Ep. 2 – The 2023 Cyber Threat Landscape
Steve Rivera, CRO @ Logically
Caleb Barlow, InfoSec Entrepreneur
June 5, 2023 | 39 mins
In this episode, Steve speaks with information security entrepreneur Caleb Barlow, formerly of IBM’s X-Force, about a wide range of topics including the current threat landscape facing mid-market businesses, government trends towards more prescriptive cybersecurity regulations, cyber insurance, and organized crime.
Listen wherever you podcast and share with your networks.
Key Takeaways from the Episode
- Government regulations becoming more prescriptive in response to cybersecurity challenges
- Differences between organized crime and nation-state threat actors in the cyber realm
- The rapidly advancing AI innovation for cybersecurity and the broader business landscape
- Immediate steps to enhance your security posture and upcoming cyber threats to be prepared for
The 2023 Cyber Threat Landscape – Episode Transcript
Welcome to Logically Speaking, where we discuss the latest trends and challenges in cybersecurity with the top experts in their field. You’re going to learn how to keep your data safe, your operations sound, and your business ready for whatever comes next.
This is Logically Speaking.
STEVE
Today we’re speaking with Caleb Barlow, who comes with a plethora of experience and some really cool stories. So I’m going to ask Caleb to introduce himself. And our listeners are in for a great treat today. Caleb, could you introduce yourself, please?
CALEB
Sure.
So full disclosure, Steve and I are buddies and we’ve worked together before, too. We should probably note. So there may be a little back and forth there. But hey, I’ve been in the cybersecurity industry for a long time. I ran Threat Intelligence and Incident Response at IBM, rebuilding the IBM X-Force. I’ve also run, working with Steve, a public company focused on compliance in healthcare and for DOD contractors. And more recently, I do a lot of private equity work, all focused on cyber as well.
STEVE
That’s fantastic. Well, thanks for taking some time to join us today. I really wanted to start out specifically talking about the mid-market and how the mid-market is handling the ever-changing cybersecurity landscape. So could you share in your opinion how that market addresses it or needs to address it?
CALEB
Well, I think mid-market is really tough, right? Because if we look at the broader landscape and then work our way down, if we were talking about large global banks, these are heavily regulated industries where even where there’s not regulation, there’s going to be expectations of how you protect someone’s information and the privacy. But as we move down into the mid-market, two things happen. It’s not that regulations aren’t there. I mean, there are 52 different breach disclosure laws across the US.
But they’re far less applicable. They’re very unlikely to be enforced, interestingly enough. We have all these disclosure laws and expectations on cybersecurity in the US and even more so around the world. But rarely do you ever see a case of someone paying a fine that’s in any way substantial. But also, the challenge you run into in the mid-market is I think we were all working on the adage for years. In fact, I said this countless times, a cybersecurity incident is kind of like a bear attack.
You don’t need to, you don’t necessarily need to outrun the bear. I just need to outrun you, Steve.
STEVE
That’s a good way to put it.
CALEB
But that’s part of the problem, right? I can’t tell you how many times that I would be in a boardroom when we’d be reading out an assessment. It might be a horrifically bad assessment. Your cybersecurity posture is just barely above having anything.
And the only question you would get would be, well, how do I compare to my peers? And I think that has been the trend in the mid-market for a lot of time and for good reason because honestly, that’s kind of what mattered at the time was as long as your defense is a little bit better than everybody else.
Well, now enter AI, now enter the ability to scan for vulnerabilities anywhere on the internet. And it really doesn’t matter because, you know, ne’er-do-wells have automated these attacks. They don’t care if you’re a big bank or you’re a tiny real estate agent. If they can get money out of you, it’s equal pickings. So I think what that, what this really changes to is a model where whether you are a small mid-market company doing, you know, real estate or a law firm or a bank, you know, small regional bank, you have to have the same security posture as the big guys. And you know, now the good news in all of this is that the way you’re going to do that is through leveraging cloud environments and outsourcing some of this. And so it’s, it is very attainable, which it wasn’t probably five or 10 years ago, but you’re going to have to pay attention to it.
STEVE
No, that’s really good. Which industries do you still believe need kind of, you know, there are industry segments that still need that kind of catch-up and prepare for the inevitable? I mean, what industries are most vulnerable in your opinion?
