Damon Pistulka, Celia Paulsen, Curt Anderson
Curt Anderson 00:00
Awesome. Well, guys, well, thank you. So happy Friday, everybody. Can’t believe it’s another Friday. So, on a personal note, for those of you that attend with us weekly, my dear friend, my partner in crime Damon was off last week. He had a little sad news: his family lost his dad. So, Damon, our thoughts and prayers have been with you. Thank you for all you’ve done, and welcome back. And, you know, our prayers to you and your family. So glad to have you back with us, buddy.
Damon Pistulka 00:26
Thanks so much, Curt. Well, welcome everyone once again to our weekly Manufacturing Ecommerce Success Series. If you’re on LinkedIn joining us, go ahead and make sure to drop where you’re listening from in the comments. And we will get rolling here, because we are ready to have Celia teach us about cybersecurity in manufacturing. Take it away, Curt.
Curt Anderson 00:49
So guys, happy Friday. Celia, thank you. We have Celia Paulsen from NIST. That’s the National Institute of Standards and Technology, a federal government agency. She is a cybersecurity expert. So Celia, I feel compelled, I, you know, I do a little digging on our guests, I do a little intro. The theme of this is so profound I have to read it. So first off, Celia is a veteran who served our country very proudly. So thank you for your service.
Let me just share a little bit, and sorry, Celia, this takes away from your presentation. I just thought, you’re a very humble person, I need to share this. She supported Operations Iraqi Freedom, Enduring Freedom, and others, monitoring intelligence databases, analyzing data in multiple software tools. She wrote more than twice as many technical reports with 100% accuracy.
She helped improve morale on her team. She developed laser guns with linguistic teams, and she volunteered as an honor guard and color guard member, performing at funerals and at parades. So this, I tell you guys, I dropped Celia’s LinkedIn profile in the chat, please connect with Celia. What an honor. What a gift to have you here today, Celia. Welcome. Thank you.
Celia Paulsen 02:12
Thanks. You know, that all sounds a lot better than it actually was. Well, you’re looking at the dating of it, the how-to-write-a-LinkedIn-profile and how-to-do-resumes stuff. And man, it all sounds like BS when you’re done with it.
Curt Anderson 02:26
Yeah, well, hats off to you, thank you for your service. And let’s just go back a little bit in time. So you are a cybersecurity expert. I had the honor and privilege, you and I met at the Alaska MEP. And I was blown away by your presentation. And thank you for gifting us with your time today. But you just shared a quick story with Damon and myself about how did this, when did this whole cybersecurity thing start in your career? Can we go back a little ways?
Celia Paulsen 02:53
Sure. So I was eight years old. My brother was learning how to program in BASIC. And I was very curious about that. So I decided to jump in and force him to teach me how to program in BASIC as well. And since I was pretty bad at math, we decided that we would make me a training program to help me learn how to do math. So it would be, you know, really simple, asking me some random math questions like, what’s two times six? I would answer it and that would be that, right? So my brother, he’s helping me, teaching me all about programming.
I’m super excited. I think it’s time for me to test this thing. And I start testing it and it says, what’s two times two? And I say four. It says, you’re wrong. I’m sure I’m right. I’m positive I’m right. So I do another one. You know, what’s three times three? Um, I’m pretty sure it’s nine. But what if I’m wrong? So I said, okay, I’m going to do it. I’m going for it. It’s not. You’re wrong. What? So I go to my brother, and I say, I don’t understand this. And he starts laughing and laughing. And yeah, it was a whole joke with him, that he was helping me program this thing that was going to always tell me that I was wrong.
Curt Anderson 04:14
You were hacked at a young age, very scarred. And so your passion, your purpose in life, was to help other companies prevent cybersecurity. So God bless you, what a great story. So, hey, I know you have a ton of information to share today. We have a presentation. Do you want to go ahead and share your screen?
I’m on it.
