Recap of Season 1 - Receipts from The Tea on Cybersecurity
Jara Rowe: Gather around as we spill the tea on cybersecurity. We are talking about the topic in a way that everyone can understand. I'm your host Jara Rowe, giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. We did it. We made it to the end of season one of The Tea on Cybersecurity. I don't know about you, but I don't find cybersecurity as daunting as I once did. As season one of The Tea on Cybersecurity wraps, I am coming to you with the ultimate receipt because you know we spilled the Tea, so we have to come up with receipts. And in The Tea on Cybersecurity, our receipts are our main takeaways, and there are a lot of things that came out through all of my episodes with each guest. So during this mega ultimate receipt, I will be breaking everything down to what, why, how, and when. We will talk about what is cybersecurity, why it is important, how it should be implemented, which things that you can do to keep yourself secure and when you should take cybersecurity seriously. Hint, hint, it's from day one. All right, let's dive in. So before we define what cybersecurity is, Rob actually talked to me about the fact that cybersecurity just seems scary to people because they're unfamiliar with it. It just takes a little education. So let's listen to what Rob had to say about that.
Rob: When people don't understand a problem, it's really hard for them to fix it. People may go, well, I don't get this. I'm going to ignore it and hope it goes away or hope it never happens to me. And that can be a really costly mistake. Think about how much more comfortable people are talking about computers since they carry one with them all the time. This will happen with cyber as well, though we feel it's really critical for the industry to keep focusing on simplifying, bring that terminology down to the masses.
Jara Rowe: What Rob said totally made sense to me because there are several topics that I'm not all that familiar with, but the more I was able to learn about it, it wasn't as daunting. Like say math. Now, what is cybersecurity? One of the things that I took away, my definition is ultimately cybersecurity is just about protecting data held on any device. But I will say that Jim did a great job at explaining this to me, and he was even able to explain and relate cyber crime to a burglary, which helped me a lot. Let's hear what Jim had to say.
Jim: Very often I talk about an analogy of a jewelry store or something like this. In this case, the asset that we're really trying to protect, it's not the cyber device, it's not the laptop, it's not the phone, it's the data that one can get to through that. So you have to look at the computer or the phone as almost like an unlocked door. If you go back to physical crime, burglary, that kind of thing, they wanted to break into a brick and mortar store. What would they do? They would look for an unlocked door. And so what we're saying is when you have an electronic device, be it a phone, be it a Ring camera, be it a laptop, what have you, you have to look at that as potentially an unlocked door into the true asset, the true thing you're really trying to protect, and that's your personal data, your financial data. If you're a working person, the data of the company that you work for, the data of your customers.
Jara Rowe: So another receipt I took away just about what cybersecurity is just simply about how everything is connected. I think we understand that concept, but who really thinks about it? So I think about everything that's connected to my personal wifi from my work laptop, since I work from home the majority of the time, my cell phone, my doorbell, my TV. Everything is connected through the wifi. So if someone was able to hack into one device, they pretty much have access to all of my devices, which is relatively scary. Before I talk too much, I want to share Jim's take on why cybersecurity is important.
Jim: The reason why cybersecurity is so broad now, basically it says anything that has a computer chip in it is potentially in that realm of cybersecurity. Unfortunately, people hear the word cybersecurity and they immediately shut down and they think, well, this is way complicated. I'm not that smart. I couldn't possibly do this. And so they bury their heads in the sand and then they also say, well, I don't have anything worthwhile on my computer, et cetera. I really don't have to worry about this. And nothing could be farther from the truth. All right? In fact, you do have valuable things on your electronic devices and you can be more secure than you are.
Jara Rowe: So cybersecurity really does affect us all every day. Like I mentioned, all of my devices that are connected to the wifi. But let's dive into talking about cybersecurity in the business sense. So when it comes to running a business, cybersecurity can truly make or break your company. It's essential that your product is secure, especially if you're like a SaaS company. But cybersecurity should be about more than just your product. It should be about your organization as a whole because it affects everything. And Jake actually opened up to me a lot about this, and I found it all extremely insightful. Let's listen.
