May 17, 2022
In this episode, TCE Strategy’s Bryce Austin shares his expertise on cybersecurity and crisis communications. With host and Axia Public Relations founder Jason Mudd, he expands on data breaches and how to prevent them. He also talks about CISO, next-generation antivirus, password keepers, and multifactor authentication. Lastly, he and Jason discuss who’s responsible for promoting cybersecurity within your company.
Tune into this episode to learn more about cybersecurity and crisis communications.
5 things you’ll learn during the full episode:
- Why you should prioritize cybersecurity
- How to protect your data
- Most active cybercrimes in 2022
- Who’s responsible for promoting and managing cybersecurity within your company
- Information about CISO and next-generation antivirus
You can contact Bryce Austin with any questions, connect with him on LinkedIn, and visit TCE Strategy for more information on its practice.
[01:13] How Bryce Austin got into this business
- Started in 2001 when he became the head of IT for a small company called Payday of Minnesota.
- That company was bought by Wells Fargo in 2004, and that’s when it got big.
- Bryce moved from CIO of Wells Fargo business payroll services to Target, where he ran its tech programs.
- He was laid off due to a cybersecurity breach in 2013-14.
Bryce: “I decided to start my own company to help other companies understand what these cybersecurity issues are so that they can make good, real-world decisions about them.”
Jason: “You don't only have an incentive of protecting our corporate brand reputation by doing the right things to protect the company from cybersecurity breaches, but it's also in your best interest from an employment standpoint.”
[04:35] Information on the Home Depot and Target breaches
- The cybercriminals found the source code for the cash registers in the development environment and modified it.
- The malware was BlackPOS.
- Cash registers were programmed to give the criminals credit card information.
- Target held a press briefing in the Target briefing room, which made the audience associate the breach with the company itself.
- Home Depot representatives held their press briefing without wearing their signature orange smocks. This minimized the association between the breach and the company.
Bryce: “It's something I don't want to minimize, but on the grand scale of bad things that can happen in the world of cybersecurity, losing a credit card is not very high on that list, from one consumer to another.”
[08:06] Why should I worry about cybersecurity?
- Many accounts these days require passwords.
- If someone compromises one of your accounts and you reuse the same password elsewhere, they can get into all of your accounts, including bank accounts.
- Use different passwords for different categories of accounts: hobbies, personal, etc.
- You can’t remember every single password, so you need a password keeper.
Bryce: “There are three different ways of telling a computer that you are who you claim to be. One is something you know, like a password, right? You climb the mountain and say, “Open sesame,” and the door is open. The second is something you have, like a car key. That's how car authentication works. If you are the hand-holder of the car key, then you have complete control of the car in most cases. The third is something you are. That's what keeps your spouse from hitting you over the head with a frying pan when you walk through the front door — they just recognize you, and computers can do that with a facial recognition scan, a voice print scan, a fingerprint, that kind of thing.”
[10:50] Password keepers
- Programs designed to safely hold your passwords for other sites in a locked vault that requires one master password to open.
- It can automatically log you into your other accounts.
- This saves time, too.
[12:34] Multifactor authentication
- Confirms that you are who you say you are by making you sign into your account with multiple steps, such as entering a code sent to your phone or email, or scanning your face.
Bryce: “It changes your phone instead of just being a phone into a … type of authentication, like a car key.”
[16:11] How to protect your data
- U.S. privacy laws require you to share as little personal data as possible while still letting people do their jobs (for example, HIPAA, the federal law restricting the release of medical information).
Bryce: “It's easy to let everyone have access to all of your data because they can all do their job. If one person has their account taken over by a cybercriminal, all the data they have access to is now exposed to being stolen — to being ransomwared. You want to limit that exposure as much as you can.”
[17:33] Most active cybercrimes in 2022
- There are two huge ones:
- The first is wire transfer fraud: convincing someone that they owe money to you or to a trusted party, so that they immediately transfer funds to an account the criminal controls.
- Strong education in your financial department can help solve this issue.
- Secure passwords and multifactor authentication can also help avoid this.
- The second is ransomware. Cybercriminals encrypt your data, destroy backups, and steal information (most likely to sell it).
