Lisa Ryan: Hey, it's Lisa Ryan. Welcome to the Manufacturers' Network Podcast. My guest today is Bryce Austin. Bryce started his technology career on a Commodore 64 computer and a cassette tape drive. Today, he is a leading voice on technology and cyber security. Bryce holds a CSM certification and is an internationally recognized professional speaker. In addition, Bryce has first-hand experience of what happens during a cyber security crisis, as it did to Target due to their 2013-2014 data breach.
In his free time, Bryce is a high-speed car driver and coach. He's driven cars from a 65 horsepower mini Cooper to a 650 horsepower Porsche 911 turbo. He has had over 100 students, none of whom have died while under his instruction. So, Bryce, welcome to the show.
Bryce Austin: Thank you so much, Lisa.
Lisa Ryan: Please share with us a bit about your background. You went from car racing and coaching to cybersecurity.
Bryce Austin: There are many twists and turns that a career takes. I thought I would be a Ph.D. chemist, and after a couple of years of Grad school, I decided I didn't want to be a Ph.D. chemist. I went into technology for fun. I had done consulting for years and ended up in the payroll space. Payroll is the right target for cybercriminals. Think about what payroll does for free for your company. You take a big pot of money, and you move it into a bunch of small pots. If a criminal can get in there, make up a janitor. See how long it takes someone to notice.
Wait till one of these law firms runs their quarterly bonus. They run it for eight bazillion dollars and change all of the bank accounts to yours and never be seen from again. These were not theoretical issues we were dealing with. This was the real world. I did that for a small company for a few years, and then for Wells Fargo, I was the CIO of their payroll division for eight years.
I went over to Target, just in time for the breach. That was a significant transition in my career, so I decided to go off and start my own company, helping others understand these cyber security risks so that they can make good conscious decisions about them.
Lisa Ryan: Well, and 2013-2014 is when we started hearing a lot about these breaches, wasn't it? Why did it all of a sudden become such a forefront topic?
Bryce Austin: Well, it started hitting people like you. Before that, there was the Stuxnet attack where the US and the Israelis allegedly went after the Iranian nuclear centrifuges. That was 2010 - it's been going on for a long time. I think Target was the first large-scale breach that most of the world knew about, and a large section of the US was impacted by it. We had Home Depot, and then we had a whole bunch of others that went down. A few years later, we had Equifax, and essentially every American taxpayer had most of their sensitive information siphoned off. Now it's being used to trick us into doing things that we shouldn't be doing.
Lisa Ryan: It sounds like to back in the day, it was the cybercrime, where they got all of the information so that they could attack, but now, it seems that they're taking it, the next step further with this ransomware. Now, they are not only stealing your information, but they are also shutting you down. With this crime hitting companies left and right, what happened?
Bryce Austin: Sure, well, some companies have valuable data on the black market on the dark Web. If you are an Equifax, they don't need to shut you down to profit from you if you're a healthcare company. They can steal that data and resell it the same thing. That happened with the manufacturers' network podcast, Target, and the credit card numbers. For most of us, though, particularly in the manufacturing industry, there isn't a treasure trove of easily sellable data that we have. The cybercriminal figured out that they don't have to steal your data and sell it to someone else. They can steal it from you and block your access to it, and you will pay to get it back. That's the very tenet of ransomware. That's how it works.
They will get into your systems; they will encrypt your data using some ridiculously long decryption key that no one would ever be able to guess. And unless you pay up, you don't have access to your data which typically means you can't run your company, and it's a very profitable business model for them. You've heard about the colonial pipeline, where they shut down the eastern seaboard the ability to transfer fuel.
JBS foods is the number one meatpacker on the planet. They have 20% of the market. They got popped. Then, CSN financial is one of the ultimate ironies in that they are a large insurance company that offers cyber security liability insurance, including ransomware payouts. Well, their payout set records. They paid $40 million to the cybercriminals to get their data back. To the manufacturing industry, this has become a more and more serious issue because, to be honest, manufacturers hadn't had to worry about this until recently until the last few years. It was a small enough risk to where you can ignore it, and now I'm guessing most people in the audience either have dealt with some cybercrime or know a company that has, so now, we do need to worry about it.
