventually it’s going to happen. It sounds grim, but if it’s just going to happen. So the more that you can put into focusing some of that time, energy and resources on detection and responding is so key. We so see so many organizations that focus on preventing and when it happens, they’re running around like crazy. See, they’re not sure what to do. You know, we see it.
There’s a stat out there that it’s about six months to actually detect an attack or somebody lying within your organization. And then outside of that, there’s another about 60 days to actually stop or remediate that attack. That just shows you that organizations are just not prepared to detect and respond to these attacks.

Darren Mott: (00:23:26) If I can piggyback on that, the average life cycle of a data breach, according to IBM, is 314 days from breach to containment.

Paul Perry: (00:23:33) So, Justin, that means I need to change my passwords, what?

Justin Headley: (00:23:35) At least, every 90 days.

Paul Perry: (00:23:38) And don’t use the same seven passwords. And then you’ll go back to the one that you use six times ago, and then they’ll have the password and then they’ll hack you.

Justin Headley: (00:23:46) That’s right, yeah.
There’s so many things, like I said, there’s a lot of take it back to the basics. You know, access, making sure that access to applications is locked down. No one has too much access within the organization. Education.
We’ve kind of beaten the dead horse there, but you can’t overexert that education is so important and why Darren mentioned policy and testing those policies to making sure that if you have to enact those, that they’re good and your organization knows how to respond. It’s so key

Darren Mott: (00:24:18) And multifactor authentication.

Justin Headley: (00:24:18) Multifactor authentication, you can’t overstate that. Right?

Paul Perry: (00:24:22) Exactly. Let’s talk about the future. What’s the next headline? What’s the next conversation? What’s the thing nobody’s thinking about that as a business owner. When you say it, when somebody says it, you know, that’s the thing I’ve got to work out and I’ve got to watch out for. So let me go back to my risk assessment and let me say, how am I going to prevent this from happening?

Darren Mott: (00:24:39) Well, I’ll give you to quantum computing and artificial intelligence, I think are the two big ones. The problem with quantum computing, once it actually becomes more mainstream. It’s going to be a while before it’s mainstream but there’s going to be some of the big companies and some of the nation states are going to have access to it fairly quickly.
Because of the rate at which quantum computing can process information, passwords are going to become useless, because it’s going to take them two minutes to crack a 20 character password. So that’s going to be a huge problem, but it’s not a vulnerability. Most companies are gonna be able to deal with that other than they’re going to have to think of new ways to authenticate users. Be it biometrics. Be it… I don’t know, man, I’ll be honest. I don’t know what that looks like at this point.
And then the other thing, and I’ve been saying this for a couple of years, is artificial intelligence is going to be a huge boon to criminals. Because, you know, we all get the phone calls from the department of IRS that they’re going to come arrest you because you have some problems.
They always sound like they’re coming from somewhere in Pakistan. So, you know, they’re not from the IRS. Well, once artificial intelligence becomes more well used and we’ll sound. You already have defects. We have the deep fakes that look for pictures online when the deep fakes goes to voices, the bad guys are going to be able to use that particular technology, to trick people into giving them information that is a lot harder to get now because people are suspecting of certain things that artificial intelligence is going to make it much easier. This is going to rely on people understanding that technology and what to be, what to be on the lookout for.
And I think there’s going to be technology that doesn’t exist today. That’s going to be around next year. I mean, two years ago, had any of us heard of Tik Tok as an issue. No. But here it is. And then it’s an issue from a counterintelligence perspective. That’s a different podcast, but what technology is going to exist six months from now that looks like it’s great for helping businesses do what they need to do, and then gets exploited. Microsoft Exchange vulnerabilities for on-prem Microsoft exchange – who saw that coming?

Kim Hartsock: (00:26:39) And I think it’s things where people start to be concerned, right? When your phone is using your eyes and things like that. Um, I just went through the airport, clear TSA, pre-check, all those things. It’s all done by my fingerprint, my retina scan and it’s, that’s a little concerning: do I need to be wearing some sort of glasses that cover up that, right?
Because who’s going to take that to be able to take on my identification. So I tend to not be someone that goes down that rabbit trail, but maybe that’s a good thing so that I don’t get myself too scared to sleep at night.

Paul Perry: (00:27:15) Did we scare you enough today, Kim?

Kim Hartsock: (00:27:16) A little!

Darren Mott: (00:27:17) I think the one thing would be aware of the internet devices that you want to bring into the office. That’ll make your life easier. Like, you know, smart speakers and stuff like that. If you’re a business and you have Alexa on your network, you might as well just say: Welcome China, Welcome Russia. Come on in and take what you want.
There’s no reason to have those on your network. Now, if you create a separate WIFI network that is isolated off that anybody can use for whatever. That’s fine because you don’t care about that network, but if it’s connected to your corporate network, you know, do you know what all your end points are? If people can come in and plug stuff in to use that’s a vulnerability that you don’t want.

