
Intro  0:01  

Welcome to the She Said Privacy/He Said Security podcast. Like any good marriage, we will debate, evaluate and sometimes quarrel about how privacy and security impact business in the 21st century.

 

Jodi Daniels  0:21  

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and Certified Information Privacy Professional, and I provide practical privacy advice to overwhelmed companies.

 

Justin Daniels  0:37  

Hello, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback, helping clients design and implement cyber plans as well as helping them manage and recover from data breaches. And this episode

 

Jodi Daniels  0:55  

is brought to you by a weak drumbeat there, buddy. Well, you

 

Justin Daniels  1:01  

took away my you took away my water. My water jugs

 

Jodi Daniels  1:07  

is brought to you by Red Clover Advisors. We help companies with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, e-commerce, media agencies, and professional and financial services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, visit redcloveradvisors.com. I’m so excited to welcome to our show today Victoria Beckman. Victoria, it is so nice to see you today.

 

Victoria Beckman  1:44  

Very nice seeing you today. Absolutely.

 

Jodi Daniels  1:48  

So Victoria leads the Americas Digital Crimes Unit at Microsoft, which is responsible for implementing strategies to disrupt cybercrime and advancing policy and legislation throughout the region. Prior to practicing law, Victoria was an industrial engineer in the technology and automotive sectors and a competitive figure skater for her native country, Colombia. I love that. I wish we could see some of the actual figure skating today. Not today, no. Super fascinating. I love, love, love, love figure skating, except I can’t even put on a skate. That’s like the end of my capabilities right there. Well, it’s so lovely to meet you. And for anyone who has not met Victoria before, you must follow her on LinkedIn. She produces some of the most amazing content, which is how we met, because your insights and the way you summarize what’s happening in the privacy and security industry are very, very, very helpful. So we’re delighted to have you here today to talk more about the world of cybercrime, which is very busy these days.

 

Victoria Beckman  2:58  

Yes, well, thank you. It is indeed very busy, which gives me a little bit of job security, I guess. But it’s not good for everyone else.

 

Jodi Daniels  3:08  

No, no. So talk to us a little bit about how you got to dealing with cybercrime in today’s era.

 

Victoria Beckman  3:18  

Oh, it has been kind of luck, to be honest with you. Most of the things in my career haven’t been planned, or something where I had this goal of working in this or the other. Most of it has been that I kind of had to reinvent myself when I moved to a different country. You know, when I moved to the US from Colombia, then I had to move states, from Arizona to Ohio, then Ohio to Florida. And so it’s been the result of mostly just, what do I do now that I live here? Um, but in a nutshell, I was an engineer. And then because of immigration requirements, having to go back to school to maintain my visa, and out of a bet really, I ended up going to law school. I came here almost 20 years ago, on September 11, 2001, and I didn’t speak any English. And when I decided to go back to school, one of my friends kind of made a bet and said, Oh, you should take the LSAT, it has a lot of reading comprehension, and you will know if you’re actually fluent in English and if you can take on standardized tests in English. And that’s how the idea came about. No one in my family is an attorney. I never even kind of cared about what attorneys do, and that’s how I ended up in law school, basically. And then because of my background, my heart was really in being a public defender, but because of my background, they gave me issues related to intellectual property at first, and then a case related to a hacker. And I didn’t know anything, I didn’t really understand anything with that first case, but I did like the subject area and I said, Well, this is what I’m gonna do, and I’m going to work for that firm, then I like this. And then I started to do kind of, you know, work and learn about it. Now, Microsoft. Landing at Microsoft was also kind of luck. I have a Colombian friend who is an attorney at Microsoft in Redmond.
And she originally contacted me and said, Oh, they have a role that has been vacant for months, because they’re looking for a very specific profile, someone who is bilingual in English and Spanish and licensed in the US and all kinds of things. But it is in Florida. And one thing, No, I’m not interested, I wasn’t planning to move. Um, and then after conversation after conversation, somehow they convinced me. My family all lives in Colombia, so there was a lot of push from that side, too, because it’s closer and easier and cheaper to come visit in Florida than in Ohio. And ultimately, I accepted the job, and I’ve been there for about six months.

