E120 - Chris Glanden, Host of The BarCode Cybersecurity Podcast and Security Strategist Advisor
44:22
SUMMARY KEYWORDS
metaverse, people, data, ransomware, privacy, security, companies, iot devices, organization, cyber, podcast, iot, talking, workflow, applications, thoughts, understand, breaches, mfa, cybersecurity
SPEAKERS
Debbie Reynolds, Chris Glanden
Debbie Reynolds 00:00
Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations. Hello, my name is Debbie Reynolds; they call me "The Data Diva". This is "The Data Diva" Talks Privacy podcast where we discuss Data Privacy issues with industry leaders around the world with information that businesses need to know now. I have a special guest on the show, Chris Glanden. He is the host of the BarCode podcast which is a really cool cybersecurity podcast. I've been a guest on your show. You're also a security strategist, founder, and advisor on things like cybercrime innovation, leadership, and cybersecurity. Welcome.
Chris Glanden 00:51
Thank you for having me, Debbie. It's an honor to be on your show. It's been a long time coming. Yeah, this is great. This is great. So podcast hosts get to interview one another. So you put yourself in the hot seat for a change, right?
Debbie Reynolds 00:59
Yes, yeah, I'm sweating. Oh my goodness. Well, you and I found each other on LinkedIn, I think we read each other's content, and you invited me to be on your show a while back; your show's very unique. You had a show before I had a show, actually a podcast. So you've been doing it for quite some time. You know, I love your show, first of all, because you really dig deep into issues. So I feel like some people do it on a surface level. Right? Like, almost like, I don't know, like the BuzzFeed, you know, here are the five, you know, top tips that anybody can tell you. And you really go deep with your audience on different subjects. So you really do your research, and you say things that I feel are very actionable. Also, the concept of your podcast is cool. So every podcast episode, you have Tony, the bartender, who creates like a drink named after the guests. And it's pretty cool. It's I've not seen anybody be as creative as you in the space. But tell me a little bit about that yourself. Tell me about your journey into technology. And why you ended up deciding you wanted to do this podcast, BarCode.
Chris Glanden 02:26
Yeah, well, first of all, thank you for the kind words; I really appreciate it. And Tony is not actually a real bartender. So I need to put that disclaimer out there. Tony is a friend of mine who works in a liquor store. So I guess that it's close, but he doesn't actually make drinks in real life outside of what I direct him to make so, but he's definitely a unique character. So he adds some flavor to the show, for sure. But I mean, as far as my journey goes into security, so I came up through the IT sector. I got into it in the late 90s. I worked at Comcast for a while I went to work at JPMorgan Chase for a while. And I didn't graduate to security or really get into security, and make that my career path till about 2011. So 2011, I ended up going to work for a very small bank as a level-one security analyst. And a friend of mine actually brought me in because he had just taken over that group; he knew I was interested. And I just took advantage of it because I didn't think there was another way for me to get in at that time. I didn't have any formal training. I didn't even have any formal training in IT. I was self-taught pretty much throughout my entire career. So when he offered that up to me, he knew I had an interest there. So I went and I did security as a Level One analyst at a bank and two weeks in, they offered me to go down to Hacker Halted in Atlanta to do some training. And I was like, alright, well, what am I going to do at Hacker Halted? Like, that just sounds intimidating. What kind of classes do they have? And I looked at the classes and there was like an intro to cyber. So I said, alright, I'll take this intro to cyber course. And they call me back and said it got canceled. All we have left is the CEH course. I'm like, I don't even know what CEH stands for. But sign me up. So I went down there. And you know, I'm immersed with all of these security guys and ethical hackers and they had the Cyber Olympics going one at a time. And it was just captivating for me coming from IT but not knowing that side of things so it really hooked me after I got there and actually got to talk to people and realize that security is more than technology. There's so many layers to security. And yeah, that's really what hooked me. So I've been in the security game ever since. Worked my way through the ranks from analysts to engineer to architect, I've been doing consulting for the past five years now. And then in 2020, during the pandemic, I decided to launch BarCode, which is split Bar Code. So the atmosphere is like you're in a bar. And the code is essentially the open source code that experts like yourself, Debbie come on and share with us. So I felt like it was filling a void at the time of the pandemic, where folks couldn't get out to conferences, like Hacker Halted, like Blackhat DEF CON, and meet up at happy hours and have these, you know, off the cuff conversations or conversations that aren't in front of a, you know, a conference room. So that was really my mission, to transplant that feel and that vibe into audio. And if you've heard the show, you know, I really tried to paint that picture, like I really tried to take it back to radio, when radio was was, you could visualize things and you were on with your imagination on things. So yeah, that's what keeps me going. And the reason I love it the most is I get to talk to people like you; I learn as I do it. It gives people a platform for others to hear their voices, and the listener also takes away something from it as well. So it's a win three ways; that's the way that I see it.