CALEB
Well, I don’t even think it’s so much most vulnerable. It’s about where are people paying attention and where are people putting money at this problem? Right? In a lot of ways, I think everybody’s vulnerable. If you move money in any way, shape or form, if you have goods that are of value, then yes, you’re vulnerable, right?
So I don’t even think it’s so much the targeting anymore. It’s who’s actually investing. And there are a few industries where this is very problematic, you know, probably the worst of which, which you and I have worked in is healthcare. And it is for a couple of reasons, right? One, a cybersecurity incident is not the worst thing that happens in a hospital on an idle Tuesday, right? I mean, all kidding aside, it is not the top priority. There are far worse things that can happen in a hospital.
We just lived through two years of COVID, right? The second thing is a hospital is a distributed environment, right? The, you know, sometimes you have academic medical centers. You might have a situation where the doctor’s practice operating the hospital is a totally different company, right? With totally different IT that runs on the same network. So there’s a really good example of where things are really difficult for a whole lot of reasons. But also if we look at critical infrastructure, you know, I think people assume, okay, if you’re an energy company, you need to have really robust security.
Logically Speaking Quick Byte – Supply Chain and Critical Infrastructure
Well, what if you’re the supplier to that energy company? And that’s, that’s I think where, you know, people’s eyes are really starting to open up is to recognize that it’s not just about what you do. It’s about what the people in your supply chain do that really also becomes deterministic in this. So, you know, I think the, the other challenge in this, and this is particularly applicable to the mid market is not so much looking at your company, you know, so I’m going to change your question here a little bit, Steve, but really looking at your supply chain. Who in your supply chain is vulnerable? And you know, let’s face it here in the US, we love small businesses. We love the mid market. We love the idea of buying that difficult part from a small family owned business. That’s great. But if that small family owned business isn’t, you know, is your weakest link to a cybersecurity incident, then you know, that becomes really problematic.
STEVE
You mentioned supply chain and I know that you and I worked a lot with regards to like CMMC and the DOD supply chain. Why has that taken so long for the DOD to kind of put that stake in the ground and say, this is what we’re going to do to the 300 some odd thousand suppliers to the government?
CALEB
Well, I mean, the short answer to that is, you know, like anything government, it got mired in politics, so, you know, but I think in fairness, we all knew this going in, right? Anything that’s a government issue, it’s going to be slow. It’s going to get recast three or four times. I don’t think that’s so much what to look at. What’s to look at is the momentum, and the momentum behind this is something’s going to happen. Even if it is a fraction of what people wanted to start. The difference is if you look at almost every regulation out there today, they get all wishy-washy on things like what exactly do you need to have in place?
What is great about CMMC and frankly, where I think other regulations are headed is we start to get fairly prescriptive about what you need to have in place. I mean, five, 10 years ago, people were always scared to say, oh, you need to have certain capabilities because technology changed much faster than regulations. I think we’re past that now. I think that if you don’t have endpoint detection in place, if you don’t have multi-factor on everything, if you don’t have your network segmented, it is flat out negligence at this point. Like this is not the case of, oh, the bad guys broke in. It was a sophisticated attack. This is a case of owning a building and not having sprinklers and fire alarms. That’s where regulations are starting to shift is there are some minimum expectations you need to have in place.
Again, EDR, segmentation, multi-factor. You don’t have those things in place, don’t cry when you get breached.
STEVE
You bring up a great point. This is something that we see, and I want to ask you your opinion on cyber insurance and whether or not at some point cyber insurers will stop pushing down these countermeasures as you lay them out and just go, I’m getting out of this business. It’s too risky. I know you don’t have a crystal ball, but what are your thoughts on that?
