Mark Sangster - Cybersecurity Author and Expert | The Inside Truth About Cybercrime

➡️ About The Guest
Mark Sangster is a cybersecurity author and expert who has been featured in leading publications and media outlets such as The Wall Street Journal, Forbes, CNN, and RSA Conference. He is the author of No Safe Harbor: The Inside Truth about Cybercrime and How to Protect Your Business, a book that exposes the hidden threats and vulnerabilities of modern organizations in the digital age. Mark is also the Vice President and Chief of Strategy at Adlumin, a company that provides advanced security and compliance solutions for the financial sector.
With over 25 years of experience in the InfoSec industry, Mark has worked with global giants like Intel, BlackBerry, and Cisco, and has a deep understanding of the regulatory, risk, and technological challenges facing businesses today. Mark is an award-winning speaker who delivers engaging and insightful presentations on topics such as cyber resilience, threat intelligence, and incident response. He is passionate about educating and empowering audiences to take action against cybercrime and protect their valuable assets.
➡️ Show Links
https://www.instagram.com/cyber_mbsangster/
https://www.linkedin.com/in/mbsangster/
➡️ Podcast Sponsors
Collective - https://collective.com/success
Hubspot - https://hubspot.com/
Kajabi - https://kajabi.com/success (Code: success)
ButcherBox - https://butcherbox.com/success (Code: success)
Justin Wine - https://justinwine.com/ (Code: success)
Green Light - https://greenlight.com/success
Indeed - https://indeed.com/clary
The Product Boss Podcast - https://www.theproductboss.com/podcast
NetSuite — https://netsuite.com/scottclary/
Factor — https://factormeals.com/successpod50 (Code: successpod50)
HelloFresh — https://hellofresh.com/50successpod (Code: 50succespod)
ZBiotics — https://zbiotics.com/success (Code: success)
➡️ Talking Points
00:00 - Introduction
01:04 - Mark Sangster’s Origin Story
03:49 - From Tech to Cyber Marketing
06:12 - Current Cybersecurity Challenges
10:04 - Human Element in Cybercrime
13:54 - Rise in Cyber Attacks
17:00 - Sponsor: The Product Boss Podcast
17:48 - Future of Cybercrimes
21:39 - Protecting Against Cyber Attacks
23:15 - The 'Gray Actor' Explained
25:03 - Ransomware Fallout
29:28 - Law Enforcement and Cybercrime
34:59 - Lessons from Mark's Book
35:46 - Connect with Mark Online
36:13 - Overcoming His Career's Toughest Challenge
36:49 - Most Impactful Person in Mark’s Life
37:21 - Top Books and Podcasts
38:13 - Advice to 20-Year-Old Self
38:24 - Defining Success
Welcome to Success Story. I'm your host, Scott Clary. The Success Story podcast is part of the HubSpot Podcast Network. HubSpot has been a huge supporter of the show. They have so many tools that can help your business. The one that I want to just mention today so you go check it out is their new AI chatbot. It's called Campaign Assistant and it's a totally free to use AI tool made for marketers and business leaders who spend hours a day on content creation. Campaign Assistant will transform the way you build marketing campaigns at scale. Craft personalized emails, ads and landing pages in a matter of minutes. Just pick the content type, add key selling points and let AI take it from there. It works seamlessly with all of HubSpot's marketing and sales tools to scale your output across email, social, and more. So AI your way to your most effective campaigns yet at HubSpot.com/campaign-assistant.

