Nov. 8, 2023

#252 Exploring the Dark Side of the Internet: Phishing and Insider Threats With Tyler Ward

Ever been duped by a phishing email or know someone who has? You're not alone. Our guest, Tyler Ward, a 17-year veteran in the cybersecurity realm, shares his own encounter with cybercrime and how it set him on a path to combatting it. Together, we dissect the reasons why phishing attacks prevail, despite our best efforts and technologies designed to keep them at bay. Tyler sheds light on the psychology behind clicking on those dangerous links and how our trust in others can lead us astray.

 

Do you trust your colleagues? Most of us do. But what if those within your organization pose a threat? We venture into the murky waters of insider threats and corporate espionage, unveiling how even those inside our protective walls can become the perpetrators. Tyler offers a unique perspective on striking a careful balance between trust and vigilance, providing invaluable advice on spotting potential threats before they wreak havoc.

 

Our journey doesn't stop there. We tackle the topic of ransomware attacks, the role of AI in cybercrime, and the unique hurdles that startups and small businesses face when it comes to cybersecurity. Tyler illustrates how cryptocurrency and AI are two sides of the same coin, aiding attackers and defenders alike. We wrap up our enlightening conversation by touching on the importance of cyber liability policies and how they can help mitigate the impact of a cyber attack. Whether you're a business owner, a cybersecurity enthusiast, or simply an internet user, this episode is your guide through the labyrinth of cybersecurity. Join us and arm yourself with knowledge against the invisible enemy.

 

More about Tyler:

Ty Ward is a published author and seasoned cybersecurity professional with over 15 years of experience in the field. Ty is a former U.S. Air Force member and also a former U.S. Intelligence Agency member. He has responded to hundreds of real-world data breaches and cyber-attacks, performed hundreds of penetration tests against organizations, and has served as a chief information security officer for a multitude of companies both nationally and internationally. He holds multiple university degrees and a long list of professional certifications, including the CISSP, GCIH, and others. Ty is also the Founder of the NightLight Foundation: an anti-child exploitation and trafficking not-for-profit organization.

 

https://www.csgcyber.com

https://www.linkedin.com/in/tylerward1

Transcript


0:00:01 - Mehmet
Hello and welcome back to a new episode of the CTO Show with Mehmet. Today I'm very pleased to have with me Tyler, joining me from Florida in the US. First of all, thank you very much for being with me today, Tyler, and the way I love to do it, I keep it to my guests to introduce themselves, so the stage is yours.

0:00:18 - Tyler
Yeah, awesome, Mehmet. Thank you so much. I appreciate it, and we're on different time zones here, so thanks for accommodating to my time zone. Yeah, just a short introduction about myself. My name is Ty Ward. I've been in cybersecurity for 17 years now, a little bit more, so I feel like I'm getting old in the field, definitely have some gray hair coming in. My career has been through the Air Force, so I was Air Force Cyber when I first got started out, and then I went on to some of the three-letter agencies out of the DC area for a period of time and bounced all around the United States and spent a lot of time overseas, and after that, went into the commercial sector to start building cybersecurity companies, mostly in New York and the Northeastern regions, and then in 2017, started my own small business, creed and Solutions Group, otherwise known as CSG Cyber. So we do all sorts of stuff in security: penetration testing, responding to data breaches and hacks. That is what we do, and also virtual chief information security officer engagements are really our bread and butter.

0:01:29 - Mehmet
Great. Thank you again for being on the show today, Ty. Now, maybe it's a little bit traditional question, but what attracted you to cybersecurity?

0:01:39 - Tyler
Yeah. So this is actually a funny story and I, you know, looking back on it, and there's always there's like pivotal moments in your career or in your life that send you into a certain direction, and I believe in that. I believe that things happen in life that send you into a certain way. So I've always, I've always wanted, you know, since I was a little kid, and I think some little kids have this inclination to want to protect you know, to want to protect something else, something else of value for somebody else. So I had that. 

However, what had happened was when I was 17 years old, I was in my senior year of high school and I worked the whole summer with my parents in their asphalt business, and if anybody is familiar with the asphalt and petroleum chemicals business, it's very dirty, it's very hot, it's very, very hard work. So I worked that job for quite a while alongside my dad, saving up money. So I saved up about $4,500, which, when you're 17 years old, it's a lot of money, and even today it's still a lot of money, right. So I saved up that money and I go on eBay and I go to buy my first car. However, I Western Union money over to a cyber attacker group in Romania instead of buying my first car. So I lost the money, I lost my savings. 

But I was super interested in how. How did they do that? And it was something as simple as just creating a fake eBay page with a link on a real eBay page where when you clicked on the car it brought you over to a fake site. A clone site looked exactly like it and the money was gone. So that really piqued my interest. So for a little while I tried some community college routes and kind of bounced around between subjects locally in New York where I'm from, and then finally took the plunge in and got a really good offer from the United States Air Force to join them and had a guaranteed job in that career field and from there it was just kind of a track from there and I feel like I haven't stopped running since. 

