Cyber Hygiene with Megan Stifel

Erik Flegal
All right, everybody. Thank you for joining us for another episode of Thought and Action. Have an awesome guest today, Megan Stifel. She’s the executive director for the Americas at the Global Cyber Alliance. And I just want to talk about something that I think is on the forefront of most people’s minds, which is cybersecurity. And for a multitude of reasons. I mean, I think people read about hacking, phishing, things like that, know someone that’s had their identity stolen. But I was also noticing, I just pulled up a simple statistic. This is from the beginning of this year. So this is obviously even a greater number now. But over the past five years, remote work grew 44%. Over the previous 10 years, it grew 91%. So you obviously have more and more people working at home. And I know, you know, Megan’s going to talk about this. But there are different, you know, obviously, ways that her organization can help both individuals, businesses, and everything. And I think that remote work is something that is touching more and more, if not all the viewers that we’re going to see because obviously, being a tech platform, you’re getting the internet, how do you keep yourself safe? So just start off with just a simple question. For the people that don’t know, Megan, what is the Global Cyber Alliance? And what is your role there?

Megan Stifel
Sure, thanks, Erik, for having me. And I’m delighted to have the opportunity to talk with the audience. So the Global Cyber Alliance is a nonprofit, a 501(c)(3)-based organization. We are a global organization, we have offices in New York, London, and Brussels. And our objective really is to, it used to say eradicate cyber risk, but I think anybody who puts like a definitive word out there, like eradicate, is slightly fooling themselves, it’s really to reduce cyber risk in the internet ecosystem, which essentially means any connected device, we would like to help reduce the risk of that device becoming a point of compromise. And therefore, as you mentioned, the point at which someone might have their identity compromised, or financial information compromised, bank accounts accessed without authorization, and the like. I’m the executive director for the Americas region. So I cover all the way down to the tip of South America all the way up to Canada, which means there are about 110 or so partners in my region, we are a partner-based organization, which means that for-profit entities pay us a minor contributing partner amount, and not for profits, academia and the like are able to become partners without any contributing fee. We have been up to 260 partners globally across 30 different countries, and all critical infrastructure, all sectors of the economy. So critical infrastructure is one that we often talk about. But that means that we have partners in health care and financial services, energy, telecoms, and the like. And we work with those partners to identify and hear the ways in which they are experiencing cyber risk in the ecosystem and how organizations like ours, which the closest analogy, I think, is often Doctors Without Borders, or the Red Cross. So we’re looking to provide free resources to individuals and organizations that are, in many cases fall in the market gap. 
They don’t have the capacity or the resources to acquire cybersecurity services, yet they still remain vulnerable. And their vulnerability really can have a butterfly effect in the negative sense in the ecosystem. So we’re trying to help by giving away and training people to reduce risk in the ecosystem.

Erik Flegal
Got it. So that being the case, obviously, you’ve got a very broad lens, what are the specific threats you’re seeing in 2020?

Megan Stifel
So you mentioned work from home, and the other one I would point out is, you know, my kids are thankfully for right now in school for a couple of more days or weeks, we’ll see. But tele-education as well, the work from home shifts that happened quite abruptly was not something that a lot of organizations had planned for. And that’s, I think, contributing a part to the figures that we’re seeing for 2020. That being said, there are, it’s I think we’ll see a shift in those figures, hopefully over the next couple of years, because we will begin to use more scalable solutions to bring down risk. So as opposed to having a real Frankenstein set of capabilities within a larger organization, they will begin to pull those capabilities into, for example, the cloud, which then allows you to use a smaller number of points to really push security out to the in many cases I’ll use the phrase enterprise but the corporation. So we do see an increased risk as a result of work from home. And that also happens because not everyone is able to use a company-provided device to access the corporate network, they may be running, they may be accessing the corporate network from the same place that the kid might be doing school that’s kind of unlikely. But if you have you know, if you’re kind of either that or you have the adult has the good laptop, and the kid has the crummy one. And it’s the kid who also uses it to do gaming or something that exposes the family to risk. And potentially everybody who’s on the home network. So thinking about how we can educate users on how to reduce those risks. One of the simplest things to do is to pull out your router every once in a while and plug it back in, that refreshes the router. And that was actually a recommendation that DHS put out. I think it’s been two years ago, we had a threat that was going around, it involves the exploitation of home routers. 
And so one way to solve that is not something overly sophisticated, but just pull it out and plug it back in. So those are the shift to an operating environment that had not really been contemplated by a lot of organizations. And the shift and a rapid timeframe have really put some pressure on the ecosystem. But I think it’s also been very educational and given people an opportunity to see where some real market opportunities are too. And whether you whether it be I think Microsoft is selling people, they can work from home for forever. And you see a lot of that coming out of particularly Silicon Valley. There are similar ways to bring actual cybersecurity to the home where we haven’t been able to reach that point before. A new area for growth too.

