In this Episode
- [02:39] Leia shares her journey from studying psychology to becoming an entrepreneur and IT professional.
- [05:40] Leia introduces the concept of insider threats, explaining that anyone within an organization can pose a risk.
- [11:03] Leia talks about the increasing sophistication of phishing scams, enabled by AI and deepfake technology.
- [14:52] Leia advises against using the same password for multiple accounts to prevent compromises. She recommends using a password manager to generate and store unique passwords and turning on multi-factor authentication (MFA) wherever possible.
- [19:06] Leia tackles turning on MFA for all accounts and using physical fobs or authenticator apps instead of SMS for better security.
- [24:11] Leia explains the importance of having cybersecurity liability insurance for businesses to cover potential losses from attacks.
- [31:27] Leia recommends adopting standards and frameworks, such as the NIST Cybersecurity Framework and the Center for Internet Security (CIS) safeguards.
- [35:01] Leia discusses the use of infiltration testing, including automated scans and penetration testing by white hackers.
- [46:59] Leia advises cryptocurrency investors to use hardware wallets and keep seed phrases and passcodes in a secure location.
Leia, it’s so good to have you on the show.
It is a pleasure to be here with you.
I’d love to start with your superhero origin story, because I like starting with that. Yours is pretty incredible, and you’ve really overcome some obstacles. So, if you could share a bit of whatever you’re comfortable with as a start to this episode.
I studied psychology at university because I thought that I could solve the world’s problems from an easy chair. It was kind of like the path that I put myself on. So, I worked in supported employment. I was a crisis counselor in a teen shelter, and I was even a special educator for two years in public school with kids who had psychiatric issues. But, I knew that I was supposed to do more, and found myself loving to build and create.
I recognized that I was an entrepreneur, which is a sickness that has no cure. So, when you realize that’s what you are, you know you have to go out and build and create things. I started my first business at 23, offering professional writing and design services, and then decided to open an IT company. It was very much outside of anything I had ever done, as I was using my husband’s knowledge at the time to start that company.
He’s a brilliant systems engineer, and I had to learn because our business started to grow, and I needed to figure out all this stuff. I can remember not knowing even simple things back then, such as what a switch was or basic concepts that anyone in the field should know. As my knowledge grew, I noticed a lot of stuffiness inside IT. So I decided to take on a moniker to make it more fun. As you mentioned, my name is Leia. I do get a lot of comparisons, like to Princess Leia from Star Wars.
Do you ever get tired of people saying that?
No, I really don’t get tired of people making a reference to Princess Leia. I love Star Wars, so I decided to make it fun. I was going to adopt the moniker “IT Princess of Power” because I want to help organizations. I want to make it more fun, and I want to remember what it is that I’m doing, so I’m helping people.
That was something I wanted to do when I studied psychology, and I continue to do so to this day, in many different ways. In fact, even though it doesn’t fit, psychology has been incredibly helpful to me, whether it’s in sales and marketing, delivering service, or even managing employees.
Yes, a necessary—I won’t say evil, but a challenge—is having employees and managing them. It’s amazing, but it’s also not an easy thing to do. So now I’m curious: what are the implications of having employees on your cybersecurity team, given that you now have all these additional points of potential infiltration?
A social engineer can fool your assistant or IT personnel. A manager, whoever is working for you, may be better than they seem, as they could be a very savvy entrepreneur, just like you. How do you deal with closing those loopholes?
Your audience may or may not be familiar with the term “insider threat.” Typically, we talk about insider threats, and most people think of a rogue employee who is going to steal information or take money from the organization, or allow a malicious actor in. In actuality, anybody internal to your organization can be a threat to the organization for that same reason that you mentioned.
You receive an email from someone, and they change the display name so it appears to be coming from me. If you see the name in your inbox, but the email address is not from me, but rather from someone else, it’s surprising to me still how often that can fool people. The continuous education of my team on the tactics, techniques and procedures that malicious actors use, especially in social engineering, is just part of the culture in my organization, and everybody questions it, which is good.