Well, I actually had delusions of med school, as the way I like to put it, but frankly, I think I spent too much time in the wrong places on the university campus to get myself there. And then I moved into communications on more of the technical side and ended up working for a whole bunch of small companies, startups, but also giants. So the Ciscos, Intels, BlackBerrys. That was a great experience because I got to see those companies go through those different maturity and growth stages, which I think is always a good lesson to understand: what got you here isn't going to get you there, and the types of changes that are required. But throughout all of that, it was always about understanding the customer and building relationships. And you know, one of the, I think, most valuable lessons I got out of Cisco was that every year they conducted this very comprehensive customer survey. And all of our security badges had this tag on it that they gave us every year that had a score out of five, you know, it said this year's target is a 4.85 out of five.
And that was based on the customer feedback. And of course, that all related, you know, to your compensation and to bonuses, which I thought was a really compelling way of doing it, right? Because there was pure transparency. You understood what was at stake. And I think the bigger piece from a business perspective is that they had come up with a good secret sauce that got everybody on board, right? That got you out of that mindset of, well, that's not my job, right? Or, you know, well, if the customer's got a problem, that's the sales rep's, you know, that's what they get paid for, that kind of thing. And so we all were kind of banded together knowing that whatever I contributed, whether it was directly within my mandate or it was something outside of it, at the end of the day, it was worth it, right? And that was one of the biggest things I saw. And I also had a good manager there who kind of walked me through a lot of: it's not about quantity, it's not about quality. Like you can keep creating white papers or case studies or documents, but the reality is, if the message doesn't resonate with the audience, who cares, right? More is not necessarily better. In fact, often it's quite the opposite. You know, coming up with that concise message, that concise way of communicating value, was so critical. So doing that, seeing a lot of technology evolve. And of course, in the IT security space, things have changed dramatically, right? From the beginning of, let's call it, consumer internet usage right through to the latest technology. And of course, now dealing with governments and major businesses and all sorts of different facets that are facing the kind of cyber attacks that we unfortunately read about every day in the news, right? And, you know, far too often, yeah, exactly.
No, I was going to say, yeah, so you were working for all these tech giants. Yeah. And in what capacity were these roles? Were these more on the backend, IT infrastructure security side, which is, I'm assuming, how you pivoted into what you're working on now?

Yeah, ironically, it started in technical communications, writing, you know, documents and manuals. And then that kind of parlayed into things like marketing material. But I always sort of straddled the tech and the communications, the, you know, go-to-market side. So I think the difference there was that I understood how these things worked. I started to understand what it was like to do the job. And then I kind of moved more into the business side of it, right? And understanding what problems were those customers trying to solve? Or, you know, what kept them up at night? How to work with some of the constituents that they had, but also some of the governance that they had. So, you know, if they were in finance and heavily regulated, it's like, what do you really need to do to satisfy these people? And you know, it kind of builds trust, right? And you kind of get to the point where they started coming to me as, you know, I don't know about an expert, but it was kind of a, I need a sounding board, you know, here's what I'm thinking of doing. Does that make sense? And I also had, I think because I straddled so many different industries, right? I was working with players in finance and high tech and healthcare and manufacturing and legal and transportation, a whole whack of them, that I could start to say, I know you think in finance you have special problems, but at the end of the day, they're all kind of the same problems that other people have. You just use a different vocabulary.
You may have a different collection of letters for your regulator, but you're all trying to solve the same problems and you all kind of look the same, right? And that's where I could start to kind of parlay some of the lessons I'd learned in, say, healthcare and bring those over into finance because, look, we all get trapped in our own box, right? We start to get self-fulfilling prophecies because we're being driven by the same things. It's echo chambers because we talk to our peer and our peer tells us they have the same problems and the same way of solving them. And then you kind of go outside of that mandate and all of a sudden, you get a fresh perspective. And so I think being able to do that and, like I said, to kind of take the information from one camp and bring it to another was a value add they weren't seeing normally.

And what are the problems that all of these companies are trying to figure out in this realm? Because obviously they haven't figured it out yet, because we keep seeing all of these attacks non-stop, more prevalent than ever before, bigger, more money involved. So what's the missing piece here?

Yeah, so I think the big piece for me, and it almost relates back to that career path, is there's a disconnect between the ones and zeros of technology and the dollars and cents of business, right? So there isn't a Rosetta Stone that translates them well. All too often, I think the technical practitioners fall back into the comfort zone and what they think is the right approach. So they keep spewing more technical data and the business leaders are like, yes, so what does that mean to me? You know, like if I say to you, our domain controller has been compromised. Okay. Now if I flip that and I go, yeah, they have the keys to the kingdom and they can shut us down if they like, right?
Or they can now send messages to our client base that we can't stop. That's something that's going to send a warning bell to an exec, right? So that's, I think, one of the biggest challenges, but the other one I think is that in the headlines, it's what's beneath them, right? So we read about these pipelines and major manufacturers and government agencies and so on, utilities, that all get hit. And that I think, through inference, creates a false sense of security because all these other companies like law firms or health care institutions or whatever they are go, yeah, we're too small for that, right? We operate in the middle of nowhere. So how would somebody on the other side of the world know we even exist, or we have nothing worth stealing? And that creates this false sense of security. And frankly, when you don't think there's a risk, why would you invest to try and mitigate it or prevent it, right? And then if they do know there's a risk, I think the real challenge is nobody's got a silver bullet and there's a lot of confusion around it. So as I said, sometimes the executives don't understand the risk, or the IT people can't effectively articulate it so that the executives can understand it. If you don't understand the risk, you're certainly not going to invest in the resources it's going to take to at least mitigate it if you can't eliminate it.