Jake: We don't just focus on the product, which is something I think specialists as an engineering and development partner. We also focus on the organization. So a lot of times I'll see founders that will think, I just need two developers and we're going to go hands on keyboard. In reality, you're not just building a product, you're building an organization. And think about what would your processes be? What would your policies be? How are you going to introduce your team to security? You really need to have a roadmap to get there. So don't wait until you're year in to figure out what those things are. All those things matter way upfront. Don't forget that you're building an organization, not just a product.
Jara Rowe: I definitely think as business owners, you're always looking for ways to get ahead of your competition. And for B2B companies, cybersecurity is honestly a competitive edge. This was something that never really stuck out to me until I talked to Adam from Casted about this. So let's tune in to what he had to say.
Adam: I think we really knew from the beginning that cybersecurity and risk management was going to be critical to us to gain favor in the enterprise space, but it's also part of who we are as a culture and a company. Casted positions itself pretty uniquely. And as you work with enterprise customers, it's of course really critical to them. They have millions of users and millions of data points, and when we become a part of their tech chain, we don't want to be the weakest link. And so in order for us to have a go-to-market opportunity, we need to make sure that we can demonstrate some competencies to help them feel comfortable.
Jara Rowe: So after listening to Adam talk about that, I was definitely able to relay as a consumer. I'm much more likely to do business with someone that could prove to me that my data, the information that I give them is secure over a company that cannot. So another major receipt that I have is actually from cyber insurance. We should all be prepared when it comes to cybersecurity, but honestly, no matter how much you prepare, there are mistakes that can be made. But as a business owner or working for a company, how do you overcome this? And cyber insurance is what can help you. Shay educated me on the importance of cyber insurance. So let's listen to what Shay had to say.
Shay: Every company should be buying a cyber insurance policy today. It is for any company that has any type of technology. And again, people think they don't have technology, but actually when you look at it and you scratch under the surface and you do a little questioning, they realize they're doing emails all the time with transferring funds or transferring customer accounts or whatever, and the hackers are very clever. They can figure out ways to get that information from your email system and get your account number or get an invoice and change the account number without you knowing about it. There's all sorts of exposures that are out there. It's just so ubiquitous this risk, and the hackers have learned to make money on it and they want to make more money. They want to find more victims. And so really it's not a matter of if they need it, it's a matter of when they need it.
Jara Rowe: So in this ultimate receipt so far, we have talked about the what and the why. So let's get into the how. How can we keep ourselves as secure as possible? One thing that came up, I mentioned it briefly earlier, is just education because you don't want to be phished or you don't want to be the person at your company that gets phished. And Rob talked to me about what phishing is, so let's listen.
Rob: So phishing is a form of a cyber attack, and this is where those bad guys that we love to hate try to get sensitive information from you generally by posing as somebody that you know or trust. So a common scenario is a hacker will send an email and make it look like it's coming from somebody you know, and they'll generally instruct you to click on a link that they include in that email, a link or a button or something. And you click on that, that takes you to a website that they own that maybe looks very similar or it looks like a trusted site. It looks like something you've been to before and prompt you for sensitive information. How do you prevent users from being the victim of a phishing attack? There's a couple important things you can do. One is you can install an email filtering system, referred to as an email gateway, that all your emails will pass through and you can use those systems to try to pare down what messages get through, or we can detect messages that are obviously bad or coming from known bad sources. So that's one thing that really all companies should do. Another, and maybe the most important thing since this is all about people, is training. It's often referred to as security awareness training. Training people to know the common signs of a phishing message, to know how to detect that something isn't coming from who you think it is, how to avoid clicking on links that can get you in trouble. Maybe the most important thing that a company can do to prevent from a phish attack.
Jara Rowe: Phishing, it's honestly one of the easiest ways to get people. And I've actually worked at a company where someone was phished and clicked on that horrible link in the email and I never understood if they were reprimanded in any way. They definitely still worked at the company, but I didn't know what happened. So one of my burning questions has always been, who's at fault if something were to happen? And this topic, Scott joined me and talked to me about who's at fault if something were to happen.
Scott: In a general cyber attack, they happen a lot anyways, and it's difficult to stop every breach. There will be breaches if you're a big enough target. So I wouldn't even say who's to blame is the attacker. But the idea is a layered approach so that when somebody does get in, they can't do much from there, or if they do, if anything is broken, we can fix it quickly. So I mean blame is just life, but we can always improve our security. If we lose our most important assets, we blame ourselves because we should be protecting our most important assets more than our less important access. They should get the most attention.
