In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?
In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience, with all of us.
As a part of this series, I had the pleasure of interviewing Matt Hathaway.
Matt Hathaway is the chief marketing officer for TrueFort. Matt has extensive knowledge of security users, buyers, and the security landscape, as well as a track record of building high-performing marketing and product teams. He has over 15 years’ experience in the security market that spans fraud prevention, vulnerability management, SIEM, cloud workload protection, data security, endpoint protection, and application security.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. What is your vision for cyber defense?
I think an important approach for cyber defense is similar to the concept of “assume breach.” But I prefer to think of it as “assume human error” because there’s a reason that the majority of all breaches involve some version of human error — somebody falling for a phishing link or somebody misconfiguring something. But it’s just human nature and people are trying to do their job. They’re not thinking constantly of security. So I think if more tools and processes and the overall approach to cyber defense takes into consideration that humans will make mistakes, the better you’ll be equipped.
Organizations that plan for and expect human error assume that no one control is going to stop everything. So they try and prevent 99 plus percent of attacks. But when the attackers get in, what’s the second line of defense? What’s the third line of defense? The buzzword for it is “defense in depth,” but it’s assuming that no one security control will be enough.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I was working at RSA, one of the worldwide leaders in security, when we experienced a very serious breach in 2011. At the time, it was my first job in security. I was more in anti-fraud than security. But just seeing how well executed and serious the attackers can be really made me more interested in the security side and made me want to help in that area.
Can you share the most interesting story that happened to you since you began this fascinating career?
For me personally, I’ve probably learned the most when I was the product manager at Rapid7 and we were launching the user behavior analytics submarket of security. I had spent hundreds of hours with customers trying to understand challenges they had. And we and a few other companies all recognized it’s very hard to improve security when you don’t know what the users are doing on a day-to-day basis.
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
For the first one, I guess curiosity is the best word for it. I have always just wanted to ask more questions and know more. And it led to spending hundreds of hours with customers and security professionals just asking what are their goals for their organization, what do they do on a day-to-day basis, what is a pain in the butt, and what do they wish they could do on a day-to-day basis. So just trying to understand without an agenda — not trying to solve their day, just trying to understand it. It really led to identifying problems they probably didn’t realize they had and working with them to try and build better solutions to it. So curiosity has been very big for me.
Also, I believe everybody should strive to have adaptability. I’ve changed companies multiple times, but more than that, within companies, I’ve changed roles because of what the business needed. We were expanding as a company or we were going IPO, or there was something I truly believed I could help with. And then I said, “Okay, yeah, let’s give it a shot.” Adapting to change is important, especially at smaller companies, because change is constant.
A third trait is just being genuine — always being able to say, “I don’t know what that is” and never having to pretend you know something. Because if you pretend, then you usually end up throwing up your hands because you don’t know how to accomplish something. Just because you didn’t say, “I don’t know what that is. Can you help me understand?”
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. To ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks that we need to be cognizant of?
I think it’s tough to really depict any attack as one thing, but the techniques that everybody always has to be cognizant of is phishing and how incredibly prevalent and how effective it is. It’s often the way in, and it’s often just a start to find more and more in the organization. Then I think everybody knows about ransomware, but it’s just since the rise of cryptocurrency that ransomware has really exploded in the last 10 years, because there’s a way to pay somebody that’s anonymous. Previously, there was no way to pay the ransom to the criminal without them being tracked. And that’s the reason it took ransomware so long to become common.
Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?
Both should be concerned. But attackers are thinking of it like a business as well. And they know there’s a lot more money in going after businesses. So, yes, there are times when they’ll steal a credit card number and reuse it, but often if you’re using a credit card and not a debit card, you can usually get that money back. The only real threat to individuals is identity theft, and it’s a lot more elaborate than ransomware at a company.
Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?
The FBI would be the first step for an organization. They’re well equipped and help organizations notify people who might have been affected. Sometimes the FBI are the ones notifying a business that they’ve been compromised. They’ll help connect you with the right organizations for incident response if you need it. They’ll also help you determine what attacker group was involved or what external data has already been seen from your organization.
What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?
Most often, it’s human error. It’s often that somebody thinks if they change the configuration of something, maybe it’ll make everything run faster. They’ll get more efficiency. They don’t realize that this makes them very easy to attack because of that configuration. And it was initially set up that way to avoid vulnerabilities. Other than that, it’s often out-of-date software and old, unpatched servers because IT is worried about taking down production or having any downtime, and so they don’t bother to get to that update. A lot of software vulnerabilities are published on a regular basis. And people have that information available to them, but they just didn’t get to it because they were worried about losing money by having downtime.
What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?
One thing that was done very well recently was the executive order around Zero Trust architecture and adopting that framework. For the most part, that’s only a requirement for federal agencies and other government entities, but it goes a long way if businesses also take that on. And I think we’re starting to see that for more and more regulators as well.
I think business leaders need to recognize that security is more than just a cost to the business. Historically they tend to view the security team and security products and everything as a cost, but it’s more like insurance than it is a cost. You’re paying a small amount now to avoid paying an enormous amount later. And the more they can think that way and confirm with their board that this money is good for the company, they can even use that to build their reputation as a more secure organization that you should trust.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every American Business Leader Should Do to Shield Themselves From a Cyberattack” and why?
- Go beyond simple security awareness training to treat employees as the humans they are. Explain that people make mistakes, but it’s important for everyone to understand why security’s important to the company. It’s more than just training and not clicking a link. And the more they can instill that in the company culture, the better off they’ll be. It’ll make it more likely somebody reports they made a mistake instead of thinking they’ll be punished. And, in general, employees will probably be more understanding when security comes and asks for help.
- Stop viewing security as a cost. I would repeat that point because that’s on business leaders.
- As the company has new projects and initiatives, like moving to the cloud, or acquiring another company, see those projects as an opportunity to enhance security. Pull in the security team early on because you’re getting a chance to rebuild something that was probably done in a rush the first time.
- Look at disaster recovery capabilities like backing up servers and testing your restore process as something to help against ransomware. And make sure the processes are tested regularly to ensure they work because ransomware should be considered a potential disaster as well.
- As much as possible, adopt a positive security model. Try to ensure any activity that is known to be good and needed is protected. Only look to block or investigate and respond to what is not normal. Because the negative security model of only blocking known bad is notoriously right behind the hackers. It’s a day late.
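The positive security model in the last point, as an added illustration that is not part of the interview or TrueFort's own code: a baseline of known-good (process, destination port) pairs per host role is protected, and anything outside it is flagged for investigation; a denylist of known-bad process names is shown beside it for contrast. The host roles, process names, ports and events are constructed sample data, and the `host_role` tag is an assumed inventory attribute.

```python
# Added example: positive (allowlist) versus negative (denylist) security model.
# Not from the interview or TrueFort; all data below is constructed.

from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host_role: str   # assumed inventory tag, e.g. "web" or "db"
    process: str     # process that opened the connection
    dest_port: int   # destination port of the connection


# Positive model: the activity each role is known to need. Maintained through
# change management; a legitimate new service must be added here first, or it
# will (correctly) show up as "not normal".
ALLOWLIST = {
    "web": {("nginx", 80), ("nginx", 443), ("app", 5432)},
    "db": {("postgres", 5432), ("backup-agent", 22)},
}

# Negative model: names of known-bad tooling. Necessarily incomplete, because
# it can only contain what has already been seen somewhere.
DENYLIST = {"cryptominer"}


def flag_negative(events):
    """Denylist check: only activity already known to be bad is flagged."""
    return [e for e in events if e.process in DENYLIST]


def flag_positive(events):
    """Allowlist check: anything outside the role's baseline is flagged."""
    flagged = []
    for e in events:
        allowed = ALLOWLIST.get(e.host_role, set())
        if (e.process, e.dest_port) not in allowed:
            flagged.append(e)
    return flagged


def compare(events):
    """Summarise what each model would surface for the same event stream."""
    return {
        "negative_model": len(flag_negative(events)),
        "positive_model": len(flag_positive(events)),
    }


# Constructed sample of connection events from a web host and a db host.
SAMPLE_EVENTS = [
    Event("web", "nginx", 443),        # normal
    Event("web", "app", 5432),         # normal: app tier talking to the db
    Event("db", "postgres", 5432),     # normal
    Event("db", "cryptominer", 3333),  # known bad: both models catch it
    Event("web", "powershell", 4444),  # never seen before: only the allowlist catches it
    Event("db", "postgres", 8080),     # known process, unexpected port: only the allowlist catches it
]

if __name__ == "__main__":
    print("denylist flagged :", flag_negative(SAMPLE_EVENTS))
    print("allowlist flagged:", flag_positive(SAMPLE_EVENTS))
    print(compare(SAMPLE_EVENTS))
```

The denylist surfaces one event because it can only match what it already knows; the allowlist surfaces three, including the two that no signature exists for yet. The cost of the positive model is that the baseline has to be kept current as the environment changes, which is why the earlier point about pulling security into new projects early matters in practice.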
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger.
Well, it’s probably going to sound odd given my title, but to me, one of the biggest problems in the security industry for 10 years has been what I call “silver bullet marketing.” That’s companies emerging and claiming, “we’re the only solution you’ll ever need for security.” I would love to get to a more realistic approach to marketing and messaging about security solutions to have the entire industry as a whole try to be as honest as possible. Yes, there’s always going to be capabilities that you claim you can do, but none of this “we solve everything for you.” It hurts the credibility of the industry. And in the end, some organizations will spend all of their budget on something that should only be a fraction of what they get, so they’re left with vulnerabilities.
How can our readers further follow your work online?
I’m on LinkedIn at LinkedIn.com/in/matthathaway
I’m on Twitter at TheWay99
And you can read the TrueFort blog at Trufort.com/blog.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!