The second part of your question was what we do about it well. We could write books on that. But the short-term takeaways are as follows multifactor authentication or MFA. This is something that keeps 95% of the bad guys out of your systems because if they get your username and your password, there is another step they have to take to get into your systems, and it's called MFA.
If you shop online, Google MFA space, Gmail APP, even your personal, social media accounts with your business social media accounts MFA space Facebook, MFA space LinkedIn. All of these platforms support MFA. It takes you five minutes to set it up, and it makes you and your company a porcupine in the land of squirrels. When it comes to cybercriminals, they're going to go after the squirrels you want to be a porcupine, and the thing is huge.
Many companies aren't patching their computers; to be honest, I recommend they set them to autopatch, and walking through doing that isn't that difficult for most of my clients. It's something that you can also Google and figure out how to do. But as soon as someone finds a vulnerability in a piece of software, typically, the software manufacturer makes a new version of it. That's great, assuming you patch it and put in that new version; otherwise, the vulnerability sits out there, so patching is critical.
We have a lot of technology out there that wasn't designed for today's Internet, where the world's been trunk to the head of a pin. We can have bad guys halfway around the world trying to get into our systems. That old technology, if it needs to be hooked up to a network, typically those networks are hooked up to the Internet. They have to be ready to have a reasonable level of cyber defense, and if you can't put antivirus software on that new CNC lathe that you put in, this new Internet of Things is a heating and cooling system that you put in. If you can't defend it against the Internet, it shouldn't be on the Internet.
Many of these companies that got hit are putting this antiquated technology out on the Internet, and then they're so surprised when someone takes advantage of it.
Lisa Ryan: Wow. Well, there's one question. It seems with ransomware that if a cybercriminal comes in, and they shut down your system until you pay in that one case, you said $40 million. What is the integrity of the criminals? What do they have to then turn on your systems? I mean, they got the money. Are we talking about criminals with integrity when it comes to ransomware? When that does happen, do you know where the vulnerability was, or does that take somebody coming in and finding out so that it doesn't happen again?
Bryce Austin: Lisa, great questions. First and foremost, integrity is far too strong a term.
Lisa Ryan: Right. I realized that.
Bryce Austin: Categorically. These are business people, they are criminals, but they are criminals looking to make money. If they do not often. Usually, most of the time, give up that decryption key, and the decryption key works to at least get back most of your data. If word gets out that no one will pay the ransom, their business model will fall apart. Typically, they give up the key to massive caveat to that, though, is – one, if they find that you have sellable data or could just be damaging to you, there are several instances where first you pay for it the decryption key. Then they try to extort more money from you, saying, well, we've made a copy of your data, and we're going to leak it unless you pay again. That can go on forever.
So, integrity? Absolutely not. Right business -makes sense.
Lisa Ryan: Looking at it from a business standpoint, now that does make sense. The whole blackmail scheme again takes it to a whole other level.
Bryce Austin: It does, most of the ransomware cases that my company's work, regrettably, we don't get back all the data and the reason is twofold. Criminals are not known for their rigorous error checking and thorough scrutiny of their code. So, yes, it encrypts it, and usually, it gets it back, but have we hit times where their software made a mistake, and it's not retrievable anymore. One tip I give to my clients is to have at least 30% of their hard drives empty. They need to have 30% free space on them.
When you encrypt data, in theory, it doesn't get any bigger, but in practice, it does, and in almost every ransomware case that we've worked, there's some big network share where they were running low on space that had 5% space free. So then the bad guys hit, and the encryption starts, and it runs the drive out of space. So the ransomware keeps on going, and everything after that point gets turned into hamburger; you can never get it back.
So yeah, so that's the other part of your question, do you get the key typically yes, does the critical work for a lot of your data? It works, but for all of it, I've never gotten 100% of it back, not once.
