Buck: Welcome back to the show everyone. Today, my guest on Wealth Formula podcast is Rob Embers. He is with ITC Secure, which is a cyber security company. And Rob is here to tell us what we ought to know about the cyber security world and how it affects us. Rob. Welcome to Wealth Formula Podcast.
Rob: Hey, thanks, Buck. Thanks for having me on.
Buck: Maybe just start out. Tell us a little bit. What is this organization you’re with? ITC Secure.
Rob: ITC Secure is a full scope of security services company, from assessment to understanding how organizations are adopting cyber maturity and looking at risk right the way through to actually managing a 24/7 managed detection and response service for organizations of the size that kind of need something like that. So full suite of services.
Buck: And for those of you who are business people, you know how important this is. I would just tell you to just say, in general, that I would be shocked if your business has not had to deal with issues related to cybersecurity and companies that are similar at least to what Rob’s company does. But I want to focus because of so much of what we do and what the community members here are all about our solo investors at home and they’re using their computers. They’re using phones. I guess the question broadly is how big is the problem of cybersecurity? How big of a threat is it to individuals now, just for perspective. I mean, we are talking about people who have accounts with a million or couple of million bucks at a time. So it’s not like just a few bucks here and there.
Rob: Yeah. Look, the cybersecurity industry is worth billions. My industries are not worth billions because they’re not a problem. There’s a whole scope and breadth of type of cybersecurity problems and incidents and the actions that individuals may actually need to undertake a completely different out of a corporate organization. I think there’s always been the view in the public that they’re easy pickings ransomware, which I’m sure you’re familiar with. And I’m sure a large number of your listeners are familiar with it. It’s a problem. 99% of individuals have no idea how to protect themselves from it and what to do to try and evade it. So if they are duped into clicking on a link that actually then ties up their computer and access to the bank account, access to whatever systems they use, they may have spreadsheets which they’re tracking investments on or programs they’re tracking investments on. If this is all rendered unusable, how does that work for an individual? So I would be less concerned about a cyber attack on the bank because I think the banks actually you can’t access your bank without using multi factor authentication. Now, either on your phone and your computer or retina face ID. There’s a number of those. And I think the important thing for individuals is to use whatever technology is out there, it’s there for a reason.
Buck: Yeah. So let’s talk a little bit about what you can do or maybe what you should do. You talked about computers and phones. I always talk about sort of the bare minimum, what you really ought to be doing with your computer, with your phone. Can you address some of those?
Rob: Yeah. I think one of the biggest areas of the biggest reasons why devices are compromised is because they’re outdated. So people who don’t implement patches and software updates on Windows software updates on Apple. Again, those updates are largely to address either functionality issues, but more often than not, security issues. These organizations spend a tremendous amount of money, literally hundreds of millions of dollars a year on security. So when they issue these patches and when they issue these updates, it’s full of users benefit. It’s not just because they want to acquire more information. Although I understand a lot of people think that’s the purpose, but really outdated versions of software, unpatched devices, unpatched phones and phones now, and computers are largely the same. The functionality. There’s not much you can’t do on your computer that you can do on your phone. Now, the big thing is to keep them updated.
Buck: Yeah. So keep them updated. Is there a big difference? Maybe this is completely myth. Maybe it’s advertising, but somewhere along the line, I was told that having an Apple product and iOS device is generally harder to get hacked to have viruses and hacks and stuff. Is that true?
Rob: It depends on the applications you’re running. A lot of people use Apple Mac and then put a Windows, Outlook or Word or Excel. So there’s that crossover. Nothing is infallible. Right. So I would make the assumption that everything could be hacked, and I’ve got to have a plan in mind if I do. And there’s some, you know, keeping it updated, not trying to use the same passwords for all the different services that I use. So if I’ve got my Gmail or my Hotmail or whatever male client I’m using, let that not be the same one that I’m using for my Instagram or my Facebook or Snapchat or whatever these services are, try to separate them. And people say to me all the time, I can never remember so many passwords. Well, you don’t need to now, because there’s some great applications that you can download onto your phones, onto your computer that you don’t even need to remember a password. You just need to remember what that has to get into that application.
