TechSperience

Transcript of Episode 15 - KICK-OFF Part II to National Cyber Security Awareness Month

March 4, 2020


with Penny Conway

 

 

This transcript was first posted on the Connection Community

 

Announcer:

Welcome to another TechSperience podcast from Connection. In honor of Cyber Security Month, we've been having conversations with Connection team members and partners about all things security. In doing so, we had an idea, a question. What would happen if we gathered some of these folks in a room, and we just talked about some of the interesting, crazy and scary cyber security issues that they have come across? The answer? It's what you're about to hear.

 

Now, our panel includes several folks. Steve Nardone is on board, Director of the Cyber Security Practice at Connection. Lane Shelton heads Connection's Microsoft Center of Excellence. We have two senior security engineers with Connection, Mitch Tanaki and Bill Virtue in the room. And Rob Di Gerolamo, he is the Product Manager for Security Consulting and Professional Services at Connection. Now, leading the conversation and kicking things off for us is Penny Conway, our Senior Program Manager for Workplace Transformation with a story straight from her email inbox.

 

Penny Conway:

What's funny is I get a- about once a week. And I'm looking it up on my- my email right now. I get a email from PlayStation, or so I think, that says, "Need to change your account password. Change your password." So, you guys can see it's, like, a full ... or maybe I have my Sure View on, so you can't see.

 

Rob Di Gerolamo:

No, I can see.

 

Penny Conway:

(laughs) But I don't ... What I find really interesting about this is I in my ... Never in my entire life have I ever had a PlayStation, nor have I ever had a PlayStation account, like, 'cause they do the whole TV streaming thing like everyone else does. A lot of people would look at this and go, "Oh, okay. PlayStation, that's well known. I'll click on that, and I'll give them my account information." And then all of my data gets lost, and I'm- but I'd only click on my work computer. Right? (laughs)

 

Rob Di Gerolamo:

Well, when they send this out to a million people. Somebody's going to have PlayStation-

 

Penny Conway:

Somebody has to click.

 

Rob Di Gerolamo:

Somebody's going to click on it.

 

Lane Shelton:

Wait, you mean PennyConway40622, The World Champion of Destiny II, That's not you? (laughs)

 

Rob Di Gerolamo:

(laughs)

 

Bill Virtue:

(laughs)

 

Penny Conway:

You would never guess, but I am into e-gaming (laughs). Quite a professional. So, what are some of the, like, the crazy sort of things that you guys have seen either in your personal lives or just kind of working with customers in terms of the whole phishing thing? Like, what's the most sophisticated thing you guys have seen? And what's the most, like ... I don't even have a PlayStation account. Why would they be asking me for this?

 

Steve Nardone:

The most sophisticated is- is probably really hard to answer. But probably the most sophisticated is the phishing attacks we conduct ourselves as part of our security testing.

 

Penny Conway:

(laughs)

 

Bill Virtue:

Right.

 

Steve Nardone:

Where we really get in and do things like analyze customer environments and, you know, send a phishing email that says, you know, "You're- you're in a- a- a town that has a state fair for, I don't- a- a state has a state fair, you know. Here's a discount. You know, click on this link and you'll get a $50 discount," so on. Right? So, you get a lot of people that click that.

 

The simplest one and the scariest one that I've seen is actually is a family member. I won't mention who, and I won't give a lot of detail on this. But they were working for a company, and the CEO sent an email to the CFO and said, "Please send me all the, in a PDF form, all the W-2s for every employee in the company." And the CFO said, "Hm, okay," and pulled it all together and sent the W-2s to the CFO. And then the next day saw the CFO in the hall and said, "Hey, I just want to check you got the W-2s, right?"

 

Penny Conway:

Oh.

 

Bill Virtue:

(laughs)

 

Steve Nardone:

And the CFO said, "What are you talking about?" So, every employee in the company's W-2 was exposed, right. Think about the interesting information that's in a W-2. And it was just a simple email, right. They just had to spoof it coming from the CEO. The person didn't recognize it, and wow. That's pretty serious (laughs).

 

Rob Di Gerolamo:

That's when you just go, "I- I'm- I'm fired, aren't- I- I'm fired."

