Mark Sangster

Mark Sangster is the VP and Industry Security Strategist at eSentire Inc. He is also the author of the book, No Safe Harbor: The Inside Truth About Cybercrime—and How to Protect Your Business. Additionally, Mark is an award-winning speaker at international conferences and prestigious stages, including Harvard Law School and the RSA Conference.

Mark’s thought-provoking work and perspective on shifting risk trends have widely influenced industry thought leaders. With over 25 years of experience, he is the go-to subject matter expert for leading publications and media outlets, including The Wall Street Journal and the Canadian Broadcasting Corporation.


Here’s a glimpse of what you’ll learn:

  • Mark Sangster discusses how he got started in cybersecurity
  • Why small and mid-sized companies aren’t prepared for a data breach
  • Whose responsibility is it to prevent cybersecurity issues within your company?
  • Mark shares a cautionary tale about using public WiFi
  • How an increase in remote work is affecting the way companies look at privacy and security
  • The common privacy issues and impacts of a third-party supply chain
  • How your company can be used to reach an intended target during a hack
  • Mark shares some helpful tips about privacy and security that he uses in his everyday life

In this episode…

Many business owners believe that only large companies can be the targets of major data breaches. However, small and mid-sized businesses are also increasingly at risk when it comes to cybercrime. Because of this, Mark Sangster, the VP and Industry Security Strategist at eSentire Inc., believes that businesses of all sizes should take measures to protect themselves from possible cybercrime attacks.

According to Mark, creating a mechanism of continued improvement within your company is the key to combating cybersecurity issues. As a cybersecurity expert, Mark helps companies understand the risks of data breaches and put plans in place to reduce those risks. So, how can you start better protecting the privacy of your business today?

Tune in as Mark Sangster, the VP and Industry Security Strategist at eSentire Inc., joins Jodi and Justin Daniels in this episode of She Said Privacy, He Said Security. Mark shares his expert advice on how businesses can better protect themselves from cybercrime. He also discusses the security mistakes of other companies, the role that privacy and security play within a supply chain, and the key takeaways from his new book. Stay tuned!

Resources Mentioned in this episode

Sponsor for this episode…

This episode is brought to you by Red Clover Advisors.

Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.

Founded by Jodi Daniels, Red Clover Advisors helps their clients comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, SaaS, ecommerce, media agencies, professional services, and financial services.

Their free guide, “How to Increase Customer Engagement in a Private World,” is available here.

You can also learn more about Red Clover Advisors by visiting their website or sending an email to info@redcloveradvisors.com.

 

(00:01):

Hi, Jodi Daniels here. I’m a certified privacy professional, and I help provide practical privacy advice to overwhelmed companies. I’ve worked with companies like Deloitte, The Home Depot, Bank of America and Cox Enterprises.

(00:17):

Hello, I’m Justin Daniels, the cyber side of the house. I’m a subject matter expert in cybersecurity, and I’m also a business attorney and I’m also a cyber QB, and I help clients design, manage and implement cyber plans. I also help them manage and recover from data breaches.

(00:39):

This episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, e-commerce, media agencies, professional services, and financial services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there is greater trust between companies and consumers. To learn more, go to RedCloverAdvisors.com or email us at info@redcloveradvisors.com.

(01:20):

All right. And so with that, I want to introduce our guest today. We have Mark Sangster and he’s here from eSentire and he is the author of the book, No Safe Harbor: The Inside Truth About Cybercrime—and How to Protect Your Business. He is an award-winning speaker at international conferences and prestigious stages, including Harvard Law School and the RSA Conference. His thought-provoking work and perspective on shifting risk trends has influenced industry thought leaders. And he’s a go-to subject matter expert for leading publications and media outlets, including The Wall Street Journal when covering major data breach events. Mark, welcome. It’s a pleasure to be here. Thank you. And it’s great to see you. We’ve had so many great collaborations in the last six months and we’ve had a lot of fun together. So I want to open it up by just asking you a question, ’cause we’re going to talk a lot about your book today. And just give us a general sense. How did you get started in cybersecurity?