Debbie Reynolds 06:26
Well, you're definitely succeeding, I think, I think some people when they want to when they think about doing podcasts, and they don't really know what they want to say, they say, you know, I think it's cool, just have a podcast. But really the best shows are the ones that are really thought out, just like you said like you had a purpose, you know, there was a void there, you want to make sure that your message is on point, even though you have different guests, you know, the overall arching goal is the same. So I think that's what makes your podcast so interesting. You say something interesting, I would love to dig in deep on this. So you said that security is not just technology. And I would love for you to talk a little bit about that. Because I think people feel like it's the opposite. So people feel the opposite. And that to me in some way. That's a kind of abdication of your human responsibility. So if you think a tool is going to like solve all of your problems, like you have much bigger problems. So tell me a little bit about your idea about security is not just technology.
Chris Glanden 07:42
Yeah, the way that I went into security was thinking that it was technical. And I didn't quite understand the different levels that came with that. And what I mean by that are, is that there are psychological levels to it. There's, so you have the social engineering piece, you have physical aspects of it, and you have the physical intrusion piece to it. And there's a lot more that goes into it than just understanding how to sit behind a screen. I think, even when you're doing that, and I learned is going through to see CEH, in terms of like your reconnaissance steps and your initial foothold into a network. So even if you're doing behind the scenes, there's still steps involved that take creativity, I think, to be really good at it. So those are the things that I meant in terms of layers, obviously, it's great to have that technical acumen, especially coming from it that helped. But once you get immersed into security, you realize that I think it goes way beyond the technical piece. So I think you have to be willing to learn these different aspects. If you're creative in nature, I think that also helps as well. Because as you can tell, when you're hacking, I think hacking or hackers have a particular mindset. It's a hacker mindset versus a role or a function. So it's just thinking differently. If you're creative if you're an artist. If you're anything along those lines, you can apply that to the hacker mindset. So these are all things that I realized after I got into security.
Debbie Reynolds 09:34
Very good. Very good. I want your thoughts on insider threats. So I've done a couple of sessions with people asking about insider threats. And I don't know about you, but my eyes start rolling when someone says insider threats. I mean, they start talking about the rogue employee, right? And so I saw a statistic recently that said that only you know of insider threats like less than 30% are a rogue employee. So if all you're thinking about is a rogue employee, you're missing like, you know 70% of what the actual insider threat is. So, tell me your thoughts about this whole insider threat shenanigans.
Chris Glanden 10:12
Yeah, I thought it'd be actually lower than that. I've worked on the enterprise side for a long time; I've done consulting, like I said, for the past five years. And what I've seen is a very, very low percentage of nefarious use cases for insider threats. A lot of times when you're putting an Insider Threat program in place, you're really focusing on the accidental data loss and the accidental threats that come along with insiders that aren't educated to handle data safely, or the security mechanisms aren't in place to act as a safety net for that data. So insider threats do exist, and we've seen it with data breaches. But I think that in normal cases, a high percentage is looking at that accidental data loss and not necessarily malicious action.
Debbie Reynolds 11:12
Well, what happens when people focus on malicious actions and not these other kinds of everyday things?
Chris Glanden 11:23
When they focus on malicious action and not the everyday thing, I mean, it's good to focus on that and be aware that that's something that could happen. You know, I think it comes down to being able to, to tune your tools and your policies in a way where it's focusing on both because I think, I think both are very important to identify. I don't know which one I would say is more critical, honestly, because you have your employees, and if and if they're in a workflow where they're exfiltrating data, that's an insider threat, and they could be running this workflow for, you know, years and years before you can identify it. When that malicious actor comes along, and they're leaving to go to a new job, and they want to exfiltrate you know, data to their house, you know, you're not often going to see them exfiltrating credit card numbers, and using those credit card numbers, it does happen, and it is a threat. But I would say that the other is more of a common scenario from my experience.