We use Slack internally for communication. If I Slack someone a request to make a technical change anywhere in our environment, I will receive a phone call from that team member. They’re like, “Just calling to verify that this is what you want me to do,” because they are that concerned about the impact of security on those changes that they make. It’s very cultural. You can sign up for or have your team sign up for online classes, including those little quizzes and other similar activities.
You can conduct a phishing test to see if they can pick out a phishing message. Those are all really, really good, and they’re helpful, but if you don’t change the culture and the organization to have them be very vigilant all the time, then all that training is for nothing.
And so, whether you’re a business owner, an employee, or a regular internet user, you can face devastating attacks in the form of phishing, ransomware, or identity theft, all sorts of things that can happen if you’re not savvy. And these malicious actors are becoming increasingly savvy by the minute, especially with the advent of LLMs. They’re certainly using them to improve their language and sound incredible and persuasive.
Oh, yeah, absolutely. AI is a great tool for those of us who use it for good, but it is absolutely being used for evil, too. You’re right that in the older days, there were punctuation, grammar, and spelling issues. You could look at a message and think, “Bah, this isn’t right.” Today, you can just ask ChatGPT. You can just feed it some information, and it can spit out something that is not only grammatically correct and correctly spelled, but also sounds like the person it’s supposed to be coming from, because you can feed it those kinds of prompts so that it will even speak in that person’s voice.
Being vigilant and having a keen eye on “what I’m receiving” and “is this legitimate” is really huge. I remember once I got a request for a quote from a public institution in Pittsburgh for some IT services. My first instinct was not, “Oh, wow, this is a great opportunity for my business. It would be a wonderful contract.” My gut reaction was, “Is this legit?” I picked up the phone and called the procurement office. I didn’t use the number in the email.
I went to the website to get the number because it was out of the blue; I wasn’t expecting it. That’s cultural. It has to be a learned thing. You have to get over that initial excitement about something, or in the case of somebody who’s an executive assistant or another employee, they have to get over that initial, “My boss wants something,” which is good, that they want to jump into action, but right in front of that, you have to have that, “Is this legitimate? Am I 100% sure this is legitimate?”
And was that legitimate? Did you find out that it was a scam?
It was legitimate, and that was a very profitable contract for us for many years, but I’m a zero-trust girl. It’s ingrained at this point.
Have you been fooled before?
Oh gosh, no, I haven’t. But I feel like I want to knock on some wood somewhere here. We always say when you’re going to get compromised, or if you’re going to get compromised, it’s like, when are you going to get compromised again? Because you probably already have. I’m very lucky that I haven’t fallen for a phishing scam, but they did try to do more than just phishing. You know, now on these devices, they’re sending you text messages for things, like you probably have seen.
One of these is where you’ll get a text message about a toll that you owe somewhere, and they’ll send you a link and be like, “Hey, if you don’t pay this, we’re going to pull your driver’s license. All you have to do is click on this link and pay this, man.” If they only used their powers for good, how much better society would be, because they’re pretty smart.
What are the newest trends that you’re seeing in terms of the scams and the kind of evil out there?
Something they will always do is, if there’s anything occurring in the media that might heighten emotions, they will leverage it. You also see increases in phishing, as well as smishing, which is when you receive text messages. You see increases in that, aligned with big things that happen—the United States recently had the presidential elections. If you can only imagine, I wanted the election to be over more than anything else, so the freaking text messages would stop.
I’m like, “I don’t even care who wins, I just want these text messages to stop.” But how many did you get that asked you to give money to a campaign? And I understand that, from the perspective of a politician, it’s relatively inexpensive, and you get to reach a lot of people very quickly. They’re sending you links to visit a website and make a donation. How do you know, as a consumer or a constituent, if that’s legitimate or not? It’s hard.
You will continue to see these kinds of things. I always tell people that picking up the phone and calling a known number, or going directly to a site and navigating that way, is always going to be much safer and give you higher confidence that you’re going to the right place and talking to the right person, than responding to an email message or clicking on a link that sends you to a site.