[20:07] Who’s responsible for educating employees on cybersecurity?
- Cybersecurity awareness training needs executive sponsorship.
- You need a little bit of funding to build a program for cybersecurity awareness.
- If you have a training department, you want them to own the responsibility.
- Your IT team can help with specific tasks.
- If you don’t have a training department, whoever makes the most sense to you should lead training, like your HR department.
Bryce: “It needs executive sponsorship where an executive, preferably the CEO of the company, embraces the fact that cybersecurity awareness training is a critical pillar of any company's success in 2022 — that's the beginning.”
CISO
- Stands for chief information security officer.
- Key tenets:
- Patching program: Patches close the holes that cybercriminals exploit in your software.
- Protecting your emails: education on phishing and spearphishing
Bryce: “Your responsibility is to help the company that you're representing be secure enough from a cybersecurity standpoint. And that's going to vary from industry to industry or from company to company on what the risk tolerance is.”
[25:43] Next-generation antivirus
- Old-school antivirus relied on signatures: a known piece of malware had a recognizable fingerprint, so you could tell what it was.
- Modern malware uses polymorphic encryption, which makes each copy unique and hard for signature-based antivirus to detect; next-generation antivirus is designed to catch it anyway.
- This helps a lot, but you need a defense-in-depth profile, where you have strong antivirus and patching programs, as well as secure usernames, passwords, and multifactor authentication.
[27:14] What you can do to prevent cybersecurity breaches
- Perform internal marketing with a cybersecurity training program.
- The PR department should push the organization to have a solid incident response plan.
- Talk about the response plans at an executive level.
- Use secure passwords, multifactor authentication, a strong patching program, cybersecurity awareness training, and a next-generation antivirus program.
- Have backup copies of your information so you will always have access to it, even in the case of a ransomware attack.
[29:46] Have I Been Pwned?
- Type your email address into this website to see if your data has been included in a breach.
- Many breaches don’t include passwords, so don’t panic if the site says you’ve been compromised. But, it’s better safe than sorry, and changing your passwords is the safe route.
About Bryce Austin
Bryce Austin is an expert, author, keynote speaker, and adviser on cybersecurity. As the CEO of TCE Strategy, he is an active voice on emerging technology and cybersecurity issues. He actively advises the boards of companies in industries as diverse as financial services, retail, health care, technology, e-commerce, and manufacturing.
Enjoy the Podcast?
If you did, be sure to subscribe and share it with your friends!
Post a review and share it! If you enjoyed tuning in, leave us a review. You can also share this with your friends and family. This episode can give you professional insight into media coverage. Know your rights and the regulations to follow when it comes to the media.
- [Narrator] Welcome to On Top Of PR with Jason Mudd presented by ReviewMaxer.
- Hello, and welcome to On Top Of PR. I'm Jason Mudd, your host. I'm with Axia Public Relations. And today we're talking about cybersecurity because we want to help you stay On Top Of PR. And we want to make sure that you and your organization are thinking wisely, broadly, and proactively about cybersecurity and the cyber threats that are out there. And so to that end, I want to welcome our guest today, Bryce Austin, with TCE Strategy. Bryce, welcome, glad you're here.
- OK, thank you so much, Jason, I appreciate it.
- Yeah, my pleasure. So I wanted to have you on the show today because I feel like crisis communications, that's a practice we have, and cybersecurity are obviously top of mind for employers and corporations, both large, medium, and small. And if it's not, it definitely should be. And I want to bring that awareness to them today, but our PR agency has pivoted and started a practice specifically to cybersecurity, helping companies communicate both before, during, and after a data breach or other cyber incident, both to internal audiences and external audiences. So let's start off by just asking you Bryce, how did you get into this business?
- Well, I started in 2001 when I became head of IT for a small company called Payday of Minnesota. They did payroll services similar to ADP, Paychex, Ceridian, and then in 2004, we were bought by Wells Fargo to provide the same service just to their clients, as opposed to ours and we got big. Payroll is rife with cybersecurity concerns. If you think about what payroll does, you take a big pot of money and you move it into a bunch of small pots. What a wonderful place for a cybercriminal to hide.