CALEB
Logically Speaking Quick Bytes: Cyber Insurance and Ransom Payments
I’m starting to see cyber insurance premiums go up by a factor of five, six times. That’s how they make it not risky, Steve. They just charge a fortune. I mean, seriously, there are two fundamental things to recognize with cyber insurance. It is risky, so it’s going to cost a lot. That’s how they’re managing their underwriting risk. The second thing to recognize with this is that they still need to sell the insurance. There is a definite balance between, thou shall have these capabilities in place or you’re uninsurable, and realizing that, hey, I still want to make a buck selling insurance, so I’ve got to take some risk. In a lot of ways, that industry is self-balancing, if you will. The challenge on cyber insurance is it’s unregulated. It’s not like auto insurance, which is regulated in most states. It’s a little bit of the wild west. Again, I don’t know if that’s a problem. You could argue that as a problem or an opportunity. The other thing to recognize in all of this is the reason why cyber insurance is so expensive is because we keep paying the damn ransoms. I mean, hard stop. At some point, we’ve got to snap the chalk line down and stop paying ransoms. What’s happening in this is that the entire supply chain is making a ton of money off of this, not just the bad guys that get the ransom or might get the ransom, but the companies that facilitate those payments. There’s an awful lot of money going out the door because we’re paying ransoms, and in almost every case, it’s because we didn’t have the security basics in place. The optimistic side of me says that what’s going to happen here is defenses are going to improve because if you don’t have, again, key things like endpoint, multi-factor, and a segmented network, you’re going to be uninsurable. On the other hand, the more negative way to look at this is maybe we should ban ransomware payments, which is something that gets kicked around every year or two.
There’s always the inevitable critical company that would go down and you wouldn’t get your data back and nobody likes that. It’s a really tough call, but what we have to recognize is this is a, cybercrime is now a trillion dollar market. It’s bigger than the GDP of most, if not almost all European countries. At some point here, if we want to fix this problem, we’ve got to be willing to suffer a little bit, make it unprofitable, and if it’s unprofitable, it goes away.
STEVE
You bring up an interesting question that just popped into my head. What do you think the government’s role should be in addressing this? Or should the government not be involved at all and leave it to the private sector? What are your thoughts on that?
CALEB
Well, every government around the world has a different approach, but let’s talk about this from a US-centric standpoint, just because that’s where we’re having this conversation. I think what we’ve historically done is we’ve defined our enemies as nation states, and we all know who those are. In addition to that, we’ve defined our critical infrastructure off of a World War II mentality. If you think of critical infrastructure, we think of water, power, dams, healthcare, that type of thing. I don’t know about you, but in the dark days of COVID, that wasn’t my critical infrastructure. My critical infrastructure was Amazon, Zoom, and Comcast. Those are not… Well, Comcast might be considered critical infrastructure, but Zoom and Amazon definitely are not. We’ve got to first of all really rethink what we depend on as a society now and reboot our thinking there, because if you don’t have a robust internet nowadays, it gets really dark during days of COVID and things like that. I think the second thing to think about in all of this is government needs to really rethink who’s the enemy in this. It’s not just nation states, it’s also organized crime. Espionage is an accepted international practice. It’s been going on since the start of time, it will go on for millennia. There are limited things you can do when you bring politics into this.
There’s always… Cyber security is going to be an element of the battlefield from here forward, but there’s a lot we can do, working even with nations that we may not get along with well on the organized crime side of this. I think that’s one of the areas we really have to pivot dramatically is to think about the organized crime side of this and use that as the playground to develop cyber norms. I’ll emphasize the word playground here, because you’ve got to run experiments, you’ve got to try things, you’ve got to see what works. There’s a lot we can do on the cybercrime side without causing all kinds of political challenges and I think our governments need to get a little more active there.
STEVE
Yeah. I just want to clarify, did you actually say Amazon was now critical infrastructure?
CALEB
It is just in my opinion. I mean, think about it. But in all honesty, if you did not have Amazon, life changes dramatically. If you can’t, well actually, let me be even more focused. If you don’t have the ability to order goods online, have them delivered. There’s a lot of stuff you just can’t get now. Yeah. And there’s a lot of businesses that start to have really significant supply chain issues.
STEVE
No, at the Rivera household, it was, yeah.
CALEB
I mean, put it another way. Could you work now without Zoom or its equivalents?
Not at all. No, if we sit really here for the absolute right. Yeah. I mean, what would happen if we all had to go into the office next week? It would get ugly. I don’t think I’d have an office to go into.
STEVE
Exactly. But all right. So what about like cyber warfare? I mean, how do you define that and how do you see that evolving? Because you mentioned it, right, because nation states and I mean, we’ve even seen recently with the conflict in the Ukraine that there’s an aspect of that that’s cyber related. I mean, you’ve been on the forefront of some of this. Can you talk a little bit about like how you see this evolving even further?
