Cybersecurity: Specific Strategies to Protect Your Business from Hacks, Phishing, and Fraud With Nick Espinosa | Ep. 210

COGE 210 | Cybersecurity

Are you tired of worrying about being hacked or held for ransom by cybercriminals? Have you experienced the stress and frustration of having your data, money, and time stolen? Don’t fool yourself into thinking it can’t happen to you. The construction industry is not immune to cyber attacks, and protecting your business from these threats is essential.

Today, you’ll learn specific strategies and tactics to defend your company.

Nick Espinosa, an expert in creating custom cyber defense strategies for medium to enterprise corporations and the Chief Security Fanatic at Security Fanatics, is this week’s guest.

We discuss:

  • The intricacies of cyber defense strategies
  • The necessary defensive technology for your organization
  • The importance of maintaining confidentiality, integrity, and availability of your data
  • The benefits of creating silos within your business to hinder the flow of data and communication
  • The importance of taking a long-term, strategic approach and not relying on the latest security gimmicks


Cybersecurity: Specific Strategies to Protect Your Business from Hacks, Phishing, and Fraud With Nick Espinosa

Nick, welcome to the show.

Thanks for having me.

It’s my pleasure. I’m having you on because you are a cybersecurity expert. A couple of years ago, one of my clients got nailed by a massive attack that took them down for at least a couple of months. It was devastating. I wanted to bring you on and, right off the bat, ask you this. Why are construction companies particularly so targeted by cyber terrorists?

Thanks for having me, number one. Unfortunately, your client is the number one call we get, “Help. The world is burning down.” Unfortunately, the number two call is, “I don’t want to be that guy. What do I have to do?” Construction is targeted pretty heavily for a couple of different reasons. One, there is a perception out there, especially among criminals, that construction firms are always on deadlines. They’ve got cash on hand. Statistically, construction will pay a lot faster than other verticals because you want to meet those deadlines for your GC, the project, or whatever it is.

The other flip side to that is we see a certain level of complacency in construction firms, meaning you are excellent at building, maintaining, or installing whatever you install but one of those key competencies and core competencies is cybersecurity and technology that run the business. Oftentimes what we see are networks that are based on 20 to 30-year-old infrastructure, technology, and design, not to mention complacency and things like threat detection systems that make it much easier for cybercriminals or even professional hackers like myself testing systems to evade and get around. It’s a problem coming and going in construction.

At what point do you see construction companies hiring someone specifically focused on handling these kinds of issues internally?

Honestly, it depends on the size of the organization. That’s not unique to construction. That’s simply the maturity of the organization. As a company grows, maybe you’re starting. You have 20 to 30 people. You tend to outsource a lot of these things, whether it’s HR or IT support. For the record, IT is not cybersecurity. They’re two different things, but the IT guy is expected to know everything, “I can install your server, defend it, rotate your tires, and fix your VCR.”

As organizations grow, they realize that to have good internal controls and smooth processes, they start to look at hiring internal teams, not just for IT or cybersecurity but also for business development. The larger organizations tend to be more robust and streamlined, but one of the issues we see as companies are going through that growth from small to midsize and midsize to below enterprise is they tend not to recognize and understand the need for the infrastructure technology that’s beyond standard IT moving to threat detection, meaning they are looking at IT departments as one giant pit of money that they’re throwing cash into when they don’t understand that IT and the technology is the engine of their economy.

It runs the business. Take away the computers and the systems. You can’t bill anybody. You can’t coordinate projects. You can’t communicate with your foreman, your GC, or anything else. This runs the business. There’s a total work stoppage without it. It’s not this giant money pit that you’re burning cash into. It is essential to running a construction company like any other company out there.

That’s good because I’m a construction company owner. I’ve got my IT guy or gal. I’m thinking they’re the geeks in the house. Therefore, they’re taking care of everything. For a smaller to a midsize construction company, what are they missing that typically causes one of these cyber attacks to take them down? What are they missing?

It’s the perception that an outsourced IT company is overwhelmingly one-size-fits-all. One of the biggest problems we have in cybersecurity is that IT companies will put out a shingle saying, “We are cybersecurity,” when they typically do data security, which is a subset of cybersecurity. They usually do it at a low to mid-range level. I’ll give you an example of this. A perfect example is this. Simply, a cybersecurity framework is 22 categories. It’s everything from asset management to data security, contingency planning, how you detect anomalies and events, how you protect the systems that protect you, and on and on, not to mention an understanding and quantification of risk.