- [Jason] That's right.
- Make up a janitor and hope no one notices, wait until one of our law firms runs their quarterly bonus run for eight gazillion dollars and change all the bank account numbers to yours and never be seen from again. These were not hypothetical concerns that we had in the payroll space; they were very real-world. So I was the CIO of Wells Fargo Business Payroll Services for a number of years and then moved over to Target to run their technology programs that would touch the stores themselves, things that would change the customer experience, the team member experience.
- [Jason] Right?
- Very exciting, a lot of fun just in time for the breach, and that 2013, 2014 breach ended up with a layoff of almost 2,000 people in 2014 and regrettably myself, and a good portion of my team were among those. That was a difficult period to go through. It was challenging. I had a 15-year career where things were moving up and up and up. And I went from bonus checks to unemployment checks because of the cybersecurity breach.
- [Jason] Right.
- So I decided to do something about it. I decided to start my own company to help other companies understand what these cybersecurity issues are so that they can make good, real-world decisions about them.
- Absolutely, that makes perfect sense to me. And you're doing me a favor by echoing what I talk to our team about on a frequent basis, which is you don't only have an incentive of protecting our corporate brand reputation by doing the right things to protect the company from cybersecurity breaches, but it's also in your best interest from an employment standpoint, right? That we maintain that reputation and that technology and that we're being proactive and smart about how we behave at work. In addition, I'm always talking about the importance of how you behave online or on connected devices at home, because there's probably nothing more distracted for a productive employee than to have a personal data breach or other things happen in their personal life that makes them distracted and not able to work with the efficiency that they want. So from our payroll department, like you described, obviously where they've got social security numbers and salary information and probably access to some health care records, or at least some health care accounts, if you will, all the way, the data that we're securing for our clients. The good news, bad news, for what we do is most of the things we do for our clients eventually become public information. Although, the crisis stuff and things like that are in competitive intelligence probably isn't ideal to be public. So we have to safeguard ourself and really try to follow best practices as well. You mentioned before we pressed “record” a little bit about comparing and contrasting Target's data breach to that of Home Depot — give us a little background on each of those, what happened, and why it matters. And then we can talk about how they handle them.
- Sure, well, the differences between them from a technical standpoint were very minuscule, make a long story short with both of them, there were account credentials that were somehow compromised. They did not deal with a system that was directly related to the cash registers or the POS system, as it's called in retail, point of sale.
- [Jason] Point of sale, yeah.
- So someone got a hold of credentials that gave them some sort of foot in the door. They were then able to pivot from different parts of the network until they eventually found the development environment. And the development environment does contain the source code for the cash registers, and they were able to modify it. They injected new pieces of code into that software that enabled them to get a copy of the credit cards as they went through. The malware in question was called BlackPOS, but that isn't really important. What is important is that as credit card transactions were going through each cash register, the cash registers had been reprogrammed to give the bad guys a copy of the credit card numbers. Obviously, that's a real problem and is at the heart of the credit card breach. The big difference between how they were handled, though — it was very interesting. If we think back all the way to like 1979 when we had Three Mile Island, right? So if I say the word “Three Mile Island,” almost everyone in the audience is going to think about the nuclear power plant incident, where we had a partial meltdown. Lot of bad things happened — who owned that power plant? No one knows. It's called the Three Mile Island breach. It turns out it was a group called Metropolitan Edison. But I know that only because I looked it up.
- [Jason] Right.
- They were able to brand that breach in a way that it had nothing to do with the actual company that was running the power plant at the time. Well, when Gregg Steinhafel, the CEO of Target, went to the press in 2014, he had the best of intentions. I think he's very good onstage, but he did it in the Target PR briefing room with the red and white paint, the Target bullseye all over, and pictures of the Target dog. And that's not really where you want to be holding your press briefings about a breach.
- [Jason] Yeah.