(02:27):

Too many decades ago, and I won’t give you an exact number. I started working in the tech field and quickly ended up in companies like Cisco and Intel. And at one point, if we all remember those phones, BlackBerrys. And in fact, I worked on a project which was one of the first secure devices that they were building, actually for the Pentagon and the defense groups and contractors and so on. So it was pretty, by our standards today I think we would consider it to be ridiculous, but at the time it was cutting edge, and that really was the start. Then here most recently with eSentire, I’d worked at Intel and some other companies in related spaces. I think the big thing for me was the fact that we have these clients in these different industries and, you know, realizing what’s happening to them and the simple fact that, you know, in many cases they don’t understand that they are a target. They don’t understand what the consequences look like.

(03:26):

And of course you, dealing with the data breach post-event type of work that you do, you fully understand what that entire journey, you know, and painful process looks like. Frankly they don’t, and they’re unprepared. So, you know, that’s sort of been my mission in these last few years, is to try and get that word out so that they understand the risk, and then, B, help them put plans in place to mitigate those risks.

(03:50):

So, Mark, what do you think is the big holdup? What is it that companies are thinking? Why don’t they get it?

(03:58):

So I think a lot of companies, like, I’ve sort of, you know, kind of hinted at it there, right? The first thing is that many of the smaller mid-sized types of firms, so, you know, not the big banks and the insurance companies and so on, they don’t see themselves as targets. And I think that’s simply down to the demographic of what’s represented in mainstream media, right? So they read about the big breaches, like Capital One, or Travelex, or Marriott Hotels and so on. What they don’t hear about is, you know, the small family-run manufacturing business in the Midwest, or the law firm of 150 attorneys, or the small medical facilities that get hit and shut down, not the big ones, you know, not the major kind of conglomerates that we know about, that we will read about, like one, you know, a couple of weeks ago.

(04:40):

For that reason, you know, I think that the real problem here is ignorance, right? That they don’t understand there’s a problem and, unfortunately, ignorance is not bliss. In some cases it can be negligence, right? Then when it comes to doing something about it, there’s a real break, I think, between the ones and zeros of IT and the dollar signs and the cents of the board and the executives. So finding a common language or vernacular that they can use to discuss it, right, to talk in terms of risk, not in terms of budget, and not the kind of, you know, where we skip understanding what problem we’re really trying to solve and we go straight to solutions. So it’s like, we’ll buy a firewall, buy antivirus, you know, get another box that blinks and supposedly does things for me, versus truly understanding what problem they’re trying to solve. And, you know, having that ability to sit around the boardroom and, you know, collaborate.

(05:32):

Well, kind of following up on Jodi’s question, talking to your book a little bit, Mark. So what do you think some of the key takeaways from your book are? Why do I want to pick up and read your book? What will I learn in it?

(05:45):

Yeah. So that’s a great question, right. I think, as I’ve said here, you know, part of the mission in this book was actually to get the word out, right, to, in either an anonymous way or the stories that have become public but not mainstream, to kind of tell those stories, and not to blame, not to say, you know, they made a mistake or they screwed up or whatever it is, but to learn those lessons, because in cybersecurity, that’s part of it, right. Is we don’t have a kind of a public mechanism of continued improvement, right. Where, you know, if you think about airline safety as an example, you have the National Transport and Safety Board that comes in and does an investigation, determines all the factors, makes recommendations. And then the FAA, the Federal Aviation Authority, mandates those, right.

(06:29):

And all the players, airlines, manufacturers, et cetera, all have to abide by those rules, and in doing that, they continuously improve. And I think that’s one of the takeaways from the book, it’s partly to create that kind of mechanism within your own company. So to understand what’s happening, if something’s occurred, to seek forward accountability, right? So look at, you know, what happened, not who’s to blame, and to put a simple framework together. And through the various chapters in the book, I look at those different aspects. So things like board and executive reporting, I look at understanding what root causes of the events are, insurance, and, you know, what’s insurance going to cover and what’s it not gonna cover, to try and create a simple framework for those, you know, mid-sized firms that don’t have the wherewithal of these big banks when it comes to defending themselves.

(07:18):

So something comes to mind, which is, you know, all too often people think about security, that’s the IT person’s job. Or maybe if they’re lucky they have a CSO or someone responsible for it. You talk about board and executive level of reporting, though. So who should be responsible and paying attention to these needs, and kind of, who’s a core reader for what you’ve put together here?

