
18 Tim Herman: Cybersecurity Evangelist and Life Enthusiast

S1 E18 · Dial it in
97 Plays · 2 years ago

What goes bump on the internet? Yeah, you'd think it was a joke from two dad-joke kings, but it's a real concern for businesses: being safe. We talk to Tim Herman, cybersecurity expert (who's an inspirational fellow in his own right), about what catfishing is, intrusion points over the internet, and how it can really, really screw up your day. Then Tim tells us about how his company wargames out solutions to keep people safe.

Dial It In Podcast is where we gathered our favorite people together to share their advice on how to drive revenue, through storytelling and without the boring sales jargon. Our primary focus is marketing and sales for manufacturing and B2B service businesses, but we’ll cover topics across the entire spectrum of business. This isn’t a deep, navel-gazing show… we like to have lively chats that are fun, and full of useful insights. Brought to you by BizzyWeb.

Links:
Website: dialitinpodcast.com
BizzyWeb site: bizzyweb.com
Connect with Dave Meyer
Connect with Trygve Olsen

Transcript

Introduction to 'Dial It In' Podcast

00:00:05
Speaker
Welcome to Dial It In, a podcast where we talk with interesting people about the process improvements and tricks they use to grow their businesses. I'm Dave Meyer, president of BizzyWeb, and every week, Trygve Olsen and I are bringing you interviews on how the best in their fields are dialing it in for their organizations.

Meet Tim Herman: A Cybersecurity Evangelist

00:00:24
Speaker
So Dave, I know we wanted to do an episode about cybersecurity, and then we have a guest who's going to help us today to talk about cybersecurity, but I kind of forgot something about him.
00:00:33
Speaker
Because I call him and I said, hey, can you do that? Would you like to do the podcast? And he said, well, sure. I said, great. How about this day? And he's like, eh, maybe back it out a week. And I said, oh, what's going on? I'm having my kidney removed.
00:00:46
Speaker
Oh, well, there you go. Well, I mean, that's a perfectly good excuse not to, not to be available for a podcast. And as I thought about it, I thought, the guy we're interviewing today, he's had a lot of interesting ups and downs in his life, but he continues to remain perpetually positive. So I thought,
00:01:05
Speaker
what a great guy to talk to just about cybersecurity, but also just life in general.

Tim's Professional Background in Cybersecurity

00:01:12
Speaker
Our guest today is Tim Herman. He's a cybersecurity evangelist and an account director at Online Business Systems. His job is to help companies and organizations with digital transformation and cybersecurity. Welcome, Tim.
00:01:28
Speaker
Thanks, guys. Thanks for having me. I forgot something. Tim is also the president of the Minnesota InfraGard Member Alliance, which is an FBI private sector partnership to protect our nation's critical infrastructure. He also serves in the Minnesota Cybersecurity Summit Think Tank Advisory Board and spent three years on the Minnesota Information Systems Security Association Board. Wow, that is a lot to put on a business card, Tim.
00:01:56
Speaker
Yeah, that, most of that goes on the back of the card, right? Right. Perfect. Yes. Tim, as I think about your last two years, a couple of years of your life, I'm reminded of that, before memes were popular, that you used to see signs posted around town sometimes where you'd see a lost dog, burnt tail, one eye, three legs, answers to Lucky.
00:02:25
Speaker
And