Yeah, that makes total sense. What are the common mistakes that you see people making that our listeners or viewers should be most aware of?
Honestly, the biggest thing is this idea that “it’s not going to happen to me.” It happens to other people. It’s out there, or it’s in the media, or it’s these big names of people who are famous or have a lot of followers, or things like that. It’s like, “Why do they want me? Why do they want my data? I don’t have anything that they want.” When you start with that kind of mentality, you actually position yourself to be more vulnerable.
If you really, truly walk out there, be like, “No one wants my information. I’m not that valuable.” Yes, you are. Everybody is a target. Unfortunately, today, you do have to walk around recognizing that you got a big bullseye on your back. So that’s one of the biggest things. The other is not to have a good idea about your digital footprint in general.
Your digital footprint encompasses all the online accounts you have. That could be sites where you buy things from. It could be social media. It could be logins to things like your bank account or other financial institutions. You need a firm understanding of your digital footprint and what could potentially be leveraged to get something from you: money, information, or even your identity, which a malicious actor could use to get into somebody else’s account or get them to do something. That happens often.
Some accounts are obvious to protect, such as your bank and credit cards, and so forth. But some are not so obvious, and they can be used as an entry point. Someone hacks into your account or your ex’s account, and then uses that to access another account, and then another account, and then, next thing you know, they are in your bank. What are some of the not-obvious accounts that they would need to protect?
One of the things that’s important is to think about how hard it is for us to remember all the different accounts we have throughout the internet. It’s really difficult. So, a very good practice—I’m sorry, guys, this is going to sound like a pain in the rear end—is not to have the same password that you use on different sites. Now I understand that it’s challenging, because at the top of your mind, you can probably think of 20 or 30 different accounts, and you likely have three or four times that number out there somewhere.
But as humans, we want things to be easier. We choose a password we can remember, even if it’s a secure password, even if it’s 20 characters in length. You’ve randomized it somehow. If you’re using it in more than one place, and it gets compromised in one place, then that can be easily leveraged to gain access to other accounts. So, having unique passwords is huge, and you’re like, “Well, how do I do that, Leia?” Well, here’s my rule of thumb that I teach.
The first is that you need a password manager. Whether you use an online password manager or a physical notebook to keep track of your passwords, you need a secure place to store them. If you have a password manager, it allows you to generate random passwords and store them all for you easily, whether that’s web-based, such as Keeper or LastPass. Apple has a feature that helps you generate passwords, which it saves on your phone to make it easier to access.
However, creating random, unique passwords is very important. I also tell people to ensure that they’re turning on MFA, multi-factor authentication, everywhere they can. Most banks, to my knowledge, force everybody to do that these days, which is good. But on some platforms, you don’t have to turn it on. It’s an option. If it’s an option, turn it on. Get used to needing to authenticate two different ways to prove your identity.
You think it’s a pain in the butt, until you get compromised, and the time and the effort and the emotional stress that you go through trying to fix that is not worth it. Take the pain in the butt on the front end so that you have less pain on the back end.
How many people do you think have been hacked in the last year?
If I give you a number, it would be wrong. We have stats in the United States for the Internet Crime Center, and that is some business stats, mostly consumer stats, but that is an underreporting of how many people have actually been compromised. We’re talking in the millions, which is reported to the government. That’s a small fraction.
How many people who were hacked or had an account that got compromised had it at the top of their mind to go to the government site and tell them about it? No, it was not. I would guess that it’s like ten times that number of people who are getting compromised throughout the year, and it is only going up.
So it’s tens of millions. It’s a growing problem. The sophistication of cybercriminals is only increasing, so we must take action. You mentioned multi-factor authentication. Let’s go deeper into this. For example, should they get one of those sticks that you insert into your phone or computer, which validates you? Should they use an authentication app like Google Authenticator or Authy, or both?
Should they turn off their SMS notifications if their phone is cloned, or use an alternative method? For instance, if they opt not to use Google Authenticator, they could consider using SMS authentication instead, and then enter their bank account information that way. What are the ways we need to start hardening our security here?