- Home Depot, when they did the same thing, I don't recall seeing a lot of press where people were wearing orange smocks that had a Home Depot logo on it. It's not that you need to divorce yourself from it, but you don't need to paint it all over the room to have your logo be part of this. The other piece is that the real-world implications to consumers are significant when there's a credit card breach, because it's inconvenient to get new cards, and they may have to deal with fraudulent transactions. Those things aren't going to be fun. They also aren't the end of the world. It's not like someone found out about deep, dark secrets that you really want confidential about confidential medical issues. It's a genuine inconvenience. It's something I don't want to minimize, but on the grand scale of bad things that can happen in the world of cybersecurity, losing a credit card is not very high on that list, from one consumer to another. I don't think that Target did as good a job bringing up the real-world implications of what it meant to customers versus Home Depot.
- OK, got it. So what's on my mind, Bryce, is that we'll call them, maybe that obstinate employee or individual who just thinks, “Why does it matter what my password is and why should I make a special effort?” Kind of talk us through kind of the things they need to be thinking about, and how do we make it real for them?
- You're making my teeth bleed here Jason, don't say words like that. OK, so in the world of computers, you convincing a computer that you are who you claim to be is the name of the game. When it comes to getting access to certain systems, it's called authentication. And we're all used to using a password. There are three different ways of telling a computer that you are who you claim to be. One is something you know, like a password, right? You climb the mountain and say, “Open sesame,” and the door is open. The second is something you have, like a car key. That's how car authentication works. If you are the hand-holder of the car key, then you have complete control of the car in most cases. The third is something you are. That's what keeps your spouse from hitting you over the head with a frying pan when you walk through the front door — they just recognize you, and computers can do that with a facial recognition scan, a voice print scan, a fingerprint, that kind of thing. I wish we didn't have passwords anymore, but we do. And we're going to, for some time. A lot of people are working on getting rid of them. It's a slow process. Here's the problem. At last count, I have a password to 587 different systems. That's a large number. Now, this is what I do for a living. Most people don't have that many, but if you think you might have 50 in your world, that's not unreasonable from your bank account to your retirement account, to your email address, to the hobbies that you have. “ILovePorsches.com,” “catsrs.com” — all of these systems often want a username and a password. I do not have high confidence that “ILovePorsches.com” — if that's a real site, by the way, I've made that up. So my apologies in advance, but I don't have high confidence that a hobby site like “ILikeShootingPelletGuns.com” is going to have the same sort of security on it as my bank or Amazon or eBay or Etsy or other e-commerce sites. It's going to be a completely different level of concern. 
If I'm using the same password at all of those areas, if one website gets popped, my whole world just got popped, and it can be a problem for individuals because someone getting into your bank account is a completely different level of concern than someone seeing what posts you've made at ILovePorsches.com. It's an issue for employers as well because many of us have work email accounts. Many of us have VPNs or virtual private networks that let you from the internet into the internal network of a given company. And if you're using the same username and password for those critical things that you are for your hobbies, you're exposing yourself to tremendous risk. You need to have different passwords for different areas. There is no human way to remember different passwords for 587 different areas, it just can't be done. You need a password keeper. Password keepers are programs that are specifically designed to hold one master password, to open up the vault of all the others. And then the password keeper can automatically enroll you. It can log in for you to the various websites or applications that you use and when done properly, they can actually be a real time saver because typing in a good, long password is time consuming. And if the computer will do it for you after you've authenticated yourself to the password keeper, you're in a much better place.
- Dealt with that personally, just the convergence from using the passwords in your head or saving them in your browser, which clearly we don't recommend to using a password environment. And it took a lot of time and some headache and frustration to adopt it. But now it's so convenient, right? And I'm no longer worried about it because each site I log into has a completely unique password to it, no longer worried about like you're describing a more vulnerable site or a weaker site being penetrated and accessed. And then next thing you know, I'm going around changing all my passwords. And that was something that drove me crazy was having, like you, I've got hundreds of passwords, and I had to go and change a lot of them because at one point years ago I was using similar passwords with the same password, and then to adopt and make that change — once you realize how foolish that is — was a lot of work.