Buck: Yeah. So let’s talk a little bit about that, though. I think that’s very useful just in terms of trying to give people actionable information when you talk to individuals who maybe got a lot going on. As you said, lots of different professional accounts and investment accounts and passwords. It’s just password after password. Like what people say, can you talk a little bit about some of the useful software, whether they be specifically cybersecurity related or even with the latest. I remember there was Last Pass and some of these other password things. Are there some basic software or apps that you could suggest for an individual?
Rob: It’s difficult working for an organization to necessarily recommend individual products because there’s paid products. There’s free products. And I think in the interest of every vendor that has a key pass type, I’d hate to discriminate against discrimination.
Buck: Well, how about, like, broadly, then broadly, let’s say. Okay, so some sort of password app?
Rob: Yeah. I think you can go to the App store. You can go to Google Play Store and you can type in passphrase reminder kind of stuff. And I would personally recommend people go for a paid version because I think there’s a little bit more to it. I guess a lot of this stuff all comes down to risk. How much risk am I prepared to take now? There’s risk investing, but actually, how much risk am I prepared to associate with my own personal information?
Buck: How about antivirus stuff? Malware? What other sort of broad, sweeping apps would you suggest looking into?
Rob: I mean, you’ve got to have anti malware. You’ve got to have antivirus, you’ve got to have a keypad. You’ve got to use all multi factor or authentication services that your individual software package offers you. And it’s just like sometimes people think it’s annoying and it can be. But in most cases, we’ve got up to date phones with retina or facial ID and a lot of these now, actually, it’s a one time setup, and it’s worth investing the time to set it up, and then it just recognizes through your face ID. Now it’s kind of like that can be difficult when you’re wearing a mask, but it’s just one of those things I haven’t quite figured out how to do it without a mask yet. But again, there’s all of these little ancillary services that manufacturers of software now offer that people just kind of disregard. And that’s where a lot of the problems lie, because actually, they’re there for a reason.
Buck: How easy is it for email to be hacked? Just general Gmail or Yahoo?
Rob: Yeah. I mean, it comes down to how complex is your password, right? Because actually, there’s tools out there which are available to pretty much anyone that will take a complete database. And on the dark web, there are databases of compromised Confidentials, right? This is not rocket science anymore. This is pretty one on one computer hacking. You can go and buy a database of leak credentials and you can go through and try them. A lot of organizations don’t always know that they’ve been hacked, so those credentials will often work. So if it’s a weak password, you can apply what they call brute force attack against it. And it’s like seconds now with processing power as it is a six character, no special characters or numbers, just a word like your dog’s name or whatever dictionary. Second, start increasing the complexity to ten characters with special characters, lowercase uppercase and not dictionary words. And I think that’s one of the key things people think I’ve got a 15 phrase password, but it’s all dictionary words string together, which doesn’t help because these tools, these cracking tools, have figured that out. They’ve understood the mechanism that people have employed to develop passwords, so you need to break them up. You need to reverse some of them. You generally need to create generally a really complex password. So going back to my previous point about password keepers and locks, et cetera, a lot of these tools will come with a password generator, which are 24 random characters. Absolutely no sense to them whatsoever. So the whole point of using this software on your phone, which you can link to your laptop or your desktop or whatever you’re using, you can have them synchronized. They will actually generate passwords for you. So the need now to create complex passwords is negated because you can inquire at all to look after that for you.
Buck: I want to switch gears a little bit because we’ve been talking about at such an individual level, and I think that’s important for people. I think the bottom line is like you said, there’s sort of a low hanging fruit, and we’re probably in greater danger than the institutions and stuff. But the reality is, some of the big threats to the economy are actually from cyber attacks. I think maybe you can address some of the things that I think we ought to be really concerned about, sort of systemically out there, whether they’re cyber attacks of the grid or things like that and what kinds of measures? What are some of the exposure that you think we have right now?