0:03:41 - Mehmet
So this is something which I think it's common, especially with people like yourself, like who they say they get actually a hit and then it's kind of they take it as a passion to protect others, which is something, yeah it's good to be on the good side and fight these bad guys, right?

Now, with your experience and the long time you've been in so I'm sure you've seen all the changes and the tactics that these bad actors they do. But for me, what you just mentioned, which happened a long time back, it's still efficient till today. So why do you think they are still able to trick us all of us, by the way, regardless of our backgrounds into these phishing attacks? Why do you think they are so successful in getting results out of these kind of attacks?

0:04:42 - Tyler
Yeah, I mean, you know it's interesting how they're able to use these similar attacks, or even an exact same attack patterns and tactics to compromise victims. Nowadays, they use that because it's effective and humans, we want to inherently trust other human beings to just be normal human beings, to not be a criminal. So that's where that comes from. It also comes from us being overwhelmed. So if I take a look at the amount of education from the time that I stepped into this career field until 2023, going into 2024, which is crazy. If I look at the amount of education, one would be one.

One should be able to say we should have no problem with phishing attacks anymore. We have the technologies, we have the education. We've all had phishing attacks happen to our organizations. We should be over this by now. However, our dependency on technologies and the amount of platforms that we use and how much time we spend behind a screen, how many alerts we have coming to our watches, our phones, our computers, our emails, our text messages People are sometimes blinded by the amount of information coming at them and it's just that one quick, one-liner phishing email that looks real enough that gets people to click on things, and it's still very effective. People are just moving fast and they can only concentrate on so many things at one time. 

0:06:07 - Mehmet
Yeah, and you know, this is something very efficient because you know, as you know, Ty, like they call it, social engineering also sometimes. So they are very good at knowing even, for example, when you will be overwhelmed at work and then they will just send the email like this and then, you know, the other day I was talking to someone. I said, OK, with all these awareness things that we did, with all the technology, still they are able to do that. And here, you know, this will lead me to the other question but do you think really we have educated non-tech people especially enough to be safe against such these attacks? 

0:06:48 - Tyler
I mean it depends, right? I've seen security awareness training programs, and when I say programs, I don't mean just software. The software is, I think. I think we've fallen into a trap with a lot of things in security and training is no different to where organizations will put in a piece of software, a training software, and then they'll say we're good, we've checked a box, we're training our employees. They get trained once a year but it's not really effective. They need that constant reinforcement. So I would say that we have put training out there, but it's become like safety training, right?

If you're familiar with safety training or OSHA training, is you're a factory worker. You go into work on your first day, you watch a 30 minute video and then you forget about it, right? And until something happens, until somebody slips off of a ladder and hurts himself, you don't go through your safety training again. And it's the same in security and I see we see it all the time is where organizations will have a training program in place. They'll have a major cybersecurity incident or a data breach, and then they'll all come together and now you have everybody's attention and you can see on their faces that they are learning new things when they're talking to my team or presenting a webinar or a situation report of what happened. They are learning new things. 

So I think we do still have an educational gap, and most of it probably has to do with the fact that we haven't really incentivized employees to become more cyber aware, right, we have given negative incentives, right. So, where you know, if you click on this link or do this, then you could get fired from your job, those things are definitely out there. Incentives as far as somebody you know reporting a cyber attack or helping to thwart a cyber attack, those are very rare, right, those are very rare. And some organizations do have rewards programs that are set up to where normal employees who are going about their day to day work those who do not work in cyber. If they recognize something suspicious, they report it. They get some kind of a reward for it, and I think those programs are really nice. If a business can do that, you know, financially, then they should definitely consider something like that, because it is effective. 

0:09:03 - Mehmet
You know it's a cool idea, I believe, because this will push you know, as you said, because you know I always give the example of. You know you gave a safety training, which is the safety instructions on anything, even in the plane. Sometimes you know, like when the people you should read the safety. You know instructions on every plane and no one actually looked at that. So it's something very similar. I believe in cybersecurity, but when you do the incentive part, I believe at least someone would take action and you know they would at least educate themselves about it. Now, you know, I've seen, you know you have done a lot of work regarding something which is underrated in my opinion insider threats, right, yeah, and corporate spies. So how common are insider threats, you know, in attacks usually, and what are their typical characteristics? 

0:10:06 - Tyler
Yeah. So insider threats are a very interesting category, right. They can span from, you know, long-term employees who become disgruntled one day and they're preparing to exit the company. They can include employees who know a company may be going through financial hardship and you know, let's say, a company is on a downslide and they're preparing their own parachute for when they leave. They're, you know, taking customer information with them. They're preparing to go to a competitor and bring some information over. Or there are legitimate corporate spies who they were hired and they were already a spy, right, they already knew they wanted to be part of this company. They made it through interviews, they had a good resume, they had good references and they passed the background checks. Like those are the ones that are, I think, more difficult to catch in some cases. Now, the characteristics of them are usually the same, they're usually the same, it's. 

