Cybersecurity in 2024: Trava’s CEO Jim Goldman on What to Expect

Jara Rowe: Gather around as we spill the Tea on Cybersecurity. We are talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is the Tea on Cybersecurity, a podcast from Trava. Welcome to season three of the Tea on Cybersecurity. One thing I know for sure is that something is always happening in the world of cybersecurity, from threats to technologies. So to help us prepare for the ever- changing world, we're looking at what's to come in 2024. Now, I am not the cyber guru, but I do have the questions you want answers to, and I have just the person here to deliver those answers. I'd like to welcome Jim Goldman, Trava's CEO and co- founder. Hi, Jim.

Jim Goldman: Hey, Jara. How are you? Great to be here.

Jara Rowe: I'm great. How are you?

Jim Goldman: Wonderful.

Jara Rowe: All right, so for those people that this may be their first episode they've ever listened to and maybe are unfamiliar with your voice, can you go ahead and introduce yourself?

Jim Goldman: Jim Goldman, CEO, and co- founder of Trava Security.

Jara Rowe: Can you tell a little bit about what Trava does?

Jim Goldman: Trava helps sub- enterprise and mid- market companies, and what we mean by that is companies that don't have their own chief information security officer, don't have their own security and compliance team. We basically are that team for them in terms of both our people and what we call our platform or our product, which basically is a cyber risk management and vulnerability management platform that's specifically designed for people that don't have a deep background in security, engineering, compliance, et cetera.

Jara Rowe: So let's go ahead and jump into the first question, which could be a lofty answer, but can you provide a general overview of the cybersecurity and compliance landscape in 2024?

Jim Goldman: There's almost like a converging of several forces or several trends, if you will, going on right now that I think are going to cause maybe significant changes in 2024. So let me talk about that. One is clearly ransomware. Now, ransomware is not new, but there are things about ransomware that have changed in 2023 and could contribute to something significant in terms of change in 2024. So let me be specific when I talk about that. What we're seeing now is that the perpetrators behind these ransomware attacks are becoming more brazen. What I mean by that, a specific example is they're now shutting down essential services. They're now shutting down healthcare systems, hospitals, et cetera, basic human needs type of things. If you think about that, it's only one step further to trying to shut down water treatment plants, trying to shut down electrocute utilities, trying to shut down transportation systems, air traffic control systems, food, and agriculture, basically the fundamental elements that run our society. That's a very disturbing trend. On the other hand, federal governments across the globe, because this is not just an American problem, federal governments across the globe are starting to recognize that same thing, the depth and the brazenness and the concern of this criminal enterprise. As you're aware, there's been a recent agreement, and we'll see how well it holds up, that 40- ish countries have agreed that they will no longer pay ransomware payments because there's two benefits to the perpetrators. There's the disruption that they cause, and it really is terror if you think about it. I call them cyber terrorists trying to cast a negative dispersion on them. I truly believe this is a form of terrorism. You undermine society's confidence that their life is going to be okay day to day, that they can count on certain things, that the lights will stay on, that if they need a hospital, the hospital's going to be operating, that kind of thing. The cyber terrorists are trying to undermine that confidence in a society. As a result, that's one of the reasons why these countries are getting together because we don't know always who's actually behind it, but then there's also the financial benefit to them, to my point. So there's the disruption to society, and then there's the financial gain. What these 40 countries are trying to do is say, " If we take away the financial gain, somehow lower the incentive of the perpetrators to continue to escalate this, to grow their criminal enterprise." If you want to look at it that way.

Jara Rowe: What are proactive measures that we can take to mitigate these ransomware attacks?

Jim Goldman: That's an interesting thing about it because it sounds like, " Oh my gosh, there's sophisticated and so well funded, and in some ways they're brilliant, etc. How could I ever protect myself against that?" And the irony is, in many cases, it actually doesn't take that much to protect yourself. And as we've said on previous podcasts, one of the best ways for any organization is to implement what's called multifactor authentication across the enterprise. Multifactor authentication means something more than just a password, and there's many ways you can do that. Now, the problem with that, or in practical terms, is it's got to be on 100% of your systems because these people are smart. If you have it on 98 or 99% of your systems, they're going to find the 1% where it's not turned on, even if it's some back door to your HVAC control system. That's how they're going to get in. As I've said on previous podcasts, cyber criminals are no different than other criminals in some respects. They're going to find the one unlocked door. They're going to jiggle every door handle. If it's locked, they're going to move on, but they're going to find the one unlocked door.

Jara Rowe: I've learned from hosting all of these episodes that MFA is important, and just a couple of weeks ago actually every program or account that I have that I did not have that enabled, I did because I felt like that was just the easiest way.