Your IT company comes in and says, “We’ve got a firewall, an antivirus, and a good backup for you.” That’s it. Those are table stakes things but by no means holistic to defending the organization. One of the biggest misses that we see is this reliance on oftentimes IT companies that are ill-equipped to keep up with the evolving technology. IT companies, as many organizations out there, tend to be complacent. That is the death knell of cybersecurity.

We vet our products here every 90 days because we never know when that fifteen-year-old kid is going to break Google. We have to slam on the brakes, figure out what on Earth he or she did, and now devise a new strategy for defense. You are using the same firewall you’ve used for the last 5 to 10 years because that’s what your IT company is telling you to do. We have outclassed it for the last three. That is a huge problem that we see all over the world.

This is great. You’ve talked about the table stakes. What areas beyond the table stakes does a construction company immediately need to take initiative on when it comes to cybersecurity?

The first thing that any organization needs to do, especially construction, is to understand your risk. Cybersecurity, at the end of the day, is the quantification and understanding of risk and then the mitigation thereof. If you cannot tell me as an organization how many computers are off or can be off for how long until it’s so economically unviable for your company that there are torches and pitchforks at the CEO’s door, then how do you know what you’re doing is right? How do you know the backup is right?

Maybe production can be down for six hours, and it’s so economically unviable after that. Maybe marketing could be down for a week, and nobody cares. If you cannot tell me these things, how do you know your backups are good? How do you know your recovery times are good? How do you know your threat detections are robust enough to mitigate that to ensure that you won’t go down for longer than X amount of time? If you cannot quantify that in hard and soft dollars, that’s a huge problem.

Therefore, the very first thing to get down the cybersecurity road is to run a risk assessment of the organization. Understand your strengths and weaknesses, understand the value of your information, and then understand that if you lose access to that value or that information is stolen and put out there into the dark web, what is that going to do to your bottom line?

We can see examples from the construction world of exactly this. You look at the massive Target breach from around a decade ago. It was a mechanical contractor that was involved in that. It was a shared responsibility between Target and that mechanical contractor, but I guarantee you that when Target came out and declared a data breach, they threw that mechanical contractor under every bus on the bus schedule that week.

Guess what happens with that mechanical contractor when they go to the Walmart next door or the Home Depot next door to say, “We can do your HVAC.” Walmart and Home Depot say, “Aren’t you the ones that got Target breached?” These are things that we have to quantify and understand. If we don’t get that and if we don’t fully integrate that into our business process for management, we are going to end up with a very serious problem on our hands.

Let me put my wall around my company, but in these matters of cybersecurity, it affects not only me, but it affects my clients and my project partners. As you do an assessment like what you’re describing with a contractor, what are the biggest weaknesses that you see on a consistent basis?

Some of the biggest weaknesses are one, there’s no real understanding of the indemnification of the organization against its employees, meaning we have employees that are allowed to do whatever they want to do because they have not been given good guidelines. For example, you might have that construction foreman or accounting person that says, “I want to work from home.” They bring in a flash drive or install Dropbox onto their computer and start transferring a whole bunch of your proprietary information to legitimately work, but God knows what junior is doing on that computer at 2:00 AM. Maybe you have to fire that person, and they are walking away with a ton of your information.

Understand that while you respect your employees, you want your employees to thrive, and you’re going to train your employees. You also have to train them on good cyber hygiene, but you as an organization have to get control of that as well. That is one of the biggest problems that we have. On top of that, we’re often seeing antiquated technology, even if it’s brand new because the technology that is being supplied to the construction companies through their third-party IT providers is often low to mid-range.

I finished a cybersecurity assessment for a construction company in Michigan. That’s exactly what we found. They had a firewall that was brand new and fully licensed. I could teach a third-grade class how to download infections through that firewall that the firewall never missed. I was able to infect that innocuously, but I was able to infect that network without tripping any of their systems. This is what we’re talking about. We are continuously evolving these things.

The other big thing that we see is that we see no real robust contingency planning in organizations. People say, “I have a backup disaster recovery plan that looks great on paper, but it’s never been tested,” but a contingency plan includes an understanding of the different types of threats to the organization. Maybe somebody walks away with your data. Maybe you do get a ransomware event. Maybe a tornado, an earthquake, or a fire rips through your building. Now, what? If you don’t have these things on paper, what ends up happening is you slow down in your reaction time.