I always tell organizations that if you have a lot of people, these kinds of things can be difficult for one central, you know kind of security department to manage and to over, provide oversight with. So your staff should be aware of key indicators like requesting access, elevated access to things that they really don't need access to, and you should have a way to look back in time to see what it was that those employees or those consultants were doing on your network, downloading data, things like that. So you know, how common are they? I would say not very common that they are caught. How common are they to be within organizations? I think fairly common. I think every. 

I think most organizations have at least a few people who hold grudges and you know, sometimes that's normal and we have to do our best to you know, one as company owners. Curb that behavior is to address it, like why are you angry with the company? Let's figure it out together so that we don't make a mess and also have a way to track and report on those things. But those are interesting cases that we do because they are so sensitive, right. They involve sometimes they involve somebody who's been at the company for 20 years, right? 

So, those are very difficult situations to have with employees and there's a lot of emotion behind them, so those are always very difficult situations. Rather than dealing with, you know, an outside attacker that the organization doesn't know. This is somebody who you know the boss is going to lunch with, and when they come back, they're doing things that they shouldn't be doing. 

0:12:48 - Mehmet
And I think they can do more damage, right Ty. 

0:12:51 - Tyler
Oh yeah, they can. They can. They can stay on the radar for a very long time. You know, point in case, we are one of our more recent ones here. We dealt with an IT manager who was an insider threat and that's very dangerous because they have essentially the access that they need. They have access to everything and you know they were, they were a threat, observably, for two to three years. It was quite a while Reading the yeah, reading the owner's emails, reading their private conversations, saving their private conversations, all sorts of different stuff that they should not have been into, and but you know, they can remain under the radar for a long time. 

They are very difficult to detect. Now I will say that spies, professional spies they're different. They are different. I will say that they are, most of the time, I won't say masters in their tradecraft, but they're good at what they do. They were good enough to walk through the front door of a building to get the job, to pass through HR, to pass all the checks, to make friends with their coworkers. They were good enough to do all of these things. So they are also very difficult to detect and they have a plan in place usually when they go in and they have some form of cyber knowledge as well. We've seen a pretty big increase in those corporate espionage cases because of remote work.

Now, I will say this: if you're a business owner out there, please, if you don't do anything else, conduct a video interview with your employees before you hire them up. Believe it or not, we see businesses who are either in the software space or the blockchain space and they'll hire employees, but they don't conduct a face-to-face or live interview with them, they don't do the proper reference checks that they should be doing and they wind up hiring hackers from North Korea to be on their team, and then they find out later.

But yeah, I mean, these people they're out there. They're definitely out there and they're looking for companies that are in specific sectors, particularly the financial sector. They look for companies that are in there. But there are corporate spies out there. They're good at what they do, they speak perfect English. Like it's very difficult to tell unless you do a face-to-face interview with somebody and you can really start to get to know them. Right, Very difficult. 

0:15:19 - Mehmet
Wow. So actually you answered the question that I wanted to ask you later how to detect that and how now. But let's say how we can minimize the damage here, because you just mentioned that they can go under the radar for a long time. So let's say, I'm a business owner today and I'm hearing this or I'm watching this. I'm getting worried now, right, so you gave some hints about, for example, having the video interviews, but maybe it's someone who's been with us for a long time. So there must be some signs, there must be something that I can do. Or also, you know countermeasures, because in CELAPID script you always talk about cyber measures. So what can we do, Ty?

0:16:10 - Tyler
Yeah, yeah, there are things you can do. And you know it's interesting because you know Robert Hanssen, the famous United States spy, who was working for the United States government. He was with the FBI I think it was the FBI or CIA and for 20 years he was spying for the Russians and he was also in charge of the department that spied on the Russians, right. So he was spying for the Russians and he was spying against the Russians and that was a really interesting situation. But I think a lot of parallels to this trust that we have in everybody and we want to trust people and we have to trust people. Our coworkers are, they are our friends, right, and at the end of the day, they are working with us. So there has to be a level of trust and there's always that boundary and you know we work with business owners who are very suspicious of their employees and it can create a bit of a toxic work environment for people. So you have to be very careful with the situation of not pointing a finger at your employees, obviously, until you have dead-to-rights proof of something happening, but also having the capability to monitor what is going on within your organization.

Now, the first thing I always say find where the most valuable information for your business lives. Find it. If that's in the cloud, if that's in Microsoft 365 or in SharePoint or it's on server somewhere, find out where that information sits. Where does that information sit? And then determine who has access to that information. That may take your pool of you know. If you're running a 500 person company, it may take your pool from 500 people down to 20 people. Now you have a pool of 20 people that have access to the most sensitive information that your business has or your organization has, and you can start to, you know, monitor the activities around that data or around those systems or around those personnel. Right, if you have 20 people, it's obviously a much better, much better window than looking at your whole company. 

But it all starts with a data inventory and this is tough because sometimes you know, if you're a business owner, you look out to your business and you say, well, you know that data is important, that data is important, that stuff's important too. This is my financial data and this is, you know, our customer information and our proprietary software. It all depends. But I always say is look through the lens of if all of this data went away today in like a ransomware attack or data destruction attack? If all of it went away today, what would be the one data type that you would need to get tomorrow to start your business up again? That's really your important data. That's where the value is. So data inventory very important. 