(07:44):

Yeah. So the book is very, it’s non-technical. I mean, technical practitioners, and I’ve certainly had many, you know, have read it and reviewed it and so on. But it is more for the business leader, right. That’s who I’m trying to get across to, to say, you know what, this is a responsibility of yours, right? Just like any other aspect of fiduciary care, you know, you have to do the same thing when it comes to the risks that are represented through cybersecurity issues. Right. And so really it’s helping them understand that, right? Those basics, like having the awareness, being able to measure that risk, to know the obligations that come through their business, through the assets that they hold, and understand that as a privacy officer, right, is the, you know, what, if you’ve got, you know, protected non-public or otherwise, like medical records, and those are under your control, well then you have obligations, responsibilities that come with that. So understanding what those look like, and then also putting the right plans in place. So it’s about alignment. So from a, you know, who should be doing this? Yeah. Ultimately there should be an executive who has responsibility for security. They should have a seat at that table. It shouldn’t be, you know, the kind of the person who greets you, takes your order,

(08:56):

cooks your food, clears your plates away and brings you the bill. Like you can’t have, you know, that person who’s running all those tasks. You need one person who is responsible. So, you know, we see this a lot of times, it’s the CIO, you know, the information officer, or in a financial institution sometimes it’s a risk officer, a compliance officer, and, you know, privacy, security, you guys are perfect sitting here, right. Privacy, security and compliance, they’re like the three sisters and they overlap in a Venn diagram, but there’s not a hundred percent coverage between the three. Right. There are subtle differences. And that’s where I think it’s important to have somebody who understands the security element, and they should be balanced with the person who understands, let’s say, the legal issues, right. So your general counsel or whoever it might be that provides that sort of risk assessment to say, okay, here’s what our obligations look like, and can determine whether or not the framework that the security team puts together, you know, meets that test.

(09:51):

So, Mark, one of the things that I find interesting when we talk about cybersecurity, or are talking about some of the stories behind it, and I know that one of the key aspects of your book is you put it into a real-world context and you tell some great stories to prove some points. Is there any anecdote or a particular story in the book that you think will particularly resonate with the audience? And could you share that a little bit?

(10:15):

Yeah, absolutely. So I sort of tell two different sets of stories, right? The ones, or the non-security ones, like I talk about an airline accident. I talk about the Deepwater Horizon to look at things like supply chain risk, and another story about the Citicorp Tower in New York, which is the, you know, sort of the disaster that never occurred that might have and, you know, was a secret for decades. And the reason to do that is to get out of the trees to see the forest, right. When we take it out of that context, it gives us a better chance to look at what some of the, you know, what were some of the findings, what are some of those recommendations, the lessons we can learn from that, because we’re doing it in a framework, in fact, that doesn’t have any kind of emotional bias to it, right?

(10:56):

It’s not about budgets or, you know, who has the authority in the company and so on. But in the cybersecurity space, yeah, I talk about lots of different stories, and there’s ones like this that will be very relevant to now, with, you know, COVID and, you know, working from home. It’s a story about a hedge fund in New York that years ago was opening a new office in Midtown Manhattan. The spouse of the managing partner was buying artwork. Their email account was, unfortunately their credentials were harvested in a fake Wi-Fi spoof. You know, so this is where, you know, we all know iPhones or your Android phones, you walk into a Starbucks and you’ve already been on Starbucks public Wi-Fi, so if your phone is set to do so, it just automatically reconnects. Well, often you can buy a little, or not often, you can buy a little box for about a hundred bucks that effectively will spoof that Wi-Fi.

(11:46):

That is a stronger signal, so your phone will go onto that one. And then once you’re on that device, you know, they’re effectively scooping and monitoring everything you’re doing. And if it’s, you know, not properly encrypted, as an example, they can read it. So anyway, they were able to get this individual’s email, they had credentials for their bank account, their iTunes. You know, when you get those suspicious emails from Google, for example, like your account was accessed from a new device, you’ll get that alert. They were catching those and deleting them within seconds so that she was never actually reading them. And what they discovered, and the reason they were doing this, is, yeah, they could have defrauded her, you know, used some phishing campaigns based on, you know, what they knew about, but they knew she was buying this artwork.