Erik Flegal
Absolutely, absolutely. So you. I mean, you have a basket of tools at the Global Cyber Alliance, you take us through because I know you talk a lot about education, what maybe some of those education tools are, and the different, you know, kind of buckets that they plug into are.

Megan Stifel
Sure. So we have a number of resources, they are simply brought together in something called a toolkit. And so we have three toolkits, the one that’s probably most relevant for this audience is a toolkit for small businesses. And that toolkit has six toolboxes in it that are really designed to help users do very basic cybersecurity, cyber hygiene practices to significantly reduce their cyber risks. So the toolkit will take a user through identifying all the devices in their network, you know, did somebody in the office install a printer that nobody knew they had, and that printer has not been updated in four years. And it turns out the printer’s the weak point in the office that can then lead to the compromise of the financial account, something like that. So the first of them, identifying what you have, you can’t defend what you don’t know you have. So, all that may sound intimidating. And if you go to the website and check out the toolkit, it will say something like “May take four hours”, that really depends on how many devices you have. So if you’re talking about the average home or the average small office, it’s not really that long. So don’t be put off by that. There are explainer videos, each of these toolboxes that I’ve mentioned, explain to users how to use a tool and what its significance is. So I’ve explained if you have a device you need to know how to protect it. And then some of the other resources involve doing what’s called automatic updating of software and automatic backing up of files. So the big trend in 2020, another big trend in 2020 has been a continuous rise in something called ransomware. Where either a computer or files are basically encrypted, and the user doesn’t have access to them unless they pay a ransom, often in the form of Bitcoin. By having a backup of one’s files, and the second point of that is to try and keep it separate and offline. 
So you update your files every night and then you unplug it from the system and store it separately. If your computer is locked up, you’re able to basically restore your files by taking that copy and plugging it into a new machine. Another piece of the puzzle though, which is if those two sound too complex, a more simple solution to that also is effective is two additional ones. One is you mentioned at the beginning, or when we were talking earlier, two-factor authentication or something called multi-factor authentication. So now your bank, your phone, I have an iPhone, I like Apple products, not to put a plug, I don’t own stock in Apple. The facial recognition technology and the other ways that you can use the tokenization of access to different platforms, anything that’s a critical activity if it’s your healthcare information, your financial information, anything that would contain PII, personal information that can be used to identify you or compromise your identity. Having two-factor authentication enabled on those apps or accounts is critically important. So the toolbox contains some instructions on how to do that. And the last piece really is thinking about when we browse the web, we type in an email or excuse me, a website address. Something called the domain name system sends the data out to the phonebook of the internet, the domain name system and sends you on to your location, oftentimes, the DNS address that the URL address at the top newyorktimes.com, or whatever it is, people can register look-alike addresses that are actually addresses and websites that host malicious computer information, well it’s just information. There is a very simple tool called Quad9, so it’s 9.9.9.9, that is, can be installed within 90 seconds. And if you go to the website, you can use this, it’s called a protective DNS service. 
So it protects you as you’re doing DNS, essentially dialing up the phonebook of the internet so that you are redirected or prohibited from reaching these bad sites. But there are also resources for elections offices and journalists. But the bottom line at the end of the day is that we try to help enable users from feeling helpless. You know, yesterday in DC remotely. And the conversation was, some people think they’re too small to be hacked, and others think it’s just hopeless, there’s nothing they can do. And that’s, I think, nothing, nothing further from the truth. The reality is small steps, small hygiene actions, just like we wash our hands now, more than we ever used to. We use hand sanitizer, we wear masks, small steps can actually also have a meaningful impact in cybersecurity as well.