CALEB
Well, I think the conflict in Ukraine caused us to learn something really interesting that we kind of weren’t expecting, right? You know, I can’t tell you how many times I’ve been asked like by reporters, like, is there a cyber Armageddon coming, right? And you know, or a cyber 9/11 event, those types of things. And you know, the answer is always, of course, that’s in the art of the possible. But I think we learned something really interesting in the conflict in Ukraine because in the run-up to that, everybody was talking and worried about large scale cyber incidents because, you know, Russia, you know, Ukraine was Russia’s playground for trying out various forms of cyber-attacks for the last decade. But one of the things we learned is once actual kinetic bombs start flying, what do you need a cyber incident for? Right? Like, do you know, what’s the point of breaking into the critical infrastructure if you’re just going to blow it up with a kinetic bomb?
You know, and as horrible as that sounds, it’s kind of interesting because a lot of this stuff actually backed off. You know, the other interesting thing we saw is that various forms of cyber incidents kind of took a backseat because the last thing nations want to do is cause further opportunities for escalation while actual kinetic bombs are flying. So in a lot of ways, you know, we saw cyber take a step back in all of this. And my conclusion is that in a lot of ways, cybersecurity has kind of a new definition. You know, in the U.S., if we’re unhappy with something that another nation does, that we don’t want to get into a full scale armed conflict, you know, we use economic sanctions as our weapon of choice, if you will, to really kind of try to change and influence what another country might do. I think what we’ve started to see is that same level of response from companies that maybe don’t have the ability to execute economic sanctions. When they get agitated, they lean towards cybersecurity as kind of their means of flexing their muscles. We’ve seen this both with the theft of intellectual property. We’ve seen this with responses to various actions that people may not like. And we’ve seen this in the opportunity to influence, you know, various forms of influence operations, misinformation, things like that. So, my conclusion out of this, and this is just kind of a gut feel, not necessarily based on fact or research, is that cybersecurity is becoming the go-to tool for countries that are disgruntled at the West, where the West’s go-to tool is oftentimes economic sanctions. And that is probably where these things are going to settle. The one exception to that is there are a few countries, you know, mainly North Korea is an example, that are using cybersecurity to actually generate revenue. But those are kind of singular in orientation.
STEVE
So and I appreciate those insights because those are very, you know, at the highest level, right? All companies operate in this global economy. And these things have these geopolitical issues have cascading effects. So I appreciate you bringing that up and mentioning that. So how do you think the cybersecurity landscape will change over the next five to 10 years? If you indeed had a crystal ball, what do you think the mid-market specifically will have to face over the next decade?
CALEB
Well, I think the biggest thing that we’ve got to recognize, if we look at ransomware as an attack pattern is, you know, when someone initiates a ransomware incident, they’ve got access to your systems, right? They can access your data. Otherwise, it would be really difficult to lock it up. You know, one of the things we’re going to have to deal with at some point is ne’er-do-wells realizing that rather than locking up the data, it’s far more efficient for them to change the data. And you know, when you have an incident where someone has changed data and you can’t trust what’s in your systems, that can be far, far more devastating. So I think one of the things we’re going to really have to deal with over the next few years is kind of data integrity events. Now, again, imagine things like a supply chain or pharmaceuticals or things like that, where all someone has to do is allege and prove that they can change your data and now you can’t trust anything. So that can be far more devastating.
Logically Speaking Quick Bytes – AI Innovation
I think the second thing we’re all going to have to deal with is AI. And you know, we really don’t know what that’s going to look like yet. The most fascinating thing about AI is the pace of innovation is not measured in years, which is what, you know, we’re all used to, new technologies coming out at a pace that is measured in kind of years in terms of how fast things innovate, how fast you see new releases. In this AI world, we’re seeing new innovations literally every three or four days. So, you know, I think what everybody’s a little bit spooked about there is there’s a lot that could go wrong with AI. There’s certainly a lot that can go wrong from a privacy and security standpoint. And we’re just moving so fast that we really don’t know where this is going to land. Now, on the positive side of this, I think what we’re also seeing is models that are going to be capable of solving some of the problems people haven’t been able to solve. I mean, an average SOC nowadays receives more than a million events a day. There are SOCs out there that get several billion events a day. There’s no way you’re getting through that with human beings.
So you know, the promise that people have been talking about for years where a, you know, intelligent agent could go through and really resolve a lot of these issues, find that needle in a stack of needles, likely starts to become true in some cases. But you know, again, it’s a little too early to see how these things unfold. And the other thing is, although in the fullness of time, I’m sure we’ll end up in the right spot, we don’t know which is going to, you know, we don’t know which is going to innovate faster. The bad ideas are the good ideas to protect them with AI.
