What will 2023 Bring in Cybersecurity? Predictions with Jim Goldman, CEO and Co-Founder of Trava Security
Jara Rowe: Gather around as we spill the tea on cybersecurity. We're talking about the topic in a way that everyone can understand. I'm your host Jara Rowe, giving you just what you need. This is the Tea On Cybersecurity, a podcast from Trava. What is being predicted for cybersecurity in 2023? Hey, there. You're tuning in to Episode Seven of the Tea On Cybersecurity. Cybersecurity is one of those industries that is truly ever changing, for many reasons. Through hosting this podcast, I have learned that many of those reasons include new technologies or those cyber criminals evolving and finding new ways to infiltrate. But through learning all this information about cybersecurity, it has really got me wondering, what does cybersecurity actually look like in 2023? During this episode of the Tea On Cybersecurity, we will be talking to Trava's CEO and co-founder Jim Goldman on his 2023 cybersecurity predictions plus more information.
Jim Goldman: Thanks, Jara. I'm so happy to be here.
Jara Rowe: I am happy that you're here as well. So for those that may be tuning in for the first time, can you just give a brief intro of yourself?
Jim Goldman: Brief, huh? Okay. So, yeah, it's hard to compress 30 years in cybersecurity briefly, but in a nutshell, I've been at this a long time, almost since there's been a cybersecurity or a network security. Started in cyber forensics and reverse engineering malware. Spent some time with the FBI as a task force officer with the FBI Cyber Crime Task Force. And then went back to industry, worked for ExactTarget here in Indianapolis as their first Vice President of Information Security, and probably spent the next 15 years or so in what's called security governance, risk management, and compliance for both ExactTarget and then eventually Salesforce. And putting those three things together, security governance, risk management, and compliance, it's full circle. You do the right things, you see where your vulnerabilities are, where your risks are, you do the right things to mitigate those risks, and then you gather evidence and you confirm that those risks are properly mitigated, and you document those and you have a third party auditor come in and confirm that you're doing them correctly. And that's the compliance part. And that way if you've got customers or whatever, they don't have to just take your word for it. There's an independent third party that's saying, "Yeah, this organization is actually doing what they claim they're doing."
Jara Rowe: Awesome. So in other words, you are a cybersecurity expert.
Jim Goldman: One never wants to claim that, but, yes.
Jara Rowe: I think so. So before we jump into your cybersecurity 2023 predictions, there is a new term that I have seen a lot of places that I am just not familiar with at all and I honestly don't know the hype around this term. And that is ChatGPT.
Jim Goldman: Right.
Jara Rowe: So what is that?
Jim Goldman: So it's really a new artificial intelligence application. And in some ways artificial intelligence is nothing new, and it's almost misnamed in that there's really not all that much artificial about it in that what it is you're taking human knowledge and then you're applying computing power to a massive amount of human knowledge and having really the computer sort of digest that and produce the desired results based on all the human knowledge that's been put into the computer. So it's not a science fiction movie where the computers are literally thinking on their own, but it could seem that way or one could try to lead people to believe that's going on. But that's not really what's going on. And so what happens is it's a very advanced artificial intelligence application that you can ask to do certain tasks. You could ask it to write a poem, you could ask it to write an email. And like any technology, it's all about in whose hands you put that technology and what are the motivations of that individual. Good and evil is a relative term that people could argue about all day long, but ChatGPT is no different in that one can use it for good or one can use it for evil or not so good. And so the concern is that this could be because one of the things it can do is it can write computer code, at least some level of computer code. And so the concern is that this ChatGPT could be used to write malware, ransomware, et cetera. What that does is it potentially opens up your capability to launch ransomware attacks to a wider audience. Now, we could argue about how much of a wider audience it really opens the situation up to, because for some time there's been something that we call the ransomware economy. In that it's important to understand that every ransomware attack that was launched was not launched by a misguided but brilliant software engineer literally writing the attack him or herself. 