Curt Anderson 04:34
While you’re at it, I want to give a shout out to my buddy Jeff, who is on the program today. Just spoke with him this week. Tammy, Valerie. Chris, president of Gen Alpha, is on the program today. We’re going to see her in a couple weeks. AJ, Eric, thank you guys for joining us today. Celia, go ahead and take right off.
Celia Paulsen 04:52
All right. So I’m going to go through a bunch of mandatory stuff first, and, you know, some interesting stuff, but then, you know, when I get through that, then I am happy to just talk with people. I have my slides and we’ll go through the slides. But if you have questions, please feel free to interrupt me. Curt, tell me what the questions are and all this. So starting off, you already introduced me. I am Celia Paulsen, I am a cybersecurity services specialist for the NIST Manufacturing Extension Partnership. Now NIST is a non-regulatory agency of the US Department of Commerce. That’s important because Commerce is a very friendly agency. Its goal is to promote commerce, right?
So we as NIST, our goal is also to promote commerce. We are non-regulatory, I gotta emphasize that many times, non-regulatory. We do, however, in the NIST labs, produce a lot of guidance, technical expertise, reference materials, and all sorts of stuff that is used by government agencies, industry organizations, and others. And I have to say that disclaimer: if I mention any commercial product, or trade name, or service, or anything like that, it does not imply any particular position. I’m not endorsing, I’m not promoting, none of that, or the opposite too. If I say something, you know, on the negative side, that’s not anything about that.
Okay, that’s the big stuff. NIST MEP is a nationwide network. We have centers in every state and in Puerto Rico. No manufacturer is more than two hours away from a service location. We have a lot of great feedback about us. This 84.3 net promoter score, that’s how much people like us, they like us at 84.3. That’s pretty good, I think. You know, we always try to make it higher, but that’s really good. And then we have 1,400 in-house manufacturing experts and more than 2,000 external partners and universities, subject matter experts, all types of people.
So all of our centers have some cybersecurity capabilities, whether it’s in-house or whether it’s parties that they work with. They do everything, man, these people are so talented. They can do everything from exporting and reshoring, advanced manufacturing, sustainability, but I’m focused on the cybersecurity aspect. And that’s what I’m going to talk to you about. So first, the scary stuff. Why does NIST care? Why does NIST MEP care? Well, cybercrime in manufacturing is about a $36.3 billion loss in the global domestic product. That is ridiculously high.
A recent study, this is from 2020: 40% of manufacturing firms experienced a cyber attack in 2019. And 38% of those attacked suffered a million dollars in damage. So you think about all of the manufacturers that are in the US, and 99% of them are small businesses, how many of them can afford a million dollars in damages? Not many. So why manufacturers specifically, right? Few manufacturers can be shut down for very long. What does that mean? That means that they are going to be willing to pay ransoms to get access to their systems.
They are often interconnected with higher payoff targets like the Department of Defense. Attacking a manufacturer can be newsworthy, especially when you talk about something like pharmaceuticals or food manufacturers or weapon systems. It’s very newsworthy. Not all criminals are after money. Some just want to make the news. This one up here, there’s a lot of use of technology that just isn’t very secure, like Internet of Things or Industrial Internet of Things. They’re typically not very secure.
So they’re easy targets. And there’s a huge lack of awareness and monitoring, which means that a criminal could get into a manufacturing network and not be noticed for a long time. So this last statistic is my most scary. This is from, I think it’s September 2019 to September 2020, I think that’s the timeline. And in that timeline, there was a 2,000% increase in incidents affecting the shop floor. 2,000%. Hmm. So, our appetite for advanced technology is rapidly exceeding our ability to protect it. That is why this is happening.
You think about, you know, I have pictured here advanced manufacturing systems, robotics, things like that. But think about the tablet, think about the laptop in the guy’s hand, everything that has a chip, everything that talks to something, everything that’s automated. All of that requires cybersecurity protection. And, unfortunately, many of us, we want the latest and greatest, and we don’t always think about the ramifications of that. All right, so I’ve gone through the tough stuff. I’ve talked about NIST MEP. I’ve talked about the scary stuff. Now we can get on to the actual fun stuff, and feel free to interrupt me as you see fit.