Overcoming Personal Challenges: Tim's Health Journey

00:02:26
Speaker
that's kind of how I think about you because you've had a lot go on in the last three years and you still are perpetually peppy and affable and warm. What all has gone on in the last three years for you? Well, I'll even start five years ago. Five years ago at the age of 47, New Year's Day, freaking cold outside. And I was outside with my dogs and I started experiencing chest pains.
00:02:53
Speaker
And then later in the day, and I didn't think of it because I just thought it was that cold, that, wow, you know, I went back inside and was fine, then went out later in the day and found myself face-planted in a snow bank, and my wife found me, called the ambulance. I had a heart attack and a stroke to areas of my brain that I don't use on that day, and
00:03:14
Speaker
On that day, I was 300 pounds and very overweight, which runs in my family. And that caused me to decide to start taking action and losing weight. And so that part of what you're referring to, Trygve, is this last July.
00:03:35
Speaker
Ended up doing a bariatric surgery, a gastric bypass, or what's called a Roux-en-Y procedure, where they reroute your stomach plumbing, essentially. And so I've lost over 70 pounds since then. This morning I weighed in at 193 pounds, and so this weight since high school, and, yeah, I feel, feeling great today. But, but yeah, there's a lot been going on, and
00:04:00
Speaker
And then what happened just this last couple of weeks is I found out about a month and a half, maybe two months ago that I had kidney cancer, stage one, early caught. And so they went in two weeks ago and removed my right kidney, which also had a stone that was almost the same size as the tumor. But clear margins, everything went well and fully recovered two weeks later.
00:04:29
Speaker
But, you know, my joke with people, and, you know, kind of, you know, playing on your "I'm always peppy": hey man, I want to lose weight so bad that I just, you know, get rid of my organs. You know, I don't need my gallbladder, got rid of that. I don't need my kidney, got rid of one of those. No, but in all seriousness, yes, I've been challenged with some health things, but I do remain positive. That's the number one thing that you have to do is
00:04:53
Speaker
stay positive and live your best life. Well, that's a lot in and of itself. One of those things is a moon shot. You've had two. Then the third is you met your father for the first time recently.

A Life-Changing Reunion: Meeting His Biological Father

00:05:10
Speaker
That is correct. I'm actually living a Hallmark movie story as well. Or a country song. Or a country song. Play it backwards.
00:05:24
Speaker
My biological dad, I knew about him from the time I was probably in my early 20s. I grew up with a stepdad. He and my mom got married when I was five, so I knew that I was adopted by him. But I was always too afraid to ask the question to my mom, because, oh, it's going to be too painful.
00:05:46
Speaker
As kids, we just make excuses for our imagination runs wild. I never really asked about it until I was in my 20s. Then I got to the point where I decided I really want to meet my family. The best way to do that is, hey, let's sign up for 23andMe and let's see if
00:06:10
Speaker
if I'm connected with anybody, you know, from his side of, you know, from his family, and, and they, then we can connect kind of sideways. And, and that is in fact what happened. About a year after I signed up for 23andMe, we ended up
00:06:24
Speaker
getting a message in my email saying that you've got a half-brother. My brother signed up for 23andMe as well and started talking with him a month or so later. I went down to visit him in Iowa where he lives. He's a paramedic down in Iowa City area. Then he introduced me to dad. We went out for lunch for the first time.
00:06:51
Speaker
You know, when I say that, uh, that I'm living a Hallmark movie story, every kid's dream. My dad is a drag racer. He is actually a race car driver at 73. He's still driving a 1965 Plymouth, uh, you know, a fuel altered, uh, altered wheelbase, uh, dragster, uh, uh, race car that, uh, I actually got to go this summer and, uh, spend a couple of races, uh, being part of his crew. So, um,
00:07:19
Speaker
That, I can't tell you how exciting that was. Probably the one of the highlights of my time with him so far is he took me down at the starting line, starting gate, with these short-body dragsters, and
00:07:37
Speaker
Um, one on each side, put me in the center where the light pole is, and literally I got, you know, to feel the rumble of, you know, the burnouts, and then when they hit the, hit the starting light, you get that, uh, you know, there's nothing like getting sprayed from both sides of you
00:07:55
Speaker
Um, you know, with, uh, with nitro. Um, it's, it's ridiculous. Um, but, uh, it's exhilarating beyond, beyond what I can, can even explain. But, uh, that was probably the highlight, is he just, you know, he's just staring at me with this big ear-to-ear grin, he's like, isn't that cool? Like, yes, it was very cool. I'll say. Wow. So amazing, Tim.
00:08:20
Speaker
How do you get out of bed every morning with all of this going on just in your own head? Hey, every day is a new adventure, right? I really have no classy or inspirational way to transfer or do a subject change into cybersecurity. So let's just make it bad and say, let's talk cybersecurity now.

What is Ransomware and Its Impact?