Debbie Reynolds 12:36
Right, it's kind of that low hanging fruit, the stuff doesn't get your attention. And then if people are, if someone is trying to exfiltrate data, they're smart enough to know to do it in ways that don't raise eyebrows, don't you know? No, it's not like a movie, right? Where someone has a thumb drive to download 10,000 gigabytes of stuff, you know, overnight, like, it just doesn't happen that way, you know.
Chris Glanden 13:01
And there's ways to get around that which we're not going to go into, right? There's ways to get around DLP and controls that we're not going to get into, but you know, someone is going to the length to be doing that. You would think that they put some research into it, or what have you. And again, you know, it's that it's the accidental data loss, the exfiltration, the process improvement side of things that I think really needs to be looked at with these tools, and then changes made and consistently tested against.
Debbie Reynolds 13:38
What do you see when you're consulting or you're talking with companies? What do you see in terms of the low-hanging fruit that you say, oh, my God, like you're concerned about all these other crazy wacky, you know, rare things? In the here's kind of a major basic thing that probably maybe it's kind of low tech or no tech thing that a company can do? What are your thoughts about that?
Chris Glanden 14:07
When you're talking about false positives, like false positives, you can look at and it could just be a string of numbers and a URL that match a credit card. You have to eliminate those that are just policies and rules; you need to eliminate the actual data exfiltration that insiders are performing. You know, it could be shortcuts, it could be, you know, I don't have enough time in a day. Let me send this to my Dropbox at home. Now that you're working at home, a lot of people are working remotely. It's exfiltrating data from your corporate network to your home network. And that could get flagged. It could be you know, writing data to a disk or USB Drive To be able to take that with you, mobile, or hand it out to someone else that you need to collaborate with. I mean, typically, they're all workflows that have some type of justification to it. But then once you identify that, that's when it comes down to the education piece and the policy improvement. And being able to eliminate these workflows and educate the user, because then you bring in these other solutions like you have, you know, encrypted drives or you have other safeguards in place that you need to educate a user on, say, you don't do it this way. You do it this way; this is how we prefer you to do it. And now it's policy that you do it; we've uncovered this rogue workflow, and now we're going to put this policy in place to fix that. So it's those types of, I think, workflow shortcuts that I see the most that need to be eliminated. Because I don't think that they know, uh, you know, they don't know, they don't know, the danger that they're, they're posing to the organization, and to themselves, and once you educate them there, then I think that you know, the goal is to have the controls in place, but also have their mind thinking in a different way.
Debbie Reynolds 16:13
That's great. That's great advice. That's something that all companies need to really think about. I want your thoughts on Shadow IT. So I had the pleasure of being on a conference panel many years ago, and there were some people who weren't, these are not technical folks, right? They're in a different industry. And they were talking about how great Shadow IT was because hey, you know, maybe it doesn't give us the tools we need; we can go out and get what we want. And, you know, I'm cringing listening to people say this is like, horrible. And then, you know, I think Shadow IT has always been a problem.
Chris Glanden 16:53
Who was saying that the user or the organization?
Debbie Reynolds 16:57
The customers of the organization.
Chris Glanden 17:00
Ok I can see that.
Debbie Reynolds 17:03
Yeah, because that because it benefits them right now, you know, I don't want to use you know, this is a great example. So I was a consultant with a company, they were using a certain like, like Box or Dropbox or something, and then we switch them to a better tool that was more secure, you know, not, you know, something that we tested handled better. And this other person just had a fit because they were accustomed to doing their workflow that way. And that tool made it really understand why that wasn't the most secure thing. And also, it wasn't like a station application by you know, the organization. But I think Shadow IT was always a problem because you have people doing things differently and data in places that the IT or the cyber folks are not aware of. But I think the cloud, and it's just more complication because it's easy now for people to go in and sign up for an account, upload data to a cloud account, and no one knows anything about it. Like I heard someone tell me once that they have, I guess they were using some cloud application within the organization. And the guy who created the account left the company. And then when he left the company, he stopped paying for the thing, and all their stuff got deleted, and people didn't know that wasn't an application that was sanctioned by the company and it wasn't paid by our company. So it was like a huge mess. But I say all that to say I would love your thoughts on Shadow IT. The thing is that people don't understand why it's a problem.