And that is really, I guess, to just go back to your career and your progression. After working with all of these huge tech giants, that's where your career's taken you, right? That is what you're trying to solve for. You're trying to get those two units to communicate to better protect the organizations, right?

Yeah, agreed. And I think the other piece of this is some of those big companies I entered through startups, right? So we were acquired. So I can think like a small company, you know, I'm willing to roll up my sleeves and do the work.
And I understand they have limited resources. And I also see, you know, some of the advantages of big companies, but I see the limits, right? Where sometimes it's great to be able to say, look, we have good gates and controls when it comes to, say, developing new product, right? We initially determine whether, sort of conceptually, there's value to a market and how we'd access that market. And then now we'll do more work to prove it before we get into execution and production. And that's really great except, you know, now that stuff moves quickly. And that takes 18 to 24 months. And that can be a killer in a small company where you need to pivot. And it's the same thing in what I deal with today, which is you don't have 18 to 24 months to get your act together. So if you don't have the proper security controls in place, if you have a poor security posture, there's little things you have to do immediately, right? This is not about boiling the ocean. This is about carving off pieces that you can manage. And something is better than nothing, right? And you're going to slowly progress, because otherwise, throwing your hands up and just saying it's futile, we can't do what a major bank does, you may as well unlock the doors, pull the cash out of the vault and, just like in COVID, give them a drive-by pickup service where they can steal your assets, because that's what they're going to do.

And with, so let's talk about the human component of this, because I think that's a big component. Like, you hear about phishing and whatnot and social engineering and how that leads to, probably more so than, actually correct me if I'm wrong, but probably more so than lack of security protocols, it's a human element that really screws a lot of companies.
So walk me through how companies can prep for that, because that's not an IT component. That's just a knowledge, awareness, education piece.

Yeah, totally great. So there's an expression that IT people like to use called PEBKAC, which is "problem exists between the chair and the keyboard." And that's true, right? Now, part of the problem with that, of course, is it creates a bit of a blame culture, right? Like, you know, why did you click on that? But what people don't recognize now, and this is why helping people understand what the threat looks like, understand how it manifests when it appears in your environment and what to do about it is so critical, because so many people labor under this, again, misconception that it's, you know, I'm going to get the goofy emails that are in our spam filters, right? You know, it looks like my streaming service, my credit card's been rejected and click on the link to log in to put in a new payment method, or I've got a package arriving from whoever, right? Aunt Judy sent me something through a courier. And those are true, and they're real, but they're what I'd call the background radiation in the internet, right? There's stuff that's far more critical. These are ones where they have figured out, socially engineered, what your business, your industry looks like. So a good example recently was a criminal individual who posed as a law student and used that persona to make connections to senior lawyers, to partners, to judges, and then of course it looked like it was part of a mentor program from a legitimate academic institution. And then once they'd done this for a few weeks, had built trust with this person, then they sent them a link and said, hey, can you click on this, can you open this survey for me and complete it so that I get my credit? So I can graduate.
And of course, those people are more than willing to help, right? And of course it was fake and, you know, it actually led to a legitimate document that had been stolen, but then that led to massive ransomware attacks. Those are the kind of things that people face, right? So helping unpack how they work and showing them that this is more than some criminal sends you an email, you click on it and Skynet sends down a Terminator and locks your computer and demands money, that they are working you, that they've already, you know, they're reading the news. They are looking at shifts, things like the election, tax time, back to school, COVID, whatever it might be, and they're then creating campaigns that are tailored, or worse, they've already stolen information from people around you, right? They have the credentials or the accounts of your peers and your employees or of partners or of clients, and then they come at you with that insider information, and suddenly it makes sense to you because you go, oh yeah, we do do work with company X, or yeah, we are buying that from them. So I'm expecting an invoice to arrive. Those kind of things, right, are legitimate, contextually relevant. So we're going to click on those. So that's where you need to step up with them and say, okay, this is what it really looks like. Here's what you need to do about it, right? Here's the basics, you know, that you can put in place to protect yourself, protect the organization, and create and foster a culture where they're willing to report it and say, look, I got this email, I clicked on it, I thought it was legit, I made a mistake, and say, thank you for telling me, because that's a tripwire, right?
That's an alarm bell, and the more of those I get, now I can take action, whereas if that person has been motivated to hide the fact, well, what happens is you get the bad feeling that day, you forget about it, six months later something massive happens in the organization, and you get that sick feeling in the pit of your stomach because you realize, like, oh, I remember clicking on that fake courier link, and that was the start, right? And so, you know, it's like bringing people together, that's the important piece.