 

Bill Virtue:

(laughs)

 

Penny Conway:

(laughs) "I'm just going to see myself out." (laughs)

 

Rob Di Gerolamo:

[crosstalk 00:03:52] "I'm just, I'm just, I'm going to head out now."

 

Bill Virtue:

I'm gonna bring my own box, [crosstalk 00:03:56]

 

Penny Conway:

(laughs)

 

Bill Virtue:

So, it's fine.

 

Penny Conway:

You know what's an, I think it was a couple years ago, I don't- or, maybe even last year, some of the New Hampshire school districts had a- a W-2 hack around tax time. And someone had gotten into the as- the different SAU districts and put out an email saying that to retrieve your W-2 for tax season, put in- you know, complete your information here, and, like, your social security number, and your full name, and things like that.

 

So, they had teachers that were getting this email from payroll to go and retrieve their W-2s, and willingly putting their information in, because it was timely. They're like, "oh, I'm gonna get it and don't have to wait in the mail, I'm gonna go and retrieve it right now," and there was a huge breach across New Hampshire schools, just from something simple, like, and that's what I think- that's probably more sophisticated, because it's taking normal behavior, normal things, and not out of the norm, and allowing people to freely give their information and opening them up.

 

Bill Virtue:

I don't know if this is actually ever happened or not, but you know how when we get the- we get the cyber security training, you know you have the- you get the- you click on the link to go to the- the- the place where all the training is. It's- if anybody's ever had a-

 

Rob Di Gerolamo:

(laughs)

 

Bill Virtue:

A phishing attack that [crosstalk 00:05:15] that masquerades as that, you know, "click here to access your cyber security training", and (laughs) I don't want to give anybody any ideas, but that's pretty- (laughs)

 

Steve Nardone:

That would really be interesting, to be that sophisticated, get in the middle of a link to cyber security training, and then teach everybody the wrong thing. All right

 

Penny Conway:

(laughs)

 

Bill Virtue:

(laughs)

 

Steve Nardone:

If you see a thumb drive in the parking lot-

 

Bill Virtue:

(laughs) Right.

 

Steve Nardone:

To verify that there isn't something sensitive on it-

 

Penny Conway:

(laughs)

 

Steve Nardone:

because that's good security practice.

 

Bill Virtue:

Right. Right. That- there- that goes with- so we're gonna demons- we're gonna live demo our DLP policy and-

 

Rob Di Gerolamo:

(laughs)

 

Bill Virtue:

Because when you type your network password and credentials into the screen, it's just going to return a series of x's- go ahead and type your network password and credentials into the screen right here and hit enter.

 

Rob Di Gerolamo:

(laughs)

 

Steve Nardone:

We actually did a phishing campaign at a previous company. In fact, I think Mitch might have been the creator of this, I'm not sure that- where we sent out a notification to a targeted set of employees, with the Outlook Web Access login screen. We just did a screen scrape, put it in there. And basically, when you log- b- the message was, "we've just modified OWA, and you need to validate whether or not your credentials still work," right? Yeah, and I think we had, what, about a 62% click rate or something like that.

 

Penny Conway:

Whoa.

 

Mitch Tanaki:

It was high.

 

Rob Di Gerolamo:

Yeah, yeah, yeah.

 

Steve Nardone:

(laughs)

 

Mitch Tanaki:

One of my favorite ones was like, no one's gonna click on this, "you received a fax," sent it out to a targeted group, and they happened to be sales people. And I didn't realize that people still send faxes.

 

Penny Conway:

(laughs)

 

Mitch Tanaki:

And it was the end of the quarter, and boy, did I make a lot of people mad at me.

 

Penny Conway:

(laughs)

 

Rob Di Gerolamo:

Oh wow.

 

Mitch Tanaki:

'Cause like, "yeah, well here's the fax," and you know- they go- they click on it, expecting it to be an invoice, or PO, or something... Yeah, that was fun. And I learned a lot about sales cycles, and when not to send those type of-

 

Steve Nardone:

(laughs)

 

Rob Di Gerolamo:

And you also learned people still get faxes.

 

Penny Conway:

(laughs)

 

Mitch Tanaki:

And faxes are still used.

 

Rob Di Gerolamo:

Wow.