0:18:56 - Mehmet
Great insights. I would say yeah, very important to know where the data is. But now let's assume and we hear this word a lot let's assume that the breach going to happen. So what are the things that we should do? This will lead me, of course, to the response part of that. So usually, what's the best way to respond when such attack happens? 

0:19:25 - Tyler
Yeah, so the response for an insider threat is definitely different than the response for an outsider attack. I'll say that the response for an insider attack is usually very quiet. Right, if my team comes in to respond to an insider threat, usually one person in the company knows who we are. Nobody else knows who we are. We're coming in very quietly and it's very under the radar to find out what is actually going on inside of the company. Because it could be the chief financial officer, right? It could be the CTO, it could be somebody who is in the C-suite of the organization that we're having to uncover things about. External attacks: much more frequent.

You have to have a plan, and when I say have a plan, that does not mean having an 80 page incident response plan that you pulled off of a template site and you put some names into. That's not what that means. What it means is practicing. It's practicing different scenarios, and I know this can be hard and some organizations they'll say, well, we don't have all the time in the world to practice these things. We don't have, you know, two hours a week or two hours a month or two hours a quarter to even dedicate towards practicing what our response would be. What I say is, at a minimum, if you are a business owner and you have partners or other co-owners of your business is sit down with them and just ask the question what is our plan when we have a cyber attack? Do you know? Do we know what we're going to do, who we're going to call or what our resiliency plan is? That is the main thing. 

Ransomware has shadowed everything else. It has eclipsed any other cyber attack that's out there because it is so damaging. There are new tactics in ransomware now to where they will delete your data. You know different types of things that are happening out there. So I say that you need to have reliable backups of your data. You have to have copies of your data so that you can pull back from an attack as well. But I digress. It all starts with having a plan. Have a plan that is actionable so that when something happens, you're not asking for the first time what do we do and who do we call. 

We've been in cases before to where an organization is hit with a cyber attack and it took them four days to even get a hold of a cyber security company who would take their case, right? It happens on a Friday afternoon usually and they try calling everyone, and everybody in the cyber industry is now like hey, we'll deal with it on Monday. You're not the first one. This isn't anything special. We know we're going to make money, but we'll be there on Monday. And that's kind of the attitude with incident response firms now is that even the incident responders have been burned out, right? So burnout is real in this field as well, and they're treating these things like kind of like a nine to five case in some ways as well. So I would say, don't leave yourself in a position to where you can't get a hold of experts and you have no idea who to call. So that's always a recipe for disaster.

0:22:33 - Mehmet
So you mentioned a couple of things at the time. Burnout is something you know. Multiple guests they they agreed on this. What about, also, skill shortage? Do you think we have a shortage in people who are trained actually to do these responses? 

0:22:54 - Tyler
I do, I do. It is one of the things that worries me. We have. I would say there is a skill shortage there. I would say there is a skill shortage, but it is in specialized areas that not a lot of people would like to touch. So I talked to a lot of people who are coming into the field and they all want to, you know, either be security engineers creating security software products, or they want to do penetration testing, the fun stuff like that's fun. Right, that's fun. I like to do penetration testing as well as much as the next person.

Where I don't see many people coming into the field is where they are coming in the field to be incident responders. They want to respond to attacks. I don't see a whole lot of them and I see a shortage there. I see security teams that are very well formed, that have good levels of expertise, but they don't have incident responders because they're hard to find. It's a very stressful job. You're always moving, you're always looking towards the next case, and I would say that that is a pretty big area of lack in the community right now: incident response.

0:24:07 - Mehmet
Yeah, like it's. At some stage there were some places I do in the US and in other countries you know where they were having shortages of having police in crime scenes. Right, and dealing with cyber security attacks is exactly in a let's call it cyber way or virtual way. It's like going from one crime scene to the other and, just for people who are interested, it's something I was interested in. Forensics actually, back in the day, was something that always, you know it's like a mysterious thing but it's not easy because you need to deal with a lot of evidence, you need to talk to a lot of stakeholders, you need to know a lot of things and these bad actors keep changing. And you just mentioned time now, like because you mentioned ransomware, like again, this is one of the attacks that it's always successful majority of the time. 

What do you think the reason is they are successful?

0:25:08 - Tyler
And you know it's. It's super interesting because ransomware in itself is so simple. You know it's like when it came, ransomware when it first started, I want to say that it was probably back in 2015, about 2015 timeframe. I know a lot of the hardcore people, they're going to say ransomware has been around since 1997. I get it, I get it, I know it's been there. But in 2015 or so is really when it started to rear its ugly head and really affect businesses in a very impactful way.

Look, they keep changing ransomware tactics. From a delivery mechanism standpoint, those are changing. If it's phishing and antivirus evasion and exploitation of external systems. Those initial attack factors are different. They can vary. The exploitation of systems with ransomware generally tends to be similar.