STEVE
It’s funny that you mentioned that because I’m thinking, you know, in our industry in cybersecurity, we’re always playing that cat and mouse, you know, kind of reactive. And so I think that the bad actors are going to leverage AI and we’re going to have to respond to it unless we leapfrog there. And I just don’t see that happening. I just always see where maybe you can comment it. I personally.
CALEB
Well, here’s the one thing we know for sure. That giant sucking sound you hear right now is all of the money leaving the cybersecurity startups that have been the, you know, the coolest thing to invest in and all going into AI, right? I mean, you know, we’ve got RSA coming up here in another couple of weeks, at least as of recording this. I’m imagining every single vendor on that show floor is going to be talking about their AI solution, even if it’s not real. So you know, on one hand, hey, that’s great. That’s exciting. But it’s definitely going to change the dynamic. I think the other thing that’s going to happen here is that, you know, today we all view ourselves as security professionals and kind of have a fairly well understood definition of what that means. I think trust and safety are really going to start to enter our lexicon in a very robust way where historically kind of trust and safety positions were really things that were reserved for companies like Amazon and Google and Microsoft. I think that’s going to be a dynamic that lots of companies are going to be thinking about because, you know, when you start turning your operations or your systems or your supply chain or your plan over to AI systems, you know, you’re going to need a robust trust and safety component to that because you’re going to need to know how those algorithms think and what their boundaries are.
STEVE
Yeah. No one wants to run into a Cyberdyne Systems launching AI that becomes self-aware.
CALEB
Well, I mean, it is utterly fascinating. You know, and I guess for the uninitiated, if you have not played around with some of these solutions, you’re missing out. Like some of what they can do is astounding. And but, you know, again, on the same front, some of what they can do is, I mean, you can write a phishing email with ChatGPT that there is no way you wouldn’t click on. It’s just too good. And I don’t know how you put, you know, they like obviously if you prompt it, can you write me a phishing email for Steve Rivera? It’s obviously going to say no. But if I, on the other hand, put in a couple of your interests that I get off of, you know, your Facebook page, it’s going to write a phishing email that’s so good, there’s no way you’re not going to click on it.
STEVE
Yeah. And we used ChatGPT recently for an exercise to come up with a slogan for our company. And we inputted a bunch of information and it came back with something pretty slick. And I thought, why are we spending all this money with a company to tell us what our marketing slogan should be, our rally cry. And we were all pretty impressed. We didn’t go with it. But yeah, you’re right. The AI engines are becoming astoundingly good at providing some of that information that’s taken people, you know, humans a long, long time.
CALEB
But that’s the other side of this, right, is there are entire jobs that are going to get disrupted, industries that are going to get disrupted. But the difference is that’s not what we’re used to, you know, we’re used to scenarios that when a particular profession gets disrupted, it takes a course of like five years for that to occur. This is going to happen in weeks. I mean, I’ll give you an example. Just because I was recently going through this in our family, you know, my daughter’s been off applying to colleges and all that stuff. The college essay is done. Absolutely done. There is, I mean, we’ll see how many colleges ask for an essay next year. But it’s useless. I mean, every one of those essays is going to be put through a chatbot and it’s going to be absolutely perfectly tailored for her next year. So why are you wasting your time? Now I’m guessing most schools will probably still ask for them next year. But I literally think my daughter’s generation is the last to actually put pen to paper and write an essay. And, you know, a perfect example of this. So, you know, all of her applications had to be done around like that October, November timeframe, right as all this stuff was coming out, right? So, she actually literally wrote all this stuff and it took weeks to do it. And we’re driving in the, she’s driving in the car. And I’m like, what was the toughest essay you had to write? And I’m like, what did they ask you to do? And I’m putting this stuff into ChatGPT. And I read her what it wrote. She almost drove off the road. She’s like, dad, that is so much better than anything I could have written or anybody else. How did you do that? I mean, it’s done, right? But I show that as one example as security professionals that we’re going to have to deal with is, you know, anytime there’s disruption, there’s opportunities for various security or trust and safety issues. But this isn’t going to happen over a couple of years.
Some of this stuff is going to happen nearly instantaneously. And that’s going to be part of the problem is we’ve got to be ready to jump on this stuff really quickly, which means we’ve got to really be paying attention to it.
