When you think of cybersecurity, what may come to mind are things like antivirus software and suspicious emails — and you would be right. But cybersecurity is more than that.
For Cybersecurity Month at Technical.ly, we revisited BarCode, the award-winning cybersecurity podcast by Chris Glanden, a Wilmington, Delaware-based cybersecurity consultant whose professional cybersecurity experience includes working for ChristianaCare and Comcast.
The ‘cast busts the myth that cybersecurity is a boring topic. Its guests span sometimes unexpected areas of the industry, with a casual, hanging-out-over-drinks vibe. The vibe, and the humorous skits featuring “Tony the Bartender” at the beginning of each episode, aren’t there to disguise dry subject matter. They set up a storytelling atmosphere — and Glanden’s guests have some stories to tell.
Yes, physical cybersecurity is a thing
Take Matt Barnett, a certified forensic analyst who works as a physical cybersecurity agent. What does a cybersecurity person do in this “real world” position? In the episode “Legal Robbery,” Matt describes his sometimes-harrowing job, which essentially involves breaking into buildings and pulling off heists on companies that hire him to help identify weaknesses in their own physical security teams.
“I didn’t know physical security was a thing when I started down the cybersecurity journey,” said Barnett, whose background includes working in law enforcement. “The closest thing I could compare to [is] being a movie star acting. You’re breaking into buildings, you’re pretending to be somebody else, and it’s just a very cool thing to do.”
In the episode, Barnett shares stories of pretend break-ins that can potentially become very real, especially since building security and police are not only unaware that a fake break-in is happening, they often don’t know that this aspect of physical security is even a thing. The paperwork testers carry from the company that hired them — their “get out of jail free card” — will keep them from being prosecuted, but in the moment, things can get very real.
“I’ve had guns pulled on me,” he said.
“It’s a unique position because you have to be very skilled in the technical attributes, but also very skilled in the social attributes as well,” Glanden told Technical.ly. Physical cybersecurity includes “being able to talk your way into places, using tools to break into places, tapping into those technical skills if you get in front of a computer system, being able to exfiltrate credentials or run security tools that get data. It’s sort of a hybrid of skills that you need, which makes it really interesting to me. And at the end of the day, you don’t get arrested and taken to jail.”
The companies that use physical security services are usually large companies, including banks that need to ensure the highest level of security, and large buildings that house multiple businesses. For most small to medium-sized businesses, simulated heists are probably not needed to protect your data — but it’s a reminder that if your place of business isn’t secure, neither is your data.
Ransomware persists despite perceived low risk
Smaller business owners also need to know that the big, scary cyber crimes often associated with big corporations are also a threat to them. Ransomware, for example, may be associated with massive attacks such as the one that struck the Colonial Pipeline in 2021, but smaller businesses can become victims, too, especially if employees are not careful about phishing, which Glanden says opens the door to most ransomware attacks.
A conversation on BarCode in February with Jim Tiller, the chief information security officer of Harvey Nash Group, highlighted what Glanden calls the growing attack surface of industries that are typically considered low risk.
“We now look at manufacturing, transportation and agriculture, as well as small to medium-sized businesses, mom and pop shops, small pizza shops in the shadows of these corporate giants, literally and figuratively,” Glanden said. “Supply chain attacks and other technical integrations now place these organizations right in the crosshairs of cyber attackers, because they have access to assets that the cyber attackers want, and it’s a lot easier now with that digital transformation. Nobody is safe.”
The value of cyber insurance
One way to protect your business from potentially business-destroying cyber attacks is cyber insurance, which generally covers the costs of data recovery, system repairs, customer notification, and legal fees and expenses. Keep in mind that once you’re hit by ransomware, even if you don’t pay the ransom, you could still be looking at shelling out even more money to recover from it.
Cyber coverage may be included in your business insurance, but business owners shouldn’t assume that it is. And if it’s not, Glanden recommends that his clients assess whether the cost of a good policy is worth it.
“You really have to look at the industry and what you’re doing in order to really determine if you should pay or not,” he said. “But I always say if you get to the point where you get infected with ransomware, you’ve lost. You have to have as many controls in place to prevent that as possible. You can go different routes with insurance, but you need to be covered as best as you can.”
Criminals’ demands are evolving — but the basics remain
As ransomware evolves, and as the legality of paying cyber ransom is increasingly called into question, cyber criminals are moving from holding companies hostage to extortion and even blackmail where demands don’t necessarily involve money.
“The root issue here is the fact that we are storing too much data,” said Sherri Davidoff, CEO of LMG Security and the author of “Data Breaches,” in the BarCode episode “Alien Invasions.” “Data is a hazardous material, and we need to start treating it that way. Some of the root problems trend towards what I call exposure extortion, and how that’s likely to continue over time because if hackers don’t have to deploy ransomware software, if all they have to do is steal information and threaten to publish it, that’s a lot less work. We really need to shift that mindset in our laws as well as our actions and start thinking about extortion in general, as opposed to just ransomware specifically.”
At the end of the day, some of the best things you can do are things you’ve heard over and over again, but can’t be overstated:
“Just enforce strong passwords,” Glanden said. “Strong passwords and multifactor authentication are extremely helpful when it comes to protecting accounts. Another super lightweight, high level thing is patching your systems, making sure that the software that you’re running is up to date.”
If you want more BarCode and are in the PA/NJ/DE tri-state area, you can catch monthly BarCode Live happy hour events, featuring engaging chats with regional and national cybersecurity experts.