So another story from my past. I think I was about the same age, I think I was seven or eight years old, when this movie came out, Joe Versus the Volcano. And in that movie, Joe is fishing and he pulls up a hammerhead shark, and it is the most fake hammerhead shark you have ever seen. But ever since then, I have been terrified of hammerhead sharks. So this is just general risk management. This is how we operate in real life, right? There’s a threat, a hammerhead shark. The vulnerability: I have soft flesh, and I look like food.
Curt Anderson 11:20
Celia, I’m sorry, didn’t you tell me that story before? And where did you live when you watched that movie?
Celia Paulsen 11:25
Hey, landlocked Colorado.
Curt Anderson 11:31
You told me that before, I was dying. I saw that movie. It’s just such a classic scene with Tom Hanks. And
So fake looking.
Curt Anderson 11:41
I’m picturing you in Colorado. That’s awesome.
Celia Paulsen 11:43
Yeah. And, you know, maybe that had something to do with it. Maybe because I’d never seen the ocean, I was more afraid than I would have been normally. But yeah. Okay, back to this, the impact. Worst case scenario: death. Average case, though, is stitches. Likelihood. Now, Curt, when you saw my other version of this, I had it wrong. I had that there were two attacks annually. And I was corrected, saying that that statistic says it’s two attacks from great white sharks, not all sharks. Okay. So I went back and I corrected it. And there are 80 attacks annually, ish. Um, but like you said,
Curt Anderson 12:27
Not Colorado, right?
Celia Paulsen 12:29
Not in Colorado, just making sure. So, but think about this. This is how we think about risk in everyday life. You think about, you know, right now it’s really icy outside. So I’m thinking about, you know, what’s the threat? The ice. The vulnerability is I have bald tires on my car right now. The impact: I could die, or I could just have a really high bill. And the likelihood: pretty high right now, because of all those other things I mentioned. This is just how we think. We don’t often break it down like this. But it’s how we think.
So what do we do about it, though? There are four different ways we handle risk: we accept it, we mitigate it, we transfer it, or we avoid it. Accepting: a lot of times we have to accept that a threat exists. I can’t do anything about hammerhead sharks, unless I decided to go out and kill every single one of them. I’m not going to do that. So I’m accepting that they exist. Mitigate: I could, you know, mitigate the vulnerability by wearing a Kevlar suit.
Maybe I couldn’t swim very well if I did that. But mitigating is just anything that you do to reduce the vulnerability or the impact. Just to reduce it. Transferring: think of insurance. That transfers risk for, you know, if you have a car accident, it transfers the risk to the insurance company, usually not all of the risk, but, you know, a good portion of it. And then avoiding it: live in Colorado, and you won’t have to deal with sharks, right? Um, so what does this mean for cybersecurity? Yeah, I like talking about sharks, but I’m here to talk about cybersecurity.
So let’s go back to that. Thing is, cybersecurity is a lot less about the technology, and a lot more about people, a lot more about just how you think. So I have this cartoon up here, which I adore. And there’s similar ones out there for, like, all the different fields. But I like this one the best because, of course, it’s my field. But the one on the left, movie hacking, he goes through a whole bunch of gobbledygook that makes absolutely no sense. And real hacking is much more like, hi, Curt, what’s your password? Can I have your Netflix password? Sure, no problem.
That’s real hacking. It’s really simple. So we’re taking that risk equation I talked about and applying it to cybersecurity. The threat: now, this could be adversarial or non-adversarial. What do I mean by this? It could be a criminal, or it could be a lightning storm. That could impact your cybersecurity. Vulnerability: it could be, you know, something internal to your systems. You have, you know, a computer that hasn’t been patched in 100 decades, and is vulnerable to being hacked.