We have walked into organizations. We had a large architectural firm that we were working with in 2021. They had a massive ransomware event. There was no real contingency planning. We had to figure out on the fly the priorities of stuff. Does email come up first? Does the database come up first? Does communication in some other way with the customers come up first? They had to figure this out on the fly, not understanding, “Email can be down for two hours, and then we’re going to lose money. The production platform we all share is more vital.” They couldn’t answer these things.

Having an understanding of that is one of the most important things any organization is going to do because it’s going to help you recover faster and more effectively. Everybody is going to know what to do as opposed to you’ve got 30 executives calling the IT staff and saying, “Are we up? Can we get up? Is email up?” All you’re doing is slowing down their response time as well. That’s a huge issue. Those are the big ones that we see almost right out of the gate universally in construction.

I got those three there. If I missed one, let me know. I’ve got employees, antiquated technology, and then a lack of contingency planning. Let me go back up to the employees then. I’ve got my kick-ass project executive and/or superintendent. They’re working out of their house. What are the lines that I need to draw to be able to do my very best to protect my data and avoid Johnny on the computer bringing in something from the dark web and hitting my system? What lines should I draw there?

As we approach cybersecurity or cyber defense for an organization, there is a large umbrella that we use. It’s called the Triad. It’s known as the CIA. I am not talking about those that spy on us.

I like this. We’ve got Triad and the CIA. This is beautiful. Let’s go for it.

There you go. In cybersecurity nerd speak, the CIA is Confidentiality, Integrity, and Availability. How do we assure the confidentiality of the data so that if it’s stolen, it’s not going to get dumped out into the dark web? You’re not going to get a ransom. How do we ensure integrity? Meaning, it’s not being altered maliciously. It’s not getting destroyed on you. It’s there. It’s consistent, meaning you can always log into that database and work. It’s not going to get corrupted.

Availability is uptime. How are we assuring that you are going to have access to that data while it is both confidential and secure and has integrity that you can get at 24/7 if you’ve got a job site that’s running 24/7? Those are the three pillars. We apply that through safeguards or controls. The big three in the controls are we have administrative controls. These are the paperwork side, the management side, and the training side of these things, meaning how are we training our people or that accountant that shouldn’t be going home with files? How are we training him or her?

These are things that we are talking about. That training is role-based because how you train the janitor should be different than how you train the assistant to the CEO. They have different access. Therefore, they need to be trained differently. On top of administrative controls, we have physical controls, meaning, can I walk into your office undetected, pick up a computer, and walk out? Do you have cameras? Do you have barriers preventing things? Do you have a server room that is under lock and key? Is your sensitive data locked up? These kinds of things are so unbelievably important. Do you have a log of people coming and going out of your office, so you know who potentially is there?

You have administrative, physical, and then technical safeguards. Do you have encryption? Do you have threat detection systems? Do you have good logging to understand who is logging in and accessing what and why? Therefore, in the event of some attack or a loss of data, we can go back forensically in the logs and say, “It was Bill in accounting that took everything, said, ‘Screw this place,’ and walked out the door to the competitor because we have seen that too.” Those are the core things that we are looking at when we are approaching cybersecurity.

It’s very interesting. When you said integrity, I immediately thought of the integrity of the person, but you were talking about the integrity of the information.

The goal of the CIA follows data and protects the data. The data is what we are doing. By virtue of that, we train our people. The number one thing that I talk about when I say, “I’m building you a cyber defense strategy,” is awareness training because if I am building you a Ferrari’s worth of a cyber defense strategy and turning the keys to that Ferrari over to a chimpanzee, how far are we going to get? We have to learn how to drive. We have to learn how to protect ourselves and each other. That is the number one thing.

The Triad is confidentiality, integrity, and availability, and then the safeguards are administrative control, physical control, and then technical safeguards. I can already see the brains of the construction leaders beginning to almost explode. I’m going to get to how you can go through this process a little later. I want to go to the second aspect of antiquated technology. What is, in your mind and your opinion, the one piece of technology that is overrated and gets pushed way too much into construction companies that they don’t need to focus on? What is the alternative to that?