 

Jodi Daniels  6:31  

Well, congratulations on the new job. And welcome to Florida, from someone who used to live right where you are. It’s a good place. I think you’ll enjoy Florida, especially in the wintertime.

 

Victoria Beckman  6:42  

Yes.

 

Justin Daniels  6:44  

Just don’t drive from Atlanta to Florida.

 

Jodi Daniels  6:47  

No, don’t, don’t do that.

 

Victoria Beckman  6:49  

Now, there are a lot of things that I’m learning here. But I like it so far.

 

Justin Daniels  6:55  

So why don’t we kick off and talk a little bit about the number one tip that we get on our podcast, which is what is the best security tip and everyone inevitably says MFA and we’d love to start from your perspective as to, in your opinion, why is MFA so critical to protecting against cybercrime?

 

Victoria Beckman  7:16  

Well, authentication in general, I think, is very important because it enables organizations to keep their networks and their assets secure by allowing only authenticated users or processes to have access to the resources they’re trying to protect. But obviously, multi-factor authentication is safer and better than two-factor authentication. This kind of multiple layers of security ensures that the users are who they’re claiming to be. I think also a little bit of the beauty of MFA is that it is not very complicated to implement, and it could add a level of security remotely. And now with the pandemic, you can manage that. It is also because there’s been a rise in stealing passwords, you know, with phishing and all these kinds of brute force attacks. And so having this multi-factor authentication reduces the risk and reduces the consequences of any of those things. From a legal standpoint, it also sometimes helps you meet legal requirements. There are some, like, companies that don’t have to deal with the PCI DSS standards. It is required by some laws that have been enacted lately that provide Safe Harbor defenses to negligence cases if you implement a cybersecurity strategy or an information security program. They basically say you have to follow these types of things, including multi-factor authentication. So it’s just great, and why not?

 

Jodi Daniels  9:07  

What are some of the mistakes that you see companies make when they’re deploying security tools, right? And you’ve just talked about MFA, how that one’s fairly simple to use. There are also other ones that are a little bit more complex. We’d love to hear what you see from different companies.

 

Victoria Beckman  9:24  

Well, we have to consider that I’m an attorney, I’m not necessarily an expert on the technical aspect of things. So there may be a lot of technical mistakes, but kind of from a global perspective, I think one of the mistakes is companies following fads or kind of having this knee-jerk reaction to regulation or to an attack. So for example, when, I don’t know, two years ago, when companies had to implement the California Consumer Privacy Act, you saw companies saying, Oh, we have to implement this, or we have to buy this software, when they didn’t even know if the law applied to them, and what they had to do, and whether or not they actually needed some tool or some software. So it’s just because everybody was talking about it. So that’s kind of one thing, which results in this kind of decentralized policy management that I don’t think is ever a good idea. You have to have an information security and privacy policy that is unified, that everybody understands, and that is not this kind of silos working separately. I also think another mistake maybe is that companies tend to concentrate a lot on detection of threats, and not too much on prevention of threats, and kind of doing their homework and investing in preventing things, not just reacting to something, which is kind of similar to what I said. But it is also, you know, there’s a lot that can be reduced in terms of time and resources in doing all this threat hunting, if you prevent with a stronger system ahead of time. I also see that sometimes there is no pre-implementation testing. So some organizations just buy software or buy tools without even testing if that is the result they need, or if it is going to fit their organization and their internal policies. And kind of again, in keeping with the trend, is not keeping these systems or these tools updated.
I think we have seen that a lot of the attacks, and the latest attacks, have been the result of not patching, not having updated, even backups. And so the companies tend to go, okay, I installed this, I have this, great, and we don’t even look back at what’s going on, or whether we have to update it, or whether this is something that we still need.

 

Jodi Daniels  12:21  

Well, thank you for sharing, I think it’s really important for companies to understand what some of those big risks are. And we appreciate you highlighting some of those big ones.

 

Justin Daniels  12:32  

So, going to another fun topic: we often hear on this show, hey, it’s in the cloud, so it’s safe, and there’s nothing more we need to do, check that box. And as you know, we have a lot of data moving to the cloud; that is one of the larger trends we’re having in business. So I’d love to hear your perspective on why that comment might not be right.