Or it could be external. It could be that your service provider has a computer that it’s using to run your systems and it’s vulnerable. Could be internal, or it could be external. Impact: the most common impacts affecting manufacturers, I think that’s on the next slide. But here, someone’s impact could be theft, just somebody straight up taking your information, your personal data, your intellectual property. It could be incorrect data. So think about, what if somebody changed a parameter on one of your systems? Or it could be a system malfunction or failure, a denial of service attack, where you just don’t have access to anything anymore.
Think about that when it comes to, like, your bank account, or, you know, it comes down to payroll, and you can’t actually access your payroll. Or think about it in terms of time, like, how long could you afford your business to be shut down? Then there’s the likelihood. And we talk about three different things when looking at likelihood: look at the capability of the threat, look at the intent of the threat, and you look at history. Now, unfortunately, for most of us, we don’t know the capability of the threat.
We don’t know the intent of the threat. So most of us look at just history. And that can be, you know, news sources, it could be, you know, subject matter experts, what have they seen. There are a lot of information sharing websites and resources out there that say, you know, these are the things that you should probably look out for. And that’s what we really rely on when we think about likelihood. I tried really hard to somehow tie that into, you know, mystery novels and how they do, you know, motive and all of that. It didn’t work. So this is what we got. Any questions so far? Be quiet.
Curt Anderson 17:28
So the question I have for you. So our show is e-commerce, you know, manufacturers. Do you encounter a lot of conversations about PCI compliance with your clients or in your space?
Celia Paulsen 17:41
You know what’s unfortunate? No. Okay? And I’m going to say PCI compliance, I’m going to skip this one. Okay. Um, so these are a bunch of common requirements that are out there, right? The first one: anybody taking credit card information has to be PCI DSS compliant, huh?
They don’t know it. Most people I talked to don’t know that. Right? And I’ve never heard of it. Could you share a little bit about, you know, for folks that are out here, our audience that want to get into e-commerce, what is PCI? I’m gonna be frank, in that most people don’t actually need to know very much about it, okay. Um, because most of it is taken care of by, you know, whatever company you use to take credit card information.
Visa will provide stuff and make sure that it’s compliant, and say, don’t use anything but this. That’s fine. That’s absolutely fine. Um, it gets more tricky when you come down to having a website and you start taking payment. Then you need to verify that that website says that it’s PCI compliant, and that it can take payment, right? But you don’t really need to know what it is. Right? Just make sure that everything you do that takes credit card information, it says it’s compliant.
Curt Anderson 19:11
Right, just don’t take credit card numbers over the phone and, like, leave the papers laying around, right? Yeah, I’ve actually had many characters that are just, you know, just starting out, and they, you know, they had never heard of PCI compliance. And they’re just, you know, like, the person in HR or customer service, like, hey, we got an order. And so we took the, you know, here’s the
Curt Anderson 19:34
Yeah, the credit card’s on the package, or, you know, the ticket that’s going through the shop floor. And I’m like, no, no, no, no, you can’t do
Celia Paulsen 19:42
Okay. So yes, in that case, you should know something about what PCI is. That’s all right.
Curt Anderson 19:49
Yeah. That’s some of the things that I’ve read. I’m like, no, no, no, no,
we’re into that.
Damon Pistulka 19:54
Yeah. Like, we can’t do that. No,
Celia Paulsen 19:57
But this falls under a broad category of privacy. I mean, PCI itself doesn’t. But the general idea is, if you are dealing with somebody’s personal information, whether it’s their name, their email address, their telephone number, their credit card information, anything that has to do with a person, protect it. Treat it as though it’s really important, right?
That means not writing it down on a sticky note and putting it up for everybody to see. Right? That’s not good. And the rule of thumb here is, treat it how you would want your information to be treated. Do you want everybody to see your credit card information? Probably not. So that’s the, I mean, general rule of thumb there. That’ll keep you safe 90% of the time. It’s just a general bucket: anything dealing with a human, protect it.