In terms of technology that they shouldn’t be focusing on, when it comes to defensive technology, honestly, there’s no defensive technology that shouldn’t be applied. What I mean by that is we tend to layer our security. There is no one-size-fits-all, “I have a firewall. I don’t need an antivirus. I’ve got identity management. I don’t need a firewall. I’ve got an antivirus. I don’t need a firewall.”

The goal of a good cyber defense strategy is to layer defensive technologies to build perimeters around the user and remove needless choices from the user, meaning they need to go to the control panel to change things or uninstall things and then train them appropriately in this. If you’re talking about antiquated technology versus, let’s say, replacements and evolution, traditional antivirus would probably be my answer for that.

The reason is if you’re looking at the Nortons, the Symantecs, the Webroots, and the McAfees of the world, that is all antiquated technology. We are now moving towards artificial intelligence-based endpoint detection and response and managed detection and response. We’re leveraging things like machine learning or deep learning so that the endpoint detection and response understands unusual behavior. That is something that is vastly outclassing traditional or what is known as signature-based antivirus. We don’t use it anymore. It’s so easy to evade.

I wrote an article back in 2016 on how easy it is to evade called I Love Ransomware for a previous publisher of mine. The reason why I love ransomware is that it underscores that perception, “I’ve got my $20 Norton on my computer. Now, I’m Fort Knox,” when it’s anything but. These are things that are missed. When we see traditional antivirus, we did one out of Michigan, it’s so easy to get infections around that stuff.

I like this idea of the layering of technology. You’ve touched on this already but give us the essential layers that every construction company should have in their organization.

Think about the perimeters that you have to build. If you’re looking at the military and building a base in the middle of a war zone, you’re digging trenches, putting up wire, and building a perimeter to protect the horde of your enemy from running into camp and killing everybody. It’s the same concept here in cybersecurity as it is in physical security. In cybersecurity, as we were looking at perimeters, we have a perimeter around the user, the data, and the flow of data.

For example, think about all the ways that you interact, communicate, or use technology in your business. One of the core ways, as an example, is email. You might have Office 365 because every fricking business has Office 365 at this point. You can build a perimeter around Office 365 by using a third-party spam filter as opposed to the integrated Microsoft one, which isn’t that good.

What happens is all of your emails go to this perimeter and get checked for threats. If it’s good, it passes into your ecosystem. You’ve got a perimeter taking the hits. If you’ve got a physical building with wiring, cables, wireless, and all of that, you’ve got a firewall that sits between the internet and your office so that everything that goes out and comes in gets checked for threats completely. Inside the network, we also start building what are called micro perimeters for an approach we call zero trust.

Think about it this way. We will use easy numbers. You have 100 people in your building. The traditional network is you’ve got a firewall, 100 computers, printers, VoIP, and all this stuff. It’s one big happy family, but why do the accounting computers need to talk on a network to the marketing computers that talk to the sales computers that can also talk to the production computers and on and on? Why not wall them off?

The problem with the standard traditional perimeter-based network with a single firewall is if I’m able to infect one computer in accounting, I can infect all 99 other computers in the network, but if I silo accounting, marketing, or sales when there’s an outbreak in marketing, it stays in marketing. We’re protecting the company and the data. Building perimeters inside are also super important. It’s like the old castles of yore. You had a moat, an outer wall, space, and an inner wall.

This is what we’re talking about. Compartmentalization and segmentation of this are one of those things. On top of it, you’ve got the total backup for threat defense, which is the endpoint detection and response. If something gets through that small perimeter because somebody downloaded something and everything missed it, then you’ve got the endpoint detection and response that works as a remediation tool.

If it senses a threat, it can then cut off all the other marketing computers. Of your 10 marketing computers, only 1 is infected. The other nine are now excised from that. This is the approach that we are taking. On top of this, we have a perimeter around the identity of the user as well. One of the big pushes that we have in cybersecurity is identity management. We have so many stolen usernames and passwords that are getting companies hit.

Colonial Pipeline is a perfect example. A stolen username and password logged into the VPN and knocked out the building system for Colonial Pipeline. Here we are, national panic. Build an identity management solution based on artificial intelligence that realizes, “Nick is not in Moscow or shouldn’t be in Moscow at 3:00 AM, logging in at 3,000 times a second. Something must be wrong.” Suddenly, I’m in Beijing trying to log in 3,000 times a second. I don’t have a Star Trek transporter. Now, it understands geo-velocity.