Rob: When we talk about public services, public utilities, I honestly don’t know if there’s any point in worrying about it because there’s nothing we can do about it. Anyway, I think if I’m responsible for an organization, that’s a different story, right? I have to look at the organization and I have to understand the risk associated with the organization, and I have to make adequate or take adequate measures to protect that information. Yeah, I’m personally less concerned. Obviously, we all suffer the consequences if there’s a fear that we’re going to run out of gas on the Eastern seaboard because the pipeline has been compromised by ransomware. But there’s nothing I can do as an individual or indeed an organization to prevent that. If I’m running a business, if I’m responsible for an organization and I need to keep that organization operational and protected, I think the first thing I need to do is understand my maturity and understand my risk. How big is my risk? What’s my level of maturity? Because until you really understand what point you are on the road of cybersecurity. And I think a lot of people make two mistakes. One is they think it’s a short journey and the other is they think it’s cheap or it should be cheap. It’s neither of those two things implementing proper security at a corporate or enterprise level is extremely complex and very expensive. The potential consequences of not doing it could be devastating and could wipe you out.
Buck: It may seem like a very simple thing from investors is basically when you ask a question, what do cyber criminals want? The answer generally is going to be probably be they want your money, right. But there’s lots of other things that at a corporate level that are other than money.
Rob: Well, yeah you know, I think everything is monetized, right. And I think whether or not it’s personal data, whether or not it’s corporate data, which could be in a sensitive bid environment or could actually be some IP, some patents. Ultimately, everything that is being all of the attacks that are being perpetrated are now in a position to be monetised. So it used to be a Social Security number or your passport number and your bank account details. Now it’s like, well, actually, you’re finding today that ransomware is such an easily perpetrated attack. Actually, I don’t even need to go to the trouble of doing some of the original things. I’m just going to launch a ransomware attack on somebody.
Buck: Could you clarify ransomware just so I mean, I know probably most people know it, but talk about what do you mean specifically when you see ransomware?
Rob: Basically, it’s essentially a virus that runs through your system and locks out your files. Right? Renders them inoperable and inaccessible. It’s invariably something as you’ve downloaded or visited, which has put some malware in, which is the same. It’s not encrypted at all. You’ll then get an email saying your files are encrypted and we want $20,000. It can depend on the type of organization. These things are not done randomly. There’s a lot of research that can be done with these. They’ll look and see who’s clicked on the ransomware and then they’ll determine a bounty for it. Essentially because if it’s a big organization, it might be two. $300,000 might be two $3 million if it’s an individual. Well, no individuals might be paying that amount of money. It might be $5,000.
Buck: Is there a general way that an organization like yours would recommend people address the issue once they’ve already had some kind of criminal demands of ransom?
Rob: It’s a really tough one. There’s a lot of guidance and leadership that says we shouldn’t be paying ransomware because it just proliferates the problem. Every ransomware attack that is successful to a criminal gang fuels more ransomware attacks. My point, I think a lot of the points from the industry would be that this is a problem that we’re aware of. This is something that’s not new. So let’s look at ways and let’s look at solutions that we can do to prevent the outcome. Right? Because have I got backups? Can I access my backups? Do my backups work? How quickly does it take me to restore them? It’s literally damaged limitation, because if I’ve got assistive, I’ve got processes and procedures in place that actually look at my corporate infrastructure, for example, and I have it replicated and it’s completely unattached to the current environment but is easily rolled back. Well, then ransomware is no longer as big a problem for me because I may only lose 6 hours of work, which can also be devastating for a production line. 6 hours of non production can be the difference between a quarter earnings. So it’s all relevant. I think on an individual basis, use the cloud and don’t rely on things being on your desktop. Use backup. Make sure that things are backed up to the cloud and again, use the complex passwords and the multifactor authentication to prevent the ease of traversing from one to the other.
Buck: How do you see the role of distributed ledgers blockchain other distributed ledgers? How are they impacting cybersecurity systems? Are you seeing this as something that’s going to really be a game changer?