Why do you think there have been so many more notable attacks lately, ransomware attacks and otherwise? Is it criminals getting braver or more, you know, they're just understanding how to exploit companies better? What is it?

Yeah, so Scott, that's a great point, and that's a great question, and really this is why: there's two factors going on. One is that a lot of these groups on some level are state-sponsored, right? We've heard this term nation-states or whatever, and that would be like the military actors working for a government. State-sponsored are, you know, criminals, right? These are gangs who either the government in the country that they reside in turns a blind eye, maybe funds them through some indirect method, whatever it might be, right? And the reason they're doing this is because it's a bit of the, you know, the enemy of my enemy is my friend. And they realize they're creating confusion, they're sowing mistrust, they're doing economic damage to who they see as an enemy of their state, so, like, why the heck not, right? But the bigger piece of this is that, and this is another, I think, misconception, is these companies operate like Fortune 500 industries, right? They resell ransomware, they resell their malware, somebody's got a really good version of it, they lease it, it's a SaaS-based model, they have revenue-sharing models.
So, you know, if you're a little gang, you come along, okay, I can't write that stuff, but tell you what, I'll give you 50% of everything I steal, right? And they're like, deal. And they've got experts who are, it's not just technology, but then they have experts to say, you know what, I've got a really good secret recipe that I use to infiltrate hospitals. So pay me, and I'll do that initial work, I'll create the emails, I'll get in there, and once I've tricked these people, I'll hand it over to you, because you know what, I'm not really an expert at moving around in their environment, figuring out how to plant ransomware everywhere and turn off their backups. That's your thing. So they're all kind of collaborating in this sort of economic marketplace, right? And it is basically, it's almost like, think about our traditional SaaS models. You may have the main player, right, whatever that is, and then you've got all the partners and plugins and extensions that bolt onto that, that increase the functionality of that core service, and that's exactly what criminals are doing. And ultimately, at the end of it, there's economic payoff, right? They're making hundreds of millions of dollars, to the point where you have the FBI in the US coming out and saying, yeah, we don't think we should ban making payments, because that may be the only option for some companies who have fallen victim. You've got US Treasury coming out and saying, if you pay a ransom, you better make sure that they're not on, they have these lists where effectively it's like the enemy states, right? And just trading with the enemy, you're funding terrorism. So you better make sure before you pay that they're not on that list. And I think, to some degree, they're trying to dislodge or destabilize the economic engine, but the reality is, it's a very profitable model, and it ain't going anywhere, right?
It's, frankly, it's only going to get worse. And you can see that with targeting things like utilities and hospitals, where now they're really hitting where it's going to hurt us the most.

A quick break from this podcast to recommend another podcast that you ought to check out. It's called The Product Boss, hosted by Jacqueline and Mina. It's part of the HubSpot Podcast Network. If you have a physical product, this podcast is hyper tailored to you. It's going to help you take your business to the next level. In a recent episode, for example, they spoke about the power of TikTok for product businesses and how to use it to drive sales. And as somebody who is a little new to TikTok, I really learned some great tips for creating content that actually converts viewers into customers. They have a workshop-style format that makes it really easy to follow along to take your business to the next level. So if you sell physical products, subscribe to The Product Boss wherever you get your podcasts to unlock social media, marketing and business strategies that create your dream business and then your dream life.