You’re referring to an app-based MFA or fob-based authentication, which involves using a physical fob, so you have something tangible in your hand. Either one of those is going to be more secure than SMS. My bank will either call me or send me a text message. I don’t have another option, unfortunately, but if you have an option, you definitely want to choose a physical fob or an authenticator, and it could be any of them: Duo, MS Authenticator, Google Authenticator, Authy, or Okta.
There are so many different ones. One is not better than the other. It’s just that the apps are going to be better than SMS. SMS can be faked. SMS can be intercepted, so that’s not as secure. Another thing I didn’t mention that everybody should also consider is ensuring that you have a service you’re subscribed to that searches the internet for compromised passwords, and also checking your credit, and alerting you to credit checks or credit changes, or things of that nature. It sounds relatively elementary. It sounds like, “Do I really need to have that service?”
And again, it alerts you to things you’d otherwise have no way of knowing, because there’s no way for you to be searching the dark web yourself to know what’s been compromised. And often, when a malicious actor breaks into a corporation, one of the first things they do is steal all the user accounts and encrypted passwords. Often, they can decrypt these, so they are posted on the dark web in plain text for the highest bidder. When those services are doing that work for you, they are searching the dark web.
They’re letting you know when those passwords have been compromised so that you can change them. Don’t just change them by adding an exclamation point at the end or saying, “Oh, well, that’s not exactly what I use. It’s a little different.” Heck, if it’s out there, then that’s a breadcrumb for a malicious actor to use technology to gain access to those accounts. So, make sure that you change those. I also advise people to ensure that they log in and freeze their credit when they’re not making transactions that require it to be open.
Remember, of course, to unfreeze it when you’re doing something. That is a great way to make sure that transactions aren’t happening in your name if your identity is stolen. They won’t be able to do that once the cat’s out of the bag; you’ll just have a big mess, and you’ll have to go back and remediate it. So again, remember that you’ve frozen it.
This was funny. My dad got really ticked off. My mom, who is on top of this and very concerned, froze her credit. They went to buy a car and were going to finance it. You know that 0% financing option they have? While they were sitting there, they couldn’t actually get the financing because my mom had forgotten to unfreeze her credit, and my dad was upset. He’s a type A personality, and he’s on the phone with me, “I can’t believe your mother,” and I’m like, “Look, I understand that that was a little bit of an inconvenience.
The car isn’t going anywhere. You will still receive the financing. But Mom did the right thing here. She’s human and she forgot to unlock it, but she’s actually doing the right thing. And hey, Dad, maybe you actually should consider doing this as well with your credit.”
Yes, there are different ways to freeze your credit, including the fraud alert and the security freeze. What are the various ways to do this? I believe some are free, while others are paid. Some only last for a year, and then you have to redo them after the year expires.
I recommend logging directly into the credit bureaus and freezing and unfreezing your credit with them. That’s where an institution will go to check your credit if something is being opened in your name. It serves as a source of truth. So if you go in there, you have complete control by law. You need to be able to log in and perform tasks such as freezing your credit and then request a free report from each of those agencies once a year. That’s required by law, and that way, you also have control. Hopefully, you save all those accounts in your password manager so you can access them when you need to unlock them. That seems like the best way because it’s not like you have a third-party service that’s doing it. You’re in control of that.
What if you are compromised, heaven forbid, but you have some sort of insurance that you hope will cover that loss, identity theft insurance? Is that something you can get? What about if you’re a company with cybersecurity insurance? What are the insurances or the options with the regular policies that you want to turn on that feature?
So, for services that you subscribe to as a consumer, like LifeLock, for instance, they do promise to help remediate a situation if you’re compromised. It’s better than trying to do it all by yourself, but don’t expect white-glove service for that. Still, they will provide you with a lot of support resources to help you get that done. If you’re a business, you will typically have much more in the way of assets, much more in the way of cash, and much more to lose than a consumer.