00:08:40
Speaker
So Tim, you know, we brought you on, I think in the last 10 years of your life, you really changed into a cybersecurity expert. So what are some of the biggest cybersecurity threats that face businesses and individuals today? Wow. That's a, that's a big question. Um, and you know, probably the biggest, uh, the thing that's scaring most businesses and people right now is, is, um,
00:09:07
Speaker
is ransomware. That's the thing that's shutting down businesses and is really affecting everybody. What is ransomware?
00:09:16
Speaker
So ransomware is where a bad actor will get into your system. They'll lock everything down and you have to pay a ransom. Usually it's a couple of Bitcoin, which is fairly expensive. And if you don't pay, they will end up locking you out of your systems and encrypting everything. And then they'll sell sensitive information on the dark web.
00:09:46
Speaker
It ends up getting pretty bad. Cyber insurance companies are starting to not pay ransoms. The FBI doesn't want you to pay ransoms because that helps just foster, hey, we're going to get paid and we're just going to keep doing it because we get paid.

Understanding Phishing and Spearfishing

00:10:11
Speaker
The other thing about ransomware is, you know, there's been a lot of training available now for ransomware prevention as well, and, and one of the biggest ways that people get ransomed is they, they get emails from people, phishing attacks. Somebody lets them into the kingdom, you know, because they didn't know any better or they weren't paying attention. They click on a bad link, and
00:10:38
Speaker
Well, hold on, let me introduce a new term there. Explain what phishing is, because it's not, it's not, you know, it's not that kind of fishing. Phishing is with a ph. Uh, phishing is when somebody sends you an email or, uh, or a text, uh, and they are, you know, essentially socially engineering you. And maybe even ahead of time they've, you know, reviewed your Facebook and your LinkedIn and they learn about you, what things kind of make you click, um, and
00:11:06
Speaker
say you're a CEO of a company and they know from your website that you also have so-and-so as your executive assistant, they can actually send you
00:11:25
Speaker
An email saying that they are the executive assistant and, hey, you know, I need to pay this bill. Or, you know, hey, we've decided to switch to a different payroll company and, you know, here's the link that you need to, you know, need to set everything up with. And people end up losing their whole company's payroll because they got phished. And, I mean, there's just, there's all kinds of crazy stories that we've heard over the years, and
00:11:50
Speaker
But that's probably the biggest thing right now is the human component is the biggest impact. So the more that we can educate users of computers to not click on those things, that's gonna be the best protection.
00:12:11
Speaker
Tim, is that called phishing when people are posing as other people, or what are the common terms that our listeners might have heard? Phishing is the tactic that they use.
00:12:28
Speaker
Yes, the phishing is the tactic where you actually try to infiltrate a company by sending an email or a text or you're socially engineering somebody's information. So let's reverse engineer that a little bit.
00:12:45
Speaker
How can I protect myself as an individual? How can I protect myself as a company? You know, I shouldn't have everything public on Facebook, you know, I mean, you know, kind of go back to, you know, hey, I'm posting on Facebook that I'm going to Mexico for the next week. And, you know, I'm gonna have a lot of fun. Well, gosh, you're now a target.
00:13:08
Speaker
for thieves who might know where you live and they can come and raid your house because they know you're in Mexico. I mean, phishing is the same kind of concept where people put information out there thinking that everybody is good and that can be used against you. What's spear phishing?
00:13:30
Speaker
Spear phishing, as I understand it, is more of a targeted. Let's take this. Dave, I can see your background. You've got different things in your background that can, if I can zoom in enough, I can actually see things that might be of interest. If
00:13:54
Speaker
