Connect with James Fair
Website: executech.com
LinkedIn: https://www.linkedin.com/in/jamesmfair/
Lisa Ryan: Welcome to the Manufacturer's Network podcast. Our guest today is James Fair. James is an IT and cybersecurity veteran with 35 years of experience. He's held every role from entry-level tech to senior VP, and now he's working in cybersecurity. James, welcome to the show.
James Fair: Thanks, Lisa. It's an honor to be here. I'm very excited.
Lisa Ryan: Great. Please share a little about your background and what led you to do what you're doing in those 35-plus years.
James Fair: Yeah. I've been doing this since computers were around; I'm an old-school guy. What started for me was a passion for technology. At age 13, I got my first real PC. At age 16, I would deep dive into that, and no one would see me for two years. When I came out, I would know everything about it. It's always been a passion of mine to dive into technology. I've been doing technology for a long time, but part of that has always been cybersecurity because back when I was doing it, there was no separate role for cybersecurity. Now you did everything.
No one realized there was a separate need for that, and there wasn't because there wasn't much going on out there, or at least we weren't aware of it anyway. Over time, I have developed a passion for helping organizations stay protected, prevent attacks, or deal with them when and hopefully if they ever happen. Hopefully, they never happen to anybody; if they do, I want everyone to be prepared.
We do not wait until the cyber stuff hits the fan before deciding to take action. Now, we'll make a plan. They're like, Ooh, what? What do we do in this situation? Let's get ahead of that. That's what I'm after. Let's help organizations be protected and respond better when something does happen.
Lisa Ryan: Yeah, and it's scary stuff with all the ransomware and everything else that you're, I've had friends that have gone through that and without proper backup or thankfully they had outside backup, it didn't cost them as much time or money as it could have, but it was a pain to deal with. So, what are some common cybersecurity threats you see in manufacturing?
James Fair: We see some similarities across all industries, but mainly manufacturing is, first of all, the common one, ransomware, right? As you mentioned, I want to caution your listeners for organizations and home users; please have backups. You can recover from about anything: fire, flood, theft, ransomware if you have good backups. And I've had tough conversations with people to say, Hey, this lady called me up, just, it was awful. She said, my grandmother passed away last month, and I have all the pictures of her, and they're on my computer, and now there's this ransom note on my computer.
What should I do? And that is not a conversation I ever want to have with anybody. Please make sure you're backing up. I don't care what product you use; I'm not selling anything, but please ensure you're backing up your home machines and organizations. Okay, back to your original question.
Lisa Ryan: Since we're talking about that, what do you think of cloud backup? I've been using Carbonite for years, but is there something about it going into the cloud, like a product like Carbonite, or should it be a physical backup as well? Or is there? It doesn't matter. Like, where does that fall for? Yeah, home and business.
James Fair: The cloud is perfectly acceptable for home and always works. Business may be different in that you may need to recover the data quickly or a lot of data very quickly. And if it's all in the cloud, you have to download it.
What's your internet speed like? Because now the rate at which you can recover is based on your internet speeds. We want to have that conversation with each business or organization to see how long they can deal with an outage; let's say ransomware hits, and everything's cleaned up.
Now, we're doing the recovery process. How long can they take? Can we prioritize files first? It depends; it is not a great answer. But it depends on the organization that we're working with. Whether they can do both in many cases for larger organizations, we certainly encourage both.
Have a copy locally that you can recover quickly. Have a copy on the cloud in case someone gets ahold, attackers get ahold of that backup. We worked with one organization that got hit by ransomware, and the attackers had gone in and formatted the hard drives they used for backups. Like they wanted to make sure they could not recover from them.
Remember, when attackers are going after organizations, particularly larger ones, they're going to do everything they can to ensure that you cannot recover from that, including one thing we haven't mentioned yet: an exfiltration of data. Nowadays, we're seeing a lot of this: I'm also going to steal your HR data or intellectual property.
So, when I come to you and say, Hey, will you pay this ransom? And you say, Nope, I got good backups. I'll go okay, but I have this information. You don't; you do not want to release it to the public. Now, that's being held over people's heads as well.
Lisa Ryan: What is X infiltration? What? What is that term?
James Fair: I'm sorry, exfiltration of data, meaning, okay. I'm going to take information on your servers that you don't want out there in the public, and I will grab that first. Then I will say, Hey, I will sell this unless you pay me.
Lisa Ryan: Oh, wow. Yeah. Is there honor among thieves? When you pay the ransomware, will you get your data back, and then you're going to fix it, or will they keep coming after you? That's why it's such a crooked business.
James Fair: It is. Yeah. And how do you have any trust in here? To give it a no, I don't want to put a positive spin on this. There is nothing positive about this, however. The attackers want credibility because if, for any reason, you believed that they would not come through on their side of it, people would stop paying.