(12:25):

And so they went and they created a replica website. They figured out from her social media and her emails what art they were buying, what it was worth. And they started billing the hedge fund. The hedge fund paid out about $450,000 before they figured out what was happening. And that’s where we came into the story, right. And then they brought us in, and they brought me in, and we reverse engineered it and figured out what had happened. So, you know, some of the lessons here: it’s not always a big bank where they’re trying to steal money. There are other ways to monetize. No, this is a direct cash operation. This is, you know, fraudulent wire transfers and fake invoicing. It also shows you the blend of understanding, you know, your personal and your professional, the crossovers and where some of these risks come from, right?

(13:10):

Like it wasn’t just the managing partner who, from a security perspective, would likely be locked down, right. You know, proper passwords and multifactor authentication and all that goodness, you know, purchasing a pantry on their device and on their systems at work. But the actual risk and the vulnerability came through a family member. And we’ve seen other times like this, sort of kids play on a computer as an example, and in doing so it downloads whatever malware that then later on detonates when they take that laptop, or whatever that device is, and they go back into their work environment. So it’s trying to help them understand what the targeting, the risks look like, but also how kind of well-engineered these things are, right. That they know how to go after you, they build elaborate schemes.

(13:55):

I really want people to understand that it’s not Skynet that delivers Terminators and they go off and they lock one laptop. They’re a lot more clever than this. There’s a bad guy, there’s another human at the other end of this equation who is actually consciously maneuvering, is deploying malware, is moving around your network, is looking for the best opportunities through which they can generate their revenue, robbing you effectively, stealing information to resell, and understanding that. So you understand it’s a complex thing. It’s not, some people buy a box, and like I said, you plug in a firewall and you think you’re safe. That’s locking your windows and your doors, but we know people’s houses still get broken into.

(14:39):

So Mark, you know, listening to your story about the breaking into her Wi-Fi, it seems to me the key takeaway from that story that might be generally applicable is, for the hedge fund, the security perimeter is now the hedge fund’s wife’s cell phone, and that asset isn’t owned by the company, but it has significant consequences if there’s a breach of that non-company asset that directly impacts the company. Can you talk a little bit about that?

(15:12):

Yeah, so that’s absolutely, I think, the biggest problem that we have right now, in particular with a mass drive to remote workers, is that most companies, and this is another issue, you know, have sort of predicated their security programs on the notion of a physical perimeter, right. This, you know, like take your traditional bank, you know, where you’ve got bricks and mortar. You’ve got doors that are locked and security guards and a vault, and you have a passcode for that vault, and it only opens up so many hours and all that kind of thing. Right. And it’s all this notion of keeping people out. And what they don’t understand is that there isn’t a perimeter anymore, right. That has dissolved, or there’s an infinite number of perimeters. I think you get to the same place.

(15:53):

It’s just a different, you know, a different approach. That’s the risk now. So we are blending more and more personal and professional technologies and roles and responsibilities. So for example, in this case, you’re right, you had the managing partner’s spouse and their phone. Now with the remote workforce that we see, you have home routers as an example, right, that have been provided by your ISP, that have default settings on them. And most people don’t know what they need to do to secure those, right. Like putting a password on their Wi-Fi and encrypting the Wi-Fi and changing the username and password for the administrative account on it so that other people can’t go in and make modifications to it. They don’t know that stuff. And nor, to some degree, you know, I would say, should they. But now we have to get to this point where we are starting to downdraft some of that expertise, and we have to do that.

(16:43):

Right. So companies have to reframe, A, the way they protect those mobile devices, and there’s technology that helps with that. But then B, it’s also expanding the way that they manage awareness training, to not just go from like, look, don’t click on a link when you see something suspicious, to, you know, is your router at home configured? When you use your device, you know, what are you doing? Like, how do we secure, you know, your personal device that has access to corporate assets? And that’s become the normal, sort of, the joke we used to have in the industry, they called it BYOD, or bring your own device, which was very, of course, alluring to companies, because they weren’t buying all these phones. People were supplying them anyway. The downside of course is now you have that blurring of, well, what’s corporate, what’s personal, and what rights does the corporation have when it comes to, you know, manipulating that device. And now we go to bring your own home, BYOH, where it gets even more blurred. You know, like, I can’t imagine what would happen in a case where, let’s say for example, you need to secure forensics information after a breach and it’s on somebody’s home computer, or it’s on somebody’s, you know, there’s a script

(17:50):

on the router, right. Are they necessarily going to say, yeah, no problem, I’m going to hand that over to you? Or are they going to refuse to effectively provide that support because it’s an invasion of their privacy? And I don’t use that term legally, you guys would know better than I.