if I see that you've got a big fish hanging on the wall, you're a fisherman. I can use targeted things to actually get an easier conversation going with you because we have common interests, things like that. So spear phishing would be a little bit more targeted type of phishing where you're not just sending it out to everybody in the company, it's I'm targeting a specific person.
00:14:23
Speaker
And this stuff really happens because I've received emails or people on my team have received emails claiming to be me or texts claiming to be me saying, hey, just just quick approve this thing. Or, you know, there's there's another one that's pretty common that I was just looking at your Facebook marketplace is a big thing and there's all kinds of scams out there. And the thing that I couldn't figure out, I was selling like an old chair or something.
00:14:50
Speaker
and somebody wanted me to click on a link to verify a Google voice number. I just need to confirm that you're a real human being. It's like, no, you don't. That was it. What's the goal in that? What are they trying to do?
00:15:07
Speaker
Who knows? All kinds of bad things. If you click on a bad link, they could release some kind of malware to your system that locks everything up. I know that I had a client
00:15:23
Speaker
A couple of years ago where they were a Native American tribe and the tribal offices, among all the people that are on their e-mail system, 17 people ended up clicking on a bad link and that 17 times that link was infiltrating and locking everything down. The whole tribe was shut down for
00:15:52
Speaker
Uh, for the better part of, uh, you know, two weeks, right around the Christmas holidays. Yeah. Yeah, so they couldn't do payroll. They couldn't do, you know, I mean, everything was locked up. That's him. When you watch TV and somebody's the victim of a cybersecurity attack, immediately a skull and crossbones flashes on screen and an evil laugh happens. Does that happen in real life? It can. All depends on the bad actor. They'll
00:16:19
Speaker
They'll, uh... Yeah, they, they use things like that. Um, you know, I haven't seen them personally because, you know, I haven't been, I haven't fallen for that yet. But, uh, but yeah, you know, it, it can be whatever, you know, whatever they use. You know, what's interesting now is
00:16:38
Speaker
You mentioned being president of InfraGard Minnesota chapter, working with the FBI in the cybersecurity space, the FBI actually hunts down and gets the keys to unlock some of these bad actor groups as well. So just because you've been hacked and everything's been locked up, when you reach out to your insurance company and then you reach out to
00:17:07
Speaker
an incident response company that can come in and help kind of get things back up and also gather forensic data so that you can determine who was the baddie and how did they get in and that kind of stuff. That's all necessary to do.
00:17:23
Speaker
But the FBI might be able to say, hey, you know what, we've had experience in other parts of the country with this same group, and we've actually arrested them, and we've actually had the keys to unlock your kingdom, so you don't need to pay a ransom, that kind of stuff.
00:17:40
Speaker
That's, um, that's a real, you know, real-world happening. Um, InfraGard actually, you know, plays a strong role in that. You know, we have 80,000 members across the country among, I think, like 70-some chapters, um, and
00:17:56
Speaker
InfraGard is about protecting our nation's critical infrastructure. And how we do that is sharing not the secret sauce of all of our companies, but sharing threat intelligence between each other. And so when something happens at a ABC company here in Minnesota, they can actually report to other of their InfraGard members
00:18:24
Speaker
in their same infrastructure, say it's a transportation sector or an energy sector. Sometimes we'll get briefings that, hey, right now this bad actor group is targeting the transportation sector
00:18:40
Speaker
Well, now we can talk amongst ourselves in that transportation sector and share that information, not just locally, but nationally. And that way the FBI can leverage those relationships with these business leaders all over the country. And then that is what leads to a lot of these arrests as well. My fridge is connected to Bluetooth.
00:19:07
Speaker
and one of those things called the Internet of Things now. So where companies will, if a particular thing needs a software patch, they'll just have it automatically connected to the Internet.