Jim Goldman: It takes you a couple of minutes to get it done, but then once it's done, " Oh, all my doors are locked, all my windows are locked." As you've learned in information security or incident detection and response, there are stages. The best thing is to prevent. If you can't prevent and it happens, you have to be able to respond and recover. Let's talk about recover for a second. Again, fairly easy is have a very good backup and recovery, not just the plan but the technology. If you needed to, you could fully recover all of your data and all of your systems. And there again, what a lot of companies do is they brush it off. They say, " Yeah, well, we're backed up. I know we're backed up. Have you ever tried to recover?" No. What we do with our customers is we do business continuity and disaster recovery tabletop exercises at least once a year where you actually do test because what happens is through no one's fault, recovery's always a little bit more complicated than you think it's going to be. The systems that you think are going to be up to assist you in your recovery, in fact, aren't up. That's why the tabletop exercises are so important. So someone said to me, " Jim, I can only do two things to prevent ransomware." What are the two things going to be? It'd be multifactor authentication on the prevention side and backup and tested like legitimate backup and recovery on the recovery side.

Jara Rowe: Any other things in cyber security in particular that we should be keeping our eyes on in the new year?

Jim Goldman: I think the third vector in that same area is what's going to happen with cyber insurance because cyber insurance companies when companies have cyber insurance and have a ransomware attack, assuming that they filled out the application truthfully. And the policy that they got was clear as to what their coverages were going to be. Those insurance companies are going to have to pay pretty hefty payouts for the different recovery services. That's why you have insurance, right. If you have a claim, you expect to be made whole by the insurance policy. In this case, cyber insurance. Insurance companies are not in the business of losing money. They're going to slowly do things so that they have fewer claims, and so there's another pressure on industry in general, do the things that the insurance companies think will lead to fewer claims. All of these forces are converging to say, " In general, companies have to get their... regardless of size, regardless of whether they're public or not, doesn't matter everybody, every company's going to have to get their act more together when it comes to cybersecurity."

Jara Rowe: Trying to shift gears just a little bit, what's new in 2024 when it comes to compliance? Are we seeing any changes in frameworks or anything else?

Jim Goldman: I just mentioned the public versus private company, and so the Security and Exchange Commission just earlier this month published their final directive. Now, understand this is just for publicly held companies. That's where it'll start, and then it'll be all companies, and so the SEC published a directive. It's really two things, and in some ways, it's written backwards, and I'll tell you what I mean by that. So it starts off with kind of more specific directives about breach disclosure with specific timelines, et cetera, et cetera. If a company were to have a breach and they're a publicly held company, there's very specific directives in there about how they have to report that incident. What's interesting, and why I said it was kind of backwards, is it then goes on to say, " And you need to be able to legitimately document and describe your cyber risk management program." I say it's backwards because I think the legitimate cyber risk management program is the umbrella. That's what you ought to talk about first, and then, " Oh, by the way, underneath that, you have your policies and procedures in regard to incident detection response and reporting." If every public company is now having to abide by the exact same rules, wow, that's a big swath of industry if you think about it. So a big swath of industry is now going to be forced to do things in a consistent manner. That's a good thing. That's a big step because I think what'll happen is there'll be some kind of trickle- down, and it won't matter whether you're public or private. You're going to have to follow these rules. The other pressure for change for improvement in cybersecurity comes within the business enterprise. What I mean by that is instead of coming from a regulatory organization like the Security Exchange Commission, it comes from a company's customers or potential customers. All companies having to be more cautious. There, again, let's say I'm not a public company, but I'm trying to sell to public companies. That public company is now under these SEC regulations oversight, et cetera. Chances are they're going to start to be more careful, more prescriptive with their vendors that they buy software or whatever from to say, " We now have some higher cybersecurity expectations of the vendors from who we buy software." And so that's where, again, they're going to say, " At a minimum, you have to be SOC 2 compliant, or you have to have an ISO 27001 certification." The US government has been ahead of the curve on this a little bit in that they've had certifications for companies that they want to buy software cloud services from for some time. That's the FedRAMP certifications. And then the Department of Defense, specifically for all of their vendors, has adapted FedRAMP to what we call CMMC. We're helping some of our customers now become CMMC compliant.

Jara Rowe: Jim, you've mentioned tabletop exercises a few times, and that's actually a term that we haven't had on the podcast just yet. We do have an episode completely dedicated to that coming soon, but can you just give the listeners a brief understanding of what those are or what happened during them?