Chris Glanden 18:42
Yeah, so I don't think Shadow IT is ever going away. Because even if you have it locked down, people are going to try to get those applications, those non-sanctioned applications. So I think when you're looking at Shadow IT, I think there's really three main aspects I would look at and one is discovery. So understand what applications exist. Cloud apps exist. So whether you're using a CASB or some other type of discovery tool, make sure that you're scanning and understanding what the Shadow IT landscape looks like. And then understand the use cases for those applications. So if it is Dropbox, and you don't allow it and understand the reason for that. Are they using it for whom you started using it for work, use and then potentially implement an enterprise solution to, you know, help with that use case versus allowing the user to go out and use these rogue applications? And then the last one, I would say is controlling those applications. So if there's applications in Shadow IT that, you know, you don't want to use it to access lock those down. And, you know, blockless applications, you don't want users using it, then, you know, within that tool, you can also do auditing and other types of metrics. But, you know, those are the things that and it is a risk. It's definitely a risk. And, yeah, I think those were the three ways that I was suggesting an organization take a closer look at it.
Debbie Reynolds 20:29
Yeah, that's great. I would love your thoughts on how cyber and what you do intersect with privacy. So privacy, I was telling people privacy existed before computers, right? So we're trying to protect people's rights. But as we're in a more data age and technology age, privacy is coming more to the forefront and it gets intertangled, interwoven into conversations around cyber. So tell me about your experience with privacy and how it intersects or intertwines with what you do in cybersecurity.
Chris Glanden 21:14
Yeah, I mean, it comes down to I think, you know, one thing that I think of now is the data security and Metaverse; I think that's top of mind for me. Anytime that you're talking about data, you have data ownership, and your personal data is attached to it, or someone's personal data is attached to it. And then once you have that, you know, that's that could be used against you and identity theft in many other ways. So top of mind for me right now is the Metaverse and what's coming with the Metaverse and the privacy implications there. And I'm not a huge Marvel fan, like, you know, Spider Man and hawk. But in the Marvel Universe, there's something called a multiverse, which I think is a collection of these alternate universes which share a universal hierarchy. So when I think a Metaverse and privacy, you know, that's my perspective, that is that you have all these mixes of universes, it blends together, everybody's data is, is out there, you know, how is it secured? How are people's data and privacy secured? It blurs the lines of reality for me and for others as well. So if you talk about data and privacy, and if your reality is skewed within these multiverses How do you know who to trust, what to trust? And Where To trust when you're distributing that data that ties to your privacy? So, again, I think it's always been, you know, chained together in a way where it's data and privacy, but I think the Metaverse is just going to take that to a whole other level.
Debbie Reynolds 22:57
I agree with that. I think people don't really, you know, I end up working, you're advising people in those emerging technology areas, you know, virtual reality, augmented reality, mixed reality, and different types of applications. So I think when people in the news, we see articles, they're talking about Metaverse as kind of a consumer product, I'm just like, what a gamer would use or whatever. But what I'm seeing is real applications and kind of training like training, simulations, education, tons of stuff, and medical, you know, that, you know, these are real things are happening. So I think, you know, we should be concerned and I am concerned; that's why I got involved with this. Because once you start capture, you're, you're basically capturing things that no one ever captured before. So you know, it raises the stakes, raises the risk in terms of what's being collected. And then what is happening with that data, like is this data really, truly, to benefit the individual? How do we limit that data retention? How do you limit that data sharing to our people? Do people even know what they're sharing or, you know, what they're agreeing to? And a lot of when I'm working flat with people in these applications, we came up with this thing, what I call it like incremental consent because they're their athletes, there's got to be a situation where if you're wearing VR glasses, or you're in an augmented space that has sensors and stuff like that, based on what you do, you may have to give consent, like through that journey. So that's different than, you know, checking the x box, a tick box when you're on some privacy policy or software. Based on what you do. You may need certain types of consent, I guess.