Most of the time, we recommend that everyone have cybersecurity liability insurance. And for a long time, those agencies were actually upside down, so they were issuing this insurance to people. It was relatively inexpensive. They were paying out far more than they were getting from the cost of those insurances. Now, there are many different flavors of insurance that provide a little help to a lot of help, with varying limits—$500,000, $1 million, $2 million, $5 million.
I recommend that if you’re a business, you have at least a million dollars in coverage for cyber liability. If you have a major incident, you would be surprised how quickly that money is spent trying to remediate it, ensuring all the right people are notified, and addressing similar matters. The companies have gotten much wiser. They give you, oftentimes, a much more detailed questionnaire.
What I would encourage your audience to do, if you’re a business owner, is to look at that questionnaire not just as a checklist. Look at it from the perspective of, “Why is that question on there?” Because insurance money agencies are not in the business of losing money. They’re in the business of decreasing risk. So if that question is on there, then they have these smart actuaries who are saying, “If this is in place or not in place, it’s going to be more or less risky for our organization.” If it’s more or less risky for them to cover you, then it’s going to be more or less risky to have or not have that practice inside your company.
What would be an example of that?
They ask questions such as, “Do you have MFA throughout your organization, MFA to access your office or your network remotely? Do you have a SIEM tool in place that collects log files from all components of your network, including your computers, firewall, applications, and even Google or Microsoft 365, and do you have a security operations center team on the back end that is looking at all those logs 24/7 for indicators of compromise?”
Often, they can react and stop a compromise before the malicious actor gets too far into the organization or causes significant damage. So that’s a lot on there. “Do you have an incident response plan in place?” Some organizations think, “Okay, well, I don’t have an incident response plan. Could someone please provide me with an incident response plan?”
Then they’re like, “Okay, this looks good,” and they put their logo on it, and they say, “We have an incident response plan,” but if they don’t follow it, it’s not very helpful. It’s just CYA paperwork, and it doesn’t bring value to your organization. Therefore, you should certainly have a plan in place for when an incident occurs, because something is bound to happen, and everyone needs to be aware. “What do we do? How do we respond? Who do we call? What kind of information do we collect? What actions can I take to prevent the compromise?”
Everyone in your organization and anyone helping you with it needs to be on the same page about that. Other questions are: “Do you have a business continuity and disaster recovery plan?” They want to know, have you done the thought exercise of, “If some key systems go down, how long will I be unable to work and make money before they’re restored?” because that’s oftentimes covered in this insurance. “Is it going to be 24 hours? How long will it take to restore my working environment so that my team can return to work?”
What’s the cautionary tale you want to share about somebody not having a plan like this in place and having to scramble afterwards?
We work with numerous manufacturers, and not only do they have computers similar to the ones you and I are using, but they also have operational technology devices, such as CNC machines. Those often have integrated computers that can, or sometimes cannot, be hardened and secured very well. There was, in fact, a manufacturing company in Ohio that lacked proper security and engineering measures, and they were subsequently ransomed.
It spread to every device on the network, including those used to produce their product, which is how they generate revenue. Because they had no plan, they were actually down and not able to operate and produce anything for three weeks. That’s how long it took them to restore the system and be operational again. So I just ask you. You might say, “Well, I’m not in manufacturing.”
I want you just to think right now, “If my organization, my company, could not produce what we do, whether it’s a service, whether I produce a product, whether I have a website that’s up there selling for me 24/7, if that was down for three weeks, how much money would I lose? How ticked off will my clients be that I can’t provide them what they’re paying for?” And when you go through that exercise, you look at what the possible failure points are, and consider whether there’s something you can do to either reduce the time, restore it faster, or even completely eliminate the risk of that thing occurring.
This can feel overwhelming to somebody, whether they have a business or if they’re just trying to protect themselves, personally, all the kinds of planning and policies and procedures and lists they’ve got to prepare just that alone, let alone go and actually apply these new principles, like to their passwords, to the access privileges they give out, to the different kinds of tools that they use for things like file sharing and VPNs and all this sort of stuff. It’s like, “Wow, this is so overwhelming,” and then they don’t do anything. What do you tell somebody who’s feeling overwhelmed by all this?
