Lessons - The Cybersecurity Expert The Wall Street Journal Calls After Every Major Breach | Mark Sangster - Author of No Safe Harbor

➡️ Like The Podcast? Leave A Rating: https://ratethispodcast.com/successstory
In this "Lessons" episode, Mark Sangster, cybersecurity expert and author of *No Safe Harbor*, shares the essential habits that help individuals and organizations prevent costly cyberattacks before they happen. He explains why strong cybersecurity starts with simple practices like password hygiene, multi-factor authentication, and secure home networks, before breaking down how ransomware attacks unfold and why preparation is far more effective than reaction. Mark also discusses the role of law enforcement, insurance providers, and crisis planning during a breach, while offering practical strategies to strengthen digital security, minimize risk, and respond confidently when incidents occur.
➡️ Show Links
https://successstorypodcast.com
YouTube: https://youtu.be/5tsrypjHUMw
Apple: https://podcasts.apple.com/us/podcast/mark-sangster-cybersecurity-author-and-expert-the/id1484783544
Spotify: https://open.spotify.com/episode/5yomF5180tj7hRiIrcUArW
➡️ Watch the Podcast on YouTube
In this lessons episode, discover the essential cybersecurity habits that prevent costly attacks before they happen. Understand how ransomware incidents unfold and why preparation matters more than reaction. Explore the role of law enforcement and crisis planning during a breach. And uncover practical ways to strengthen personal and organizational digital security.

Are there protections, because we mentioned the people problem, quote unquote? What are the other protections that somebody could put in place to protect against something like this? So there's lots of different security tools and technologies, but there are some basic things that I always say to companies. Brush your teeth and floss. Right. Do the hygiene part of this. So things like proper password security, use two-factor or multi-factor authentication. And those things are even offered, right, on your consumer side, like Apple iTunes, Google Play, Amazon. All these services will offer, you know, they might call it OTP, but that, you know, it's where you log in and it'll send you a code to your phone and you have to enter that as well. Those secondary controls slow these bad guys down. Using encryption, so having a VPN. I think now with COVID, we all know what a VPN is if we didn't before. Just some of the basic hygiene effectively narrows the entry points. And what it does mean now is it's a bit like, you know, channeling them through that canyon. I know where they have to come out. And I know when they pop out, yes, there's lots more things they're going to do. But those are where I can now put my spotlights or put my sentries, and I can wait for them to emerge from that point. And it makes it easier to detect them. So, you know, for many companies, doing the basics is critical, right? And that's going to eliminate what I call the background radiation of the internet. It's also going to eliminate the kind of the moderate threats.
And then we get into the high-level threats. That's a different story, right? That is where you're going to absolutely have a Noah's Ark, two of everything, kind of security program to be able to protect yourself. And one point, as I was going through the book, one, I guess, topic is a gray zone or a gray actor. I don't know what that means. So what is that? Yeah. So the gray actors is kind of back to a little bit of what I talked about, destabilization, right? So gray actors are countries that we haven't declared war with. China, Russia. Partially, you know, possibly Ukraine, Iran, Iraq, Syria, all these kinds of countries where we're not at war. So there's not a kind of, let's call it a global entitlement to fly rockets over airplanes and bomb them. They're not doing the same to us, but effectively they do seek the same kind of outcome. Right. They want to destabilize our economy. They are sowing mistrust. Like everything that's going on right now just plays into their hands. Right. Like, look at COVID. Do I wear a mask? Do I not? Should I get vaccinated? Should I not? And I'm not trying to advocate for one side or the other. But what I am saying is probably 20 years ago, we would have just done what we were told. And now we won't. Right. So you've got that going on. You've got a distrust of government agencies, of science, and all that kind of stuff plays into their hands because they're aligned and we're no longer, right. We don't even want to trust the message or the messenger. And then you've got the economic side of it, which is, can I take down that big major bank? No, but you know what I can do? I can cause a lot of problems. Like your example earlier, I can hit a meat processing business. And what do I know that's going to do? That's going to spike the price of chicken.