 

Victoria Beckman  12:59  

Well, first, not only because of where I work, but in general, I’m a firm believer in the cloud, just because of the principle of letting the experts be experts at what they do. So if you’re a company that, I don’t know, manufactures shoes, but you have to have, you know, a system that is secure, then there are companies that are spending time and money in making sure that the cloud is safe. And so then you kind of take away a little bit of the headache by letting the experts do all their security. But in terms of the considerations that companies have to have, one is that it is not one-size-fits-all. Obviously, there are different models of migrating and different ways to do it based on priorities and costs. You could also have a hybrid model. Um, again, from the legal perspective, which is kind of what I’m always worried about, I think there are some considerations. For example, the software that you have may require some kind of additional licensing to go into the cloud; you have to review that. You also have to review contractual relations that you have with vendors and with clients, because sometimes some of the contracts have, you know, specific requirements as to whether or not the information can be stored in the cloud or where servers can be located. So you have to ensure that you’re complying with all those contractual requirements. Um, I also think that adopting the cloud or migrating to the cloud is kind of a change for the organization, a cultural change and an environmental change in a way. So you have to make sure that you have the capabilities, not only the resources you need, that you train your employees, and that everybody kind of knows that it is not just, Oh, it’s in the cloud, we’re fine. There is a lot of training and understanding what’s going on, and how the cloud works in your system, and how even though it’s in the cloud, you still have to follow the protocols and whatever else you need to follow.
Um, so yeah, I think that would be the main would be some

 

Jodi Daniels  15:30

of those key players that companies should think about. To have that conversation, you mentioned, you know, the contracts. So to me, that’s legal. Then we think about training of employees. Someone in IT, there might be one person who’s responsible for implementing it, but that could be different from the person who’s responsible for securing it. Maybe in your experience, if you can share, who are some of the key people who are a part of that conversation in protecting the data that’s getting moved to the cloud?

 

Victoria Beckman  16:00

Well, I think my personal view of who I think should be involved is different from what happens in real life, in the sense that, obviously, you see a lot of, like, the IT department or the more technical people involved in this, when, in reality, I think it should involve everyone, just at different levels and with different ways to disseminate information. So there has to be buy-in from the executive and the MSD level, into, you know, believing that cybersecurity is important, why you have to have it, why you may want to migrate to the cloud, what systems you want to have in the cloud. So all that, at the end of the day, is also a business decision. So you have to evaluate the risk, just like you would have to evaluate for anything, for buying a new building. So you have to involve the CFO, the CEO, even from that kind of logistics and operational standpoint. But anyone else in your organization is equally important, because at the end of the day, what you have is your employees, people handling and having access to the systems. So we see a lot of the attacks as a result of human error. And so you have to train employees to, again, not have this concept of, well, our IT department has this in the cloud, we’re all good, and then, you know, they don’t realize that they could be opening the door to a cyber attack, or that they should be having some considerations on the steps they have to follow in securing the information, in transferring the information. So in my opinion, everyone should be involved. And then you just kind of address the message differently depending on the role.

 

Justin Daniels  17:59

Well, you talked about part of the challenge being the human errors that we make, but kind of looking over the horizon, from my perspective, I think the next type of threat from cybercriminals is they’re going to go after the integrity of data, where they’re going to manipulate it and say, Hey, Airbus, are you sure that your avionics work the way that they should? And do you want to fly that commercial flight? From your perspective, looking over the horizon, what do you see as possibly the next set of threats from cyber criminals that we’re going to have to grapple with?

 