Jara Rowe: Speaking of attacks, Jim mentioned to me an attack that I had never heard of and it honestly seems so innocent from an outsider, which makes it extremely terrifying. This attack is called watering hole. Let's learn about it.
Jim: Another one that I've seen before is something called a watering hole attack. Let's just assume that this company really didn't have any data that was of particular interest or value, but they've got a website and a lot of people come to that website and that website itself isn't secure. So what the cyber criminal does is he launches what's called a watering hole attack. And so he puts malicious software on this company's website. And then maybe it's a TV news station as an example, and somebody wants to check the weather or the news, and so they go to this TV news station. It's not connected to any data, but unfortunately there's an invisible malicious piece of software when they go to check the weather, that malicious software gets automatically downloaded onto their computer, they happen to work for a bank. And all of a sudden, yeah, the TV station didn't have any data worth protecting, but this person who logged in from a bank computer now has this malicious software that came from the cyber criminal.
Jara Rowe: Let's stay vigilant friends. So those are all things that we need to know about how to protect ourselves. But now let's get into what we need to do to protect ourselves. And one thing that I learned, I honestly need to be better about, is keeping all of my devices updated because not only do cool features come in with software updates, but important cybersecurity updates come in as well. So Jim and Marie both talk to me about this. Let's tune in to what they had to say.
Jim: If you have a laptop, it has a thing called an operating system, and chances are you're getting messages. If your operating system hasn't been updated, we use the word patch, take the time to patch your operating system. As each new attack on an operating system comes out, the vendors of those operating systems will provide patches. And so you have, it's kind of a one step behind catch game, but that doesn't mean you shouldn't do it, you really should do it.
Marie: You probably see often technology constantly changing, like your phone is constantly changing. Every year there's a new one. So as that changes, the security that protects those devices also has to change. You see that grow and evolve as technology does and as that's also changing, hackers are also evolving. So that's why it becomes so important for you to secure your devices and anything that you store on anything digital like anything is technology these days.
Jara Rowe: So I promise to all of you listeners, I personally will do better at keeping all of my devices and software updated. Another main receipt that came in through almost every single episode was passwords. Honestly, something else I'm guilty about not doing a great job at keeping up with. But passwords are super important. So when it comes to passwords, there are two things that have stuck out to me is that, one, password managers are lifesavers. So if you don't have one, get one. And two, which is one of the main things is about multi-factor authentication. So anytime you have an account that you can activate or flip the switch to turn on multifactor authentication, also known as MFA, do that. Let's listen to Jim and then Scott chat with me about the importance of MFA.
Jim: If folks don't have multifactor authentication, that's probably the single most effective technical additional tool they can put in place to prevent a ransomware attack. Because ransomware, at least right now, they may know your password, but if getting into that account also requires you to get an authentication code on your cell phone or an authentication on an authenticator app, the ransomware perpetrator isn't going to have access to your cell phone.
Scott: The simplest easy one is multi-factor authentication where it's ensuring that anyone who logs in passes that second factor and requiring that you have two keys really.
Jara Rowe: So now that we have a better understanding of passwords and MFA, let's dive back into more business related cybersecurity. And one of those things I would like to talk about that I actually learned a lot about is SOC 2. Marie did a great job at explaining to me, and I hope you other listeners about what SOC 2 is and why it's important. And I will say that SOC 2 actually was a term that I had heard before starting at Trava, but I never took the time to ask questions about what it is or why it's important. But my girl, Marie, was able to break it down extremely well for me and I hope for you as well. Let's refresh our memories with what she said.
Marie: It's a service organization control two. So SOC 2, it gives regulation and standards by a third party, and it gives us standards mainly for security. And I guess the best way to put it is that you're putting the pieces together to build some sort of program that will give other companies that satisfaction that you're doing something in regard to security. So a lot of these certifications, it gives them that reassurance that they have something there because when the data start crossing, that's your own customer's data and that's a lot of liability for them. And that's where a lot of cases, people could lose a lot of money and damage their reputation.