I would say that there are always common flaws in ransomware attacks to where organizations have not done a proper job with system patching, with the maintenance and updates of systems and software and keeping those patching up to date. That is a problem. But generally they're abusing legitimate user accounts and administrator accounts within organizations. That is a commonality that I see across all of them: we have improperly set up Active Directory domains most of the time, to where the threat actor is able to get in, exploit user credentials, escalate their privileges and then move laterally along the way. There's nothing in the middle to stop them. That would be one of the most common things that I do see in ransomware attacks: improperly set up Active Directory networks and lack of patching of systems. That is definitely a problem.

I will say that new strains of ransomware that are out there. They are very crafty. They worm around networks by themselves. They have auto detonation packages to where, if certain technologies are found within the organization, let's say, a piece of advanced malware, a piece of advanced ransomware delivery mechanism, worm type, is moving around a network and it runs into an EDR product. It runs into an EDR product. If it recognized that EDR product, it will self destruct. It will delete itself from the system and remove its tracks before it trips it. It will check things out before it trips it. 

Some of the stuff out there is becoming very advanced because nation states are putting money behind this. Now organized criminals are putting money behind this. Now you have a huge influx of money from questionable organizations and criminal organizations that are now flowing to the software development of malware. That's something that we haven't really seen a whole lot of until, I would say, the last three or four years. With the world being in various wars and conflicts right now, you now have a very large portion of populations who have now been displaced. This has always been a problem. It was a problem in the Iraq war, in the Afghanistan war and all the wars that we've modern wars that we've been in is that when large populations of people are displaced, removed from their jobs, lacking opportunity to make money, they turn to stealing crypto, to creating malware and hacking organizations. I think that with everything going on right now, we're probably going to see much, much more in cyberattacks here pretty soon as well.

0:28:52 - Mehmet
Yeah. To your point, I have to highlight and agree with you on the point, like when you said people will say, yeah, it's 1997 and so on. But I think cryptocurrency made it so easy because now you can hide your identity behind a crypto wallet so no one knows who are we paying for?

Back in the days and always I tell people think about it this way, when it was like a physical ransom kind of thing, so you need to give a location and you would be able to recognize the voice. You would be able to somehow identify and actually sometimes they used to identify themselves. Hey, we are like a gang A and you have to pay us money so we can return the hostage to you. Now, of course, technology changed and with crypto, they're allowed to hide completely their identity, whether they are a nation state, whether they are just leaving kids, sometime they do it. Someone sitting in the garage or in the basement, and people think that this is science fiction. It's not. I've seen and I've read stories, especially from, as you said, areas of conflict. Usually they create these. I would say let's call them stereotypes actually. 

Of course they're not wearing the hoodie as they show us. Yeah, but they are very creative, and I think now to your point and I want to ask you, Ty, how AI is actually helping them in advancing, let's say, much faster. Now they can create malware, and I've seen articles about creating what you call this, this morphology of the malware, in a very different and very smart way that even the best EDRs in the world and the best detection in the world cannot actually find about them.

0:30:50 - Tyler
Yeah. So this is definitely a problem and I can say that AI I have hopes for AI to help us to really take a team of one and maybe expand them by a factor of 10 in their capabilities. That is my hope is to take that one person or the five person team and be able to expand their capabilities. So I do have hope for it. But it's being abused. It's being abused for software development on a malware perspective as well, and we are seeing more antivirus and EDR evasion techniques, or EDR removal techniques, than we were before. Now, where they're exactly coming from, whether or not they're manually coded or that there's a person within the EDR company who's got the source code and they're feeding it to their buddy, they're selling it right, because those things happen as well. Insider threats again, or if it's AI, we're not really sure yet, and that's part of the problem. Now I will say that, beyond the EDR and antivirus and ransomware perspectives, we're seeing a lot of really big organizations Microsoft, Cisco. Cisco just had one yesterday with NetScaler, Okta huge.

We're seeing huge breaches within these organizations and exploitation of things that we normally see once in a while. Once in a while, you'll have something as big as Okta, or you'll have something as big as this new Cisco vulnerability that's out there, where they say patch right now, imminent danger, 10 out of 10, those kinds of things. So we're seeing more and more of those which indicates that human research is being facilitated by AI in some way to find new vulnerabilities, to do bug bounties and to create new malware that's out there. This year has been crazy for cyber attacks, just from our perspective. I can't speak for the rest of the industry. I talk with peers who are in similar spaces and everybody's generally saying the same thing of we've never seen so much ransomware attack. We've never seen so much malware in our careers, and we feel the same way. This year has been very busy for malware and ransomware extremely busy, more so than any other year that I've been around. 

0:33:14 - Mehmet
Wow, this is an interesting statistics. I would say, of course and I'm highlighting this because I would relate this to the next question so there is a belief, and sorry for repeating myself, but I do this on purpose. People now, by this time they know that I like to repeat stuff just to get it make sure that I deliver the message. People think, hey, these gangs after they are after the big guys, I should not be worried much. I'm just a startup, I'm just starting now. I don't have much to worry about, but I'm a small business owner. Why someone would come actually try to steal from me something or even encrypt my data? They better go after the big supermarket chains, the big banks. The money is there. I hear this. Now, I know that you deal a lot with startups and small businesses, want to from you to highlight why it's important, even if you are a startup or a small business. 