 

Mitch Tanaki:

And I think- I don't know if that was the most surprising thing-

 

Rob Di Gerolamo:

(laughs)

 

Mitch Tanaki:

Or the click-through rate. The click-through rate for that one was, like, close to 70%.

 

Rob Di Gerolamo:

Wow.

 

Mitch Tanaki:

So-

 

Penny Conway:

So, do you- have you guys ever worked with a customer that's kind of, like, "no, no, no, no, I don't need that, I-" you're, like, it's more of like, your sky- the sky is falling, "I'm not worried about anti-virus, I'm not worried about this-"

 

Bill Virtue:

Yup.

 

Penny Conway:

"I'm not-"

 

Rob Di Gerolamo:

I- I've had customers say to me, "I don't wanna do social engineering testing, 'cause I know I'll fail."

 

Penny Conway:

(laughs)

 

Rob Di Gerolamo:

I was like, "but how bad will you fail is what you need to know." They- they're adamant that, you know, "we're gonna fail, so we don't need to worry about it" [crosstalk 00:07:45] what's the problem?

 

Mitch Tanaki:

Yeah, but I've also had customers say that, "I don't need any kind of a security assessment, because-"

 

Rob Di Gerolamo:

I'm smarter.

 

Mitch Tanaki:

"lockdown"-

 

Rob Di Gerolamo:

Yeah, right.

 

Mitch Tanaki:

"You can't get in."

 

Rob Di Gerolamo:

Right.

 

Mitch Tanaki:

(laughs) so... (laughs)

 

Steve Nardone:

Burn.

 

Mitch Tanaki:

(laughs)

 

Penny Conway:

(laughs)

 

Bill Virtue:

(laughs)

 

Rob Di Gerolamo:

And that's where you go, "challenge accepted" right? Like-

 

Mitch Tanaki:

That's right (laughs)

 

Rob Di Gerolamo:

That's- let's do this. Yeah.

 

Steve Nardone:

My favorite conversation with a customer during an assessment was, they were running laptops, they weren't running the firewall, they weren't running full disk encryption and they were running with admin mode, right as the-

 

Bill Virtue:

(laughs)

 

Steve Nardone:

Credentials for the user on the firewall. And I said, "No, there's risk associated with that." And they said, "No, not really, because we have firewalls, and we have internal controls, and we get that pretty well locked down." And I said, "Hmm, laptop. Does anybody ever take that laptop and go to, like, a Starbucks or a cyber café?" And- "Oh, yeah yeah, people take them out all the time and use them."

 

And (laughs) I said, "I think you need to reconsider your- your security policy," right, "firewalls, FD, I think that's probably something you need to consider." But it's really interesting that they just didn't understand the concept of on-domain versus off-domain security. And I think a lot of customers get confused by that.

 

Penny Conway:

Right. They think as long as, like, if someone's VPN- like using a VPN to go into your network, and they're working in your network, and being able to pull their- like, they're sitting here in the office, then that's just as secure as sitting here in the office. But sitting on a s-

 

Rob Di Gerolamo:

Or sitting in a Starbucks.

 

Penny Conway:

Or- but when you're sitting in Starbucks you're on a network that someone could actively be browsing-

 

Rob Di Gerolamo:

Sure.

 

Penny Conway:

Waiting to just pop into that person's computer.

 

Rob Di Gerolamo:

That's right.

 

Steve Nardone:

Yeah, or propping out the door on the loading dock-

 

Bill Virtue:

Yup.

 

Steve Nardone:

Is directly lodging into the data center and leaving it wide open because you're having a- some level of a heat issue or something. (laughs)

 

Penny Conway:

(laughs)

 

Steve Nardone:

With nobody monitoring it, right? Yeah.

 

Penny Conway:

So, I'm gonna do a couple of r- of rapid fire questions to- to each of you. And they- they'll be different, but feel free to hop on and add your answer if you'd like to. So Bill, we'll start with you. Bill, what's your favorite piece of technology?

 

Bill Virtue:

I would say SIEM technology would be number one, and followed closely by next generation AV.

 

Penny Conway:

All right, and Steve, what is your favorite application? And this could be personal too, it doesn't necessarily need to be business.

 

Steve Nardone:

Oh, man. Waze.