Jim Goldman: I'd be glad to, and I'm thrilled to hear we're going to do an episode on that because it's something that is often overlooked, or people have a misconception over it. Is it a waste of time? Is it too complicated? It's almost like they look for reasons not to do it. Now, it is, in fact, a requirement if you want to get that SOC 2 certification or the ISO 27001 certification, but as we tell all of our customers, that shouldn't be the only reason you do it. Everybody should do it regardless of whether you're going for certification or not. And so to answer your question about what is it. At the simplest level, the way I usually describe it is we're going to go through this in a calm and non- pressure kind of way so that if and when you actually have to go through this in real life, you'll have almost the muscle memory having gone through it before you got through it before you know what to expect, and so the anxiety level comes down because you've already gone through this one or more times done the process improvement, improved your documentation, who needs to be on the call, what everybody's role is, etc. So it's almost like dress rehearsal for a play or an orchestra rehearsing before a big performance. That's all it is. It's a dress rehearsal.

Jara Rowe: So tabletop exercises are a dress rehearsal for if something were to happen, how it would be handled.

Jim Goldman: And the idea is every company starts out, we help them with this, with some level of documentation, whether it's on the system recovery for the BCDR or how do we handle an incident for the incident detection. But inevitably, by going through one of these tabletop exercises, you find where the holes are. But to my earlier point, especially with incident response, the secondary benefit is, by having the CEO on the call, all of a sudden, it's like the light bulb goes off in his or her mind, and it's, " Wow, this is important stuff."

Jara Rowe: Jim, so you've talked a little bit about, not a little bit, actually a lot about ransomware. That was definitely a threat that we should be on top of our minds in 2024, but are there any other cybersecurity threats you think will be on the rise or that we should be looking out for in 2024?

Jim Goldman: It's almost like ransomware is the end result of a lot of possible other kind of trends, but that's where it all ends up. What are the other things we could do to prevent a ransomware attack? And it goes back to what I was saying before about cyber criminals are always looking for openings. So besides not have an MFA enabled, another vulnerability, if you will, another unlocked door is that people's laptops, which, by the way, is now the edge of the network. In many cases, there's no such thing as a corporate network anymore with work from home. The edge of the corporate network is Jim's laptop running off his home internet. What that means is that you can't really protect the network as much as you used to with corporate firewalls and so forth. Now, Jim's laptop better be super secure because that's the entry point or the gateway into Trava's network, into Trava's platform, et cetera. Often overlooked is, " Okay, how secure are your employees or your contractors?" This gets tricky, your contractor's laptops. Why? Because chances are your contractor's laptops are their property, not company property. At the same time, if they're vulnerable or they're working for multiple different companies, et cetera. Very tricky, very scary, very dangerous. We spend a lot of time on two things. One is only having company- owned laptops or laptops that the contractors have agreed we can control, monitor, et cetera. And so we have to have a standard configuration on there, knowing that the software on those laptops is properly patched and knowing that random software that may have vulnerabilities can't be downloaded onto that. So it's almost an insurance policy of sorts internally because everything's very predictable. You want to eliminate the unknowns. Standard configuration on all the laptops. Everything's being monitored. We know that everything's ship- shaped, just where it needs to be, that kind of thing.

Jara Rowe: I feel like some people would be very upset with me if I didn't ask anything about AI in particular.

Jim Goldman: Is it scary? Yeah, you're darn right is scary in so many ways, and let's start with the data level because AI is nothing but like a layer of, I'll use the word intelligence in air quotes because it's not really intelligence, but it's just an application, if you will, over data. The scary part is it presents that data as fact, but as we all know, the underlying data is we don't know the quality. We don't know the veracity. We don't know the truthfulness, et cetera. My concern is really at the data level. A big thing that has been a concern of mine for many years that I've worked on at different companies is data risk management, which is different than cyber risk management. inaudible stop and think about it. Data over the years in corporations has not been well organized, and so there's this movement called data management. There's a DMM maturity model. This has led to the rise of chief data officers whose job it is to consolidate, build a data catalog, et cetera, build data management processes so that you don't have random pockets of redundant or data that disagrees with each other all over the corporation, that kind of thing, because if you throw AI on top of data that doesn't agree with each other, it's the old, like we used to say back in the day, garbage in, garbage out. That's the one thing. The other kind of moral issue around AI, which is somewhat more scary, is technology in and of itself is agnostic. It's not good or evil. It's a tool. But it is the motivation and the moral fabric of the people that use that tool that determine what the outcome could be. AI be used for good? Absolutely. Could it be used for evil? Absolutely. How can the average person determine the legitimacy of something? Is this real? Is this AI- generated? I don't know. Many new technologies we're now trying to catch up in terms of how should we control this. How should it be regulated? How should it be legislated, et cetera? No one wants more government intervention, but at the same time, if industry can't come together and regulate this thing, then government has no choice but to be involved.