How to Secure IoT Devices

00:19:19
Speaker
So is my fridge going to rise up and eat me if it gets cyber-attacked?
00:19:25
Speaker
Yeah, that is a fantastic question, and it is a vulnerability. And so what can I as an individual do? The first thing that I always ask is, have you changed the default password on your firewall or on your, on your router? You know, I have
00:19:45
Speaker
you know, a separate, a separate modem from my, from my internet router, because I didn't want them, you know, be just like a Comcast or a, you know, or a CenturyLink, your dual, your system. I wanted to be able to control one and the other, and so
00:20:05
Speaker
changing your default password. So many people don't do that. That means that anybody that comes to your neighborhood, they can be parked out front and they can log into the numbers.numbers.numbers and they're now into your network and everything is vulnerable. That's a big thing to do. The other thing is buy a firewall as well and set those firewall things.
00:20:33
Speaker
You know, I also think that, that having your wireless password not be "password", having your, having your password be something unique and different than everything else that you have, you know, that is a big key. I use a password manager called Keeper. LastPass, 1Password, I mean, there's a lot of different, you know, password managers. Apple has their own password manager, Samsung has their own password manager, and
00:21:00
Speaker
But it doesn't matter which one you use, use one and make sure that every single thing that you log into has a different unique password. I'll tell you my secret sauce that I share with people is
00:21:14
Speaker
Use a password that is four or five separate words that do not make a sentence, that do not, you know, it's not the song title or it's not anything that makes sense, and put underscores and spaces in between those, and, uh, it is going to be incredibly nearly impossible to hack that password, you know, with brute force, because
00:21:36
Speaker
It's not a unique, it's not a name of a song. It's not your birthday. It's something that can't be socially engineered. Wow. Long answer to your question. That was brilliant. I'm afraid of my fridge now.
00:21:53
Speaker
Well, I've got a washer and dryer that does the same thing. And because I've actually done these things, I feel better about it. For the longest time, I told my wife, we are not going to have a smart house because I just am not confident that it's not going to be a threat vector. I mean, how many people use a Hey Google speaker or an Amazon speaker that is also an IoT device?
00:22:20
Speaker
So yeah, well and all of those are inherently not as secure. So this is something that I do and I probably shouldn't even say that on a public thing. So hackers, please tune out right now and then.
00:22:33
Speaker
If you're a hacker, put your fingers in your ears for 10 seconds. Ready? Go. On all of my IoT things, and I have a few smart home things, I just keep them on the guest network. So it's at least separate. And they have pretty good passwords for both of my Wi-Fi passwords. Is that okay? Or should I do more than that?
00:22:53
Speaker
Having a guest... That's, welcome our hackers back, as they've taken their fingers out of their ears now. Go ahead. Sorry. Yeah. Yeah, um, yeah, I will tell you that, um, that, uh, having it on a separate guest network, uh, that is firewalled between, you know... And a lot of times, you know, home, you know, home routers, modems are going to have, you know, three separate networks, so, so you can actually have, you know, those, those, you know, IoT devices, excuse me, those IoT devices on a separate
00:23:23
Speaker
network. Got it. But that's really good. That's good practice. Okay. Tim, one of the things that in our last episode, or previous episode, we actually interviewed ChatGPT as a guest. So that's obviously an emerging technology. Is that something that affects cybersecurity and that machine learning aspect of it?

AI's Role in Cybersecurity

00:23:49
Speaker
Absolutely. Yeah. And I'll tell you that chief information security officers, CISOs in our industry that I know are trying to figure that out is what vulnerabilities are out there. And I don't think we've seen, we haven't seen a lot of bad actor stuff yet, but it's coming. I would say it's not a matter of if it's when.
00:24:16
Speaker
Because now you've got, you know, think about it. If you've got a tool like this that can actually write a paper for you, it can do a lot of stuff for you just given the data and information.
00:24:32
Speaker
how well do you think that's going to be used to socially engineer somebody or to get into a network because it'll be able to figure it out? I mean, it's a little bit scary, but there are things that I think that can be used for good as well. So it's out there and I think the marketplace is trying to still figure out, okay, what are we going to do to protect ourselves?
00:24:59
Speaker
What are the most common mistakes people make that leave them vulnerable to cyber attacks? We talked about a couple of them in terms of passwords, but what else? And phishing. I would say that if you're working for a
00:25:19
Speaker
mid-sized to larger company, you probably are getting a training from a company like KnowBe4 or Shield Academy or some other kind of cybersecurity awareness training. And I think
00:25:35
Speaker
The downside of that is a lot of people don't take that seriously. They're multitasking while they're doing it. They're listening intently enough where they can answer the three or four questions and pass the quiz. They do that 45-minute training once a year. The reality is that's not enough. That needs to be a monthly thing, if not more. You've got to pay attention to it and take it seriously.
00:26:05
Speaker
Really, you as an individual, whatever company you're working for, you are the biggest vulnerability breach access point if you're not astute to what's going on out there.
00:26:22
Speaker
Nobody wants to be that entry point where the bad actor gets in and shuts down the company. Right now, a scary statistic is 60% of all businesses that go through a major breach go out of business in the first couple of years post-event. That's a staggering number, but it's true.
00:26:45
Speaker
Think about your business, Dave. If your company was shut down for two weeks because of a breach, you didn't have the ability to invoice your customers. You didn't have the ability to pay your employees. You didn't have the ability to do all those things for two weeks. What kind of things would shut down? Could you recover from that? And so one of the things is having a cyber insurance policy that covers
00:27:14
Speaker
that gap of just like if your business gets flooded, you have insurance that can actually cover that gap of being shut down and that sort