Lisa Ryan: Well, and it sounds like just that one tip that you said, as far as keeping 30% empty on your disk, I mean that can save that's not only something that you can do right now to check that you have that. But it's easy enough to implement. Maybe not cheap, but easy enough to implement as that insurance against cybercrime.
Bryce Austin: Well, it's like being healthy or driving safely; there's not any one thing you can do, but there are some small tips that can make a huge difference. Having that drive space helps multifactor authentication absolute silver bullet in this industry offline backups this is huge. If you get hit having a copy of your data sitting in a drawer somewhere now, if it's up in the cloud, it's a virtual or not a literal door, but if it's on-premise, I mean a literal drawer. Go out and buy a large hard drive, or if you're a larger company, a set of hard drives and something called a NAS device or network-attached storage. You can make a copy of your data doesn't have to be every day, once a week, even once a month, yes, you might have month-old data, but it beats no data. Having that in a drawer makes it much harder to hack. It needs to be off of your network. If it's on the network, the bad guys will often try to find your backups and delete them before they begin the ransomware attack again and again and again.
Lisa Ryan: Wow. This is all fine and dandy for businesses to protect themselves, but I knew a couple of weeks ago that I had a friend who got the quote email from apple about the $4,000 system they were sending him. And he is a consumer. I said Dick, you didn't answer that, did you? And he said yeah, I called them. Well, 1500 dollars later, he had to pay to get his own computer system back. That's the scary part; this is not just companies. This is hits of computers of family members.
As individuals, what are some of the things that we can do to protect ourselves?
Bryce Austin: That's a great question. I wish I hadn't lived examples of what you just talked about but absolutely. I'm a family as I've had clients that are business owners or executives. They're pretty easy to look up on LinkedIn, so they know who to go after. The bad guys are very bright. If only we could get them to use their power for the light side of the force. So what can you do as an individual? I want to reiterate that multi-factor authentication or MFA, all of your essential systems should affect your local computer. It needs a password, and it needs to be a reasonably strong one. Using the same password everywhere is a big problem.
Yahoo was breached in 2013, and they got all the passwords. Linkedin was breached in 2016. They got all the passwords. Well, if you're using those passwords everywhere, if you have the same password pretty much everywhere, think of it like your housekeeper. If every single door that you walk through in your life has the same key and you lose one copy of that key that you use that a grocery store that you use to some retailer. Well, now, they have your whole life. So a password keeper is a program designed to randomize your passwords everywhere, and then you have one master password to unlock the password keeper.
I'm a giant fan. There are lots of them, and they all work well. There's the last pass; there's one password -that's the number one—the word password. There's dash lane; there's key pass- any of these are fine. But a password keeper lets you use different passwords all across the Internet, so if one of the websites you visit gets hacked, one website gets hacked, not everything in your life. Having conversations with your loved ones about how cybercrime works and how these schemes work that you will get fake emails or fake phone calls, or I've even had to fake letters in the snail mail in our old school mail. They try to get you to do something you shouldn't do, or they claim to have video of you cheating on your spouse, or they claim to know about your business misdealing. Suppose you don't pay up this that and the other. Education about that is critical.
The last thing that you can do is to encrypt your devices at rest. That means that if your smartphone or laptop is lost or stolen, you're only out the equipment; the information on it is protected by that password we talked about initially. For windows computers, it is called bit locker. It's easy to turn on for MAC computers. It's called file vault on your iPhone will automatically do it unless you disable it, so don't do that.
For android devices, it varies all across the board. Having these devices encrypted at rest means that your data is safe. Even if your device isn't with you, that's a big positive.
Lisa Ryan: So when it comes to this, these are just scary things. I know every time I'm at a program and a cyber security person is talking there, I know that I'm just going to be terrified by the end of the program. We spoke about password lockers. What about companies like LifeLock? Is locking your credit cards, freezing your credit score - are those other types of things that are out there worth it?