So, they have a vested interest in proving that they will recover your files. Now, I've only done this twice, but in my experience, two times at least. Yes, they got almost all the files back. A couple of corrupted ones couldn't be recovered, but in general, yes. If you pay, you get the files back. Statistically, I've heard something closer to 80% of the time. But in my experience, I'm two for two. Yeah, because the attackers have a vested interest in ensuring their reputation stays good; otherwise, no one would pay these ransoms, and they would no longer be in business.
Lisa Ryan: When I also think about phishing, when the CEO is going out of town, and supposedly that person calls the secretary or sends them an email, Hey, I need this kind of cash. And they don't even think, because it's oh no, the CEO's calling me. How would you educate your staff? Because the phishing emails are getting better than Holy cow. I always check the return address and email address to ensure it's something instead of XYZ@GmT@yahoo.com or something.
James Fair: Yeah. That is, that is a great question. The most effective technique we see is doing an internal phishing campaign. Some organizations like that feel "big brother" to attack our own people. But I have a different perspective. It's meant to raise awareness. It's intended to get people to look at the reply email because we are humans first. We make mistakes.
We get busy. We respond emotionally before we respond logically. If you've ever been cut off in traffic, you may have experienced this. That's what the attackers are leveraging. All these great tools that we put in place, the anti-ransomware, the antivirus, firewalls, everything else, are programmatic, and they're much more challenging to get what you want.
But humans, conversely, can manipulate them to some degree. Internal phishing campaigns to raise awareness are probably the most effective tool. And again, it's not meant to get someone; it's meant to look like, hey, here's a quick training for you. In five minutes, you'll know how to quickly check to ensure you're not clicking on something you don't want to.
And you'd rather have us, the white hat folks, doing it than find out that someone sent credentials out that they shouldn't have via phishing email.
Lisa Ryan: So do they know if management hires a company like you to white hats to send the phishing emails, or do employees know that they may be coming, or do they have training before and then, afterward, to see how much they learn? How, what does that look like?
James Fair: Some organizations will dictate what that is for us. Our engagement looks like a very, and yes, they will come to us saying, hey, we have been phished before. We don't want it to happen again. What should we do? And we proffer this suggestion, and they buy off on it.
Then we'll do a very easy-to-catch one. Very few people may get caught in that first one to create a baseline that we can do more difficult ones to see how we're improving, where we're, maybe there's a particular group or a few members who need more training than others.
And then maybe we come in and do an hour-long security awareness training. I do a lot of those. I'll go into an organization and spend an hour talking about what we're seeing out in the wild. Best practices for security, those kinds of things. These days, you need all those great security and IT tools in place, but you've also had to train the users because we are humans, make mistakes, and are busy.
Lisa Ryan: Yeah. On your list of topics here, ransomware was one of them, but you also said breaches through third parties. Is that the same as ransomware, or what would that mean?
James Fair: If you consider, I don't know if you recall the Target breach from long ago. Target wasn't directly attacked. Someone got in through their HVAC system. The HVAC folks had put a computer in their network that they could connect to do work on the system, which unfortunately had been connected to the rest of the network's backbone. The attackers could break into that HVAC system and then into the rest of the network.
So, was that a direct attack on Target? No, not necessarily. It was through a third party. We want to ensure we're careful about engaging with third parties and that they have the proper security tools in place. Because you may have all the best ones in the world, but if the person you're working with doesn't, that can be a challenge.
So it's not about us having them; it's also about the people we work with, having those in place.
Lisa Ryan: You think about how interconnected everything in manufacturing is with the HVAC systems, the production lines, accounting, HR, finance, and everything woven together. So yeah, that would be quite the danger.
James Fair: Yeah, it's a challenge. Best practices, and I don't want to get too technical here, is to segment those pieces off that you can't talk to each other except by pre-designed paths, that any new path can't suddenly show up and start connecting through there.
But I want to touch on something because if there's a relevant story, that applies here quite a bit. It was a manufacturing company. They were working with a large vendor of theirs, and there was an email exchange going back and forth between someone in finance and on both sides. And no one knew that the vendor side's email had been infiltrated.
Now, many times, we think, all right, someone gets ahold of my credentials, they're going to jump in and start doing stuff immediately. But we've found that's not the case. Often, we see it hanging out; maybe we'll call it. They're watching, seeing what's going on. They're learning; they see who you talk to, who speaks to you, who you report to, and who reports to you.
Who are you doing business with? What kind of language do you use? What's your signature? They're learning as we go. They stayed in the system for, we do not know how long because it was into somebody else's organization. This email transaction went back and forth, and they finally agreed to a $150,000 invoice.