And that's what, so Biden put out that list of all these, it's a very, right. Now they haven't, they hit, you know, the ones that I'm thinking of is JBS Meats, Colonial Pipeline. Like these are the big ones. Pipeline is definitely core infrastructure. JBS Meats is big, but it's not going to ruin a country like shutting down a medical system or a financial system. Maybe for some people, but for many of us, like these core things that were on that list could truly just cause massive amounts of chaos, the power, all these different things. They haven't gone after those types of industries yet. Do you believe that it's because they haven't been able to or they're waiting for the right time? Do you think they'll respect the list? I'm curious as you see the future of this type of behavior evolving, where does it go?
Yeah. So I do think that's coming. I frankly think we live in a bit of a, you know, cyber cold war, like the 1950s post-World War II, right, with Soviet Russia and the West. And there's that constant detente. And right now we sort of exist in the same kind of world, right? I'm not going to pull the Russian spy in Washington DC and go to town to get their secrets, because then I know they're going to pull the CIA spy in Moscow and do the same, right? And we're sort of in that same kind of detente now where we're keeping it just south of military action, right? And it's guerrilla warfare, because these smaller nation-states know they can't fight with the tanks and the bombers and all that kind of stuff. But they can certainly fight in hills and mountains and caves and jungles, and they're really good. And I think that's what's going on now. Will it boil over? Yeah, I think it will, right? It's almost like, you know, think of the doomsday clock we had in, sort of, nuclear war, where I would say we're definitely in the 11th hour heading to midnight on a cyber one as well, because I think there'll be that tipping point, right? It'll be a trade war or something that happens in another part of the world where they can affect, you know, influence or extort what they want by doing this. And a lot of these attacks, I think, are a proof of concept, right? It's the, yeah, we could shut down a gas line, and we saw what the secondary effects of that were, right? Shortages at pumps, gas prices spiking, panic, all that kind of stuff. Well, what happens, as you say, what happens when we shut off water or we kill the electricity? Or, you know, the big one I keep waiting for, because it is, you know, things like attacks on airports, and I don't mean traditional terrorist attacks shooting down and blowing up planes.
I mean, shut down the baggage handling system for a day at Chicago or in Atlanta, right? Or Denver, one of these major hubs, and watch what happens, right? Think of the billions that's going to create in economic chaos, and so on. And I think those are the things that are coming. So, you know, at some point, what are we going to do in the West here, right? The US, Canada, the UK and other allies, are we fighting back? I don't know. I probably presume so on some level, but, yeah, at some point I do think it will boil over and I do think you're going to see this sort of, like, testing your muscle strength, right? And figuring out what works and what doesn't work. And I think the more scary part is that's the kinetic side of it, but what's the potential energy side of it? Like, how many of these organizations have they already infiltrated? And it's a bit of the nuclear submarine lying off the coast, just waiting for the order to turn the keys and launch the missiles. And I think that that's probably the case, because a lot of these companies are simply not prepared. They've focused on physical security, like a pipeline, you know, they don't want said terrorist getting in and blowing it up. And they've not really put enough cyber defenses in place to adequately protect themselves.

Are there protections? Because we mentioned the people problem, quote unquote. What are the other protections that somebody could put in place to protect against something like this?

So there's lots of different security tools and technologies, but there's some basic things that I always say to companies: brush your teeth and floss, right? Do the hygiene part of this. So things like proper password security, use two-factor or multi-factor authentication. And those things are even offered, right?
On your consumer side, like Apple iTunes, Google Play, Amazon, all these services will offer, you know, they might call it OTP, but it's where you log in and it'll send you a code to your phone and you have to enter that as well. Those secondary controls slow these bad guys down. Using encryption, so having a VPN. I think now with COVID, we all know what a VPN is if we didn't before. Just some of the basic hygiene effectively narrows the entry points. And what it does mean now is it's a bit like channeling them through that canyon. I know where they have to come out. And I know when they pop out, yes, there's lots more things they're going to do. But those are where I can now put my spotlights or put my sentries, and I can wait for them to emerge from that point. And it makes it easier to detect them. So for many companies, doing the basics is critical, right? And if that's going to eliminate the, what I call the background radiation in the internet, it's also going to eliminate the kind of moderate threats. And then we'll get into the high-level threats. That's a different story, right? That is where you're going to absolutely have a Noah's ark, two of everything, kind of security program to be able to protect yourself.

And one point, as I was going through the book, one topic, I guess, is a gray zone or a gray actor? I don't know what that means. So what is that?