(18:04):

Yeah. I think that’ll make sense. You know, it’s interesting because in my world I’m really making sure that companies are aware of the different privacy laws, and in those there are implications if you have a data breach and an issue within them. But at the same time, some people are kind of, right, well, I’ll just deal with the law when I need to. Right. When I’m required. So I’m curious to hear from you, where’s the pivoting point for some of these companies to realize, especially in this environment, now I have this BYOH, bring your own home, and I have that scenario, and it’s not only BYOH and such a trend to more remote work. Where’s the pivoting point that you’re starting to see companies realize, okay, this scenario that you’ve just described, that could happen to me?

(19:00):

Yeah. Unfortunately, in many of the cases, I’d say at least more than half of them, probably pushing towards, you know, two thirds of them, is they have an event. Right. And that doesn’t always mean it’s a significant breach. It may be a material incident, and/or it’s a close enough brush, right, with that badness that that’s the wake-up call. So unfortunately, all too often, and I use this comparison in the book where I talk about, you know, they have to touch the stove to figure out that it’s hot, and they get burned before they learn. Or the other, where I do see a pivoting now, and I think this is becoming more of the norm, is that you have pressure through your relationships and your supply chains.

(19:44):

Like when I talk about what assets you have and what obligations come along with those, we are seeing that organizations that are part of some kind of chain of production or services are sort of pulled along by the bigger parties in that group. Simple example: many law firms went through significant due diligence work when it came to contract renewals with major banks and financial institutions, because of course they’re heavily regulated. And, you know, as those regulations change, like in New York with the Department of Financial Services a couple of years ago, you know, they went through that downdrafting, right? So suddenly those, you know, questions that were being asked by the regulator were literally getting thrown in an Excel spreadsheet and emailed out to the firms saying, yeah, yeah, we, you know, we want to retain your services, but, you know, you have to answer all this stuff. And certainly over the last five or six years, I’ve seen a mass change where, you know, I think at first it was completely new and they didn’t know what the heck to do, to then it became, okay, we’re being overwhelmed by this stuff. And now they’re at a point where they, you

(20:48):

know, they’ve got ways of managing those kinds of DDQ type requests. But that’s the other big piece, but a lot of companies haven’t figured it out. And I think the other thing that happens is we have these times where things shift significantly. I’ve talked about, if we use New York, right, 9/11, back in 2001, and that really shifted the mindset around security and/or business continuity and operations. But the focus was on the, you know, the primary facility, right. What happens if the building, you know, is not available, right? Or the networks and the systems within it. Let’s hope it’s not a terrorist attack, but, you know, it could be a flood or it could be a power failure.

(21:29):

So they put everything on the other side of the river, right, in Hoboken, New Jersey, and they had all their backups there. And then, you know, a little over a decade later, Hurricane Sandy in 2012 rolls up the coast, floods out Manhattan, floods out New Jersey, and it turns out that wasn’t good enough, right? Geographically, it wasn’t far enough apart. And even the ABA came out in their cybersecurity framework and said, you know, this is a new test, that Hurricane Sandy will become the new standard for business continuity. So are you geographically separate enough? Have you thought about having hot swapping and failovers and so on, so you don’t lose these systems? I think COVID, you know, is the same thing now, right? We’re seeing another one of these factors in 2020 where it’s made us rethink the way we look at security.

(22:11):

Now I think we live in a virtual world, right. We have, you know, assets in the cloud, we have distributed workforces, and we have distributed controls and models and mechanisms. So you don’t have to be in a building, you don’t have to be on a factory floor in a lot of these cases. So this is another one of those moments where we have to rethink security and realign to that mode. I think the other place I’ve actually seen this just recently, talking about this, is insurance, where, you know, it’s making sure that, you know, what is part of your network, what is protected under that insurance clause? Do some of these personal devices fall outside of that? So if, you know, something happens with those devices, are you covered, right? Or if that’s the cause, maybe that, you know, negates that coverage.