Victoria Beckman  18:35  

I feel like we’re always in price or price tags. But I will think, based at least on what we see and kind of the trends that we’re seeing, obviously nation-sponsored attacks are a big risk and are increasing. There are some players that are kind of well known, and I think there may be an increase when other players kind of join in this circle of attackers. I also think, as we have seen, that the increasing supply chain and managed service provider attacks will increase, just because it is more effective, you know. If you’re attacking the supply chain, then you’re having all this kind of wave of attacks that happen and wave of consequences, and therefore more victims that you can probably get money from. So I think that that’s going to be a trend. We also have seen an increasing amount of attacks on critical infrastructure. And we’ve seen the phenomenon, I guess, of firmware, which is the attack, unlike ransomware, which is kind of an attack that attacks the operating system. This firmware is kind of like for high-functioning electronics or Internet of Things and is attached to kind of the base of the operating system. I think they’re more complicated to do from the attacker’s perspective; you have to have very specific skills. But if you actually get there and you attack, then the consequences could be worse. And that also means that they could attack a little bit less sophisticated systems that run water treatment plants or an oil or gas pipeline, as we have seen. And then I also think that ransomware is here to stay, and that the demand for payments is increasing. And based on the studies that we do, the amount requested is constantly increasing, it’s more sophisticated, and they’re also changing. We’ve seen some wiper malware where it’s not just encrypting, but they wipe your entire system, just for the fun of doing it, I guess. So definitely, an increase in the sophistication of the attacks.

 

Justin Daniels  21:06  

And to ask you a follow-up, if you might want to share your opinion. So in my cyber circles, one of the big debates that’s been raging is whether or not ransomware payments should simply be outlawed and made illegal, and I just wanted to know if you had any thoughts or what you think of that debate.

 

Victoria Beckman  21:25  

I haven’t really thought about it, but just at first glance, I don’t think it is necessarily a good idea, just because we’re not prepared. There are a lot of companies that have to pay the ransomware because it’s the only way to recover their systems. And I mean, if we talk about, for example, municipalities that don’t have a lot of resources or procurement agencies, and, um, they can pay the ransomware, or like, what was the pipeline’s name, Colonial,

 

Jodi Daniels  22:02  

here in our backyard?

 

Victoria Beckman  22:05  

So we later learned that, you know, they had paid and maybe they shouldn’t have, and all the debate, but there are companies like that, that are essential, and that is the only way they have. So I think before outlawing ransomware payments, maybe we need to do more work in improving the infrastructure, improving the training, improving the response that companies have to these incidents, so that they actually, you know, can rebuild their systems or can function and respond to those kinds of attacks without having to be

 

Jodi Daniels  22:44  

On the theme of training, which has been something that we’ve talked about a couple times here, what are some of the best practices that you see for how to get a company’s employees to really understand and absorb the training? We see sometimes they’ll do, here’s the once a year, I’ve checked the box so they can show that they did some training. There are others who have monthly communications, role-based training, a top-down approach. Would love to hear, you know, from your career experience and working with different companies, what do you find is successful?

 

Victoria Beckman  23:21  

Well, I think, a little bit like I said before, I think the key to success in any kind of training is that the company truly believes and knows the importance of cybersecurity, and there is buy-in from the executive level and all the way from the top down. Because otherwise it will be that exercise of, check here, and we’re done. But I also think that it’s important for people, for all of us, being on that day-to-day basis, to understand and make it relevant to their jobs. So, I don’t know, if I’m working in a manufacturing plant, for example, and my job is to do something very repetitive, I may think, like, what do I have to do with that? So the training has to be relevant to their particular function, and maybe, I like to use a lot of real-life examples that we all understand. So I talk a lot about, for example, the Target breach, because a lot of us go to Target, or spend a lot of time and money at Target. You know, talk about Equifax in the sense of your credit report and when you need it, when you’re going to buy a house or a car or things like that. So I feel like if it’s something more, kind of, your common day-to-day activities, you will understand and you will care more. Yeah, you know, if they attack your bank, and suddenly you take... So it’s a little bit of kind of like storytelling, making it fun, just kind of like when you teach kids, you have to make something, do songs. I guess I’d have to create a song about cybersecurity. But something, you know, that makes it fun for people to learn.

 

Jodi Daniels  25:17  

And very business, we’re going to create a song for cybersecurity.

 

Victoria Beckman  25:21  

I shouldn’t be singing anything either. So feel free.

 

Jodi Daniels  25:25  

But I can’t agree with you more. I was just talking with a company yesterday about the same idea. You need to tell stories, you need to find a way to connect it to the person, because how many people are going to want their paycheck taken from their bank account? Not very many. If you teach them how to secure that, they’ll get used to it and begin to apply that over here. The same with kids; we’ve had a couple episodes very focused on kids’ safety. Same idea, if you’re able to connect with parents and help them understand the dangers, they again might be able to connect it more to the workplace. Thank you for sharing, really.