Governmental Efforts Against Cyber Threats

00:27:27
Speaker
of thing. Well, we need to make sure that our cyber policies are doing the same kind of thing because it's real. And we're seeing an uptick
00:27:39
Speaker
you know, year over year of probably an additional, I don't know, 30 or 40% every year. And so, you know, talking to the FBI agents that I know, every single one of them will say it's not a matter of if, it's when you get breached, you've got to, you've got to have a plan. I'll tell you, in addition to what you had asked, Trygve, is
00:28:03
Speaker
I spent two years working for a cyber research institute prior to where I'm at now with Online, but what I sold was what are called tabletop exercises, where you actually do exercise, you prepare for the worst by doing exercises, kind of like how military does drills in the exercise scenarios. In the tabletop exercise,
00:28:29
Speaker
we can walk you through a real world or as close to real world scenario that takes into account all of the different factors about your company and the people that are within your company and the different roles that people are in and you can actually walk through a decision based exercise that simulates
00:28:51
Speaker
what could happen if things go sideways. You can look at your processes, your policies, your procedures, the decision-making tree, and challenge your assumptions, identify where the gaps are. That preparedness is how companies are making sure that they are ready for when things go sideways. That's one of the things that I'm bringing to the table with the company I'm with now, Online Business Systems,
00:29:20
Speaker
Uh, is that experience in working with companies and doing those exercises. So I find that fun because you get to, uh, you get to learn about your businesses and organ you're helping. That is exactly war games. Shall we play a game? Huh? Wow. Tim, you mentioned the FBI. What, uh, for people who don't know, what, what role does the government have, either on the national level and then also on the state and local level, in combating this kind of risk and these kind of crimes?
00:29:51
Speaker
The government is actually throwing lots of money at research and development. I mentioned the Cyber Research Institute I worked for. Homeland Security has spent some $35 million over the last 15 years helping fund that exercise platform that they
00:30:15
Speaker
that they use. They developed it, and then we're able to do five years of exercises in the banking and finance sector. They've done three years in the energy and transportation sector, and doing, you know, as close to no-cost exercises in those, in those sectors. But the government right now, through executive order
00:30:37
Speaker
out of the White House last year. Now the TSA is regulating the airport industry, the rail industry, the ground transportation, air transportation pipelines now have to adhere to new cybersecurity policies and procedures and have to demonstrate
00:31:00
Speaker
they've got an incident response plan. They've identified where gaps are. They're doing self-assessments and then they're working with companies like Online Business Systems to help come alongside and do additional risk assessments to help them become compliant with those new guidelines. And so the government is taking a very proactive approach
00:31:23
Speaker
Right now, the DOD, if you're a DOD contractor, even a subcontractor, you make a bolt that sits on a turret that goes on a tank. That bolt manufacturer has to have the same cybersecurity posture that the tank company does. Because if you're a DOD contractor, you've got blueprints to the kingdom.
00:31:51
Speaker
And so you have to have those same cybersecurity maturity, processes, procedures, response plans, that sort of thing. So the government is actually playing a big role in a lot of good ways. So tell us a little bit more about what your day-to-day life is for you and Online Business Systems.
00:32:10
Speaker