And that's going to be one more point of evidence to show that law enforcement is incapable of protecting its constituents or the government can't stop a foreign entity from extorting control over our economy. And, you know, it's just that sort of cycle. And like I said, it's everything south of, you know, physical war, right, of sending tanks and airplanes and ships. But we're pretty darn close. So what happens, and I guess this is hindsight being 20/20, I probably should have asked this question at the beginning of the podcast, but I still think it's a good one to break down. So what happens when a company is a victim of a ransomware attack? What are the steps that actually take place that they would be experiencing, or their employees would be experiencing, excuse me, or even what happens when law enforcement gets involved? Do they want to get law enforcement involved? Will that have an impact on the outcome of them being able to pay off the ransomware attack, or maybe give law enforcement potentially access to more information that they originally didn't want to even open up? So a lot of variables there. There are a lot of variables. So if a company is in a position where they feel that they have to pay a ransom, right? So they've been, you know, absolutely shut down. And what we see is really good multi-pronged tactics to extort that, right? So things like they may not shut down everything, but then they say, you know, pay me now. And when the company says, we're not going to negotiate with you, they shut down something more critical. They'll often publish information as well to show that they've gotten in. They'll contact partners, they'll contact clients and say, by the way, hey, we broke into this company and we know they're a major supplier of yours. We've got access to your, you know, your secret intellectual property, your designs, all that kind of stuff, just to kind of put more pressure on them to pay.
When it comes to doing that, I would recommend that they engage law enforcement, because law enforcement is not there to criminalize the victim. They are there to determine attribution and to build a case for prosecution. But they also know what's going on in the world, right? So they see this stuff. So they may even have decryption keys, if they haven't been rotated by the bad guys and they're being lazy. They can help determine whether or not it's a legitimate threat. Like, okay, this is a major ransomware gang. You need to take this seriously. Engaging their insurer. So if they have coverage for this kind of thing, the insurers know how to negotiate, right? So the other piece of this to understand, too, is the criminals, before they detonate, they've probably done a lot of reconnaissance within the environment. And one of the things we see them going after is things like insurance documents. So they figure out what kind of coverage do you have. So let's say you have five million in coverage. They're going to come in and they're going to negotiate for ten. And they know that you can't pay ten, but they know they can walk you down to five, and you'll walk away thinking you got a bargain, per se. And they knew you were going to be capable of paying it. Right. So they understand those kinds of things. They've written the rules. They already understand it, and they haven't told you what the rules are. Right. So it's difficult for you to play. Law enforcement can help there. They can determine, like I said, they can determine attribution. They can share the forensics, which is critical, too, because otherwise we all suffer in silence. And that's one of the things I talk about in the book. Right. It's when these stories don't get shared, we don't have a way of vicariously learning. So it's like each one of us individually, unfortunately, learns the same hard lesson instead of us being able to observe what happens to others.
And so, yeah, it's a terrible experience because, you know, one of the things we don't talk about in the security world or in the business world is the emotional, human side of it, right? So you're under a lot of stress. You've got a board that's threatening your job, right? Your name is in the paper. You have to deal with crisis communications and, you know, go in front of whoever it is, some media outlet that's called you at 4:30 and wants to run the story at 6 o'clock. And they've done that to put more pressure on you, right? Nobody's your friend at that point. And if you're not prepared, you know, you're going through a lot because, you know, again, you're trying to determine, you know, right back to the beginning of our conversation, is what the IT people are telling me legitimate? How do I even pay in cryptocurrency? We don't have a Bitcoin wallet or whatever it might be. How do I do this? And that's where law enforcement and insurers and incident response firms help, right? So that's their job. They're first responders. They know how to deal with things when they've gone wrong. But the best thing I'd say for companies is prepare, right? It's a Schwarzkopf quote about the more you sweat in preparation, the less you bleed in battle, right? And in this case, it's the less you bleed in response. And it's very true, right? Knowing what to do, who to call when, having the right people come in like HR, right? Marketing to help craft communications, having a crisis communications player get involved. It reduces a lot of that, right? So it's still terrifying when it happens, but, you know, at least you know what to do versus, you know, the first 24 to 72 hours being spent in a kind of a panic of just even determining what the next step is, let alone fixing the problem. Now, of course, some companies that aren't as prepared, they may be, you know, surprised when attacked. They actually get things locked out, systems locked out.