(22:59):

Yeah. I know Justin’s so excited and has lots of questions, but I have a follow-up, so I’m going to jump in. I’m so glad that you brought up the supply chain, because I see that all the time from a privacy standpoint. I often get people calling and realizing that they have to take their privacy program or security program up a level, or even pay attention, especially on the privacy side, because they’ve gotten a contract that says, I won’t do business with you until you get this in order, until you can show me you’re complying with GDPR, or until you can agree to these security terms. And so all these will come across my desk and someone’s going to say, can I agree to this? Or, I need your help. We have this big deal and I can’t until we’re able to say, yes, we’ve checked the box on those things. So I’m so glad to hear that you’re seeing something really similar.

(23:55):

Yeah. Supply chain, I think, is actually one of the biggest areas of risk now. Conversely, on the other side, it is one of the biggest drivers of improved standards. Certainly in manufacturing right now, that’s a massive area. I’d almost call it a panic, where they have what they’re calling the fourth industrial revolution, effectively, which is the fully internet-connected devices for remote management. You know, somebody sitting in an office in Houston is, you know, remotely controlling manufacturing processes out on an oil rig sitting out in the Gulf of Mexico, as an example. Right. That’s really shifted, and yeah, supply chain. I think the privacy laws also really drove a focus on supply chain.

(24:46):

And GDPR is a great example, right? Where you have that notion of controller and processor, or whatever, right, where you really have to understand what that looks like and where you fit and why are you doing this? And it all really comes back to, you know, I think with companies, it’s often, a lot of the times with supply chain, I think it’s a want, not a need. So, you know, getting that consensus in the organization, understanding why you’re doing it in the first place. So putting those gates in, like, what’s the business case, right? Why is it we want to outsource this? Not to say we shouldn’t, but, you know, if this is the best means, let’s make sure we looked at our options. Now that we’ve done that, how do we assess risk? So, you know, that would be conducting due diligence, looking at where you think the gaps or the vulnerabilities are.

(25:27):

And then again, putting something in place, right. Establishing minimum security standards, as an example, throughout that supply chain. And then of course, in the event that something occurs, having clearly defined things like roles and responsibilities and then also notifications. So I a lot of times say, like, make yourself a mini GDPR, you know, like, could you ask for 72 hours’ notice, or, you know, specifically define the things you want to know about? You don’t want to hear about some of the nuisance stuff, but you might want to know about some of the more specific things. Right. You know, I sort of joke, right, if your spidey senses started tingling, then I want to know about it, until we normalize and figure out what needs to be reported and what’s noise and what’s signal. So I think some of the privacy laws in the last couple of years, actually, what was it, 2018, I guess, with GDPR, has really, I think, opened the eyes of a lot of companies. But even then I found for a while a lot of companies didn’t think that it applied, right, until they realized, you know, based on their constituency, that it just, yeah. Yeah.

(26:30):

So, so wait a minute here, team, I’m going to pile on with this topic, but I want to put it in a different context. So both of you were just talking about how third-party supply chain can play a significant role for companies having to care more about security and obviously privacy. So let’s take that into the context of an M and A deal. And what I typically see in the context of M and a deal is they’re trying to do due diligence on the seller. And now you’re saying, wait a second, I’m going to go and have to do due diligence on the top 10 suppliers of that stuff, because obviously that’s a big vector of vulnerability as we’ve just discussed. But then how do you tell the financial people who are in charge of the deal that, Oh, wait a second, guys, I may have to disrupt your cadence on the deal because we need to do this additional.

(27:21):

I think you’ve, you’re highlighting a major problem. Right. Which is, which is exactly that, that they don’t. That’s, I think one of the biggest issues we do see in supply chain is that the business side often drives the, the need and the relationship, the fulfillment, and then IT security kind of gets chucked in after the fact it’s like, Oh yeah, you know, we signed with these, this company, they’re going to supply whatever it is. And you know, that’s fantastic, but I know you guys have some checklists you need to, you know, go through and it, and it is very much an afterthought and in M and A you are absolutely right. I mean, let’s be realistic about this. They are not going to stop a billion dollar deal because they think there might be some security concerns. Right. They’re going to look at that and be like, Oh yeah, I figured, you know, and we’ll figure that out after the fact.