I've been with Online for just since the end of November, so only a couple of months, but a day in the life for me is really just working with the people that I know. Through InfraGard and through some other business groups that I'm a part of, the Cybersecurity Summit as well, I get to meet a lot of business leaders in cybersecurity.
00:32:34
Speaker
Just trying to have conversations. I'm not a twist-your-arm sales guy. I really work off of relationships and try to identify maybe key problems that business leaders are having and see if we can help them find a solution. And so with Online
00:32:55
Speaker
We do a lot of assessments. We do what's called penetration testing, and we can dive a little deeper into that if you want. Yeah, because it might sound dirty if you don't know what it means. Penetration testing essentially is when a company say, Dave, if we were going to pen test your company, you would basically give us the keys to the kingdom and say, let's see how my team does to protect us.
00:33:21
Speaker
and let's see how long it takes you to beat your way into the door. Some penetration tests will actually be a physical where they'll come on site and try to talk their way into the card access door. They'll try to get to your computer or some computer that's not logged off and stick a thumb drive in it. There's all kinds of things that, again, based on whatever your business is,
00:33:51
Speaker
A penetration test can work on that. Another for your business, BizzyWeb, a penetration test might be a web application penetration test where we're going to actually go after your code and everything that you do for building websites for companies and see what we can do to take it down.
00:34:13
Speaker
And what that does for you as a business owner is that actually helps you see, okay, I've got a gap here, I need to fix that gap. And here's what I can do as a business owner to protect my customers' websites.
00:34:28
Speaker
so that based on what we're doing. So penetration testing is a really valuable asset, valuable tool for companies to see how secure am I? Because if you don't do a pen test, you're never really going to know. Right.
00:34:46
Speaker
So I know you've been in the industry for a long time. What are some of the most, uh... tell some good stories, some fish stories about phishing, and that you once caught a fish this big. Yeah. How, how companies got affected. Just really some good bonehead stories that people have fallen into. Well, if I tell you, I have to kill you. Um, no, um, you know... Yeah, I was telling you about the tribal nation for one, but, uh, you know, it's
00:35:17
Speaker
There are so many horror stories, ones that I'm not even personally connected to, but you look at companies that are going down. I have used T-Mobile as my mobile service and they've been breached a couple of times.
00:35:37
Speaker
Then you also are seeing, oh, there's an outage with T-Mobile, or there's an outage with, uh, you know, with Verizon. There's an outage... you know, anytime there's an outage, people in our industry are like, ah, yeah, they got hacked again. Um, you know, that, like, that's, that's kind of code for, okay, for, you might have gotten hacked. Um, and, you know, one, one that everybody knows here
00:36:01
Speaker
in Minnesota is... Before we go off that, does that... okay, did Southwest get hacked? Is that when they were... I have no idea, but it's possible. Is there a rumor on the dark web? Because you visit different places on the web. I've actually never been on the dark web, but, uh, I try to stay clear. Um, but, uh, yeah, I'm actually not sure, but it's certainly feasibly possible. Wink. Yep, he's not sure. Wink.
00:36:30
Speaker
Become an InfraGard member and you can actually get intelligence briefings on that. Okay, all right.
00:36:37
Speaker
Everybody knows that Target got breached back in 2013. It cost them millions if not billions of dollars. They actually got in through an IoT device. They actually got through a smart thermostat; that is how they got into Target and got over the credit card processing and were able to jump ship to a bunch of different departments and caused a lot of havoc.