- Indeed, indeed. I'll say that passwords, they're not great security in general because no matter how complex or how different they are, if someone tricks you into giving up a password you still have a problem. So the reason I started this part of the show with the three different ways that you can authenticate yourself to a computer — something you know, something you have, and something you are — are because it's very important for us to consider multifactor authentication. That's an area where you tell the computer. If you see me on a new computer, a new laptop, a new smartphone that you haven't seen me there before, well, if I log in with a valid username and password, great, but the other end of this connection wants something more. It wants to send a six-digit text to your phone or it wants you to pull up a rolling code that you have programmed into something called an authenticator of your phone. It changes your phone instead of just being a phone into a — something you have — type of authentication, like a car key. When used properly, this is the closest thing to a magic bullet that we have in the world of cybersecurity right now. Every large website supports it, your bank supports it, Google supports it, Amazon supports it. Etsy supports it, eBay supports, Snapchat, OK? The thing that our teenage sons and daughters are using to send pictures of each other to other teenage sons and daughters that they don't want us as their parents seeing — that supports multifactor authentication, and it's free.
- [Jason] Right.
- Turning it on takes five or ten minutes. And it is an incredible step up in the overall cybersecurity posture of any individual or any company.
- I absolutely agree, and I think it's a hundred percent worth the effort, but you have to have a commitment to the effort and to realize why it's valuable and why it's important. Bryce, we're going to take a quick break, come back on the other side. I want you to kind of walk through your recommendations. If you can wave a magic wand at corporate communications departments at, say, Target and Home Depot, et cetera, what should they be doing? And we'll cover that on the other side of this break.
- [Narrator] You're listening to On Top Of PR with your host, Jason Mudd. Jason is a trusted adviser to some of America's most admired and fastest growing brands. He is the managing partner at Axia Public Relations, a PR agency that guides news, social, and web strategies for national companies. And now, back to the show.
- Hello, and welcome back to On Top Of PR. I'm your host, Jason Mudd. We're joined today by Bryce Austin with TCE Strategy. We're talking about cybersecurity and why it's important for corporate communications professionals to be aware of it. So Bryce, welcome back to the show.
- Thank you.
- We were talking a little bit at comparing Target and Home Depot and how they handled their situation. You said the breach started in the development environment. When we get involved with clients, we talk about how a lot of breaches. I mean, breaches are happening, not because, you know, of a computer issue but mostly because of a human issue. And sometimes it's the employee that becomes kind of the accidental or on-purpose gateway to that cyber breach. And I talk with clients about how they'll often bring in an outside development company to work in a development environment, but never encrypt the data that they send that development environment or use fake data, right, in that testing environment, on the development side. And instead they're giving real customer data to a third-party developer who may not have the same security process and protections in place that they do corporate-side. And so, I like to call that personally minimum necessary. So if you send customer data to a mailing house to send out a mail, or maybe you don't need account numbers in that database you send to that mail, or maybe you don't need social security numbers if it's not appearing in the communication you're sending. Bryce, how do you talk to clients about things like that?
- A number of approaches to protecting data. First and foremost, some laws require you to send as little data as you can to let someone still do their job. HIPAA, which is health care data, or data around PHI, that sort of data needs to be minimized, or else you are breaking the law in the United States, and flagrant disregard of HIPAA has landed people in jail. So this isn't just a best practice anymore. It's a necessity.
- [Jason] Yeah.
- What I let my clients know is this: It's easy to let everyone have access to all of your data because they can all do their job. If one person has their account taken over by a cybercriminal, all the data they have access to is now exposed to being stolen, to being ransomwared. You want to limit that exposure as much as you can. You want to go from the security that most people have in our homes, which are locks on the outside doors. But as soon as you're in, you can get pretty much anywhere. You want to move to a safety-deposit-box style of security, where people have access to the worlds that they need and no others because it minimizes the potential exposure that you have.
- Yeah, that's a good point, I love that illustration. So what types of cybercrime are most active in 2022? And we're recording this Jan. 20, 2022.