In other words, ransomware has been out there on what's called the dark web or the black web or whatever you want to call it for some time. And so people have been able to purchase ransomware and they purchase space on service to run it on, et cetera, et cetera for some time. There's a whole ransomware economy that's been around for a long time. So in some ways, it's not like ChatGPT is this whole new thing that took ransomware from the individual attack to the democratization of ransomware, because the ransomware economy has been around for quite some time.
Jara Rowe: So just to reiterate, to make sure I understand why ChatGPT is relevant to cybersecurity is that the AI is able to write potential code for cyberattacks like ransomware.
Jim Goldman: Yep.
Jara Rowe: Okay.
Jim Goldman: That's exactly right. Yep.
Jara Rowe: So terrifying. Okay, so let's talk about some other trends or terms that you think will pop up in 2023 before we get into your actual predictions.
Jim Goldman: Sure. One of the terms or trends that I've heard and that I've seen, and it's almost like a misconception or a misguided perception if you want to look at it that way, is many, many companies these days, for very good reasons, don't develop their own applications anymore. There are so many good SaaS applications out there. And so then when they want to have a talk with their customers internally about how secure are you, they say, "We don't have any problem at all because we're 100% SaaS. We only use other companies' cloud-based applications to run our business." And there's almost like an implication that therefore, we don't have to look into it any further than that. We're 100% secure. That's a bad assumption. It's sort of like therein lies the fallacy right there, because these days there's more and more of an emphasis on what's called vendor risk management, third party risk management, service provider risk management. It's who are these SaaS providers that you're using, whose applications you're using to run your business, and how secure are they and how secure are those applications? It's almost like there's still a naivete out there about that. And I don't mean to make this sound condemning, but there's a lack of responsibility being taken on the part of the businesses using those SaaS applications to actually ask questions and assure that those applications are secure, especially if they're putting their customers' information on them. It's too easy to say, "That's not my problem because I use such and such SaaS application."
Jara Rowe: And that's not true, right, depending on the company? Like you were saying, you take on those issues and openings and things like that. Correct?
Jim Goldman: Absolutely right. It's like the moment you accept data from a customer, you have to stop thinking of data as almost like an inanimate object. And if they're giving you their child to take care of, you are responsible for that child, right?
Jara Rowe: Right.
Jim Goldman: You can't say, "It's not my responsibility because I hired somebody else or whatever." No, no. It's like as soon as they hand over their data to you, at that point, you are responsible for the security of that data, whether it's in an application you designed and you host, or whether you were using this function from this application and this other function from this other application over here. And then we are hosting all that on some cloud environment somewhere. That's why with our customers, we continue to stress the importance of doing scans on your cloud environment. So again, people have this naivete, they say, "Everything's on AWS or Azure or GCP, and we know they're secure." And that's true. However, the part that gets overlooked is they're only as secure as the configuration that is the responsibility of the users of those cloud environments.
Jara Rowe: Make sure you're taking it seriously, everyone. All right, so to switch gears just a little bit, and to actually get into your predictions for 2023, can you talk to me about what you think the top three cyber threats will be for the year?
Jim Goldman: Sure. I think we're going to see a resurgence in ransomware. And, again, this is all crystal ball, just based on gut reaction. I think that we're going to see a blurring between ransomware and cyber warfare. The world is in turmoil now. What's going on with Russia and Ukraine and North Korea and Iran and China. And I think more and more cyber platforms, it's like ransomware is almost one weapon in an arsenal of cyber weapons, but the battlefield is cyber if you want to look at it that way. And so I do think that we're going to see an increase in cyber warfare kind of battles including an increase in ransomware. Partly because in some ways this is not a difficult concept to understand, you've got offense and you've got defense. And it's partly because many companies, government agencies, public, private individuals, whatever, they don't take prevention seriously. And it's that old expression, an ounce of prevention is worth a pound of cure. And so they're not willing to invest in that ounce of prevention. And so as a result, we're going to see more and more reactive type of stuff. This hospital gets shut down, this university gets shut down, et cetera, and it's like, "Oh my God, the sky's falling. What are we going to do?" Well, it's like closing the barn door after the horse has gotten out. Not to condemn anybody, I get it, but the time to look into the risks and close the barn door and put a better lock on it is before the horse gets out, not after.