 

Victoria Beckman  25:58  

I think social media is a good example. I can sit here and tell somebody, like, well, so you know, this is the strategy and this is the framework, and then no one is going to care. But if you talk about, you know, imagine if someone stole your password and got into your Instagram account and posted things on it, then they’re gonna care.

 

Jodi Daniels  26:20  

Yes, I can’t tell you how many people I know who have had their Instagram accounts taken over, and they don’t have multi-factor on it, and then their account is taken over. All kinds of interesting things happen from that.

 

Justin Daniels  26:35  

I’m thinking about how we can repurpose the Billy Joel song We Didn’t Start the Fire for cybersecurity. I think it can be done. I’m going to figure it out.

 

Jodi Daniels  26:44  

Conference, here we come.

 

Victoria Beckman  26:46  

I can’t wait for the release of this security privacy album.

 

Justin Daniels  26:52  

Thank you. Either you two can do a duet, but I’m thinking I’m gonna figure out how to repurpose that song, like, MFA blown up? I don’t know.

 

Victoria Beckman  27:00  

You guys can change the ID I’m wrong.

 

Justin Daniels  27:03  

There you go. Like it. All right, well, anyway, as we ask all of our guests, what is your best cyber tip?

 

Victoria Beckman  27:16  

That’s a difficult one. I think, I think for users, for people like you and I, it is to remember that your phone and your mobile devices are very powerful machines and have very important and sensitive information. I think because we use them for everything, we sometimes forget, you know, what we do in terms of security, where we leave our phones, what information we save and how we save it. So that’s my advice for family and friends. I love it. And for companies, I will always say that prevention is better than reaction. I often, you know, when I worked at the firm, I often heard people, you know, CFOs, saying, but this is so expensive, we’re not going to pay this much to implement this, we’re not going to pay for the software. And then you tell them, well, but you’re gonna have to pay this much when you have an attack, and not only that, but you may have reputational consequences, you may have to deal with enforcers, with the law. So it’s better to spend the money now and do it right from the beginning than have the headaches later.

 

Jodi Daniels  28:31  

Excellent advice. Now, when you’re not talking about privacy and security all day long, what do you like to do for fun?

 

Victoria Beckman  28:41  

A lot of things, actually. Pre-pandemic, I liked to travel a lot, and I like to just see, you know, new languages, new... I have lived in different countries and I always loved that. I actually, and this is even before this, I actually love podcasts because I have always been a radio person more than a TV person. My dad always listened to the radio and I grew up just used to listening to the radio my whole life. So before, actually, my commute and listening to the radio was kind of my me time, and I remember, you have coffee, and I love that. After my days of being a figure skater, I like to exercise, but I don’t like going to a gym. I just can’t. So I tried to do, I do rock climbing, and I have tried, I don’t know, I have tried like CrossFit and stuff, I have tried all kinds of things just to keep myself entertained. Um, all kinds of things. I’m one of those people also that just will try anything. So anything that people say, oh, have you tried...

 

Jodi Daniels  30:00  

All right. Well, in your new home, in your new city, stand-up paddleboarding is pretty popular. If you haven’t tried that, there’s a variety of places nearby to be able to do that. My co-host over here is a huge stand-up paddleboarder.

 

Victoria Beckman  30:14  

Awesome, I’ll definitely have to try that.

 

Jodi Daniels  30:16  

Absolutely. Well, thank you again for sharing so much of your insights with us. How can people connect with you to continue to learn?

 

Victoria Beckman  30:26  

Well, um, the only social media I have is LinkedIn, because of my paranoia, so no Instagram or Twitter or Facebook or any of that. But definitely LinkedIn. Definitely, they can always send me a message. I have met tons of people, including you, Jodi, through LinkedIn, and I get the message, oh, I, you know, I’d like to hear what you do, or something like that. And that’s probably the best way. That sounds perfect. Well, again, thank

 

Jodi Daniels  30:56  

you so much for joining.

 

Victoria Beckman  30:58  

Thank you. Thanks for the invitation.

 

Outro 31:03  

Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.