- Yeah, it will be interesting to see if I'm proven right or wrong. There are two huge ones. No. 1 is wire transfer fraud. And that's where you try to convince someone to send money that either they are owed or that they owe someone else, you try to get it to come to your bank account versus the real bank account. And you do that by taking over people's email accounts — you pretend to be them, you see who owes them money. And then you pretend to be the person whose account you've compromised. And you convince the other side to send it to a new bank account number, or it works in reverse as well, where you take control of the other side and you work with the person to see if you can get them to send you money for whatever you owe them and get them to send it to the wrong account. The No. 1 prevention against this is strong education of your finance people — anyone who's going to pay a bill, anyone who's going to receive a bill. You don't accept email as a means of how you get to your bank information. It has to be a phone call, even better, a video chat, in person is ideal, but it's 2022, when we're in a world of COVID, that's not always practical, but don't take an email's word for it. If an email comes in and says, we want to use a different bank account, pick up the phone. That is the No. 1 part to avoid that. The second is that we need good passwords with multifactor authentication on our email accounts so they're a lot less likely to get taken over. The second most common is ransomware. And most companies, most people don't have data the way Target did where it's easy to simply sell the data. You can sell the credit card numbers to other criminals and you make money from doing that. Most of us don't have that kind of data, but we need the data we do have to do our job, whatever our business happens to be. So the bad guys encrypt your data. If they find any backups, they destroy those backups.
And then they demand money from you to give you back the data that you used to have. That's the ransomware business model. To keep that from happening, it's all about basics. It's all about general cybersecurity hygiene that some companies do very well and others don't.
- Yeah, you're giving me a little heartburn thinking about all these scenarios. You said earlier that the importance is informing and educating employees. Who do you sense owns that responsibility? I mean, I imagine it's owned from the highest level to HR, to corporate communications, to IT and cybersecurity specialists. What's your ideal scenario of kind of owning that, and how does a company go about making sure they are informing and educating employees?
- So it needs executive sponsorship where an executive, preferably the CEO of the company, embraces the fact that cybersecurity awareness training is a critical pillar of any company's success in 2022 — that's the beginning.
- [Jason] OK.
- Then you need some reasonable level of funding, and it doesn't take much by the way, so that you have some sort of program around this, the same way that some industries have to have it, like the construction industry or manufacturing, they have physical safety training that everyone has to go through before you can hop on a job floor or you work a construction site, those kind of things, you need some sort of funding around it. That's typically fairly minimal. Around who owns it, well, it varies from company to company. If you have a training department that trains in any form or fashion, that's where you want it to be. Your IT team can help with specifics as to what sort of training it ought to be. But if you don't have any sort of training department in your company, then you have to figure out where it makes most sense. Oftentimes we see it in HR because disregarding the training or a lack of understanding the training, well, that is an HR issue, especially if you're someone that has access to a lot of data, or if you're in finance or if you're in HR, because you have access to all the HR files. There isn't a perfect answer as to who should own it, but the executives need to make it one of the core tenets that companies need to be successful in this internet age.
- Well, and a lot of companies have a chief information security officer, CISO, or I hear different ways of pronouncing it.
- We pronounce it CISO (see-soh). My company provides virtual CISO services for many other companies.
- Yeah, I hear CISO (sih-soh), CISO (see-soh). I'm not going to say who's right or wrong, but at the end of the day, at least they're talking about it, is what I say. I think that's really important. So let's see. And so, talk about that office and what kind of things are they doing as far as building awareness and education?
- Sure, so being a chief information security officer, a CISO — it means that your responsibility is to help the company that you're representing be secure enough from a cybersecurity standpoint. And that's going to vary from industry to industry or from company to company on what the risk tolerance is. It starts with education. My hope to add to the areas of education that the industry as a whole has, was to write a book on the topic: "Secure Enough?: 20 Questions on Cybersecurity for Business Owners and Executives," which I encourage everyone in the audience to buy often, in large quantity.
- And where can they buy that?
- Sure, it's available on Amazon and Barnes and Noble, but in all seriousness, it means the world to me to have the opportunity to be on podcasts like this. So if someone's interested in a free copy, they are welcome to send me an email directly. And my admin will send you one out as an electronic version. It's simply Bryce@Bryceaustin.com.
- [Jason] Perfect.
- And we'll put a link to the Amazon, saying “Buy” from the show notes, also. Yeah, that'd be our pleasure.