(28:04):

And that’s certainly an issue that, that I’ve personally witnessed where I did work with a food supply and their security, hygiene and posture was quite good. In fact, I’d say it was actually fairly advanced by many standards. That said most of the growth in the business came from acquisition. Their food supply. So they’re going out and buying automated farms and smaller, grower operations and so on. And their security is a two out of 10. Or a one out of 10, it’s almost oblivious, compared to the mother ship. And so then there’s that risk that, that introduces and that’s what we saw with them was that it was a look, you’re not stopping these deals because, you know, time is money and we’re here to make money and this, these people grow chickens or corn or whatever it is we need. That’s key to getting into a specific market or a geo. And so they do it. Then the consequences come on afterwards. So that’s where they were trying to look to us to say what can you do in a, I don’t even call it temporary fashion, but, you know, there’s a, almost like a quick triage, a quick support where you’re going to monitor the smaller companies until we get them back up to our standard. Right. And then we’ll kind of roll them in house because they saw that as a significant risk.

(29:24):

Because Mark, I’m going to relate this comment back to what you said earlier in your story about, from your book about the managing partner’s wife for the hedge fund. Yeah. So let’s say you’ve hacked her phone in the way that you’ve described, but instead you’re now able to get a window. What investments, the hedge fund, maybe you then go in shrewd that company. Can you talk a little bit about why most times it’s not like we go and intrude into a system and all of a sudden we’re going to engage in mayhem. We’re going to do what we’re going to stop and wait. So I was hoping you could elaborate a little bit on that, using that other example.

(29:59):

I can use a parallel one. So you’re right. When it comes to cyber attacks, we’re used to, I think that the, the, the, the big ones that we see now are the opposite operational disruption place. Right? That’s the, you know, we deploy ransomware throughout the organization. We, we shut you down. We asked for a whole lot of money to let you start up again. Right. And often those become public, but there are the sort of secondary kind of acts like what you’re referring to. So, you know, if we go back five, six years now, there were two major law firms on Wall Street that were hacked. And it was the same thing. They weren’t, they weren’t going for the basic, like, look, let’s get funds out of escrow accounts as an example, or, or managed accounts.

(30:39):

It was the theft of what we consider almost an innocuous kind of information, marketing reports, press releases. And the reason they were doing that is they were looking at those firms were involved in managing investment portfolios. And on the other side of the river, again, you had biotech firms. And so they were doing things like looking at FDA reports, and then there were front running trades. So in those cases, you know, you could think of you know, the example I, you know, from the pharma industry that I worked in, you know, would be that they have a new allergy pill that they’re coming out in in a, you know, delivery mechanism for children, right? So, you know, the, the normal drug or the parent drug has been approved for adult use, but now they’ve gone through whatever new testing for, you know, pediatric application.

(31:25):

And that’s great. Well, if you know that drug got approval from the FDA or passed whatever initial tests, their stock is going to go up on Monday, however, if that drug fails the test, their stock’s going to crash on Monday. So knowing that information you can you can effectively front run, right. Run those trades, it’s insider trading. And you’re absolutely right. You have access to non-public information that you have used to gain a profit on a public market, right? The SEC doesn’t like that kind of stuff. And they, they come after you. And the story of those two Wall Street law firms, they did charge three Chinese military officers with the crime, but, you know, good luck. Cause I doubt they’re showing up in lower Manhattan to be arraigned. Right. It shows that that’s a great example and you raise a good point, which is you yourself, as part of a supply chain may not actually be the intended target, but you either have access to information or you’re a back door into that target organization or whatever it might be. And yes, it’s not always an immediate smash and grab like a look I’ve sent you some fake invoices. Cause I see you have some clients with a bunch of money sitting in an account. It’s more of, the information I steal from you then later on gets used in a larger crime and it’s profitable. Like in that case, I think they figured that the bad guy has made, like, I think it was $9 million in one trade. Just, you know, not a bad day’s work.

(32:49):

No, very good. I’m laughing when you said target, because how did Target get hacked?