Erik Flegal
Right? I love that hygiene analogy, it’s just so apropos with washing your hands, don’t touch your face this year. I’m curious, like the, and I’ve been on this like, as a plug I’ve been on the site, you know, and I’m a person that I look and I see there’s so much jargon, I don’t necessarily understand like, what’s a DNS, what’s this, what’s that, I mean, it gets very clear, and the steps are really easily put out. So I mean, I would just encourage anybody that’s watching, you know, take a look. And I’ll put the website on the blog, too. So people will have a chance to see it. But just take a look and read through it, it’s very easy steps. But from the hygiene standpoint, how often should you do this? Is it something you do once a year, or do you do it every day? Like I know, you don’t want to live in fear. But you also want to be proved. So where does it fall? How often should we, you know, wash our cyber hands?

Megan Stifel
Okay, um, I think it sort of depends. Some of the tools that we direct people to use are available from the OS, the operating system developer, so Microsoft, you can set it to automatically update, you don’t have to do anything, it keeps the system up, just like your phone, Apple often requires you to do the update yourself. But so those were possible and you know, in smaller environments where there’s less likelihood that an update to one part of the system might throw off another. There isn’t much of a lift on the consumer or the user to have to remember to wash their hands. I think, thinking about it once or twice a year and sort of let me do me, I go to the doctor once a year for a physical I should go at least probably once a year, physical of my systems as well and making sure that you know, checking to make sure that the updates have been installed. The advice used to be that you should change your password like every three months that’s been thrown out. Yeah, one of the things that we recommend is that people use a password manager. So that you don’t have to keep the list of this is my to-do list not my list of passwords to my account. The password managers are a safe resource to use in addition to multi-factor authentication. So changing passwords less frequently than we used to be advised. But above all else, making sure that we don’t reuse passwords. Because putting together the email address together with an exposed or compromised password leads to a lot of trouble.

Erik Flegal
Right. So this is my last question, it’s more of a personal one I’ve always wanted to know. I used to put all my faith into like a McAfee or Norton Antivirus. And it was just like an antivirus, you’d buy it, you’d install it, and that’s it. And now when you go to buy it, there’s like eight different options. I mean, it’s like, I can’t even go through them all you probably know them like an internet, email, and it’s all segmented out. Can you still put your faith in that? Just say, I’m gonna buy this and it’ll take care of me? Or do you want to do that as a, is that part of the list of things to do now? Cuz it seems like everything’s kind of been parsed out. And I’m trying to, as a consumer say, all right, is there a one-stop shop to do it all? Or do I really kind of have to piecemeal it, you know, and follow the checklist to stay up to, you know, to stay with good cyber hygiene.

Megan Stifel
I think it depends on how many apps you have going. So if you are a fairly minimalist. People do recommend Chromebooks. Google keeps the Chromebook the operating system, which it updates regularly, there are separate issues you need to consider about what Google does with the data that it derives from your use of the Chromebook. And so looking at the fine print carefully is something I would also recommend. But I think the baseline of just using an antivirus is good, but not good enough. And so if you think about it, I mentioned that there are six toolboxes in our small business toolkit, it’s automatically updating software, automatically backing up software, complex passwords, multi-factor authentication, and secure browsing. So that’s where this protected DNS, the 9.9.9.9, if you type it in your browser, you’ll end up at the, at the website is our the source, you can count them on your hand, it’s not too many things, it can seem overwhelming, but it really is not, as I mentioned a couple minutes ago, set it and forget it. Almost, not quite, we don’t want to totally forget to make sure that if we do see something, you know, a mole on our skin, we need to go check it out. If something seems out of whack, you know, I wouldn’t also you know, one of the other things is to never ignore the possibility that something could be up if you’re getting lots of phone calls, or lots of emails from individuals or addresses that you’re not familiar with, it’s probably a cue that you’ve got somebody who’s got their eyes on you and not to be scared, but to just, you know, have your defenses up.

Erik Flegal
Super! That’s helpful, I’ve always thought that every time my Norton comes up, and like how much can I trust this guy? How much is he going to do? So it’s good, I like the toolbox because it is very simple. I think once you go through it, maybe the first time you go through, you kind of have to learn a little bit, but then it becomes super easy after the fact. Well, thank you very much, Megan. I really appreciate your time. Always informative, and I’ll definitely put the links out for people to read. I know they can listen to this, but then also if they go to the actual transcript, they’ll have a chance to see the website and everything else. So thank you very much for all you do. I really appreciate it. I appreciate your time.

Megan Stifel
Thanks for the opportunity!

Erik Flegal
Absolutely.

Megan Stifel
Have a good afternoon.

Erik Flegal
You too, bye.