Damon Pistulka 20:55
Yeah. Well, one thing that I see with clients from time to time, and we talk about cybersecurity, and we think cybercrime, we think big stuff, right? But when you’re in e-commerce, what most people don’t realize when they start doing e-commerce is that if someone gives you a bad credit card, you’re on the hook for chargebacks. Yeah, and that can turn into a lot of dollars fairly quick. I had a client last year that, until we got it under control, you know, they had $5,000 in about a week.
And, you know, we got the right procedures in place, because they had had some government buyers, honestly. And the government buying with P-cards and other stuff is very unique in the credit card world, because the shipping address never matches the billing address.
So when you look at that in a system, and you’re going to be selling to government and commercial people in general, you need to have a system that can say, okay, this is a government buyer, and we don’t verify the shipping, or that those two addresses are the same. But this is not, or this is a first-time buyer, and we are, you know, locking it down. And then also, probably you want to have some sort of cyber fraud insurance, excuse me, to do it, because you’re just on the hook. You’re on the hook for the money. I’m
Celia Paulsen 22:15
gonna say something about the insurance, since you said have fraud insurance. You want to be especially careful that whatever insurance you’re purchasing, you make sure that it covers what you think it covers. Yep. Um, so many of them will walk away if they find that the cause of whatever happened is because you weren’t doing what you should.
Damon Pistulka 22:47
Yep. Well, you have to do it right, or you will not get reimbursed. And that’s where you have to work very closely with them to make sure you’re airtight on your processes, but it could turn into thousands fast.
Celia Paulsen 23:00
Well, some of the insurance companies will be really nitpicky. Like, you know, if you have a car accident, you know, they will look for ways not to pay for it. It’s the same way, they look for ways not to pay. Well.
Curt Anderson 23:15
Great tips. Yeah,
Celia Paulsen 23:18
yeah. Awesome. So yeah, I didn’t, I would have studied up a little bit more on PCI compliance.
It’s a good point.
Yeah, yep. No.
Celia Paulsen 23:35
Yeah. Um, so, you know, we’re talking about insurance and all that. Um, just a couple things, the most common things affecting manufacturers. Ransomware is the most common one that we see in MEP centers. And what that is, is somebody gets access to your network, to your systems. And they usually sit there for a while. It could be a month, it could be two months. And it’s usually an automated thing. It’s not a natural person that’s there, it’s some bot. But they sit there for a while.
And then at some point, a bomb goes off, they’re triggered. And it encrypts everything on your machines, on your whole network. And it makes it so that you can’t access any of your data. You can’t even, you know, open your computer without there being a big black screen up there saying, you owe us. And they do their homework. So they will say, you know, 50% of your revenue or something like that, but they know what that number is. They choose the number that they think you will pay.
And they will put that up on the screen and say, send this to us in cryptocurrency, and otherwise, you know, you won’t have access to your data. Now, it used to be that there was a really simple fix to this, and that if you had backups, well, then you didn’t care, because you just run your backups. And that would wipe away the encryption and you’re free. They’ve gotten more sophisticated, though, because they sit there for months, which is about the time that people have backups. And so now they’re in your backups, too.
So you run from a backup, and it’ll just encrypt it again. Um, so this is actually a huge problem. There are things to be done, like having good antivirus protections. But the key is this third one and fourth one here, social engineering and spoofing/phishing. Those are how people get access to your computers, eight times out of ten. And what this is, is simple. It’s that human aspect. It’s somebody calling you up and saying, I’m the password inspector, can you tell me what your password is? It’s the Nigerian prince saying, please send me money.