Lessons from Target's 2013 Breach

00:37:06
Speaker
I'll tell you, Target has improved their posture a thousandfold. They actually have gone away from using a lot of third-party companies and people where they started developing their own internal security processes and procedures.
00:37:24
Speaker
everything. And so they are a completely different animal today than they were back in 2013. And so that's an example of learning from your mistakes. And again, back in 2013, that stuff just wasn't happening on a regular basis. But now you're hearing about that just about every week is some other company is getting breached in a similar fashion. And so
00:37:48
Speaker
We almost are getting to the point where we're almost tuning out that, or, you know, Best Buy or, you know, this company or that company or, and, you know, all these Fortune 500 companies are getting attacked all day, every day, you know, and
00:38:04
Speaker
Traditionally, what companies have is what's called layered defense, where they've got firewalls on top of firewalls, on top of firewalls, and a bunch of other tool sets that are eyes on glass. You've got somebody monitoring, looking for abnormalities. You're looking for things that are outside the norms.
00:38:24
Speaker
Those are things that the security people are doing. But I'll tell you, the human factor is still probably one of the biggest challenges. I'll tell you right now, I think the latest numbers now is there's 700,000 open jobs in cybersecurity in the United States today. 700,000.
00:38:52
Speaker
How do you, as a Fortune 500 company, deal with that? Where, and the competition is so fierce, the salaries are staggering. You know, if I had to tell my kid, if I had a kid in high school right now and I had to recommend what field they should go into, absolutely 1000% cybersecurity, because it is a job that is never gonna go away and you're gonna make a ton of money and
00:39:18
Speaker
Um, but I'll tell you that the stress level is, uh, you know, king as well, because there's a lot of burnout, um, because the stress level of being in charge of all of that security, if something, you know, when something goes sideways, you know who's responsible? Um, you know, the human factor right now
00:39:41
Speaker
Some of the problems are that companies just don't even have the staff that it takes to just even maintain all of the updates. You think about your single Windows computer and you've got to do updates periodically. Think about now you've got 20,000 endpoints, so maybe 10,000 computers and other devices that all need updates on a regular basis.
00:40:06
Speaker
How do you do that? And so that's the challenge that companies are having right now, is they've got your devices that are out of sync with updates, and now that's a vulnerability.
00:40:19
Speaker
And so that just creates a whole other problem. So now you've got cybersecurity companies and tool sets that are trying to address those problems. We're going to automate some of these updates. This is also fostering a lot of innovation.
00:40:39
Speaker
in our industry to try to meet that gap of people shortage and what can we do to automate things so that it's not as people intensive as it used to be.
00:40:53
Speaker
It used to be manufacturing where everybody was afraid of all these manufacturing jobs are going to robotics. Well, the reality is there's jobs out there that aren't being done by the robots that you still can't find enough people for.
00:41:13
Speaker
It's interesting you talked about that. I think one of the things that when we deal with cyber attacks and one of the reasons why we've changed our business model too is what's called the denial of the service attack where we would build websites for people and then they would get hacked and then the website would go down. Okay, so then our evolution of our business was okay. So now we're going to maintain your website for you.
00:41:40
Speaker
We'd do all the updates. Like you talked about, make sure that everything was tip top. We'd run regular backups. So somebody took over the site and they said, you're going to need three bitcoins for that. And to get it back, we'd say, nope, never mind. We put up yesterday's site.
00:41:59
Speaker
What we just had the worst time trying to combat was the denial of service attack where if somebody wanted to take your site down, what they would do is because I made the joke earlier about all the skull and crossbones, a lot of cybersecurity attacks come from
00:42:17
Speaker
horsepower and having little bits of information on your computer that are used in inappropriate ways. So a denial of service attack is when, if you have a website that says click here to enter or a button on it,
00:42:32
Speaker
Uh, uh, uh, somebody is clicking it 50,000 times in a second because they're harnessing so much of that insidious code on people's devices, and then the server would go down. So they can't break into the code, but they can burn down the building, right? Right. Yeah, that's crazy. But yeah, that's happening, um, all the way. Yeah, that's why companies are doing these, you know, penetration testings and, um
00:43:03
Speaker
and things similar to that, risk assessments, what's your maturity assessment for security as well? Those are web application testing, OT, if you're an industrial setting and you've got a bunch of automated manufacturing equipment on your floor, how do we keep that from being an entry point? That kind of stuff.
00:43:31
Speaker
Doing those tests and assessments and everything is really the only way that you're going to know how things are. Once you get attacked, what can you do to recover that? Tim, thanks for spending some time with us today. If people are interested in learning more about this or even exploring the risk assessment tests that you do, how can they find you? They can find me on LinkedIn. Tim Herman,
00:44:01
Speaker
On LinkedIn, they can find me at my company is OBSGlobal.com. I'm T. Herman at OBSGlobal.com. That would be probably the best ways to get a hold of me. Well, Tim, it looks like your LinkedIn is Cyber Tim, which should be easy. Yes, correct. All right. Tim, thank you. I'm going to end this now and go unplug the fridge. All right. Sounds good.
00:44:31
Speaker
Thanks Tim. Yep, thank you.