Immediately, the attackers jumped in and did a reply to all. They had all the previous email transactions in the email, and they said, Here's the link to pay the $150,000 and the email domain, as they got even trickier. You caught that. It was not the actual domain it was coming from. They got tricky.
They bought a domain; they figured it was worth trying. The company had a W in the name. They bought a domain with two Vs right next to each other. It looked like a W if your brain wasn't paying attention, and unfortunately, someone clicked the link and paid $150,000; that company was out 150,000 and still owed the vendor $150,000.
Wow. Phishing is a big deal, and account compromises are a big deal these days; we must watch out. I cannot stress enough the value, and it's not a hundred percent; it's not a silver bullet. Nothing is, but the value of multifactor authentication or two-factor authentication or MFA or, however, you want to call it, having some additional level besides your login and password that you have to enter, that's a huge difference in security for a very minimal impact in efficiency for people.
Lisa Ryan: Wow. And I think about, too, and this isn't totally with manufacturing because you do have to be at the plant, obviously, but there's still a lot of people working from home. My husband works for a manufacturer but is in accounting; he gets to work from home a couple of days a week. When you look at that rise in remote work and all the interconnected supply chains, what are some things that manufacturers can do to ensure that the remote work isn't potentially causing any problems?
James Fair: Yeah, the organization is mature enough. We can start looking at some sophisticated tools. For instance, internally, we use a product from Microsoft called Intune. Intune is designed for a remote workforce, allowing us to set the same parameters on devices that we would if they were in the office.
So it has to have a screen timeout, and it has to have these specific password parameters, and it has to, it has to have antivirus. We can list a whole series of things a computer must adhere to before being allowed to connect and access company data. I encourage people to look at ways to lock down those devices only to have access if certain criteria are being met.
Lisa Ryan: And then we're also looking at things like, you want to be efficient, but you also want to be safe. How would manufacturers balance the productivity they need to make money and the cybersecurity that keeps all their efforts safe?
James Fair: That is a great question, and as much as it pains me to say it, security and ease of use tend to be at opposite ends of the spectrum.
The most secure computer in the world is the one unplugged, sitting in the middle of the room. It's not very effective that way. And the easiest one to use is the one that doesn't require a password, but we want to be somewhere in between, right? It is about finding a good balancing act.
The idea is for a security team to come in and say, you have to do this and this and make your work difficult. That's not the idea. That's never what, certainly what we want to present, right? We want to come in and add some security that works with the business model and the businesspeople.
And yeah, we'll add a little bit of MFA, right? We will add a bit of overhead to what we're doing in return for a lot of return in security nowadays. We want to base everything on risk. A lot of organizations are playing whack-a-mole, whatever's in the news.
That's what they're working on that day to try to block it from happening. They're playing whack-a-mole all the time. And while what they're doing is busy working, it's progressing, and they're making the environment more secure. We want to encourage people to consider the most significant risk to the organization.
So, let's make a spreadsheet. We call it a risk register. Let's make a spreadsheet and list all the things we can think of. Other people can think of imaginary scenarios. Who knew we were going to have a nationwide epidemic, right? But list all these things that could occur, their likelihood, and how significant the impact is if it does happen. And then, based on that, let's give it a risk factor. Then let's sort by the risk. And we start working on the things that are the highest risk to the organization first. And we're not playing that whack-a-mole with our time.
Lisa Ryan: Wow. That's something. It's funny when you talked about passwords; I don't think a day goes by that I do not utter the sentence, "I hate passwords," because I forget them all the time. I use one of those password keepers, but it only has some. Yeah. Right, there is that. That maintains that security and does not frustrate your employees.
James Fair: Better solutions are coming, and better tech is coming. If you think of it on your laptop, Windows Hello. You open it up; it recognizes your face and logs you in. You didn't have to touch a thing, didn't have to enter your password, right? Phones are the same thing. Passwordless tech is coming more and more. Hopefully, that's a pain that will soon be a thing of the past for you.
Lisa Ryan: And the funny thing is because I like crime shows, I think about the number of where they have the criminal, and they're trying to get into his phone, and they hold the phone up to his face and unlock it.
James Fair: Exactly. I thought the same thing. Why do you put a PIN on it? Otherwise, put our finger on it, right? Cut your finger off. In the worst case, this is horrible. That's a possibility.
Lisa Ryan: Exactly. And it wouldn't be on television if it didn't happen at some point. Yeah. I know that you've worked with a lot of these different cases; what would be, and of course, you're not going into the minute details of it, but what would be a real-world case where you worked with a manufacturer and maybe this is a tale to warn what, what could happen if they're not careful?
James Fair: Yeah. We worked with a 500-user organization here in Utah that had been hit by ransomware multiple times. And they brought us on, unfortunately, before we could get everything solidified. They got hit one more time. It was through one of...