But they’re a lot more sophisticated now. So now, it’s your bank, sending you an email saying, we’ve noticed that there are some problems with your account, please log in. And it’ll have a login. And it looks like it’s from your bank. But it’s not. Right. So the biggest tip that I can give you right now, today, actionable: do not click anything. If somebody calls you and says, you know, I’m from the IRS, or I’m from your bank, I need to verify some of your information,
don’t do it. Hang up. Well, don’t hang up right away. Say, okay, I need to call you right back, I’m in the middle of something, give me your name. Do not call the number that they give you. If it’s an email, and they say that, you know, your bank has been compromised, don’t click that link. Go to the web, go to your bank’s website itself, log in that way, call the bank. You can absolutely do that. But do it from a phone number that you know is reputable, not someone that, you know, randomly calls you. Okay, biggest tip? Hands down. Don’t click anything. Don’t answer any information. Cool.
Curt Anderson 27:13
Let’s go. And Celia, those are phenomenal tips. And that was one of my questions I was gonna ask you, like, the most common, so you just hit that. My recollection, you shared, you have some really nice strategies, memorable strategies for password protection. Do you want to share?
Celia Paulsen 27:32
Sure, you would pick on that one. I don’t think I have a slide for that. Oh, no. So I don’t know. Let’s see. Let’s scroll down.
Curt Anderson 27:42
Wow. I’ll give everybody a hint. Every time I hear a Linkin Park song, I think
Celia Paulsen 27:49
That’s right. That’s me. All right. So, um, passwords. Passwords is the second way people get in. And it’s kind of getting up there. It goes up and down. So it goes right along with the spoofing, because what they’re really after is your passwords. We call them credentials. So they’re really after your credentials. So the best thing to do is to have good passwords that you change often. And don’t repeat them from system to system.
The problem with that is, the longer your password is, the better it is, but the harder it is to remember, right? And then you get these people who, I have a thing, I should have brought it. It’s a little woodblock that says, your password must contain 18 numbers, four digits, hieroglyphs, and the blood of a virgin, which I love. That’s how we see a lot of these passwords these days.
Right? So my tip, my tip for doing passwords: yes, you can write them down. Though, I mean, to say that you can write your passwords down, you can store them in a password safe. Just make sure that the password safe is an external device that you can lock into a safe, that if you’re writing them down, you lock it in a safe, and that, you know, only you have access to that safe, unless you die, in which case somebody important should have access to that safe too. Um, now.
Okay, so my tip: I use music lyrics, or used to use music lyrics, for my passwords. So then I change the letters to numbers and make it confusing. But, um, what Curt is referring to is, for a long time, all of my passwords were Linkin Park songs. And I would start singing Linkin Park songs all around work, and people got really annoyed with me. Um, but yeah, I use a song lyric. It can be really long, and they’re easy to remember. And, yeah, that’s my tip.
Curt Anderson 29:51
I love that. Could you, do you mind, can you go back to a previous slide? Because I know on the right side, you had the consequences of a breach. Can we touch on that? And we do have a comment. We have a question. So John, our dear buddy John, thanks for stopping by, brother. Verizon, as well as other carriers, flag potential spam on incoming calls. Helped when my extended warranty was up and in breach of my social number eight times a day. So that’s a great,
Celia Paulsen 30:20
Yeah, thank goodness for that, man. Except I am getting called by somebody every single day, from a different phone number, and it’s driving me insane.
Curt Anderson 30:32
And Jeff, our buddy Jeff in Jersey, he asked, what’s your opinion of a password service like Dashlane?
Celia Paulsen 30:40
Um, I don’t actually know that one. And, you know, I can’t promote or otherwise any particular technology. Yep. My recommendation is that it should be encrypted, and preferably, it should say that it’s FIPS validated encryption, or FIPS level, or NSA level. That’ll work too. But it should be that level of encryption. It should not be on the computer itself. So that includes software, although, depending on your application, software might be okay. But if you’re talking like a bank account, no. And definitely not browser based, definitely not.