STEVE
So you paint a picture that is both exciting and frightening at the same time.
How can organizations prepare themselves for that onslaught of AI-driven phishing, spear-phishing attacks that are going to invariably kind of attack their systems? What do you?
CALEB
Well, I mean, I think I do think there’s some things we’ve really got to think about that we know about now, right? So, you know, if you ask me this question two weeks from now, I’m going to have a different answer and two weeks after that, I’m going to have a different answer, right? So, you know, and that’s part of the point of answering this is that, you know, this is a cat and mouse game. We’re going to be thinking about this constantly. So, what I’m telling people right now is two things you need to think about.
One, your company likely has very strong controls around its intellectual property and confidentiality. You know, you probably, when you joined your company, signed a confidentiality agreement. Those things need to be immediately updated to talk about, are you allowed to put confidential information into a chatbot or an AI engine? Because remember, the difference is if I’m using something like Word to, you know, write a confidential document, big deal, Microsoft Word isn’t learning anything from what I’m putting in there. On the other hand, if I’m uploading the secret formula into a chatbot, the chatbot is absolutely learning from what I’m putting in it. And you know, different chatbots, different algorithms are going to have different expectations around intellectual property. But I think companies need a strong policy on what is acceptable use. And the answer isn’t don’t put anything in a chatbot, because that’s just not going to happen, right? But I do think, you know, there are some very sound ideas on what you should and shouldn’t be putting in a chatbot. Okay, so that’s one.
The second thing is that, you know, we have to recognize that our incoming email is very rapidly going to be written by a chatbot. I mean, anybody in a sales position is using this thing for writing every email they write now, because it’s just so good. And you know, what that means is that the historical mantra that you open every email and you read it, that probably has to go away, particularly at high executive levels, because the level of detail in there is likely going to cause you to click on things to open things. And what you’ve got to do is really change policy. In particular, you probably shouldn’t be opening any attachment that doesn’t come from a known source hard stop. I don’t know what we do with things like recruiting, where there are lots of documents that are exchanged over email. I mean, you know, the opportunity to use a recruiter to get access into your company is just so easy right now, because you know, you’re sending around resumes and people are loading and things like that. So you know, there are a few areas where if you move large amounts of documents, you’ve really got to get some tight controls in place because the opportunity for phishing is just too large.
STEVE
Yeah, I read an article this morning about a Samsung engineer who had put sensitive information into GPT and I thought, yeah, what you said is absolutely happening. There need to be controls and there need to be policies because it’s happening. Yeah. Unbeknownst to them.
CALEB
Well, and I think there’s some common sense. Like for example, I’ve used it a couple of times for a document that would be quote unquote confidential if you knew who I was talking about. But if you didn’t know who I was talking about, it is totally benign. So you know, I just changed the company names because I wanted to use ChatGPT to help me get a point across. And it was fantastic doing that. And I just didn’t want it to know who I was working with. So you know, there’s a really simple thing you can do as an example to kind of clean that up. On the other hand, if you have some incredibly unique piece of code that no one in the world knows about, I would not be loading it up into a chatbot.
STEVE
Yeah, that’s very true. That’s good advice. I want to pivot to something more recent. I’m sure you are well aware of the Pentagon leak, right? It’s all over the news. The 24-year-old had access to these classified documents. You know, the Justice Department is still kind of looking at how sensitive government secrets were shared like in a chat room, right? He was using, what was it? My God, it was Discord or something like that. It was basically like a gaming forum, right? So I mean, you know, some of the data he had access to was Ukrainian troop movements, whether or not Putin would use, and when, in what scenarios he would use, nuclear weapons. I mean, this type of data leak, the insider threat, I mean, how is this still possible in the environment that we live in? What are your thoughts on that? I mean, do you have any insights, any thoughts?
CALEB
Well, I mean, so we’ve got to look at it in terms of categories of stuff. Like, so first of all, insider threat is a really hard thing to protect against. I mean, you know, on the most basic and somewhat benign level, what salesperson has ever left company A to go to company B and not brought their contact list with them, right? I mean, you know, that’s happening. On the other hand, we’re not dealing with sales contacts here, right? We’re dealing with highly sensitive classified information that in theory shouldn’t even have the ability to be easily copied onto a private network. So, there’s a couple of things that strike me that are a bit interesting about this. One is that it appears like these documents were photographed. So there’s obviously some location. I mean, you know, you can’t just take confidential information home with you, right? Or classified information, I should say, not confidential. So somewhere, somehow this individual is able to get a, you know, a phone into a SCIF or wherever else they were using these documents. You know, the second thing that comes up, which we don’t know much about, but I think is a good learning moment in the private sector, is it sounds like more than a thousand people had access to this classified information. You know, same thing to think about in your company: how many people have access to your crown jewels, and do they all really need access?