Now, what I’ve noticed is that oftentimes businesses will take more of a, I guess, spastic approach to thinking about their security, because maybe a friend tells them something that happened to them. Then it brings it to their attention, or they get burned in an area. Then suddenly they’re like, “I understand now why this is so important. We have to put something in place.”
It doesn’t really serve you or your company very well, so taking a strategic and structured approach will help you identify the risk and then put things in place to either mitigate it or transfer it away, giving you a clear picture. Security is not just the tools you have in place, as we discussed, but also the plans in place for when something goes sideways. My philosophy has always been, with companies willing to engage with us in this way, to say, let’s adopt standards within your organization that address IT and security concerns.
There are tons of standards out there, different frameworks, if you will. Some of them are related to regulations that you already have to follow. If we have this set of standards, then we can say, “Okay, what is important to the organization from a standards perspective that will decrease our risk?” We typically use controls or safeguards, rather than getting too technical. But, the National Institute of Standards and Technology (NIST) has some of those standards within the Cybersecurity Framework, and also specific standards for things like HIPAA: NIST 800-66 if you have protected health information, and NIST 800-171 if you have special sensitive government information.
There is also the Center for Internet Security (CIS), which maintains a list of these safeguards, so you don’t have to come up with them yourself. In other words, you don’t have to sit there and be like, “I don’t know where to start.” You can go to either one of those sites and see a list of standards that really smart people populated, get an idea about what kinds of things you should have in place, decide whether to implement all of it or just part of it, and then create an action plan for implementing that, which will include documentation, things like the policies and plans we already talked about.
Then you need a mechanism to check that over time. This is your business, and you want to identify the risk so that you can protect this asset. How often will you go back and check the alignment to those standards? Are my people doing the processes the way we said? For instance, if you decide to implement an accounting control where two different people in your organization must approve a wire, then verify that this is happening. Whatever that is.
How often do you plan to check it? We typically do that once a quarter. You could even do it twice a year, or once a year at the very bare minimum, but you need that cadence to check back in and make sure that those things are happening and that they are aligned, because the last thing you want is for something to happen, and you’re like, “How did this happen?” Then you discover that what you had thought was happening in your organization was not actually happening. That adds insult to injury when you’re in a crappy situation like that.
Do you also conduct infiltration testing for your clients, looking for security vulnerabilities in their systems and potentially hacking into them as a friendly hacker?
Yeah, we do. We have a couple of different levels of that. There is a scan that you can run that automates that. So in that particular one, it’s not that somebody is sitting there and trying to hack into things. It’s just an automated scan that’s run, where it tries to do those things in an automated, scripted fashion, and then presents a report, saying, “Here are a lot of the vulnerabilities. Here are the things that the automated scan finds.”
All I did was press a button, and these are all the things it was able to do, which, in and of itself, is eye-opening. And then we also do penetration testing, internal or external, where a real person, who’s like a white hacker, is attempting to break into the security. It can oftentimes sort of simulate or mimic what a malicious actor would do, and then they come back with a report of what they were able to accomplish.
If they’re able to accomplish it with very little information, well, certainly a really smart malicious actor could do the same thing, and you can have that information in advance of compromise and see what holes you can close.
Yes, there must be monitoring tools. As I’m in the SEO world, I ensure that our clients’ websites are functional, and tools such as Pingdom check that the website is still up and so forth. You don’t have to check that by hand, and it’ll send you an alert if the site goes down. Are there tools that continuously monitor for security threats?
Yeah, that tool that I’d mentioned before, the SIEM. Some people will say SIEM, and then take it a step further, referring to it as SOAR. We love our acronyms in IT.
Yes, I noticed you used one earlier. CYA, cover your backside.
Yes. So tools like that, if they are deployed properly, should be collecting logs and information from all of your assets, computers, cloud platforms, firewalls, wireless access points, things like that, and aggregating all that information together. That’s a lot of noise, a ton of information, so there’s a bit of automation to clarify the most important events and information, and then correlate them to tell a story.