Bryce Austin: I have mixed feelings about those. Let's start with credit freezes - I'm a fan. Because of Equifax, you can lock your credit for free, and you can unlock it for free. They used to charge for that, which I think was criminal. I'm glad it's free now, but unless you need to take out a new credit card and take out a car loan to take out a home loan, freezing your credit with all three of the major creditors - Experient, Trans Union, and Equifax - you have to do all three of them separately.
It makes it hard for someone to pretend to be you and take out a loan in your name or try to buy a car and your neighbor that kind of thing, so I'm a big fan. However, if you happen to own rental properties or change cell phone plans a lot, I want to warn your listeners. If you need to transfer the utilities for your rental property into your name between different renters, they will need to check your credit for that. You'd have to unfreeze it, and if you want to move from T mobile, Verizon, or Verizon to Tmobile - they'll probably check your credit.
I still think it's a good idea. I believe there is some utility there. Someone spending a little bit of time to shore up their own defenses is far more powerful than a tool or a service like LifeLock. You can't pay someone else to do the work you need to do to be healthy, and if you want to be cyber healthy, there's some work that you, you should do yourself. For example, getting rid of that old Windows 7 computer that you can't patch anymore because it's been out of service for a year and a half, but you don't want quite to get rid of it. I'd rather see people put the money into buying a new Windows 10 device fully patched with good antivirus on it than I would see them subscribe to something like LifeLock.
Lisa Ryan: OK, so we've talked about the main things like having an MFA for all of your personal and business accounts. Having a password keeper freezing your credit, what would be some of your other best tips for protecting yourself from Cybercriminals?
Bryce Austin: Educating you and your workforce on cybercrime is a very good idea. There are lots of programs you can use. For example, sending fake malicious emails so phishing. That's where the pH fishing your employees with emails that look like they could have been from a cybercriminal but there you trying to teach them. Spotting those so they don't click on a link that they shouldn't is a big step forward. I have a lot of my clients doing that every month, and it pays over actual dividends.
Bryce Austin: The last thing you can do, it almost turns us on its head, where it can be more of competitive advantage for your company. There are some certifications that your company can get to show you have a good cybersecurity program. Things like a sock to soc and the number to a sock to certification or for those of manufacturing apply familiar with ISO ISO 27,001 is the ISO cyber security certification. These can take some time. It's not the right thing for everybody, but if your company's product or service is providing. Others could be given a competitive advantage if your salespeople could go into a meeting saying, well, we are ISO 27,001 certified. Here's how that keeps our customers safer than our competitors.
That's a good, positive conversation. That's what Volvo did 40 years ago, saying our cars are safer than the others, and here's why you should buy them. It's the same sort of thing is just in the cyber world now.
Lisa Ryan: Bryce, you have given us so much information to keep us safe. How is it that you work with your clients? If people did want to get a hold of you, what's the best way for them to do that.
Bryce Austin: Well, short, my company is called TCE strategy, which stands for technology and cybersecurity education. We act as a company's "attorney on retainer" in the cyber security advisory space. We're not attorneys. But we try to give good unfettered fiduciary style advice about what makes up a secure enough cyber security posture for you as a business owner, as an executive for the company you work for, and as an individual.
Please feel free to look us up at TCEstrategy.com. I've also written a book to help educate others on this topic. It is called, Secure enough -- 20 questions on cyber security for business owners and executives. It is available on Amazon. I recommend people buy it often and in large quantities.
In all seriousness, though, it's a couple of hours read, and it will give you a lot of the basics that you need so you can ask good questions to your IT staff or your outsource source managed service provider that runs your IT staff. Finally, my company and I provide speaking services if you'd like to have someone speak at your company or the organization you're a part of about real-world cyber security.
Lisa Ryan: Wonderful. Bryce, thank you so much for being on the show today.
Bryce Austin: Hey, thank you for the opportunity, so I appreciate it.
Lisa Ryan: I'm Lisa Ryan, and this is the Manufacturers' Network Podcast. See you next time.