0:34:26 - Tyler
Yeah. So what I can say about that is that cyber attackers, they, I won't say that they don't care, because they do care. I've actually had a conversation with cyber attackers that have given the money back. So they're people. At the end of the day, they are people. That is rare, don't get me wrong. That's very rare to see. Now, cyber attackers will attack individuals. So we've had calls and we don't work with individuals. That's another area. But we had a call from an elderly lady that had her entire life savings stolen from her. 

0:35:01 - Mehmet
Right. 

0:35:03 - Tyler
All of her savings, everything that she had worked for. Not sure if she got it back. But cyber attackers will go down to the individual level and to the small business and startup level, because they understand that you don't have as many protections in place that big organizations do. MGM. Sometimes you get an MGM that's thrown in there and you say, well, you know, they're going after big, they're going after both. They don't care the size of your business, they just have different protocols to follow. If they're hitting a five 10-person startup versus MGM, right, but essentially it's all the same. They're using similar tactics to make their way in through social engineering and phishing. 

Phishing is a huge problem, you know that's a very large problem and it's what gets most of businesses. But startups are particularly risky because there's a lack of governance from the jump within startups. Right, you have to move fast. Maybe you have investor money or you're an entrepreneur and you've started your business and you've got a six-month runway of cash before you run out and you have to go back to your job. So you're moving quickly. You're subscribing to new software products that are out there. You're pulling on subscriptions. You're hiring new people. You're bringing on consultants. You're bringing on consultants who are overseas. People are asking you if you need this and you need that and trying to sell you everything. 

So you're very busy as a startup founder or startup founder team, and that's where you make mistakes. That's where mistakes happen. And cyber attackers they don't really care because they know you probably have cyber liability coverage and, at the end of the day, if you don't have cyber insurance to pay them a ransom, they just take your data anyways and sell it. So they'll take your data, your customers' data, and they'll move along the chain. So you as a startup and here's the thing that I've definitely noticed is that as a startup, you're in some kind of a supply chain. 

You may not even know where that supply chain goes, but your supply chain let's say you're a startup of five people in the energy sector. At the very top of that chain you have national energy organizations and you're the small startup and there's 500 businesses in between you and that large government entity. They will start at the bottom of that ladder and work their way up through to disrupt the entire supply chain, especially if you're in those sectors, if you're in energy, finance. So banking is kind of an interesting one. Crypto, that's also another one and then many other sectors as well manufacturing if you're in a supply chain, somebody has their sights set on you as an organization. Doesn't matter what your size is. 

0:37:50 - Mehmet
Yeah, yeah, true, and I like what you said. There are people like us, which is a matter of fact, and we used I used to have a colleague who, when he was talking about cybersecurity and how it's evolving, and said, yeah, like kind of a joke. They are like us, they have wives and kids and they need to think about the bills, so they need to always to come up with new creative ideas, of course, between quotes for them. But back to the point of small businesses and startups. So this is why I always tell them it's maybe. They tell me sometimes I don't have data yet I should not be worried. I tell them it's not about your own data, but you're dealing with potential customers, prospects, so you have even email addresses, phone numbers and this is personal identity, PII, right, so it's a personal information and by this alone they can do the relation. Okay. So you as startup, as you said, you are dealing with X, Y and Z companies. So they start to do these correlations and I always show people. 

In threat intelligence, there is this famous thing where you correlate data, for example, between IP addresses, geography, past history, and then I try to explain. You are small part of a larger mesh of interconnected actors, let's call them. So you are just one part and everything counts for them. So there's a famous say in sales we say every dollars count. So for the hackers also, every dollars count, because these guys they need to pay salaries, they need to do their R&D, they need to keep the lifestyle on, as they say. So 100% true. Now someone might say, hey, okay, I understand, I get it, but I cannot hire a full time someone who takes care of my cybersecurity. Maybe I don't have enough budget to purchase all these expensive solutions. 

0:40:07 - Tyler
So what you can tell them to I so I have two suggestions for and we have these conversations a lot with organizations if you don't have money for cybersecurity, you can find everything for free. You can find all the answers for free. You can find all of your education to become a business owner and a cybersecurity expert and I'm not making a joke of that situation because I know it's impossible. I know you as a business owner. You're focused on your business, but that option is out there. There's a lot of information on YouTube, free books, open source software. You can cobble together a pretty good cybersecurity program as a startup. 

Now, will it stand the test of time? Probably not. Will it hold up as your business grows or scale with you? No, it won't. And if you get attacked, are things gonna be probably even worse because you don't know how these tools and methods function? Probably, so you have to be very careful with that. But there are fractional models that are out there and I hate to do a business plug for my business, but that is what we do for the majority of our clients. We have a fractional chief information security officer program that's really designed to fit to smaller budgets at times and then scale up to larger budgets as well. 