Chris Glanden 24:56
Yeah. And I think as the Metaverse becomes more adopted and more universal, you're going to start sourcing more of those types of digital transactions on digital goods. That's a risk, you know. And back to the glasses piece. If we're all avatars, you know. And we're walking around with these glasses that we're going to see avatars. Are they real? Are they not real? Are you exchanging your phone number with an avatar or someone real like it? Like, I'm talking like way down the line. But these are the things that I think of, you know, if your digital avatar, if your digital avatar that you have in the Metaverse and you're playing a game, if that's comprised of code that's comprised of ones and zeros, and that code is compromised, or cloned, you know, then what you have walking around as evil twin is an evil clone of yourself. So that's identity theft, right there. That's identity theft in the Metaverse. So, you know, that becomes very dangerous. And again, as this tech becomes more open and distributable, how do we fix that? You know, how do we secure that? Those are the things that in terms of privacy, I think, down the line, we need to start looking at now and I think maybe, you know, it could be MFA. It could be a way in MFA because I think with MFA it separates the real world from the Metaverse so you could have third-party app validation. You could have Metaverse merchant validation, right? If you're going, if you're transacting goods, you're going to have a habit, you know, a secure verified vendor, to have a physical device to be able to authorize that. So you don't know, you're forced to have that physical device. I don't know. There's certain, there's a lot of things to think about when it comes to that and privacy, but another thing is government like do we have a government? You heard about the Metaverse story where a woman was assaulted in the Metaverse. You know, and I've talked about this before, do you go to court in real life? Do you go to court? No. Metaverse, what are your repercussions? So I think there has to be some type of government around that. And I think it's just too early on to realize that, but I think that's where the privacy experts need to get involved.
Debbie Reynolds 27:15
Yeah, I agree with that. What were your thoughts? You saw that the Metaverse for some people may be far off into the future. I don't agree. But I would love something that's here now that I love your thoughts on it's kind of like IOT devices. So my friends in cyber who work in either municipalities or private companies, they're going bananas about IoT devices that people aren't willing to put on networks, and just the fact that you know, right now, it's kind of a very wild list type of thing. So I tell people like IOT devices, like a computer without a screen. So, you know, you don't really know what exactly is doing, you know, you hope it's doing what you think it is. You don't know what you know; it was connected to the internet. You know, there are just so many variables there in terms of security. I saw a statistic, very eye-opening; they said that most companies have more IoT devices than computers connected to their network. So it's like, you know, it's kind of a threat that people aren't really talking about as much. And I think that they said, but what are your thoughts about that? IoT?
Chris Glanden 28:26
Yeah, so that stat you saw, was that for the enterprise? Like, within organizations? They have IoT devices?
Debbie Reynolds 28:32
Yes.
Chris Glanden 28:33
Okay. Yeah. So I mean, I'm on the consumer side, I stay away from IoT, I try to stay away from IoT. The scary part is the devices that you have in your home that are IoT that you don't know are IoT, that that have access, like your TV, it's collecting that data, sometimes it has, you know, a mic on the remote that you need to disable manually. That's calling out, you know, those are the type of devices that scare me that that the consumers aren't aware of, if they are aware of it, you know, I think that that's where the education comes in, in terms of what data are they collecting? And I don't think that consumers are quite clear on that. And if they are, then I think they need to be; they need to understand the risk that they're up against. In the organization. Yeah, you're right. I mean, IoT is taking over, especially when you're talking about industrial industries or manufacturing industries. And I don't think that we can rely on the manufacturers like we cannot rely on the manufacturers to secure these devices. I think that as an organization, we need to understand every device that is connected and what it's doing and secure properly, whether that's segmentation whether that's for You know, validation, I think that we need to have and that goes back to the visibility. Like we have to have visibility into what's on our network and understand what we're connecting to. So yeah, that's my take on IoT. I personally don't do IoT too much. And then from the organization side, again, just know what you're plugging in and make sure you do the validation, make sure you do the testing like it is a PC, and understand the threat there.
Debbie Reynolds 30:31
That's good. That is good advice for people.
Chris Glanden 30:34
Sorry, I'm not an IoT expert, Debbie. No like, you know, that's just my, from my experience.
Debbie Reynolds 30:42
Yeah work with companies on IoT devices. And I'm like, I don't have IoT devices in my house, either. Because I just prefer not to invite surveillance into my home if I can help it, right?
Chris Glanden 30:56
Who's behind that? Like, right? You don't know who's altering your perspective on things? And that's what scares me is that you have a perspective, but then those IoT devices could influence you. And, you know, that's scary.