My identity, for example, on the platform that we leverage here only works in Illinois. I’m in Chicago. When I fly next week to Washington, DC, it will work in DC and stop working in Illinois and on and on. I’m mitigating the threat that is there. If one of the people at my office steals my username and tries to log in as me in Chicago, they can’t. My login doesn’t work in Chicago anymore. This is what we’re talking about. These are the things that we can approach and put in.

This doesn’t slow the user down. This doesn’t impede the user. These are natural things that we can put in that are simply there to defend the user. When all the technology fails, we have to rely on the training that the person can follow protocol and spot that phishing email or request verification when somebody says, “We have a new bank account. Here’s the new number. Please send our money here.” Those are things that we need to discuss and understand.

I was going to ask you that question because we’re doing walls within walls. We’ve got walls around computers, users, departments, and the company. The logic makes complete sense, but then the question is this. What about that flow of data? What about communication? How is the flow of data and communication that is necessary for the execution of the business affected by all of these walls that you’re describing?

A good cyber defense strategy doesn’t affect the user with the exception of possibly having to punch in a code for multifactor authentication. You don’t see this. It’s simply there and it’s simply running in the background. For example, with a good identity management solution, we are creating what’s called a software-defined perimeter or black cloud. Let’s say I’m logging into a major construction platform out there. I’m not advertising for Autodesk, Procore, or one of those but pick one of those that you’re logging into or any one of them. It doesn’t matter.

If I have a good identity management platform, I have multiple things going on when I log in. I’m on my phone or my device. Device one is recognized because of the unique hardware cryptographic signatures that are automatically in every device. Your phone has a different one than everybody else’s on the planet, as does mine. It automatically understands my geolocation. I’m in Illinois. I’m supposed to be in Illinois. I’m not in Beijing. I’m not in Moscow. It’s understanding a biometric. Maybe I’m using a thumbprint or face ID. I’ve got a password. I know my password.

All of these things have to combine to be checked to then allow me into the system. Long gone are the days of a username, a password, and a VPN getting you in. We are outclassing those kinds of technologies using the cloud and all of the artificial intelligence that we have. There are probably 7 or 8 different checks every time I log in to get access to any of my data. The only thing I see is the password that I punch in. Everything else is automatically there because of the hardware that I own.

If my phone is ever cloned, it won’t work because my hardware is not with the clone. If somebody steals my username and password, it won’t work because everything else that makes me who I am with my technology and my biometrics doesn’t go with that username and password. This is where we’re at and this is what we don’t see in construction overwhelmingly except at the largest companies. This is trickled down from enterprise. This is affordable for pretty much everybody, from small to midsize.

That’s not always the case. It’s the same with a Mercedes. You can buy a $200,000 Mercedes with every security bell and whistle ever. In five years, that $20,000 Ford Taurus will have all of it. We’re at the Ford Taurus level with the Mercedes defenses. Nobody understands this. The IT companies are not applying these because they’re not keeping up with enterprise security. This is the ever-evolving situation that we perpetually have when we’re dealing with construction organizations and other verticals as well.

You brought up the idea of phishing emails. We all know the story. Someone from some random country sends me the email. If you were doing a quick 30-minute course on phishing emails, and you were saying, “These are the types of emails where you need to be looking out for the subject lines or the content,” what are those top three phishing emails that are going to come in and knock me over easily?

The ones that we are typically worried about are the ones that are more sophisticated. Everybody sees, “Prince Ubuntu from Nigeria doesn’t need help with this revolution.” Few people fall for those anymore. I stopped supporting my last prince years ago. The ones that we see are typically in the vein of two different types. One is business email compromise scams.

As an example, I could have a financial advisor. Somebody hacks into my mailbox, takes it over, spoofs my financial advisor, and creates rules in my Office 365 because I did not lock my Office 365 down. We see that all the time too. My actual financial advisor is blocked. I’m getting emails from my fake financial advisor that knows everything. The signatures match, “How are your kids? My dog Fluffy is doing well,” or whatever those details are from that conversation, “Money from that account. We’re opening up a new account here.”