 

Rob Di Gerolamo:

(laughs)

 

Penny Conway:

Waze.

 

Steve Nardone:

Yeah.

 

Mitch Tanaki:

Like Waze.

 

Penny Conway:

And Mitch, if you could be doing any job in the world besides this job that you love, what would it be?

 

Mitch Tanaki:

That's a great question. Either something with hockey or on a boat.

 

Penny Conway:

Hockey or on a boat?

 

Rob Di Gerolamo:

(laughs)

 

Mitch Tanaki:

(laughs) Yeah.

 

Rob Di Gerolamo:

"What's your job?" "Just to be on a boat." That's it.

 

Bill Virtue:

Just to be on a boat.

 

Penny Conway:

(laughs) "I just sit on a boat"

 

Bill Virtue:

"I just ride boats, all day"

 

Mitch Tanaki:

Just ride boats.

 

Steve Nardone:

Hockey on a boat.

 

Mitch Tanaki:

Hockey on a boat, that's even better.

 

Bill Virtue:

-you go.

 

Mitch Tanaki:

There we go.

 

Penny Conway:

Steve, I was going to ask you that question too, because, what would- I- I'm going to. What would you do if you weren't doing this job that you love every single day?

 

Steve Nardone:

Well, I don't know. I would love to- course, Aerosmith, you know, they're kind of getting a little bit old, but I- you know, I always used to say, I wanna be the drummer for Aerosmith. So that's, you know, certainly a band like Aerosmith, right?

 

Penny Conway:

Yup.

 

Steve Nardone:

That would be awesome, I could handle that.

 

Penny Conway:

And you are a drummer right?

 

Steve Nardone:

I am.

 

Penny Conway:

This isn't like "I want to be a drummer and-"

 

Lane Shelton:

(laughs)

 

Steve Nardone:

No, I've definitely been playing the drums for a very long time.

 

Penny Conway:

Excellent. And, Rob, I'm actually going to throw you a similar question that I threw to Bill, because you are our internet of things guy now.

 

Rob Di Gerolamo:

Mm-hmm (affirmative).

 

Penny Conway:

So, what is your favorite piece of technology and application that goes along with that?

 

Rob Di Gerolamo:

Just thinking about them hand in hand, I really like my smart speakers. I talk to them all the time-

 

Steve Nardone:

(laughs)

 

Rob Di Gerolamo:

I ask them all kinds of questions, because I'm- I'm not smart. And it's way smarter than I am. So, I'm like, "Hey, what- how old is this, you know, actor I'm watching on TV?" And it tells me in like, two seconds.

 

Mitch Tanaki:

Well they listen to you that's one big thing. Right-

 

Rob Di Gerolamo:

Well that's just it too-

 

Mitch Tanaki:

They're always listening.

 

Rob Di Gerolamo:

I've got a, yeah, I've got a four year old and a two year old and they don't listen to me at all. So the fact that something's responding to me is great. Like, this is wonderful.

 

Mitch Tanaki:

(laughs)

 

Steve Nardone:

(laughs)

 

Penny Conway:

(laughs)

 

Bill Virtue:

Have you- have you- have you named them yet?

 

Rob Di Gerolamo:

They make me call them, you know, Alexa, but-

 

Penny Conway:

(laughs)

 

Bill Virtue:

(laughs)

 

Steve Nardone:

So, the scary part about that is that Rob actually asked that question at 8:00 last night and-

 

Bill Virtue:

(laughs)

 

Steve Nardone:

I heard it in my monitor as well. And I was listening to his smart technology myself.

 

Mitch Tanaki:

(laughs)

 

Rob Di Gerolamo:

That's right. I got a- I got a email from Steve with the- the actor's IMDb page. It said, "you should check out this movie,"

 

Penny Conway:

(laughs)

 

Rob Di Gerolamo:

But my-

 

Mitch Tanaki:

The real scary part is that his daughter's name's Alexa also.

 

Rob Di Gerolamo:

Yeah, right that (laughs)

 

Penny Conway:

Oh, that must get confusing.

 

Rob Di Gerolamo:

No, no no, I don't love it that much. I didn't name my kid after it.