- Thank you, I appreciate that. So regarding the office of the CISO, there are some key tenets of cybersecurity that need to be considered for any company of any size. You need a patching program. Patching is no fun. In fact, just before this podcast started, I got an alert that it was time to patch Google Chrome. And I think that's the second or third time this year already. And it's only Jan. 20. Windows needs patches, Adobe Acrobat needs patches. Your Mac needs patches. Your smartphones need patches. The problem is, as soon as someone finds a way to poke at a computer in a certain manner to where they can take control of it, that's really bad. So a patch comes out for that. Well, it becomes a race against time. How quickly can everyone get patched versus how quickly can a cybercriminal figure out how to exploit the vulnerability on the unpatched computers? The CISO needs to be at the front of a patching program for your company. If you're a smaller organization, simply set everything in your life to auto-patch. And if you're not sure how to do that, hop on Google, type in things like “Windows 10 auto-patch,” and it'll walk you through it. Protecting your emails: we already talked about authentication with passwords and MFA, but educating people on what phishing is — phishing is when you get certain emails that come in that say, “You might find this interesting,” and there's just a link, or “Saw this and thought of you,” and there's an attachment, but those links and attachments are malicious. Well, we need to educate people on that. And it's gotten a lot worse. Spear phishing is a big problem now, where a cybercriminal will take the time to customize something just for you. And it can look very convincing. I've gotten them myself about how there's a really hot public speaking engagement, and they need me right now. And can I please respond? And I'd be perfect for this conference, and see more information at such-and-such website.
And it's all real, except the person asking. And they're trying to see if I'll give them my bank account information where they can give me my speaker's fee deposit.
- [Jason] Right.
- And what they're going to do is work with a malicious bank and suck money out.
- [Jason] Yeah, exactly.
- We all need antivirus, it matters. It matters on Windows 10, it matters on Macs. The CISO should be aware of that endpoint protection. We need to make sure we don't have end-of-life computers. There are still a lot of Windows 7 computers, Windows Server, 2008. These end-of-life computers can't be supported anymore. They don't get patches, even when these critical vulnerabilities come out, and the CISO needs to help with both the understanding as to why this is so important and a reasonable budget behind it.
- Yeah, yeah. And we've recently clarified as well the next-generation antivirus, right? So, not true. Yeah, not just, yeah.
- So old-school antivirus would look for a certain signature or certain sets of data inside a file. And people knew those because that had been identified as a virus already — that if you see that signature, then it's bad. Well, there's this new technology called polymorphic encryption. And the bottom line is it's very easy to make old viruses look unique from anything anyone's seen. So next-generation antivirus does what's called behavioral detection. And it tries to tell friend from foe on what the application in question is trying to do. And if it's trying to do something that doesn't look right, then it locks it down. This is a constant game of cat-and-mouse. So next-generation antivirus helps a lot, but we need what's called a defense-in-depth profile, where you have good antivirus and a good patching program, and list providers to your data, and strong usernames, passwords and multifactor authentication. And if you can do all those things, I think I just solved 90% of all cybercrime in the last 30 seconds.
- Nice, that's great. Well, that's highly valuable. So beyond what you already shared, what can we do to keep ourselves ahead of the bad guys? And more specifically, what can people who are sitting in that PR corporate communications, chief marketing officer, external communications-type role do on behalf of their organization, their employer, the enterprise they work for, maybe the small business that they work for. How can we help the company prevent cybersecurity breaches and issues?
- That's a great question. If the PR firm has the ability to perform some internal marketing to help with the cybersecurity awareness training program, that would be huge. The PR area should be pushing the organization to have a solid incident response plan. And that's a document where you go through: What do we do if bad things happen, like ransomware, like a data breach, what have you? Those incident response plans should be talked about at an executive level, and what the PR company should do in that area should be part of it. But an ounce of prevention is worth a pound of cure. And a really good PR company will try to partner with the rest of the organization, the IT team, the operations team, the sales team, to keep a level of cybersecurity hygiene in the company to where the PR area is never needed for cybercriminal events. Now it's not going to happen a hundred percent of the time, but it's a very easy way to solve cybersecurity issues — it's the same way to solve car accidents. If I could take all the tired people, all the distracted people, all the intoxicated people, and all the cars that need significant repairs off the road, I think we just solved 90% of our automotive accidents. If I can get good passwords, multifactor authentication, a strong patching program, some cybersecurity awareness training, all the end-of-life machines off of the network and a decent antivirus program, we're going to be in much better shape. The last thing the PR companies can do is to help their organization to have backups of their data offline. In the unfortunate event that a ransomware system takes place, you need copies of your data that cybercriminals can't get to and destroy. And the way you do that is by having your data somewhere in a drawer. And sometimes, I mean that literally: you need to pull the networking cable out of your backup device. You need to have more than one of them so that you've got one that's offline.