Yeah. So the gray actors is kind of back to a little bit of what I talked about, destabilization, right? So gray actors are countries that we haven't declared war with. China, Russia, parts of the public, you know, possibly the Ukraine, Iran, Iraq, Syria, all these kinds of countries where we're not at war.
So there's not a kind of, let's call it a global entitlement to fly rockets over airplanes and bomb them. They're not doing the same to us, but effectively, they do seek the same kind of outcome, right? They want to destabilize our economy. They are sowing mistrust. Like, everything that's going on right now just plays into their hands, right? Like, look at COVID. Do I wear a mask? Do I not? Should I get vaccinated? Should I not? And I'm not trying to advocate for one side or the other. But what I am saying is, probably 20 years ago, we would have just done what we were told. And now we won't, right? So you've got that going on. You've got a distrust of government agencies, of science, and all that kind of stuff plays into their hands, because they're aligned and we're no longer, right? We don't even want to trust the message or the messenger. And then you've got the economic side of it, which is, can I take down that big major bank? No, but you know what I can do? I can cause a lot of problems. Like your example earlier, I can hit a meat processing business. And what do I know that's going to do? That's going to spike the price of chicken. And that's going to be one more point of evidence to show that law enforcement is incapable of protecting its constituents, or the government can't stop a foreign entity from extorting control over our economy. And it's just that sort of cycle. And like I said, it's everything south of physical war, right? Of sending tanks and airplanes and ships. But we're pretty darn close.

So what happens? And I guess, you know, hindsight is 20/20, I probably should have asked this question at the beginning of the podcast, but I still think it's a good one to break down. So what happens when a company is a victim of a ransomware attack?
What are the steps that actually take place that they would be experiencing, or their employees would be experiencing, excuse me, or even what happens when law enforcement gets involved? Do they want to get law enforcement involved? Will that have an impact on the outcome of them being able to pay off the ransomware attack, or maybe give law enforcement potentially access to more information that they originally didn't want to even open up? A lot of variables there.