 

Steve Nardone:

(laughs)

 

Penny Conway:

(laughs)

 

Rob Di Gerolamo:

But, I think my favorite application is the photos in iOS, because having little kids, sharing photos with family and friends is important. So, do that pretty quickly and that's- that's my favorite application. Kind of unrelated, but, you know.

 

Penny Conway:

No, totally. Lane, I'm gonna switch a little bit. What is your least favorite piece of technology?

 

Lane Shelton:

My least favorite piece of technology... My old VR headset.

 

Bill Virtue:

(laughs)

 

Lane Shelton:

Because, it sucks compared-

 

Penny Conway:

(laughs)

 

Lane Shelton:

To the new stuff that's out. I need to get a Valve Index, and I have the old Vive, and so the resolution, you know, when I'm swinging the sword in Skyrim VR, I could be doing that in much higher resolution.

 

Steve Nardone:

(laughs)

 

Lane Shelton:

Much better detail than I'm doing today.

 

Penny Conway:

You know- you know we might have a few people that can get you a better VR headset.

 

Lane Shelton:

I would sign right up.

 

Penny Conway:

(laughs)

 

Steve Nardone:

(laughs)

 

Rob Di Gerolamo:

(laughs)

 

Penny Conway:

I hear Microsoft has one.

 

Lane Shelton:

You know what, they're going down the augmented reality path.

 

Penny Conway:

Got you.

 

Lane Shelton:

I go down the virtual, like- I don't want that stuff over, li- I want to get out of reality, and into virtual reality.

 

Penny Conway:

Yeah, that is pretty cool.

 

Lane Shelton:

I want complete immersion.

 

Penny Conway:

Yeah, g- good luck with that. (laughs)

 

Steve Nardone:

It's the wielding the sword I'm having difficulty envisioning. So yeah.

 

Lane Shelton:

(laughs) Yeah the- you know what's interesting, like, the gaming industry, I- the- makes me think, just, as a quick aside about, you know, about the f- how we pay for all this stuff. The gaming industry is a lot like Netflix in that it makes a lot of money on binging, right? And so-

 

Steve Nardone:

It does.

 

Lane Shelton:

That makes me wonder if VR- you know, how VR's going to overcome that. 'Cause you're not going to binge for 14 hours on Skyrim VR when you're running around, swinging a sword, you know, shooting a bow and dodging, and doing all that. It's like, you can do that for about, you know, 30-40 minutes before it's- you feel like you've had a work out, so. Be interesting to see how the VR industry overcomes that hurdle.

 

Penny Conway:

There's a whole movie, I forget the n- I'm hoping maybe one of you knows what it is. There's a whole movie where, like, the world now is being in your- your virtual world.

 

Mitch Tanaki:

Ready Player One. Yeah.

 

Penny Conway:

Yeah. The whole- the whole day. And it's almost like the real word- world is scarier than the virtual world.

 

Bill Virtue:

Yeah, it's a, you know, you could- I could spend- I could get lost in VR sometimes. And sometimes, when you take the headset off, 'cause you're so used to moving in three dimensions where you can go up, down, si- you know, you- you- that-

 

Penny Conway:

(laughs)

 

Steve Nardone:

(laughs)

 

Bill Virtue:

That's, then you get- when you take it off you're like, "why can't I just float over there?" Or-

 

Penny Conway:

(laughs)

 

Bill Virtue:

"I wanna go up to the ceiling, how come I can't do that?" You know, I can't just will myself up there. It's a little weird.

 

Penny Conway:

So imagine the security risks that come when you can immerse yourself in virtual reality for 14 hours a day. Now you're dealing with incoming attacks, and people doing things in a virtual world. That'll be a whole new area of expertise for you guys.

 

Rob Di Gerolamo:

That's right.

 

Steve Nardone:

Very interesting, we'll have to add that to our design portfolio-

 

Rob Di Gerolamo:

Yeah.

 

Steve Nardone:

For 2020.

 

Penny Conway:

(laughs)

 

Rob Di Gerolamo:

It'll- it'll go on the solution map, yeah.

 

Steve Nardone:

(laughs)

 

Penny Conway:

It might be thir- it might be 3020 before you have to worry about it.