We see those perpetually move. We have seen organizations be taken for millions until they catch these things. Understanding that you have to put good protocols in place for those things is super important in the sense that if there are going to be transactions, there have to be multiple checks, or if I’m moving X amount of dollars, I have to pick up a phone and talk to the financial advisor because I know him or her personally. Those are things that we look at.

The other big side of this is spear phishing or whale hunting, meaning somebody is spoofing C-level executives and then getting the underlings to jump. I’ll give you a perfect example of this. It happened in our organization years ago. I’m running through O’Hare Airport. I happen to be the CIO of one of the companies that I own. I get an email from the president of that company that says, “I need you to do a wire transfer for me real quick.” I had to smile because I have no idea how the hell to do a wire transfer. I’m not an accounting guy. I’m the cybersecurity nerd.

It said, “Thanks, Scott.” If you’re thinking, “The president of the company was hacked,” the answer is no. Somebody went onto that website’s page and saw my mugshot next to him in the executive leadership or who we are, and now they have a roadmap to say, “I’ll spoof the president to hit the CIO. I’ll spoof the president to hit the VP or whatever it is because a CIO or the CISO has the ability to move money, maybe.” Those are the things that we are talking about.

Those happen on the personal side when people get into mailboxes and then have the address book of the entire family and then start emailing the family, “Johnny got ripped off in backpacking in London. Please send money to London.” We see it in business all the time and we get called in a lot of times when people have fallen for these, “What do we do?” That’s a huge thing.

When spotting the fakes, you can put checks into 365. If it’s an external sender, you can have a big old banner that says, “This is an external sender.” If your CEO is sending you an email saying, “Move money,” and there’s a huge banner that says, “External sender,” that guy or girl is not going to be an external sender. They’re going to be inside the organization. That’s something that we can do as a control, not to mention spam filtering, which cuts down on 90% or more of this, but it’s a huge problem overall.

It’s interesting because you’re talking about these particular scams where there are funds being funneled out of the business. I’m assuming if the criminals are smart, maybe the amounts aren’t so significant that you’re getting them right away.

They’re relative to the size of the business.

There’s the gun-to-the-head situation where they’re holding you for ransom. Is that still happening a lot now?

Yes. I’ll give you this stat. From 2017 to the end of 2021, meaning the beginning of 2022, the estimate in 2017 was that you, me, governments, and the entire world will have spent $1 trillion collectively on cyber defense. Everybody from a grandma in Idaho up to you, the US government will have spent that money. Conversely, the hackers will have extracted over $6 trillion from us in the single largest wealth transfer in history. They exceeded that number by about six months. Understand that this is massive business for these criminal hackers all over the place.

Here are the two biggest things that we see that are sucking money out of businesses. Number one by far is business email compromise schemes when they are able to get you to wire and transfer money because you’re not usually doing it once. You’re doing it consistently because you think you are talking to a legit person, or for the last three months, you’ve been sending payments to your vendor at the wrong place. The vendor is like, “Why the hell haven’t you paid us?”

Cybersecurity: The two biggest things that suck money out of business are email compromises and ransomware.

The other side of that is ransomware, which is number two in extracting money as well. They have been ramping that up for years. We are up to the point where quadruple extortion is what we are seeing now in the ransomware gangs. They’re making huge money. REvil, at its height, was making about $100 million. Conti was making about the same as well. These are massive amounts of money that they’re sucking out of everybody. It’s huge.

Is there ever a time when you don’t pay the ransom?

Yeah. We had one of these. I’ll give you a construction story. We had a construction firm around Silicon Valley that got hit around Christmas 2021 by one of these gangs. We immediately go to work excising the virus, trying to get them stabilized with their IT teams, and replacing antiquated technology as fast as we can, but we also get into negotiations with the ransom. For the record, all ransoms are negotiable.

When they come with this huge $1 million thing, you can usually knock them down to something because we wheel and deal all the time. The goal is to understand exactly what they took, not just what they locked out. For example, they might have been caught halfway through. They might have gotten innocuous folders that nobody cares about. Why bother with that? You’re not violating any compliances or anything along those lines. Why on Earth would you pay to get pointless data back?

The other side of it is our default recommendation is not to pay, but sometimes you have to because it could be a life-ending event for the organization. In the one that we had in Silicon Valley, we were able to say, “We want the files back, but we want to see a list of what you have.” I’m playing dumb, “I’m just this old construction guy. I don’t know what I’m doing. It took me forever to find the dark web.”