(32:54):

That’s right. Their HVAC vendor. Right. So their supply chain that’s right. And you know, and that one I mean, there’s even more issues in that one, because of course there was a, you know, a lot of talk about how it was actually flagged, right. That it was noticed because that one, and again, I, I’m not trying to point fingers here, but there would be forensics information. So for example, if you have telemetry going back and forth between your head office and the HVAC system, as an example, you can baseline the level of traffic you’re seeing. Right. So it kind of normalizes and you’re like, okay, it looks like this. When you start to see massive spikes, right. Where you’ve got huge pockets of data, like all the credit card information that’s being, exfiltrated those kinds of things are indicators of compromise, right? That’s where you start to go, wait a minute, what’s going on? And you need to check with that vendor to say, Hey, are you doing something different? You know, maybe you’re, I don’t know, uploading a whole bunch of, localized data that you need to pull. And you only do that on an annual basis or semi-annual basis. But finding out what’s going on because often those, those oddball behaviors are a good indicator that something nefarious is happening.

(33:56):

Great. Thanks, Jodi. You want to take us home? Yeah. So Mark, you’ve shared a lot of information that I think is incredibly valuable and if you need it to just, or if you could distill it down and share with us something that you do in your personal life, so share a privacy or security tip that you use every day in your life. It might be hard to pick. You probably have a lot in your book.

(34:18):

No, no, no. That’s, that’s a good question. So, you know, a big, a simple one, I think is things like password hygiene and not sharing passwords across various systems. Right. And, and I use different sort of sets of, of passwords depending on the, kind of the risk. Right. So I tend to try and avoid signing up for things in stores, you know, can I get your email so we can send you something? Cause that’s just the stuff that gets, you know, that gets stolen easily. And then they use that to phish you. But when it comes to things where credit cards are attached, so, you know, online retailer, you know Google Play or iCloud or things like that I use more sophisticated passwords and I also don’t share them. So I know my kids are atrocious at this, so I have a guest wifi, right.

(35:03):

And I have a, you know, common password for that, which doesn’t have anything to do with anything else. So, you know, their friends show up, they’re on the they’re on that wifi. I’m not giving them the core password because then that’s where I worry that they’re kind of in our, they get into our network. So it’s, you know, it’s basic things. Right. And and, and even that changed slightly recently. So, you know, we always used to say, change your password frequently now NIST, as an example, is recommending that you don’t do that, but that you come up with a longer chain that you can remember. That’s easy to remember like a line from a song or a movie or something because then there’s, you know, there’s less risk and you actually using that, that’s harder for it to, to to be brute force hacked than it is you constantly changing and running it down and, you know, leaving evidence and other ways that that can be captured or, you know, the classic is having the spreadsheet called passwords that then has all your passwords in it. And I know it’s like if you laugh, but it’s, it’s more common than you think.

(36:00):

Jodi is going to have a new password phrase. It’s called “I love the Steelers.” Hey, last question we wanted to ask you just on a personal note, you know, Mark, can you tell us about your favorite hobby besides writing really cool cybersecurity books?

(36:19):

I love, uh, hiking is a big one for me. So, you know, I guess with, with some of the travel restrictions that hasn’t been as fun and mostly I prefer a more hilly, desert kind of climbs. So, you know, going to Arizona and New Mexico and places like that, and going up and down rocks is, is my sort of free time being out there. I know they call it like tree bathing or something. We just to that idea, right? Like I just love getting out in the wild and standing up on a hill somewhere and, you know, feeling the dirt on your boots is a way of really transitioning from the day-to-day world that we live in.

(36:54):

Outdoor. What is your favorite thing?

(36:58):

They’re the best place to be? West is the best,

(37:03):

Best as best. Well, Mark, thank you so much for joining us, tell everyone how they can grab a copy of the book and how they can contact you with any questions.

(37:11):

Yeah, absolutely. So a book, No Safe Harbor. It actually drops October 22nd. So just, just over a week away today, which is fantastic. You can pre-order it now on all of your popular resellers, like Amazon and Barnes and Noble and so on, and if you’d like more information or you have any questions go to MB as in Bob Sangster, it’s not for Bob, but a MBsangster.com and I have contact information there and more on the book and you can even get some I think there’s a, there’s some sneak peek and preview kind of information there.

(37:43):

Excellent. Well, thank you so much. Just anything else you want to add?

(37:47):

Nope. It’s been a great session and as always great to have you in the house, Mark.

(37:51):

Yeah, thanks again. Yeah I love collaborating and it’s always great way, a great way to sort of look at the different aspects of cybersecurity and privacy and so on. So again, thanks for having me on today. Absolutely. Thank you.