There are a lot of variables. So if a company is in a position where they feel that they have to pay a ransom, right? So they've been absolutely shut down. And what we see is really good multi-pronged tactics to extort that, right? So things like, they may not shut down everything, but then they say, you know, pay me now. And when the company says we're not going to negotiate with you, they shut down something more critical. They'll often publish information as well to show that they've gotten in. They'll contact partners, they'll contact clients and say, by the way, hey, we broke into this company and we know they're a major supplier of yours. We've got access to your secret intellectual property, your designs, all that kind of stuff, just to kind of put more pressure on them to pay. When it comes to doing that, I would recommend that they engage law enforcement, because law enforcement is not there to criminalize the victim. They are there to determine attribution and to build a case for prosecution. But they also know what's going on in the world, right? So they see this stuff. So they may even have decryption keys that haven't been rotated by the bad guys and they're being lazy. They can help determine whether or not it's a legitimate threat, like, this is okay, this is a major ransomware gang, you need to take this seriously. Engaging their insurers.
So if they have coverage for this kind of thing, the insurers know how to negotiate, right? So the other piece to this to understand too is the criminals, before they detonate, they've probably done a lot of reconnaissance within any environment. And one of the things we see them going after is things like insurance documents. So they figure out what kind of coverage do you have? So let's say you have five million in coverage. They're going to come in and they're going to negotiate for 10, and they know that you can't pay 10, but they know they can walk you down to five and you'll walk away thinking you got a bargain per se, and they know, they knew you were going to be, you were capable of paying it, right? So they understand those kind of things. Like, you have to, they've written the rules. They already understand it and they haven't told you what the rules are, right? So it's difficult for you to play. Law enforcement can help there. They can determine, like I said, they can determine attribution, they can, they can share the forensics, which is critical too, because otherwise we all suffer in silence. And that's one of the things I talk about in the book, right? So when these stories don't get shared, we don't have a way of vicariously learning. So it's like each one of us individually, unfortunately, learns the same hard lesson instead of us being able to observe what happens to others. And so yeah, it is, it's a terrible experience because, you know, one of the things we don't talk about in the security world or in the business world is the emotional human side of it, right? So you're under a lot of stress. You've got a board that's threatening your job, right? Your name is in the paper. You have to deal with crisis communications and, you know, go in front of whoever it is, some media outlet that's called you at 4:30 who wants to run the story at 6 o'clock. And they've done that to put more pressure on you, right? Nobody's your friend at that point.
And if you're not prepared, you know, you're going through a lot because, you know, again, you're trying to determine, you know, right back to the beginning of our conversation, is what the IT people are telling me, is that legitimate? How do I even pay in cryptocurrency? We don't have a Bitcoin wallet or whatever it might be. How do I do this? And that's where law enforcement, insurers and incident response firms help, right? That's what, that's there. You know, they're the, that's their job. They're first responders. They know how to deal with, you know, things when they've, they've gone wrong. But the best thing I'd say for companies is, um, prepare, right? It's a Schwarzenegger quote about, you know, um, the more you sweat in preparation, uh, the less you bleed in battle, right? And in this case, it's the less you bleed in response. Um, and it's very true, right? Knowing what to do, who to call, when, having the right people come in like HR, marketing, help craft communications, having a crisis communications player to get involved, it reduces a lot of that, right? So it's still terrifying when it happens. But, you know, at least you know what to do versus, you know, the first 24 or 72 hours are spent in a kind of a panic of just even determining what the next step is, let alone fixing the problem.
Now, of course, some companies that aren't as prepared, they may be, they may be taken, you know, in, they would be surprised as attacked. They actually get things locked out, systems locked out. Law enforcement should start to be, uh, should start to be preparing a little bit more. But do you find that law enforcement is properly keeping up with these threats, or do you find that they're still a little bit behind some of the actors that are attacking these companies?
Yeah, I think they have access to a lot of information that we don't see publicly. Um, I think part of the challenge is, there's, there's a little bit of a PR issue, right?
So a lot of companies are hesitant to call in law enforcement because they think that they'll lose control. That, as you said, right, information that they didn't want made public will be made public, or that they'll call a regulator or they'll call the media. They're not going to do that. Um, at the same time, while I do think they help, the other side to look at is they're not there to fix the problem, right? So, you know, they're not going to give you first aid. They're not the surgeon who's going to, you know, repair whatever damage has been done. They're there to talk to you, to say what happened, to figure out who the bad guy is, to chase them down. So you kind of have to remember that is their mandate. I do think, um, they, they, they have a lot of information to share and they don't. They could do a better job of having that public arm that gets out there, that offers free, you know, awareness training for executives, that walks them through, we call them tabletop exercises or sort of simulations of these events, to help the executives, you know, understand what all the steps are, what their requirements are and what it looks like when it happens. They could do a lot more of that. And I think that's the kind of the good work that would happen. That's the walk in the street or the, you know, walk in the beat so that people know, they know you by name. They don't know you by a 1-800 number. And I think that's where they could step up and, you know, local police, the FBI, Treasury, um, Secret Service and so on, right? They all have engagement here and they all have field offices. Um, so I would encourage, um, executives and companies, like, reach out to them, bring them in at a time.
Yeah. Absolutely. Yeah. Cause, cause this is only going to get, you know, COVID, everybody's working from home. Um, I know I've, I've been guilty of it, when you have a work laptop and you just start working on your personal laptop and vice versa and back and forth. So it's only going to get worse.
It's only going to get worse because people are going to be less careful. Yeah. Some companies have VPNs, not everybody logs into everything with a VPN. You know, if maybe some of the systems you need to, but not everything, you'll just, you want to jump on your computer. You know, I have my Mac, but I have my HP for my work, and I'll have my Mac in bed and I want to check my emails, and I'm just going to jump on my, you know, my, I'm going to log in through a web portal and I'm not going to worry about going through a VPN. It's not good, but it's human.