 

Bill Virtue:

Well that's true though. Yeah what- what threat- what new threat vectors would come with like wearable technology? Which is probably not, you know, not too far away when you got technology in your clothes, maybe in your- you know, in your s- you know.

 

Mitch Tanaki:

Well, implanted medical devices right?

 

Bill Virtue:

Yeah.

 

Mitch Tanaki:

Yeah, it's terrifying.

 

Bill Virtue:

Yeah.

 

Lane Shelton:

They're all those IoT things that Rob loves.

 

Rob Di Gerolamo:

Oh yeah.

 

Lane Shelton:

Definitely vulnerable.

 

Rob Di Gerolamo:

Yeah.

 

Penny Conway:

Oh yeah, very true.

 

Lane Shelton:

All right, I want to go back to the VR route.

 

Bill Virtue:

(laughs)

 

Lane Shelton:

If we have to identify vulnerabilities in it, we- we're gonna need headsets.

 

Rob Di Gerolamo:

That's right.

Lane Shelton:

So... That's a lab. That's a lab-

 

Penny Conway:

(laughs)

 

Lane Shelton:

At least three or four.

 

Rob Di Gerolamo:

Yup. Yup, I agree.

 

Penny Conway:

Yeah, no, that's actually a good idea, we should set up an advanced threat protection virtual reality lab. Sponsored by Microsoft.

 

Lane Shelton:

Yeah. Everybody would laugh at us.

 

Penny Conway:

(laughs)

 

Bill Virtue:

(laughs)

 

Steve Nardone:

(laughs)

 

Penny Conway:

Well you know someone's doing it in an R&D room at Microsoft right now.

 

Lane Shelton:

Yeah.

 

Penny Conway:

(laughs) Bill, let's throw one of the questions to you. What would you be doing today if you weren't doing this job that you love?

 

Bill Virtue:

Fishing.

 

Penny Conway:

Fishing?

 

Steve Nardone:

Is that P-H or F?

 

Bill Virtue:

No that's-

 

Penny Conway:

(laughs) He's like, "I'd be- I'd actually be one of the bad guys."

 

Bill Virtue:

No. If I wasn't doing this today, I'd probably be doing it as a hobby.

 

Penny Conway:

Fishing? Let's- I'm still not sure if it's P-H or F. (laughs)

 

Steve Nardone:

(laughs)

 

Bill Virtue:

(laughs) One or the other. Well one- one pays for the other.

 

Steve Nardone:

That's right.

 

Penny Conway:

One pays for the other.

 

Steve Nardone:

(laughs)

 

Penny Conway:

So, any other crazy stories that you guys have seen or heard, you know, when you're doing sort of the entire security landscape of, like, complete vulnerabilities, or people who have been so insanely tight and locked up, that they can't do anything, because they're trying to be so secure?

 

Steve Nardone:

Oh, that's a great question. I- you know, I- I think, you know, except for the government, right, you don't really see that higher level of- of insane security. We do see a lot of neglect in the physical security space. And- and corporate America we actually had this is another one of our favorite stories from previous jobs, right Mitch?

 

We had a- a penetration test that was done on an environment. And we had somebody come in, and they went into the printer room, and plugged in a network scanning, you know, analysis device in the wall. And stood there for- eh, sat, stood and sat, for probably about six hours collecting data, and- and not wearing a badge or anything. And not one person said, "hey, who are you?" Because they just thought, "this guy's gotta be the printer repair guy, or the Xerox-"

 

Penny Conway:

Wow.

 

Steve Nardone:

"Repair guy", or whatever. So that level of awareness is something that we see, again the physical security pretty lacking in- in general corporate America.

 

Penny Conway:

Well that's one of those things that you see, like, in a movie. The guy who dresses up like the printer repair guy, and comes in. Or like in the casino movies- What's that, Ocean's Eleven?

 

Steve Nardone:

Mm-hmm (affirmative).

 

Penny Conway:

Where they all just dress up as workers and no one thinks anything of them.

 

Steve Nardone:

So-

 

Mitch Tanaki:

He was the best dressed repair guy-

 

Steve Nardone:

(laughs)

 

Mitch Tanaki:

He's in, I think it was a three piece suit.

 

Steve Nardone:

Yeah.

 

Mitch Tanaki:

Had the tie, yeah.