If you look at different pieces of that information, it will tell a story of what’s happening in your digital world, and then real humans are looking at that information and putting it all together to determine whether what’s happening is just normal behavior or if there is concerning or abnormal behavior here.
What would be considered abnormal behavior?
Things like what we’d refer to as lateral movement on a network, which is a technical term for seeing somebody, most of the time a privileged account, some kind of administrator account, moving from computer to computer, computer to server, moving across the network. Sometimes that’s legitimate, but that would be something that would be highlighted to look into. Is this a legitimate move, or is this something that is a malicious actor?
Things like a lot of information being deleted, a lot of information being downloaded or uploaded, or, the word we would use, exfiltrated. Those are the biggest things. But you can also turn on alerts for things that have been changed. For instance, many of us have set up alerts on our bank accounts. This is very relatable. If your password has changed, you will receive an email letting you know that your password has been changed.
That might sound irritating to receive that email until you’re not the one who changed the password; then you’re very happy you got that email. And also different kinds of changes within a platform. So if somebody adds a user account, if a user account gets disabled, or if somebody changes their password, those kinds of alerts that you can turn on are often helpful so that you can see that kind of behavior.
And sometimes it is legitimate, but when we see that somebody has tried to log into an account on Microsoft 365 a hundred times, if it were a real user, they wouldn’t have been trying to hack into that account. They would have reached out to us and said, “Hey, I forgot my password. Can you help me?” That’s a really good indication that something malicious is occurring.
And you can use that same philosophy of looking for abnormal behaviors or activities with anything, really, where somebody’s going to scam you: “I’m traveling internationally, and my passport was stolen, and all my money. Can you wire me something from Western Union so I can get out of jail?” That sort of thing that doesn’t sound like my family member or my best friend, or whatever, sounds like a scam.
That’s an obvious one, but they are things that just don’t mesh with the usual behavior patterns of somebody that you know, and you’re getting an outreach request for help.
Security is not just about the tools you have in place, but also about the plans you have in place when something goes sideways.
The malicious actors are getting so much better at trying to fool you and prey on your emotions. I’ve heard stories about a grandmother. The grandson was legitimately in a different country. She got a call from somebody who said that they were an attorney and that he was in jail, and that he was not permitted to be able to speak or make a phone call, and that she had to wire $5,000 so that this attorney could represent the case, or her grandson was going to be put away in some jail forever.
First of all, when your emotions are high, especially when they’re negative, high emotions, anxiety, frustration, fear, anger, your brain physiologically turns off some of that logical capability, because you’ve gotten yourself into fight or flight. Survival is the only thing that you’re thinking about. So, logical, “Is this true? Does this sound legit? Is this the right decision to make?” That’s suppressed.
You have to remember, when you get a call, to take a step back. It’s unlikely that your grandson is already in front of a firing squad, and that the person that’s calling you is the one that’s about to pull the trigger. That’s very unlikely. So, you can take a moment to step back, take some breaths, and maybe even call them back, saying things to buy time, such as, “I have to go to the bank,” “I have to talk to my husband,” or “I have to do whatever.”
Make it sound like you’re going to do the thing, even if you just need to take some time and reassess what’s going on, buy yourself that time, bring your physiology back down so that you can think logically about it. It doesn’t have to be something quite so crazy and big, getting a call from someone in a different country, it could be simple things like a call from your bank. I question that stuff all the time. I get a call from the bank. I’m like, “Well, I need you to prove who you are.” “Well, I’m not able to do that.” “Well, then I won’t be able to give you that information.”
To be able to sound like the person that is your business partner, your employee, or your family member, they can use software to emulate the person’s voice.
And it’s really good. It does a really good job, unfortunately.
Yeah, crazy, crazy, crazy. What do you think about passkeys as a way to help with security and limiting access? Is that a panacea, or is that just another annoyance?