But if you don't have the money for that, at least have an assessment done of your organization to give you some kind of a roadmap. Right, have a professional come in and they don't have to be a Deloitte, right, they don't have to be a huge. Nothing against Deloitte, right people? But if you don't have the money to spend with a Deloitte, you may wanna have a smaller cybersecurity company come in and perform a gap assessment or a baseline assessment and give you a plan and say here's the plan, we've listed everything out. These are all the things that you should do as an organization to become secure. Here's critical, here's medium priority and here's your low priority ones that you don't worry about those in three years. You need some kind of a plan to walk forward with, and we'd see a lot of startups make the mistake of their first three years in business of having their CTO. Some CTOs are very knowledgeable and secure, so I know many CTOs who could be great CISOs. 

They just don't want the job. They're like, give me out of there. Now I will say that CTOs are usually the ones who have the cybersecurity hat within startups for the first three years and they are dealing with software development and web development and managing people and then also have security and compliance now that they have to deal with. So I would say be aware of where you're putting these responsibilities as a business owner. Just because somebody has the title of CTO, they may not want the title of chief compliance officer and chief information security officer. That is a very large responsibility for one person to have. So we just see that a lot where you have one person wearing 10 hats and unfortunately the hats of compliance and security are very big hats to wear. So I would say, be cautious of that. 

0:43:23 - Mehmet
Yeah, and just if you allow me to add one thing I know in the startup world it's very normal to wear multiple hats from the founder, the CEO or the co-founders if they are more than two, but cybersecurity is like a special kind, because you mentioned actually two very important points and I try to repeat them again so to make sure that they are implanted, I would say in everyone's mind. You took money from investors, so you better protect the money that you're gonna use, because if someone destroys your infrastructure when I say destroys, of course, maybe you, hopefully you have backup and you're gonna bring it back, but still this is time wasted. So instead the product to go, for example, on first of November, now you're gonna do it maybe 15th of November because you're gonna rebuild everything back. The second thing is compliance, especially if you are a startup. You know dealing with healthcare, maybe dealing with, you know, bank or financial information, so you have to comply with a lot of things. You know, of course, we keep saying PCI DSS. We know the HIPAA in the States for the health each country they started to have more strict. You know, if you are in Europe, like you have the GDPR and all this stuff. So it's not a joke and you can end up paying really, really, really like high bills, not only for the penalties, because you will be forced to do incident response when these things happen, especially if you are a, you know, regulated vertical. 

So I wanted to repeat this and thank you for bringing this style here and again. Guys like, don't think about it just because you know I'm trying to save. I know that you are tight on budgets and this is, you know, the question time, and that applies not only for startups, that apply everywhere. It is hard to justify investment for cybersecurity usually, but I'm sure you know there are ways where you know they can, they can put something where they can justify. So what are the best practices you would give to someone who are going to seek, you know, to justify funding for a cybersecurity whether service like the ones you offer, for example, the virtual CISO service, or just for buying a product? 

0:45:47 - Tyler
Yeah, yeah, budget's always an interesting thing and you know, if you're an organization that's regulated by law to have a cybersecurity program, you have to have one, like you have to have one. People can go to jail if you don't like. In the United States there are new laws that are coming around for publicly traded companies to where CISOs are worried of, you know, in working with publicly traded companies, because they can go to prison, right, if they don't do the right thing. It can be criminal, criminal things that can happen for them, right. So that's an interesting one. I've got my thoughts about that, you know. I don't, you know, really like putting good guys in prison, so that's a weird one. 

But budget always comes down to risk and you have to talk money with business owners and you know if this situation does happen, what is the financial risk to the organization. If we're hit with a cyber attack today, do we have recourse? So you can lean in on cyber insurance policies. So your insurance policy likely has some kind of a rider or clause. Or even if you have a set aside cyber insurance policy, it should list out all of the things that you should be doing as an organization to be reimbursed in the event of a cyber attack and we see so I can tell you what happens. When an organization is there with a cyber attack and they have a cyber insurance policy, the first thing that the cyber insurance company does, if you report it to them, is they bring in their own people. 

They bring in their own incident responders, forensic people, and their only job is to not pay you. That's their job. Their job is to find ways to really not pay you, your, your money back and your reimbursement. And that's the position that we're in with a lot of startups is. We're creating this program to where, at the end of the day, when something happens, the cyber insurance company, they can put their incident responders in play and they will see all of the good work that's been done. So, even if something happens, we will have this mountain of due diligence that everybody performed. Everybody was on board, all the right things were done, but the bad guys got it right once and the cyber insurance companies pay out when they see that kind of stuff. 

Now, if you sign on the dotted line and check the boxes on your cyber liability policy but you're not really doing anything and you don't have any idea what's going on, don't activate that policy. Don't bother activating it when you have an incident, because they will pick through that and they'll likely find that you weren't implementing these things. So I bring these things back from a startup perspective, because that's usually the question is how do we, how do we lessen the damage when we do have a cyber attack and it's always based on that cyber liability policy. If you don't have a cyber liability policy and you're regulated by healthcare or some of the regulation, then that track is pretty easy to justify from a budget perspective. You know, like HIPAA, if you have HIPAA data, you know you have to have a cybersecurity posture in a program in place. So those conversations are generally pretty easy for us to have. 