Curt Anderson 31:25
Okay. Perfect. Cool. Excellent tips. And then we have one more comment that just came in from Eric: that password crackers and brute force technologies utilize dictionaries and processing power to work effectively. Passwords 16 characters or longer are generally effective, as they take years, sometimes eons, to crack. And so I said,
Celia Paulsen 31:46
No, I’m gonna correct that right here. Sure. Um, so that is true, like, longer is better, as long as the password... So he mentioned dictionaries, but I’m going to define what a dictionary is in this case. It’s not just Webster’s. They also have a compilation of every password that has ever been hacked before included in that dictionary. So if your password was hacked two years ago, on a different account, um, that, you know, gives it the time to crack it, and then they will try it on all the accounts they can find. So that’s why it’s really important to change your password, even if it’s long. Change it.
Curt Anderson 32:32
Okay, keep going. Right. And so I know, Damon, you’re a big ABBA fan, right? Bee Gees, ABBA, so we can go back to disco and pull those lyrics out. So that’s, we’ll be thinking, ready for it? Yeah.
Celia Paulsen 32:46
The trick now is, if you start singing the songs, everybody’s gonna know.
Curt Anderson 32:53
In play, we can’t use “Drop the Bomb on Me” anymore. For our, we’re gonna see, I’m gonna try. Sorry, we’re chiming in on your.
So that’s what I like, I enjoy who could I.
Curt Anderson 33:05
And again, I’m not sure how much you have left. But I’d really like for you to touch on this. This is really powerful for folks to take a look at. Well, you have the impacts. Can we touch on this real quick?
Celia Paulsen 33:14
Absolutely. So, you know, these impacts are not in order. They’re in an order so that I could put this whole 404 error sign in. But other than that, they’re not in any kind of order. But types of impacts. Embarrassment: this is, you know, if you are breached, your different states have different notification laws. And some are like, you have 15 days to send out a notice to all of your customers that you have been breached. That’s an example of a state-based notification law.
So all of your customers get a notification that your business was hacked, and their information may have been compromised. That is going to drive down business. That’s the embarrassment model. Now, on the other side, if your business is hacked, and, like, your website is defaced, or think about Zoom, and again, this is, yeah, remember my disclaimer. So Zoom had a big problem with Zoom bombing, right? People would find the information, log in, and especially this was bad for, you know, schools or children.
They would start playing inappropriate stuff. Zoom bombing caused huge embarrassment for Zoom, and they had to immediately react and do something to fix it. Misinformation could be something as simple as, this has happened to a small business: the website is up, somebody, a former employee from that company, is fired and is mad that they were fired, so they deface the company website to say this company is out of business. And that misled all these customers, who all of a sudden thought this company was out of business.
Simple things like that. This one is key: weakened ability to innovate. If you don’t have some kind of method in your business to handle risk, including cybersecurity risk, it hampers your ability to innovate. Financially, you know, you want to all of a sudden do business in Great Britain. Great Britain has privacy laws; maybe you can’t do business with them. Um, different things like this. But the most important one down here is out of business. Depending on the cost, it could put you out of business.
Curt Anderson 35:49
Yeah. And have you seen those examples?
Celia Paulsen 35:53
Oh, yeah. I've seen examples of all of these. Well, in fact, there was a statistic a few years ago that came out that said somewhere along the lines of 30% of businesses who experience an attack are out of business within a year. I don't know how valid that statistic is, so I don't include it, right, but it is there. So I want to touch on this slide real quick, because this is how we fix it in a business.
This is how we fix all kinds of risks, but especially cybersecurity risk. And it used to be frame, assess, respond, monitor, but the word respond got complicated. So now it's frame, assess, implement, monitor. You frame your business constraints. This is, you know, the legislation that you have to follow, the state-based rules that you have to follow. If you're in an industry like pharmaceuticals, there's going to be a lot of regulations that you're expected to follow.
Some of those include things that impact cybersecurity or impact your information technology networks. So that's the negative frame, the business constraints, but also frame your business goals. Where do you want to go? Do you want to start doing business in Europe? Is that a goal? Do you want to do business with the Department of Defense? Is that a goal? You need to have some goals for where you want to go, because this whole frame is going to scope your efforts; it's going to frame how you attack cybersecurity.