Jara Rowe: AI, it's great, but it's also terrifying, at the same time, like you were saying. All right, Jim, so what advice do you have for organizations to stay agile and resilient in the face of all of these evolving threats in 2024?

Jim Goldman: I guess it almost comes back to where we started with what Trava is all about, and I don't mean to make this sound like a shameless plug, but if you are a company that's fortunate enough to be large enough that you have a chief information security officer, you have a security and compliance team, then certainly part of their job is to be aware of what's going on, staying abreast of trends and responding accordingly. As a matter of fact, interestingly enough, that is a required process or control that you have to provide evidence for in order to get ISO 27001 certified. You have to show that your people are staying abreast of what's going on, staying abreast of trends. You're in touch with the proper authorities on an ongoing basis to know what's going on in order to reassess your risk on an ongoing basis and then respond. If you don't have the capability to do that in- house, whether you're trying to go for an ISO certification or not, it's the right thing to do. I used to be a Boy Scout, so it's the old, " Be prepared, be prepared." If you're not blessed to have that capability, then you really have to find someone like Trava to be able to help you do that on your own.

Jara Rowe: So if someone didn't have necessarily a Trava, what are some resources that you would recommend for people just to stay up to date with cybersecurity and compliance?

Jim Goldman: Believe it or not, I imagine most of our audiences in the United States, although not exclusively, there's an organization called CISA, C- I- S-A, that puts out frequent bulletins and advisories on things to be aware of. That's what I would do is I would find some of these. And the reason why I say the government is they're not trying to sell you a product. There are many vendors out there that provide good information, but you have to understand they're trying to get you to buy their product. That's not to say that the information they're providing is an objective or legitimate. But just you have to understand the motivation, whereas the government advisories tend to be just objective, factual, etc.

Jara Rowe: You've definitely provided me with so much information, and I hope the listeners got as much out of it as I did, but before I let you go, is there anything else you would like to point out about cybersecurity and or compliance?

Jim Goldman: The last thing I would say, Jara, is something that we said a couple of questions ago, which is, don't bury your head in the sand. This is not going to go away, and saying things like, " I'm just a small company, no one's going to hack me. I don't have anything. They'd be interested in." A, it's not naive, but maybe more importantly, it's not true. It's like, in this day and age, everybody has to accept the reality that they are a potential victim of cybercrime. Their company could and will be put out of business. People will lose their jobs. You may be devastated personally if your personal finances are tied up in your company, etc. It doesn't have to be difficult. It is understandable. It is a problem that can be solved with help from Trava or somebody else, but the worst thing you can do is bury your head in the sand and think it's not going to happen to you.

Jara Rowe: Definitely. That is great advice to end this first episode on. Thanks so much, Jim. Now that we've spilled the tea on what's to come for cybersecurity in 2024, it's time to go over the receipts. The biggest thing I took away from Jim during this conversation is that ransomware is alive and well. So much so that federal governments across the globe are banding together to agree to stop paying the ransoms. One of the only ways to keep the bad guys away is to stop their payments. Jim also talked to me about ways to prevent ransomware, one of those being MFA, multifactor authentication. I feel like, if you're a loyal listener of the Tea on Cybersecurity, you definitely understand the importance of MFA at this point. Another important thing with preventing ransomware is Jim talked about the importance of testing your backup and recovery, and he specifically talked about doing that through tabletop exercises, which, like I mentioned, we have an entire episode dedicated to these, what they are and why they're important, coming soon. When it comes to compliance in 2024, specifically for publicly shared and traded companies, there are two main things that they need to do. They have to change and or update how they reported breach disclosures, and they also have to describe in more depth their cybersecurity risk management, and Jim was pretty excited about this as it was putting everyone on equal playing field, it will be required for all companies. Jim also talked about how we are all more vulnerable to any sort of threat and or attack, especially since we all work from home or we work from different locations. It's hard to have a company firewall set in place if no one is in an office. So Jim talked about how it's best to have company laptops so you can control better and see better what people are doing or what's happening. And he also talked about how, even with contractors, you want to have something in place to where you're just more understanding of what they have access to or if someone is trying to weasel their way through your contractor into your systems. The last receipt that I have was about a resource that is available for all of us just to stay up to date about compliance inaudible cybersecurity, and that is CISA, which is Cybersecurity and Infrastructure Security Agency. Cyber Defense Agency is what their website says. Jim just talked about how they often have bulletins and other helpful resources to help us stay abreast in what's happening in the cybersecurity and compliance world. I hope you learned as much as I did. I can't wait to have you along this journey in season three as we dive more into compliance and some other general cybersecurity topics. Stay tuned. And that's the Tea on Cybersecurity. If you like what you listen to, please leave a review. If you need anything else from me, head on over to Trava Security, follow wherever you get your podcasts.