Debbie Reynolds 31:17
Oh, absolutely. And that's not far-fetched, right? So think of it like Netflix to me. So the net, I put I have, frankly, two different profiles on Netflix, and believe it or not, one has a man's name, one has a woman's name, and I see different things. Yes, totally pronounced. So part of what I try to fight against this I want to see things on filter, right? I don't want things to be pre filter before I decide kind of was drilled down. So I think the way the internet is people sort of assume that we see the same thing. So based on where we are and what these algorithms think that we want to see, we're only seeing kind of a portion of things. So having IoT devices, maybe, maybe they're trying to think of it as personalization. But it's really sort of limiting your choices. In some ways.
Chris Glanden 32:18
It is. And, again, we've talked about this before, when when you're talking about IoT and limiting choices, it's using an algorithm and the back end and AI algorithm that's looking at your viewing behavior, right, you know, as a human that could change overnight, like your decision making can change overnight, you could have a life-changing event that changes your perspective on what you want to watch that night. And I don't think there's any way that you can accurately predict that. And it's just, you know, it's crazy. And I don't know if we're ever going to get to that point where it's 100% accurate. Or if I wanted to be 100% accurate, to be honest with you.
Debbie Reynolds 33:06
When you see these data breaches? I don't know, I would love your thoughts about this. So a lot of times on the news, like you say data breaches are going mainstream. So you're saying and news every day about some new data breach to happen with some big company? Do you feel like sometimes some maybe small to medium businesses when they see this? They think it could not possibly happen to them? Because they're not, you know, Sony? Or they're not Target or something? What are your thoughts about that?
Chris Glanden 33:35
100% I know that they're thinking that because a lot of the folks that I consult with are SMBs and small business owners. And I'm, you know, a new term that a friend of mine, Jim Tiller has coined in the shadows; these companies in these SMBs are in the shadows right now. They used to be, you know, behind these big corporations, and nobody's looking at them. But now with the digital transformation piece, the supply chain workflows, you know, they're dealing with these big corporations, whether they know it or not, behind the scenes, so they're affected, I think, more than ever right now. And in addition, they don't typically have the security controls stood up like a Fortune 500 company would or have the resources or staff to be able to look at and monitor attacks. So that's an easy target for attackers. And so yes, they definitely need to think about that. And it's, again, you've heard it a million times, but it's a matter of when not if.
Debbie Reynolds 34:43
And tell me a little bit about educating people about looking at cybersecurity as more of a risk-based exercise as opposed to a kind of a reaction. So being proactive as opposed to being reactive because I feel like the way people have been trained, it's like, okay, you know, we don't need, you know, these tech people around, you know, we know what to do until something bad happens. And we sort of call them in there. So rescue us some kind of way, but, but the issue that most companies have, especially around breaches and ransomware, things like that, it's that you have to have a plan in place, you have to have a system in place, you have to kind of think thoughtfully about cybersecurity, how you're protecting your data, before you get into kind of an emergency situation. So tell me a little bit of how about how you, you know, advise companies who maybe think, okay, we don't, we don't really meet cyber unless, like, something bad happens. So I feel like people treat cybersecurity almost like, you know, you're in the fire department. So it was like, Okay, let's, you know, we don't need you until something bad happens, then we'll call you, and all of a sudden, you're like, you know, sweeping in and like risque photos.
Chris Glanden 36:00
Then you got to show him the stats like this is what happens when you think like that, you know, these are the companies that are getting breached, and getting and getting hit with that mindset. So yeah, I mean, it really depends on how mature that organization is, you know, you got to look at what your, your IR plan looks like what your IR processes are. I'm a big proponent of performing crisis simulation or tabletop-type exercises to plan for this type of event; you can do that on any scale, you can do that on any level, whether you're five employees or 5000 employees or five, you know, 55,000 employees, you know, there's different ways that you can go about training on how to properly react to those type of situations and identify those situations and see them coming. So definitely practice crisis simulation, definitely take a look at your IR and your disaster recovery plans, make sure that you have backups in place, you know, there's a lot of simple and free actions that you can take as an organization to prepare for an attack, and then react to one once that happens. And I think a lot of SMBs and smaller organizations don't know that. There's very, very simple MFA. MFA is the number one aspect of defense that I recommend, which is low cost. And, you know, it's not the silver bullet, but it will save you. So things like password managers and enforcing strong password policies, I mean, these are very high-level things that can prevent against these attacks that SMBs and smaller businesses just need to be aware of how to implement.