There is no one thing you can do. People ask me that, like, “What’s the one thing you can do?” I should say being aware and smart is really the biggest thing. However, we continue to develop new technologies to support the fact that humans want things to be easier, and we’re also a little lazy in making it easier to build up our security. So, take a look at those technologies, and determine if they’re a good fit for you, so you can never feel like you’re not safe. Don’t ever feel that way.
Feel a little more confident when you turn on MFA or employ passkeys. Feel confident knowing that you have done something to help shore up your security, but you are never secure. Even if you turned off your computer and threw it in the lake, and you’re like, “I’m never getting online again.” You still aren’t secure, because your information is in thousands of databases across the world, and that information can be stolen. You have no control over it.
It’s kind of frightening.
It is. I could go on and on and on about where your information is, and yet it belongs to you. And the issues with corporations or other organizations that have that information and seem to think it belongs to them, rather than to you: the one I think about the most is health information. Your medical file belongs to you. It does not belong to your doctor. It does not belong to the hospital. It belongs to you.
So, yes, I do get really irritated when I go into a hospital or a doctor’s office and see very poor practices with my information. They forget that that information belongs to me, not them. You are a data custodian for my information. Your bank is a data custodian, not just for your money, but for your information. If you have a Target card, Target is a data custodian of your information, and yeah, I get my feathers pretty ruffled if I see poor practices in that area, because I’ve entrusted you with my data, so it is your responsibility to protect it.
So you could have no technology. You could throw your laptop and your phone in the lake, and still have your identity stolen. You can have someone file a tax return on your behalf and receive the tax refund that you were owed, even if it’s not a real refund, as you may actually owe money. They made it sound like you got a refund, and then they went and cashed it. It’s crazy what can happen.
Yes, and so that’s why people get really frustrated, and they go in that direction of being very extreme, in that I’m going to cut it all off. Well, the cat’s already out of the bag, so you can’t put it back in the box. You need to accept that and then put those best practices in place to decrease the risk as much as possible.
One last topic before we wrap. What if someone is investing in cryptocurrency? Of course, the big recommendation would be to use a hardware wallet and not trust exchanges with your crypto. But assuming that somebody does have a hardware wallet, that is also a security vulnerability, because you have to have a passcode for that device. You need to have the seed phrase in case you lose the device, or it breaks, or is damaged in some way. What are some best practices for protecting your crypto?
Even in the military, at the highest levels of security, they still write things down. They have things written down somewhere and stored in the safe, because it is very possible to become cut off from technology, have accounts deleted, or have your account compromised, and then not be able to reach anyone to get help. Consider what you need to have in written form. I do not like paper. I am the “IT Princess of the Power.” I’m a digital girl.
However, there are some things that I know are important to have on paper. I have a fireproof safe where I store important information I need in hard copy, and I also ensure I have a backup. So, obviously, my husband and I both know the combination to that safe. But what’s my plan in case something happens to me? Is it a letter in a safe deposit box somewhere that has the code to that safe? Build a fortress around your information and your assets that includes this kind of strategy, so that if something like that happens, it’s recoverable.
Lots to do. Alright, so what’s our next action for our listener or viewer? Let’s say that they’re concerned, not freaked out, and they want to take some action. How do they learn from you, work with you, get a checklist from you, or some sort of workbook or something that will help them with this process?
This might be very helpful to everyone. I’m sure many of your listeners are in business in some way and travel from time to time. We actually created a guide that you can find on my website. It’s called the Business Traveler’s Guide to Cybersecurity. Whether you are a business traveler or not, it applies if you go anywhere outside your house at all.
There are actually some fantastic checklists on there, as well as some things to consider when you go outside of your home or office. That’s for free. You can visit my website at www.compliancyit.io to find the guide. I highly recommend that everyone obtain a copy of it and follow the instructions and checklist inside.
Good advice. Alright, awesome. Thank you so much, Leia. This is an important episode for our listeners to hear. Thank you for your time.
My pleasure.
Thank you. Listeners, now take action. Do something to improve your security and the security of your loved ones and your colleagues as well. While you’re at it, we’ll catch you in the next episode. I’m your host. Stephan Spencer, signing off.