I mean, I can’t tell you how many times, especially during an acquisition, I would go look at who has access to the entire code repository and nine times out of 10, it’s every developer. That is utterly ridiculous, right? You know, even in the smallest of companies, you really only probably need three or four people that have access to the entire repository.
STEVE
Right.
CALEB
You know, otherwise people only need access to what they’re working on. So really controlling that access of who’s got access to what is a great thing to think about. Um, you know, the other thing is, you know, kind of pivoting off the whole fact that this was, you know, posted up in a gaming forum, just like the government needs to be looking everywhere for their stuff, so do companies. And the great thing nowadays is there are great automated tools that can help you find your information on the dark web, on the open web. And you know, if you’ve got any type of sensitive information of any size, you want to be looking for this stuff constantly. And it’s not even just the highly sensitive government classified information. Sometimes it’s even more benign stuff. I mean, I remember an incident a couple of years ago when I was working at IBM, I had this internal strategy presentation of, you know, what we were going to do over the next two years. And I showed it at a sale, an internal sales conference. And the next thing I know, those slides are posted openly on the internet, right? Now, I mean, I got it taken down. But if you’re not looking for this stuff out there, how are you going to know? And you know, in the example I was using, it was just, you know, a little bit of education that was required of an employee, but also some education on my part of being a little more sensitive about where I talked about these things, right? So, you know, learning opportunities there abound, but I think there’s a lot that can be learned from this incident. It’s not that these things are never going to happen.
It’s doing two things. One, putting the right safeguards in place to limit how often it’s going to happen. But more importantly, putting the safeguards in place to limit the blast radius of what gets relayed out there. I mean, if we go back to the Snowden incident as a similar example, look at all the stuff that guy had access to. Why does one individual need access to all of that?
STEVE
Yeah, that’s a great point. It’s a great point. So just in wrapping up, look, we talked about a lot of great topics. I appreciate, you know, we talked about AI and the speed that that’s bringing and it’s increasing. We don’t track it in years anymore, the rate of innovation. It’s a matter of days. We talked about nation state actors, the importance of the integrity of data and how that’s kind of a threat vector that we really haven’t, you know, when you talk about the triad of CIA, right, the integrity is probably the last frontier where we’re going to start seeing some things take place. And we’ve talked about the changing infrastructure, right? I’m sure Jeff Bezos was happy to hear about your comments there.
CALEB
But maybe not. If he becomes a regulated critical infrastructure, he might not be too happy about it.
STEVE
So, so my question is, in closing, what are the two or three things you would advise our listeners that they should do today, keeping in mind our listeners are probably from that mid-market, you know, what are the two or three things?
CALEB
Yeah, so I think first and foremost, right, get an outside security assessment, right? It doesn’t need to be expensive. It doesn’t need to be overly complex, but get a third party to look at what you’re doing. Because if you’re in the mid-market, you may or may not even have a CISO, you know, which is fine, but you really need one, or even if you do, you still need to get a third party to look at what you’re doing. You still need an outside opinion on, you know, how robust is your security posture? And once you get that assessment, you’ve really got to look at, you know, am I doing the basics or not? And if you’re not doing the basics, then frankly, you need to invest. You know, this stuff, unfortunately, is not necessarily inexpensive, but it is, you know, one of the things you’ve got to do nowadays to do business. It isn’t any different than paying for insurance or the sprinkler system in your building. It’s just one of those things now you’ve got to do to be successful in business. And if you’re not, it’s not a question of if, it’s a question of when. And I can assure you from everyone that’s ever been breached, they really wish they had made the investment to prevent it.
STEVE
That’s really great. Caleb, I just want to thank you for your time and for the very insightful and lively conversation. I appreciated everything that you shared.
And I want to just thank you for taking the time to be with us. Well, that’s all for this episode. Make sure you tune in next time to Logically Speaking and Stay Cyber First and Future Ready.