Jara Rowe: Just to reiterate, was that three different ones or are we still just one? Are we still just on ransomware and cyber warfare?
Jim Goldman: So I think it's more ransomware, it's a broadening of ransomware into cyber warfare, and then I think the other one just has to do with this awareness that I was pointing out before, that more companies have to get over the notion that SaaS applications are inherently secure and therefore as long as we're using SaaS applications, we don't need to worry about it. We've already seen examples where a ransomware attack starts at a SaaS application, and then it uses that one entry point to then attack 100 users or 1,000 users of that application. So whatever we want to call that, a multi-tiered ransomware attack, a multi-tiered cyber attack, I think we're going to see more and more of those.
Jara Rowe: Just want to make sure I got all of that. So resurgence of ransomware, which will also just lead into cyber warfare as a whole.
Jim Goldman: More broadly, yeah.
Jara Rowe: And then for people that use SaaS applications, we need to stop assuming that just because we're using them and they're in the cloud, that they're secure and that you should still make sure that measurements are taken to make sure you and your customers are also secure.
Jim Goldman: Exactly. Exactly. If you think about protecting the physical asset, how do you do it? Well, you have multiple locks or you have an outside door and an inside door. Well, it's the same kind of thing in the cyber world. You want to have multiple gateways, multiple places we can stop an attack, closer to the, how do you shut off access from a SaaS application? Have you even thought about that? Do you know how to do that? Et cetera, et cetera. And then where internally do you drop that second door? That kind of thing.
Jara Rowe: Awesome. So we were talking about how small businesses, typically, you don't do all of their own coding because they're partnering.
Jim Goldman: Right.
Jara Rowe: And are customers of SaaS companies. What is one thing that you would predict more small to medium size business would start doing in 2023 and why?
Jim Goldman: Well, what I hope they would do is start with a risk assessment. And this is something that you and I have talked about on other podcasts many times before, that don't go spending money trying to fix things unless you know what the problem is. It's like going to the plumbing department of the hardware store and buying a bunch of stuff, and you don't even know where the leak in your house is coming from. It's not a great analogy, but you get what I'm saying. It's determine exactly where our risks are and then prioritize our spending according to those risks. Because small businesses especially cannot afford to waste money, especially in the current economy. And so they have to take this kind of measured approach and invest wisely. The only way you can invest wisely is to know where your serious cyber risks are and then start to tick down that list. And it's like I always say, Jara, you don't have to be perfectly secure. You just have to be more secure than the next business down.
Jara Rowe: For sure. So in 2023, for small to medium sized businesses that are just starting, or don't even have a cybersecurity program, the one thing that they should do is start with the risk assessment to see where they are vulnerable.
Jim Goldman: Right. 100%.
Jara Rowe: So then on the flip side of that, what is one thing you wish they would just stop doing?
Jim Goldman: Some of it's so old. That's why I start chuckling. It's like stop writing down passwords on post notes and put them-
Jara Rowe: People still need to be reminded of that.
Jim Goldman: Stop using the same password everywhere. That's probably actually the more important one because a lot of the ransomware attacks come from the fact that someone has used the same password on a personal account, on whatever, LinkedIn or something like that. And then that environment, that platform gets attacked, all the data gets exfiltrated, including that person's password on that platform. Well, it turns out that's the same password they use in their business. So now what's the ransomware do? It says, "Okay, I think I know what their account is at their place of business. Let me try this password I already have."
Jara Rowe: Yeah, so if you don't do anything else in 2023, stop writing your passwords down.