Law enforcement should start to be preparing a little bit more, but do you find that law enforcement is properly keeping up with these threats, or do you find that they're still a little bit behind some of the actors that are attacking these companies? Yeah, I think they have access to a lot of information that we don't see publicly. I think part of the challenge is there's a little bit of a PR issue, right? So a lot of companies are hesitant to call in law enforcement because they think that they'll lose control. That, as you said, right, information that they didn't want made public will be made public, or that they'll call a regulator or they'll call the media. They're not going to do that. At the same time, while I do think they help, the other side to look at is they're not there to fix the problem, right? So, you know, they're not going to give you first aid. They're not the surgeon who's going to, you know, repair whatever damage has been done. They're there to talk to you to say what happened, to figure out who the bad guy is, to chase them down. So you kind of have to remember that is their mandate. I do think, so they have a lot of information to share, and they could do a better job of having that public arm that gets out there, that offers free awareness training for executives, that walks them through, we call them tabletop exercises, or sort of simulations of these events, to help the executives understand what all the steps are, what their requirements are, and what it looks like when it happens. They could do a lot more of that. And I think that's the kind of good work that would happen. That's the walk in the street or the walk on the beach, so that people know you, they know you by name. They don't know you by a 1-800 number. And I think that's where they could step up. And, you know, local police, the FBI, Treasury, Secret Service and so on. Right. They all have engagement here and they all have field offices.
So I would encourage executives and companies, like, reach out to them. Bring them in ahead of time. Right, ahead of time. Yeah, absolutely. Absolutely. Yeah. Because this is only going to get, you know, with COVID, everybody's working from home. I know I've been guilty of it: when you have a work laptop and you just start working on your personal laptop and vice versa and back and forth. So it's only going to get worse. It's only going to get worse because people are going to be less careful. Yeah. Some companies have VPNs. Not everybody logs into everything with a VPN. You know, maybe some of the systems you need to, but not everything. You just want to jump on your computer. You know, I have my Mac, but I have my HP for my work, and I'll have my Mac in bed and I want to check my emails. And I'm just going to log in through a web portal and I'm not going to worry about going through a VPN. It's not good, but it's human. It's human. That's what's going to be. Yeah, it is. And you're right. And that's something that we need to get to, right, is we live in a kind of, you know, we used to call it BYOD, right, bring your own device. Yeah. That's pretty, you know, common nowadays. In fact, I think now we may be retracting that. But we've moved into BYOH, which is bring your office home or bring your own home. And you're right. And one of the biggest issues we saw with COVID, and I think it still occurs today, is that you're connecting through a less secure device to get into your environment: your home router, right? So whatever box that you receive from your ISP that provides your internet service. Okay. Those devices are consumer grade. They're not commercial grade or enterprise grade. They're not designed to do this. Most people don't even know what to do with them because they plug them in, whoever it was, the tech set them up, and they have no security on them by default.
And they have factory kind of administrative rights. So for example, to log into it, most of them are admin/admin. And, you know, you could publicly look that up. Go ahead and Google it, look up Verizon or Rogers or AT&T. They all pop up, you know, right at the top, where, you know, Google's done a great job of stripping that right out of the manual. And so it's easy for bad guys to do this. And then they can, you know, keys to the kingdom here. Right. So from a consumer perspective, encrypt your Wi-Fi. Don't name your Wi-Fi network after your home address or your family name or your pet, because that stuff is super easy to work out. You know, change the default password on the device. Even if you just do that, you are limiting, you know, the access that they might get. But this is a bigger ongoing thing for companies, right? And I think this is, frankly, an opportunity in the security world where we're going to start figuring out, you know, how do you do that dual model, which is, you know, on your devices having multiple profiles. I mean, you already see that with browsers where, you know, Google, for instance, you can have multiple profiles, like a personal and a work one. So when you're logging in, it's, you know, tracking bookmarking or history separately. Things like that, I think, are going to become more common, and, you know, additional security layers on home, like a, you know, light firewall kind of thing like we see in the office. Because at the end of the day, you know, if you're not encrypting things, like you said, if I haven't connected through a VPN or some other equivalent technology, bad guys can drop a script on there. They're collecting whatever information off of you. You are far easier to socially engineer and, you know, hook with a phishing lure. And then you still have, you know, access to the company, in particular where people have used whatever their password is.
You know, it's the same for their email as it is, you know, for their personal email, as it is for, you know, shopping on Amazon or some online retailer, and their corporate, you know, access. And that's a huge problem.

Thanks for tuning in. If you found this valuable, don't forget to hit that subscribe button so you never miss an episode. And if you want to dive deeper into this conversation, check out the links in the description to watch the full episode. See you in the next one.