I’m stringing them along for a month or two while the IT teams and we are locking everything down so they can’t get back in. They gave us a listing of the files. The CEO of the company is like, “I’m not paying for this. This is pointless.” We strung him along, trying to lower the ransom down until we cut them off. The war in Ukraine started. He said, “I’m not paying Russians no matter what.” He wasn’t going to pay anyway. That’s what we do. We string them along.

A lot of organizations don’t realize, but if you’ve been hit with ransomware once, statistically, you have an 80% chance of getting hit again the next year. You get hit constantly because what happens is you excise the virus, everything goes back to normal, and then you don’t fix and upgrade anything. It’s just business as usual. The same vulnerabilities you had before are the same vulnerabilities they will exploit again or somebody else will find. It’s a huge issue as well. Complacency is the killer in cybersecurity.


Tell me then about the importance of the senior leadership in executing an effective cyber strategy for a construction business.

This is one of the biggest problems we have in all verticals and construction as well because usually, the CEOs and the CFOs of the world are not technical when it comes to actual nerd things like IT and cybersecurity. This is usually how I coach CISOs, Chief Information Security Officers, or Chief Information Officers. I’ve got a room full of CEOs, as I will in DC. I’m talking to them, “Understand your organization.”

You have, let’s say, a five-year vision for your company of where it’s going to go and how you’re going to grow. Your CFO is going to fund it. Your CIO is going to build the infrastructure that runs and maintains the engine of your economy because the engine of your economy is not the construction work. It’s the technology that allows you to properly run the organization to get the construction work done. The CISO or the Chief Information Security Officer is going to defend the whole thing.

We are the shield that protects the engine of your economy. Given the importance of the construction industry as a whole, it is beyond important to have good cybersecurity. You have that five-year vision. Imagine losing half of your clients when they find out that their sensitive information has been lost. Does that GC want to work with you again? If you’re a GC, does a major US government department or some huge corporation want to work with you again? No.

This is what we are talking about. We are talking about the indemnification of risks. The engine of your economy should be protected at all costs. If you are not doing that and understanding the risk of this, all it looks like is one, you’re going to be complacent or two, you think you’re going to blow money when you’re not. Understand that and then get good help on top of this as well.

I don’t go to my podiatrist for brain surgery and I don’t go to my neurosurgeon for footwork. I like to walk and think. We train differently. We have different specializations in cybersecurity and IT. I have a whole bunch of IT people. I love them. They’re great. They keep the lights on. I can set my watch to them. My cybersecurity people are nuts, but that’s what I want. They’re looking at creative ways to destroy your life so we can figure out how to defend you.

These are two different animals. Don’t treat them the same and don’t assume one can do the other. You will never hire me to fix a printer. I would never take that job and I would charge you way too much. We have to understand that there are different roles in the same way that I understand an electrician is not a plumber. I’m not going to hire my electrician to start running the plumbing for my toilet. We don’t do that. It’s the same concept.

It’s interesting because what you’ve been describing here is that you not only have to have the technology in place but then you also have to have the right people trained in place to be able to execute a successful cybersecurity strategy.

You have to have the right core competencies. You need IT and cybersecurity. We are married at the hip, but we are different animals. When I’m talking to CEOs of IT companies on stage, I give them this example. If you have never sat down with your team and contemplated calling in a bomb threat to one of your clients, then you’re not doing cybersecurity, which was an actual conversation I had years ago with a junior cybersecurity hacker. We were trying to figure out a way, “How do we break into this building?” His thought was, “Why don’t we call in a bomb threat? Everybody will leave. We can show up in fireman gear, walk right in, and steal whatever we want to steal.”


My first thought was, “That would work.” My next thought was, “The cops don’t know we’re not terrorists, not to mention when we all show up in Subarus, Hondas, and fireman gear, we don’t have a fire truck. How is that going to work? Nobody is going to believe that.” The point is that it’s that kind of outside-of-the-box thinking that you want as a good approach to cybersecurity because we’re always looking to try and innovate ahead of the hackers who are always innovating. It’s a cat-and-mouse game, whereas IT is keeping the lights on. That is so insanely important, but it’s a different animal.

As we’re wrapping up here, what would you recommend as the first 2 or 3 steps that a CEO should take immediately to evaluate their cybersecurity and then act on the findings from that evaluation?