It's human. That's what's going to. Yeah. It is. And you're right. And that's, that's something that we need to get to, right? Is we live in a kind of, um, you know, we used to call it BYOD, right? Bring your own device. Yeah. And that's pretty, you know, common nowadays. In fact, I think now we may be retracting that, but we've moved into BYOH, which is bringing your office home or bring your own home. And you're right. And one of the biggest issues we saw with COVID, and I think it still occurs today, is that you're connecting through a very, or a less secure device to get into your environment, your home router, right? So whatever box that you receive from your ISP that provides your internet service, those devices are consumer grade. They're not commercial grade or enterprise grade. They're not designed to do this. Most people don't even know what to do with them because, you know, they plugged them in, whoever it was, the tech set them up, and they have no security on them by default. And they have, you know, um, a factory kind of, you know, administrative rights. So for example, to log into it, most of them are admin/admin. And, you know, and you can publicly look that up. Go ahead and Google it, look up Verizon or Rogers or AT&T. They all pop up on, you know, right at the top where, you know, Google's done a great job of stripping that right out of the manual. Um, and so it's easy for bad guys to do this.
And then they can, you know, keys to the kingdom here, right? So from a consumer perspective, um, encrypt your Wi-Fi, don't name your Wi-Fi network after your home address, or your family name or your pet, because that stuff is super easy to work out. Um, you know, change the default password on the device. Even if you just do that, you are limiting, you know, the access that they might get. Um, but this is a bigger, ongoing thing for companies, right? And I think this is, uh, frankly, an opportunity in the security world where we're going to start figuring out, you know, how do you do that dual model, which is, you know, on your devices having multiple profiles? I mean, you already see that with browsers where, you know, Google, for instance, you can have multiple profiles like a personal and a work one. So when you're logging in, it's, you know, tracking bookmarking or history separately. Things like that, I think, are going to become more common and, you know, additional security layers on home like, uh, you know, a light firewall kind of thing like we see in the office, because at the end of the day, um, if you're not encrypting things, like you said, if I haven't connected through a VPN or some other equivalent technology, bad guys can drop a script on there. They're collecting whatever information off of you. You are far easier to socially engineer and, you know, uh, hook with a, with a phishing lure. Um, and then you still have, you know, access to the company, in particular where people have used whatever their password is. Um, you know, it's the same for their email, uh, as it is, you know, for their personal email, as it is for, you know, shopping on Amazon or some online retailer and, and their corporate, you know, access. And that's, um, that's a huge problem.
What, um, what is the, I want to ask some, some rapid fire career questions from you for the audience. Um, one, before I pivot, what is the number one lesson you want people to take out of your book?
No Safe Harbor.
Yeah. Yeah, everyone's a target. And there are things you can do to, you know, prevent yourself from falling victim, right? I'm not trying to say you can't, it won't happen. But what I want to, what I want to do is break that notion of futility, right? That, you know, if some big, you know, ransomware gang shows up, we're done for. You're not. And there are signs and symptoms that something is going on, right? Uh, it's just like your health. If you've got a, you know, you're always tired, you constantly have headaches, whatever it might be, there might be a bigger issue at heart, right? Check into it. Um, because otherwise, if you don't, you, we're going to just keep falling prey.
If people do want to connect with you, uh, your social, your website, where do they get the book as well?
Yeah. So you can get it from, um, M as in Mike, B as in Bob, Sangster, uh, dot com. So it's available there. And it's available from all the major online retailers like Amazon, Barnes, uh, Indigo and so on.
What's your, what's your best social people want to follow?
mbsangster on Twitter or cyber underscore mbsangster on Instagram if you want.
Okay. Perfect. Okay. Um, you've had an incredible career. Uh, I want to pull out some career insights. Biggest challenge you've had in your career. What was that? How did you overcome it?
You know what, being pigeonholed, right? So, you know, I talked about where I started and trying to move. And, you know, unfortunately, I think it's a little bit of the, you know, you either have to, you know, fix it, accept it or leave it. And so, you know, I think quickly determining out of those three, which one is the viable option or options, um, and then making that decision. And, and it may change. This for me, right? Where, you know, okay, you see me in one light. I want to change, you know, want to change that light and, you know, and that meant making some tough decisions. But, you know what? That's the way to grow.
Good.
Um, one person who was really impactful on you, could be a mentor. I know there's probably been a few, but who was that one person that comes to mind? And what did they teach you?
Yeah, you know what? It was early on and it was a manager at Cisco who, you know, I was working on all these documents and all proud of everything I had done. And he literally showed me a cabinet full of all these, these documents, collecting dust. And he's like, that's what happens, right? And he goes, this is what happens in reality. So, he's like, get out in the field and see it from the customer side. And then you'll understand what they really need.
Um, outside of, outside of your own book, what would be another book or podcast you recommend people go check out?
Yeah, so along these lines, the 9-11 book from a colleague of mine, Bob Darling. He wrote about his experiences during the attacks on 9-11. He was in the White House as a military advisor, not a senior one. And he made some very stunning business leadership observations. And I really credit him for that because he's able to translate that sort of, you know, government administration military experience into something that all leaders can relate to, right? About knowing your job, being a good follower, you know, telling people what you want to see happen, what the end stage should be or the outcome, not how to do it, and leaving it to their expertise.
Amazing. If you could tell your 20-year-old self one thing, what would it be?
Oh, you know what? There's enough people out there who are going to tell you what you can't do, so believe in yourself.
I love that. Easy, simple. Okay. And then what does success mean to you?
You know, success to me is actually seeing change in others, right? Seeing my own words or thoughts or beliefs kind of paraded back. And not just being paraded back, but when they've internalized it, and they see it themselves, right? They believe it.
They believe it's their own and they take on ownership. That to me is real success. You know, you've made a change.