 

Penny Conway:

Oh my god, really? (laughs)

 

Mitch Tanaki:

Yeah, so I-

 

Steve Nardone:

You at least have to look the part, you know?

 

Bill Virtue:

So I've got a question, maybe a serious question. So, I came up in the- did a lot of software asset management, you know, in my- in my career. And one of the things that w- I always found was a challenge for customers, for myself, is that like, software asset management when it's done right, like, just, business just happens. It's like, you know, you- when you- when you- win in, like, then everything just happens, it's just normal. So it's really hard to generate the kind of awareness and ongo- that- that companies are willing to invest in. Right? It's easy- once they get started, 'cause it's, "hey, we're gonna do this, and it's gonna solve all these problems."

 

But once the problems are solved, then suddenly the budget starts to tighten up. Because you just- there's no visceral, like, win. Do you think there's a parallel in security, in that, you know, when it's- when it works, nothing happens. That's the whole point, like business just- just goes on. So they only hear about it when something blows up, right? Do you think that that makes companies- you know, makes it more challenging to- to maintain a security budget over time? Especially the- the- the- the better you get at it, it's almost like the- the harder it is to maintain your budget? I mean, I saw that in sim, but I kinda see that- is that- is that a par- is that a parallel in security?

 

Steve Nardone:

Well we- we talked to- to customers all the time about the fact that, you know, you're talking to a Director of IT, right, that also owns all cyber security, and the general complaint is "I have a really hard time convincing leadership that we have a risk and that I need budget." Because if they haven't felt the pain-

 

Rob Di Gerolamo:

Yeah.

 

Steve Nardone:

They believe, you know, we're not a r- we're not a target. The numbers of- of people I've talked to, and they said, "you know, I'm a trucking company in the middle of the country, I'm not a target for cyber-attack." My first question to them is, "are you connected to the internet?"

 

Penny Conway:

(laughs)

 

Steve Nardone:

"Yeah of course we are." "Well then, you're a target of c- you know, for cyber sec- a cyber-attack." So, yeah, I think, we see that a lot in- and smaller corporations, right? Small to medium business corporations. If you haven't felt the pain, you believe it's not something you need to worry about. Yeah, absolutely.

 

Bill Virtue:

It's also part of, you know, it's Moore's Law, right? Every 18 months, technology just ages out.

 

Penny Conway:

Right.

 

Bill Virtue:

So, there's always new technology that companies should be looking at to protect their environment, so...

 

Rob Di Gerolamo:

Yeah. Yeah, it's just one of those Catch-22's where like, the better you get at it, the less anything actually, like, bad happens-

 

Bill Virtue:

Right.

 

Rob Di Gerolamo:

And so, everybody forgets about it. And then y- you know, the money gets allocated to other things, and you- then your risk goes back up again.

 

Mitch Tanaki:

You work yourself out of a job.

 

Bill Virtue:

Yeah!

 

Steve Nardone:

(laughs)

 

Penny Conway:

Right.

 

Bill Virtue:

Yeah. But then they hire you back as soon as some- right? (laughs)

 

Rob Di Gerolamo:

(laughs)

 

Penny Conway:

So, I- I think this is a good place for us to kind of wrap things up, you guys have been wonderful guests over the past few episodes. It's great to get to know you and your practice. But I think more importantly what an asset you are to our customers today to have that consultative experience around their security, and the value of security. Like you just said Bill, it changes every 18 months or so, so what is happening today?

 

And what, you know, policies or procedures are in place today may need to be adjusted in just a year and a half, two years down the road to make sure that you're constantly ahead of those threats where you can protect, detect, and react appropriately. So, thank you so much for joining us in honor of our Cyber Security Month here at Connection on the TechSperience podcast, and I hope you guys come back soon, maybe in 18 months when technology changes!

 

Steve Nardone:

(laughs)

 

Bill Virtue:

(laughs)

 

Rob Di Gerolamo:

(laughs)

 

Penny Conway:

Or sooner.

 

Steve Nardone:

All right. Thank you, it was great to be here.

 

Bill Virtue:

Yeah.

 

Penny Conway:

Thanks guys.

 

Rob Di Gerolamo:

Thank you.