If all your stuff's in the cloud, there are still ways to accomplish the same thing. It just takes a little bit different way of thinking, but you need backups that are immutable so that you don't need to pay a ransom. You simply need to recover the data that you had safe from cybercriminals.
- Bryce, a little stressed out, but-
- A lot of those things you shared, we are taking care of — we have taken care of — and we recommend our clients do the same and continue to educate them. Just as we're wrapping up here, why don't you talk for a minute about the website “Have I Been Pwned?”
- Oh, sure.
- Is that a site that people should trust, and explain how they can use it both personally and professionally.
- Absolutely, so if you think of the phrase, “Have I been owned?” but take out the O and make it a P, go to haveibeenpwned.com. And what that site is, is a collection of all of the old breaches that have gone on — the 2013 Yahoo breach, the 2016 LinkedIn breach, there are lots and lots of them. And if you type in your email address, it will let you know whether or not your particular account has been part of a breach. Now, if it has, don't panic. Many breaches did not include the passwords. And if they didn't get the passwords, then it's a good idea to change your password for that particular site. But I wouldn't jump up and down about it. But the two I mentioned, the 2016 LinkedIn and the 2013 Yahoo, the bad guys got the passwords. So if you still have that password in place anywhere, it is imperative that you change it. So if you go to haveibeenpwned.com, it'll give you a list of breaches that your account may have been involved in. Change the passwords, turn on multifactor authentication, and sleep a little better at night.
- Yes, that's what we're all trying to do: sleep a little better at night while using the technology to be productive and not be victims. So, Bryce, appreciate you being on the program with us today. The best way for people to get ahold of you sounds like the email address you shared earlier. Thank you for the offer on the book; in the show notes, we'll be sure to put a link to that through Amazon. We'll also put your contact information there, and, hopefully, folks who are interested in having a conversation with you will continue that through reaching out to you. Does that sound good?
- That sounds fantastic, thank you so much, Jason.
- Yeah Bryce, thank you. Thank you for making us aware of these issues and trends that we need to be mindful of both personally and professionally. And then also, if you're tuning into this episode, obviously cybersecurity is going to be important for your employer or the organization you represent. And you have to be that advocate to communicate that internally and externally from there. So with that, this has been another episode of On Top Of PR. And if you found this episode beneficial, I hope you will share this with a friend or colleague who would benefit from it. And perhaps together you two can work through and kind of figure out what's going on in your organization and what you can do to be better corporate communicator leaders and advocates for this throughout the organization. With that, this is Jason Mudd signing off with our best efforts of keeping you On Top Of PR.
- [Narrator] This has been On Top Of PR with Jason Mudd, presented by ReviewMaxer. Be sure to subscribe so you don't miss an episode and check out past shows at ontopofpr.com.
- On Top of PR is produced by Axia Public Relations, named by Forbes as one of America’s Best PR Agencies. Axia is an expert PR firm for national brands.
- On Top of PR is sponsored by ReviewMaxer, the platform for monitoring, improving, and promoting online customer reviews.
About your host Jason Mudd
On Top of PR host, Jason Mudd, is a trusted adviser and dynamic strategist for some of America’s most admired brands and fastest-growing companies. Since 1994, he’s worked with American Airlines, Budweiser, Dave & Buster’s, H&R Block, Hilton, HP, Miller Lite, New York Life, Pizza Hut, Southern Comfort, and Verizon. He founded Axia Public Relations in July 2002. Forbes named Axia as one of America’s Best PR Agencies.