Debbie Reynolds 37:45
Yeah, I think the idea is to not be the lowest hanging fruit because I think that attackers, they look for the easiest target the easiest way in, so you don't want to be that easy target; you don't want to be that easy way in. So if you have something, even though multi-factor authentication MFA, isn't like a silver bullet, it won't save you in all instances, you know, if an attacker is looking at, you know, say 10 different companies, and eight of them have MFA, he's going to go for those other two that don't have it, right. Because those are going to be those easy targets. It's like; it's like a car thief, they're going to go down the street, check the doors. And if your doors are locked, that doesn't mean they can't break in; they're just not going to waste their effort; you're going to go to the next one to see if those doors are on lock. So it's almost very similar in that sense, where you do what you can. And he's easily these easy, easy controls that you can implement you have to implement. So I think that SMBs and smaller organizations just need to be aware of those things and to help better protect themselves because they are at risk and sensitive data resides there. And they just have to protect themselves and their customers. Excellent, excellent. So Chris, if it was the world according to you, and we did everything you said, what would be your wish for privacy, cybersecurity, and data protection anywhere in the world or in any facet, whether we technology human stuff? What are your thoughts?
Chris Glanden 39:24
I mean, my wish, even though I don't see it happening is that, we can just kill off ransomware because I think ransomware is probably the number one threat to organizations today. And I think that we have a lot of controls and mechanisms in place to help detect it and help identify it, but I don't see a way of stopping that anytime soon. So if I had a wish I would wish that there was a solution to stop it, kill it tomorrow. That would be my wish. So if anyone out there has that formula, please call me. Let's talk.
Debbie Reynolds 40:17
That's a very good wish. That's a very good wish. I feel like part of the reason part of the problem with ransomware is is kind of psychological in a way, with people. So it's like, let's say you have five businesses on a blog, right? This ransomware person can attack all five. And chances are, they're not going to talk to these businesses and aren't going to talk to each other. So let's say someone had a ransomware attack there; they tend not to want to talk or not want to share what they learned, right? So then this trick, everyone else falls for the same trick, because there isn't kind of that knowledge sharing nurse or someone saying, hey, you know, you should watch out because this happened to me, or, you know, here's what we learned from this attack. It's kind of like, let's like mass, say anything because I'm afraid to get sued. And then the same thing happens over and over. So, you know, the ransomware folks are having like a field day because they have the same trick they can play over and over and over again, and people fall for it over and over because there just isn't enough, you know, the information there to help people really protect themselves.
Chris Glanden 41:32
Yeah, 100%. And I think understanding and everybody puts so much stress on the human factor. And being able to recognize a phishing attack as a phishing attack is the number one attack vector for ransomware. And just being able to train the human, but I think, you know, the human is always going to make mistakes, that link is always going to get clicked. So we need to have a mechanism in place to stop ransomware. And, yeah, I think we need the answer for that, or at least mitigate it. And I think like what you said, being able to share those experiences will help us get there. But you know, we have to be communicating with each other to be able to do that.
Debbie Reynolds 42:22
Absolutely, absolutely. Well, hey, thank you so much for doing the show. This is great. Definitely, I would love for people to tune in. Definitely subscribe to the BarCode podcast. I think you guys are People's Choice podcast award winners, I believe. It's a great show, and you learn so much. And you really, for people who want to get down to deep and you know, not on the surface level on some of these topics with your guests, you definitely go there, which is great, because it's a great education for all of us. So thank you.
Chris Glanden 43:00
Well, thank you, Debbie. And thank you for having me on your show. We'll have to have you come back at some point. And we'd love to have you, you know, you're a VIP patron at the BarCode. So anytime you want to come through and grab a Divatini just let me know.
Debbie Reynolds 43:16
That's right. The Divatini is amazing.
Chris Glanden 43:21
Thank you so much. Yes, definitely. And we'll catch up in real life one time and have a real one.
Debbie Reynolds 43:26
Yeah. Excellent. Excellent. Thank you.
Chris Glanden 43:29
All right. Take care.