Jara Rowe: So we've gone over the what, the why and the how. So that leaves us with when. We're now in our final section of the mega receipt when it comes to the when. And as a business owner or founder, a cybersecurity program should be started from day one. Take it from the experts, Marie and Jake.
Marie: So the sooner you start in implementing the controls, the better. And then also typically price-wise, slowly implementing those controls usually tends to look prettier as well. Start now, it's never too early.
Jake: So it's important to build your privacy, security, and compliance programs in early on because there's an expectation in the market, especially for enterprise grade SaaS companies that are working with let's say hospital systems. You have these big clients that you're trying to get into upfront, and there's just that expectation that you have at least started to take those programs seriously.
Jara Rowe: So one of the other receipts that I also took away was from Marie talking about how cybersecurity is really a team effort, and I couldn't agree more. Let's listen to what she had to say.
Marie: A great security program is all about the people. So it is a team effort at your company and every person at your company needs to take it seriously for it to be really successful. You often hear that humans are your weakest link, but with the right training and culture around your company, I think they can also be your strongest link as well. And I think that's just something important to think about.
Jara Rowe: With that, we wrapped season one of The Tea on Cybersecurity. It has been an honor to host this podcast and be able to ask the questions about cybersecurity that not only helped me, but I hope helped some of you as well. We don't have to be cybersecurity experts because there are other people here to help us. We just have to ask. So as I gear up for season two, and if you have any other questions you would like for me to ask, slide to my DMs and I will get some of those answers for you. And as I mentioned, there is a season two of The Tea on Cybersecurity coming, so please subscribe on your favorite podcasting platform as I continue to help cybersecurity noobs like myself, understand the industry a little more. Thanks for tuning in to The Tea on Cybersecurity. If you like what you listened to, I would be greatly appreciative if you could leave me a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.
DESCRIPTION
We did it! We made it to the end of season 1 of The Tea on Cybersecurity.
So we’ve spilled the tea on a lot of cybersecurity in Season 1, but now it’s time for some mega receipts. Podcast host, Jara Rowe, breaks down what past guests have shared with listeners that are essential to keep in mind - what cybersecurity truly means, why it’s important, how it should be implemented, and when you should take it seriously. Listen in as she shares the top key takeaways that all of us need to know in order to be as safe as possible with our technology.
What you’ll learn in this episode:
- When you ignore a cyber problem because you don’t understand it, it can become a very costly mistake. Rob Beeler says it’s critical for us to continually educate ourselves in the cybersecurity space to avoid these mishaps.
- What is the asset that we're really trying to protect with cybersecurity? It's not the cyber device, it's not the laptop, it's not the phone. It's the data that one can get to through those things.
- Cybersecurity can make or break your company. Jake Miller says it should be about more than just your product. It should be about your organization as a whole because it affects everything. Develop a roadmap!
- Cybersecurity is important for a business, but no matter how much you prepare, there are mistakes that can be made. So how can a business overcome this? Cyber insurance.
Things to listen for:
[01:27] How to avoid the costly mistake of cybersecurity mishaps
[02:28] An explanation, in detail, of what cybersecurity is
[04:45] Why cybersecurity is important
[05:46] Cybersecurity in the business realm and why it’s essential
[07:03] Cybersecurity can boost your B2B company’s competitive edge
[08:13] The importance of cyber insurance and what it entails
[09:34] How to keep ourselves as secure as possible
[11:56] Who’s at fault when a cybersecurity attack happens
[12:52] Watering Hole cyber attacks
[15:59] The importance of passwords for cybersecurity
[17:46] Breaking down what SOC 2 is
[19:00] When the right time is to start your cybersecurity program
Connect with the Guests:
Rob Beeler - https://www.linkedin.com/in/rob-beeler-945ab33/
Jake Miller - https://www.linkedin.com/in/jakemillerindy/
Jim Goldman - https://www.linkedin.com/in/jigoldman/
Adam Patarino - https://www.linkedin.com/in/adampatarino/
Shea McNamara - https://www.linkedin.com/in/sheamcnamara/
Scott Schlimmer - https://www.linkedin.com/in/cybersecurityintelligencecia/
Marie Joseph - https://www.linkedin.com/in/marie-joseph-a81394143/
Connect with the Host: Jara Rowe’s LinkedIn - https://www.linkedin.com/in/jararowe/