Rob: I’ve not seen anything personally, so it’s a little difficult for me to comment with any great level of authority. I think anytime there is rapid change in technologies and new things are coming on, there’s always a risk. There’s always a threat. I couldn’t necessarily assimilate blockchain or distributed ledgers with any increased attacks that I’ve seen.
Buck: But how about using the technology, actually to improve security through clouds and distributed clouds and that kind of thing.
Rob: Yeah. Again, I think it’s depending on where you are in the cybersecurity journey and what you’re doing. I think really for those that haven’t started on this, I think it’s literally where are we? What do we need to do? Because I think the danger is and I’ve seen this happen a lot with organizations. There’s a new technology that comes into the market, and it’s like you get some clever sales guys out pushing this technology from organizations, but it doesn’t necessarily address the issues that the organizations are having. And I think it’s literally for some organizations that they’ve not started this journey, I’d urge them to start it because I think that’s a too big a risk in today’s market not to engage with organizations to help you understand, because there may be solutions on a sort of blockchain technology that can help you. You might not need to go to that extent, and it’s working with the right type of organization who understands your risk and can help you reduce that and improve your maturity.
Buck: So is there any new kind of cyber threats that we may not be aware of that are out there right now that are emerging.
Rob: There’s lots of attacks happening in different bases all over. I think one of the challenges is how you can’t stop an attack, but you can manage how you deal with an attack. So again, those at home, those private investors not really in their sphere, but actually larger organizations, 500 employees plus really should look to have a 24/7 soc security operations center and a security incident and event management system in place, maybe with some management detection and response, because once you get to a certain size, people are operating 24/7 now. So I think that’s a relevant point. Your organization again, it’s ITC Secure. Tell us a little bit how you work with organizations and also who would be an appropriate client for your group?
Rob: Yeah. So what we do as an organization and we will go into a business and there’s a lot of discussions. What are we talking about? Why are we talking about it? Has there been an event that has led us to this conversation, or is this actually you as a business trying to get a gauge on how you’re likely to become the victim of an attack? I think we’re not a very pushy organization. We like to work. We do a lot of work within private equity firms, within venture capitalists, within the health care sector. So we have various facets to our business, manufacturing and retail alongside them as well. But it’s really about helping understand, where are we, what implementation, what policies, what procedures, what technology have you got in place and then looking at that and really sort of coming back with a report which says, well, actually, industry standard is here and you are above, below or industry standard in terms of your maturity. And from there you can then start building out a roadmap. It’s not about going in and selling a solution. It’s actually about going in and engaging and understanding where you are today, because if you’ve been operating within various sort of cybersecurity programs for two to three years, you’re obviously at a different stage from an organization that’s starting out. And therefore there’s no sense in recommending a solution to somebody who’s in the infancy of cybersecurity versus an enterprise team with 50 security guys because there’s capabilities and where they are on that road.
Buck: Are there resources that you would recommend people read, maybe even at the individual level, just to become sort of up to date with the latest ideas behind protecting yourself?
Rob: Yeah, my feed is full of various sorts of articles. Yes, but also the information I get. I mean, I think looking at CSER, which is an organization here in the US, looking at NCSC in the UK, I’m assuming that you’ll listen as a little more US based. Yeah, the presidential office is now putting out about cybersecurity and the importance of it, because this is where the basis starts. You can get bogged down. And actually, if you read everything, you might never open a computer switch on a computer again, but you have no choice. So it’s about being aware of attacks, being aware of ransomware, and really understanding what you can do as an individual to protect yourself. I think one important thing is that people use it. They expose a lot of information online about themselves, and a lot of it is unnecessary. And some of it can be used both in a personal attack, but also can be linked back to a corporate attack. So be aware of the information that you expose. Be aware of what you post because you just don’t know if anybody can utilize any of that information to help launch an attack against you.
Buck: Good stuff, Rob, I appreciate your time. It’s Rob Embers again with ITC Secure, you can follow him at ITCSecure.com. Rob again. Thanks for joining us in Wealth Formula Podcast.
Rob: It’s my pleasure. Thanks for having me.
Buck: We’ll be right back.