First things first, get a cybersecurity risk assessment. Understand in hard and soft dollars how many computers can be off for how long until you are out of business, your data is ruined, or you have no reputation. Understand and quantify that data as well. Understand and quantify your current technology, defensive standards, level of training and awareness, policies, procedures, and things that indemnify the corporation against the potential malfeasance of an inside employee.

These are things that we need to understand. Once you have that, build a plan of action that will execute fixing those holes. I don’t care what size you are. No cybersecurity project should be more than eight fiscal quarters or two years. Ideally, it’s a lot faster than that because we are innovating very quickly in cybersecurity, unlike standard technology in IT.

The iPhone 14 will be better than the 13 because it has a slightly better camera and a slightly better processor. The 13 is better than the 12 for the same reason, but we never know when that fifteen-year-old kid is going to do something that flips everything upside down, which happened in the mid-2000s to Google, Apple, Amazon, and one other company.

A fifteen-year-old kid, a hacker named Cosmo, broke them all in a matter of weeks. We had to completely rewrite multifactor authentication and identity management. It was insane. It was a Mount Everest-level hack. It was crazy. These things happen. Understand as they evolve new tactics and technologies. You have to have a network and an infrastructure that is keeping up with those defensive technologies as well. Those are the core things that would get anybody down the road.

Nick, tell us a little bit more about your company and the work that you do.

I am the Chief Security Fanatic of Security Fanatics. We do all things cybersecurity, cyber warfare, cyber terrorism, infrastructure, and government compliance-related. Needless to say, we have been busy as hell in the last couple of years, given everything that’s going on. We have clients from small to Fortune 100s. Some of the interesting projects that we have been involved with or are getting involved with are things like building cyber defense strategies for developing countries alongside the United Nations, ITU, and then everything else in between.

How can people get ahold of you and learn more about what you do?

You can like, share, and follow me on Facebook and Twitter @NickAEsp for as long as Twitter exists. You can hit me up on LinkedIn as well, Nick Espinosa, and come say hi. I would love to connect.

Nick, I appreciate you taking the time. You have deep expertise working with construction companies. That’s why I had you on. I would encourage any construction company or CEO to go out to SecurityFanatics.com, check them out, and learn more about what they do to help construction companies. Nick, thank you for coming on. Thank you for being very generous with your insights. I learned a ton. It was super helpful.

Thanks for having me.

Thank you for reading my conversation with Nick. I know you enjoyed it. It was tremendously helpful. Check out Nick. Go to SecurityFanatics.com and connect with him on LinkedIn or Twitter. This episode has been brought to you by the one book every construction leader must read. What is that book? That book is Construction Genius. You can go out to ConstructionGeniusBook.com and grab yourself a copy right away. We have Audible, the paperback, the hardcover, and the Kindle version.

You can get that book and figure out how to solve the people problems that are costing your construction company millions. The book is packed with practical, simple, straightforward, and no-BS ways for you to be a better leader so you can maximize the profitability of your organization. Go out to ConstructionGeniusBook.com. Buy the book. Enjoy it. Contact me by email. Let me know what you think about the book. Give us a good and honest rating or a review on Amazon. I don’t mind if it’s 3, 4, 5 stars, or whatever the case is. Go out and get the book. I know it will have a tremendous positive impact on you and your organization. Thank you for reading.

About Nick Espinosa

An expert in cybersecurity and network infrastructure, Nick Espinosa has consulted with clients ranging from small businesses up to the Fortune 100 level for decades. Nick founded Windy City Networks, Inc in 1998 at age 19, and it was acquired in 2013. In 2015 Security Fanatics, a Cybersecurity/Cyberwarfare outfit dedicated to designing custom Cyberdefense strategies for medium to enterprise corporations, was launched. An internationally recognized speaker, member of the Forbes Technology Council, TEDx Speaker, strategic advisor to humanID, regular columnist for Forbes, award-winning co-author of a bestselling book “Easy Prey”, host of “The Deep Dive” nationally syndicated radio show, on the Board of Advisors for Roosevelt University’s College of Arts and Sciences as well as their Center for Cyber and Information Security, the President of The Foundation for a Human Internet and the Official Spokesperson for the COVID-19 Cyber Threat Coalition. Nick is known as an industry thought leader and sought after for his advice on the future of technology and how it will impact everyday businesses and consumers.