Kim Hartsock: (00:27:52) Yeah. And I think that COVID and the push for people to go home has just opened Pandora’s Box for that, right? If you don’t have protocol in place to do sweeps of your network and see what people are, you know, maybe you had a policy for that when people were in the office, but are you checking to see what’s happening when people are at home?
You know, now where personal and business are blurred, right? This world that we’ve lived in the past 12 months has really blurred those lines. So I think that just opened up a whole ‘nother set of issues that many businesses had not had to deal before.

Darren Mott: (00:28:31) Right. And I think you’re also seeing it. You’re seeing a lot of new malware targeting Apple devices. Be it the M-1 laptops or your iOS devices. Apple came out last Thursday or Friday with a critical update to all your iOS devices cause there was some vulnerability that bad guys get access to the data on there. Uh, and the same thing with, with laptops.
So a lot of people thought for years: if I have an Apple, I’m good. No one’s coming after me, but the bad guys are figuring out that there’s a lot of people out there that think that. And so I can target them. And, you know, get them to click a link open on the attachment. And now I have access, they don’t know I’m in there, and I can do all sorts of good things.

Kim Hartsock: (00:29:10) We have to convince all the people who have been convinced. I shouldn’t do the update on my phone because it’s going to slow my phone down. Apple just wants me to buy a new one. Right. With everything, there’s always an alternative issue we have to deal with.

Justin Headley: (00:29:24) Yeah. And I think one thing, you know, we’ve talked a lot of scaring people, you know, a lot of negative things. But I think one positive thing we’ve seen with privacy is lately, there’s been a trend of demanding privacy rights. So I think that’s something that we can, you know, we talked about looking towards the future.
We’ve seen things like: you guys mentioned Apple with iOS 14. So things like, you know, telling you when you’re being recorded, when your camera’s on, when your microphone’s on. Uh, but I think that will lead to talking privacy in the future, we don’t have a US-based privacy act. Yeah. It’s something similar to GDPR, but we’ve seen things like the California Consumer Protection Act laying the groundwork for a US wall there. But I think that will, again, in the future, kind of way more groundwork too. If you do hold sensitive information, really coming under scrutiny of how you access that information, what you do with it, you know how often you delete it periodically. So I think that’s something we’re looking toward the future that will certainly be weighing heavy.

Kim Hartsock: (00:30:31) So here on The Wrap, we always like to wrap up our conversation in 60 seconds or less. What would you like to leave our listeners with to wrap up this conversation?

Darren Mott: (00:30:40) Well, the last thing anybody wants to be is the person on the news that got hit with some kind of cyber-attack, be it a data breach, be it their own personal information or, heaven forbid, being their child exploited online.
The best thing you can do for yourself is create a cyber secure mindset. Educate yourself on what the threats are and how to protect yourself. And like Paul mentioned earlier, that may mean listening to different podcasts, having different resources, having different applications that can help you collate different news articles.
You can just do it based on topic and then read the ones that are of interest to you. The cyber threats are not going away. Cyber security and cyber issues are going to be a fact of life going forward. So if you don’t educate yourself, no one else is probably going to and take the responsibility to understand the threats that are targeting you. Assess your risk online and proceed wisely because knowledge is protection.

Justin Headley: (00:31:35) Yeah, I’m going to piggyback off a little bit of what Darren said there and we’ve overstated this a lot, but education can’t be a “set it and forget it” type thing. Uh, it changes all the time. So you can’t just get into a wall there that “I’ve checked the box annually and I’m good to go personally”, as well as for your organizations. So, uh, it’s so important just to keep on the cutting edge of this stuff, because it is changing, and you can’t be too safe.

Paul Perry: (00:32:00) Darren, Justin — what a wonderful conversation. And I appreciate both of you being here with us and having this discussion.

Darren Mott: (00:32:07) Thanks for having me.

Justin Headley: (00:32:08) Thank you. Really appreciate your time, sir. See you

Kim Hartsock: (00:32:10) Great to see you again, Darren. Have a good night.

Darren Mott: (00:32:11) Thank you. Paul, I’ll send you an invite for my podcast. Okay. Thank you, Justin.

Kim Hartsock: (00:32:17) Good to see you, Justin. Bye.

Commentators: (00:32:19) And that’s a Wrap. If you’re enjoying the podcast, please leave a review on your streaming platform. To check out more episodes, subscribe to the podcast here, or make a suggestion of other topics you want to hear – visit us at warrenaverett.com/thewrap

Listen to More Podcast Episodes

Listen to additional episodes of Wrap—a podcast by Warren Averett designed to help business leaders access the information that you need, when you need it, in the time that you have, so you can accomplish what’s important to you.