Jim Goldman: Stop using the same password all over the place. And then remember to, even though it's a pain, remember to change your passwords frequently. Now, if I was to say one thing in terms of technology investment, everything we've said so far doesn't really cost you anything, except a little bit of time and some brain power. If you want to spend a little bit of money, what would I spend it on? If folks don't have multifactor authentication, that's probably the single most effective technical additional tool they can put in place to prevent a ransomware attack. Because ransomware, at least right now, they may know your password, but if getting into that account also requires you to get an authentication code on your cell phone or an authentication on an authenticator app or something like that, in other words, you need that second factor. The ransomware perpetrator isn't going to have access to your cell phone, hopefully. That's an example of you just made that one degree more difficult to hack into your account as opposed to someone else's.
Jara Rowe: All this information has been extremely helpful, not even just for business owners, but us every day people.
Jim Goldman: Absolutely.
Jara Rowe: As well.
Jim Goldman: Individuals. Yep.
Jara Rowe: Yeah, for sure. So is there anything else that you think we may see more of in 2023?
Jim Goldman: Well, it's interesting what we were just talking about, the point you just made about individuals. It's almost like as businesses get wiser, as businesses start protecting themselves, I think we're going to see more attacks on individuals, especially high net worth individuals. They're going to get attacked in their home accounts.
Jara Rowe: I just finished our training where it was talking about how anything that's connected to the internet pretty much is open access for a cyber criminal to come in. So they're going after those higher individuals. They get in one piece, unfortunately, they can get into all of your technology.
Jim Goldman: Well, that's exactly right. So it's like your refrigerator and your stove are now connected to the internet. Okay. Every one of those connections to the internet, you have to look at an unlocked door.
Jara Rowe: So scary. But through the Tea On Cybersecurity, we are learning ways to not only protect our businesses and our employers, but ourselves as well. So, Jim, I greatly appreciate your knowledge. And listeners, I hope you stay tuned to Trava as we will come back to see if Jim's 2023 predictions come true or not.
Jim Goldman: Hopefully not the bad ones, yeah.
Jara Rowe: Now that we have Jim's 2023 cybersecurity predictions, it's time to go over the receipts. The first one is what is ChatGPT? What I understand about ChatGPT is that it is an AI application that can be used for many things, including writing code, which is what makes it a big deal for cybersecurity because it just all depends on the motivation of the coder or the writer. Are they going to be a good guy or a bad guy? And if they choose to go the bad route and become a cyber criminal, then they open up new attacks for ransomware and things like that. The next receipt is Jim's top three cyber threats in 2023. That includes one, there is going to be a resurgence of ransomware, again due to things like ChatGPT and other things changing in the landscape, which is also going to lead into, two, cyber warfare. With the state of the world, the new ransomware and the resurgence of ransomware is going to lead to more cyber warfare as well. And the third one is that a lot of SaaS companies don't necessarily write all of their own code, but they assume that the company that they are working with is secure. That is not necessarily true. You should still do your due diligence to make sure that your information and your customers' information and data is all safe. So even though you're using a third party that has their own cybersecurity standards and practices in place, you should still do your due diligence to make sure that those actually line up with yours as well. And the final thing is to all of my small and medium sized business owners who are just getting started or don't even necessarily have a cybersecurity program in place in 2023, at least start with a risk assessment, which will help you understand where your potential vulnerabilities lie. Tune back in to Trava to see if Jim's 2023 cybersecurity predictions come true. Thanks for tuning in to the Tea On Cybersecurity.
If you like what you listen to, I would be greatly appreciative if you could leave me a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.
"You don't have to be perfectly secure. You just have to be more secure than the next business."
Jim Goldman has been in the cybersecurity sector for over 30 years—he's seen some things, which made him the perfect person for Jara to speak with about what will be on the horizon in the world of cybersecurity in 2023. In this episode, Jim warns of potentially dangerous trends around AI and cyber-warfare and hits on the importance of prioritizing security. Listen in for tips on what to watch out for as cybercriminals try to up their game and how businesses can become wiser about protecting themselves. And please, change your passwords!
What You’ll Learn:
- How artificial intelligence apps are blurring the lines between ransomware and cyber-warfare
- The importance of vendor risk management and the misconception that SaaS apps are inherently secure
- Why there’s an increased risk of attacks on individuals as businesses become more secure