0:49:07 - Mehmet
Yeah, good one. And you know, like again to the point of you know the cyber insurance and how you know these guys, they act it's similar to a normal insurance policy. So especially, for example, if you do like third liability only insurance for your car, so they would try to say, hey, like you hit them, they didn't hit you right, so, and you will get these reports back and forth and the same thing will happen in cyber space. Yeah, so absolutely, Tyler, we, I think we covered a lot, but was there anything that we missed or skipped that we should have spoken about? 

0:49:51 - Tyler
I mean, there's always so much going on in this field that it's hard to it's hard to keep up on. You know, like everything that's going on, I, you know, I will say, you know, as I reiterated before, that we're seeing more attacks than we've ever seen before, more desperate people doing desperate things and, obviously, with glowing, growing global conflict. Protect your business. You know you have to protect your business and you still have to maintain that balance as well. So find, find, find that fine line between those of not closing the gates, completely walling off your business from the outside world, or even ostracizing your employees against your business, because that can happen if you're not careful but also protecting yourself from the imminent danger that is out there, and we're just seeing this growing so much, and you know it has to do with everything going on in the world. So I would say organizations have to protect themselves and, you know, also have fun with their business while they're doing it. So it's oh, it always feels like doom and gloom when I talk because of my field. It's like crime, you know. We're talking about crime all the time. 

However, we have so many success stories too, which you don't hear about those. You know what I mean. You don't. You don't hear about the businesses that we've worked with for five years who have never had a security incident. Knock on wood, right. Well, you don't hear about those things because they're they're not exciting, they don't they. They're not awarded those accolades, but we award them those accolades, we give them kudos on those notes as well, because those are huge. Those are huge, and if you can go that amount of time without having a cyber incident, you're. 

You are now in a very small pool of businesses and organizations that have defended themselves. So I think that's something that is an organization. You have to give yourself pat on the back. And if there's business owners who are listening and you have a cybersecurity team in place and you have a bunch of employees and you have not had a cybersecurity incident in three, four years, your team is the reason for that. So please give them a pat on the back, because nobody else is it. It can be a thankless job when everything is quiet and there's nothing going on. Is that's where we win? That's where we're winning. But the bad guys? They only need to get it right once. We have to get it right a hundred percent of the time. 

0:52:17 - Mehmet
So a hundred percent I agree with you. 

Ty, on this and yes, please, please, please, you know, like give these kudos to, to the everyone you know in whether IT department, whether it you are dealing with a cybersecurity consultancy company, because if one every night I would say you're sleeping without having even the smallest incident. So this is because you know the proper measures were in place. It's not because you know the hackers didn't decide to come to you like a hundred percent on this and again, maybe I'm repeating again and again and again startups, small businesses. You are very important part of every economy, like I did every single study to see how much startups and small businesses contribute to each economy. Of course, like, the numbers might shift a little bit by two or three points up or down, but usually you know you are doing most of the, you know heavy lifting. I would say maybe you don't know it because you say, hey, just, I'm a small business, I'm less than, let's say, ten million dollars per year revenue, so I'm not that big, you know company. I'm not like the other guys who are doing billions, that's true. But you are very important part of the whole ecosystem and this is why it is important to protect yourself, because if you are protected, the economy is protected and everyone else is protected, so we don't have job loss. 

And, by the way, Ty, if you allow me, because just I remembered one thing. We've seen businesses wiped out because of cyber attacks. I've read a lot of articles in the States, in Canada, in Europe, even here in the Middle East. I know a couple of situations where the guys had to go out of business because they didn't have any data left. They lost everything. So this is very, very important. You know, I really enjoyed the discussion time with you today. It's like very nice and I think we should do. We should do this again. So thank you very much for your time. I know that you have a very busy day ahead of you today when people can find more about your. You know yourself and your company. 

0:54:23 - Tyler
Yeah, so I'm on LinkedIn. I'm not sure if there's a way that I can. 

0:54:28 - Mehmet
I will, I will, I will put the show in the show notes, all the links, don't worry. 

0:54:32 - Tyler
Okay, perfect. Yep, I'm on LinkedIn. Csg cyber comm is our website, so those are the two places really where you can find myself and my organization and, yeah, my man. It's been a lot of fun. I love talking about this stuff. It's it is very exciting, and I don't see it slowing down anytime soon, so I'm sure we'll have a lot more to talk about. 

0:54:56 - Mehmet
Yeah, sure, and hope to have you again as a guest very, very soon. I thank you very much for joining today and here's the way I close every episode. I hope you know you find this useful if you are a first time listener or viewer watching us today. Thank you again and I hope you enjoyed the content with trying to bring everything related to technology, of course, cyber security, startups, and if you are interested also to be a guest on the show, don't hesitate. Like actually I mentioned at the beginning of the episode, like we are in different time zones, but it doesn't make a problem, I can afford any time zone you are in, so please reach out if you have something interesting to talk about. And until we meet next time, thank you, bye, bye. 

0:55:39 - Tyler
Thank you. 

Transcribed by https://podium.page