This is key, because if you don't do this, then it just becomes money going out the window like water. This is the frame for everything that you do, not just in cybersecurity, but any time you're dealing with risk. So then we assess. In cybersecurity, you assess the risk posture. This is where you are today. A lot of times it helps to have a third party come in and do this. This is where a lot of our MEP centers really focus: coming in and helping you assess your current risks.
Curt Anderson 37:59
And so if you don't mind, let's talk about that for just half a second. So just so everybody knows, for anybody not familiar with the MEPs, that's the Manufacturing Extension Partnerships. They are located in all 50 states. As, Celia, you said earlier, there's one within, like you said, most remote areas within two hours. Here in New York, I think we have nine or 10 different centers; Pennsylvania has like six or seven, Ohio six or seven. So again, they are all over, a great resource for our manufacturers. So, yep.
Curt Anderson 38:30
Yep. And as a matter of fact, real quick, Mike Womack from the New Jersey MEP is our guest next week, and he'll be talking about his MEP Center in New Jersey. So, great. Thank you. I just want to give a shout out to the MEP.
Celia Paulsen 38:43
I’m always happy to let you plug the MEP network.
Curt Anderson 38:48
Right. I know this, this loves that. Right?
Celia Paulsen 38:50
Absolutely. Come on. Why wouldn't I? Yeah, that's right. So the next one, though: implement. This is what I talked about earlier: you can accept the risk, you can mitigate the risk, you can, oh dear, avoid the risk. And I forgot the other one. But you can do all these things for risk. This is where it comes into play. To be honest, some of the risk you can just ignore, like you probably don't care about, you know, whether a nuclear arms missile is going to drop on your location, because frankly, if that happens, then we're all dead.
Mmm, good point.
Celia Paulsen 39:33
So you know, risks like that you can avoid. Things that are outside of the frame that you constructed, right? Maybe not worry about them so much. And implementing, like, is key, because you can have Fort Knox, you can build Fort Knox, sure. But what good would that do your business? Probably not a lot. So when we implement it, we do it based on the assessment and we do it on a business framing.
What now can we do to reach those business goals, meet those constraints, and help you be secure? And then monitor: this process never stops. This process goes on and on. That's why it's shaped like a nice car wheel here. It just happens all at once, it happens together, and it happens over and over and over again. But you need to have this ingrained in the culture. So I like to talk about it like safety. We had this safety push several years ago, right?
Safety first, safety first. It actually did work. A lot of people started paying attention to safety. Pretty much everybody knows the basics of safety for their job. It needs to be the same thing with security. Not just cybersecurity, but all security. You need to remind people: lock your doors, close the windows, you know, things like that. Same thing with passwords: change your passwords, run updates, do the basics over and over and over again until it becomes ingrained, and until it becomes part of the culture. Okay, what else have we got?
Curt Anderson 41:07
Damon, did you have a question?
Damon Pistulka 41:09
I've got a quick question. Because, you know, I've got a few friends of mine, they're in cybersecurity and, you know, there are two things they're talking about: two-factor authentication. So you know, I've got the old Google Authenticator and some other authenticators that I use. And I also use the one where it texts you to get a code to get in. Now, I've heard that those really aren't as safe as you think, because there are people out there that have your SIM cards and are just pulling that stuff, too. So what do you hear about that?
Celia Paulsen 41:41
So, well, yes and no. Okay. So this is like, people have a nice little tool that can run through all the frequencies of car door locks and steal your car that way. Yes, that is true. Does that mean it's worthless to lock your car every day? No, it doesn't. Okay. So the whole idea is make yourself a little bit harder than the person next to you.
Okay, good. That's a great answer.
Damon Pistulka 42:18
Yeah. Don't be the slowest person running away from the bear.
Celia Paulsen 42:23
Exactly. Yeah. You know, do what you can. The more you do, the better. And now, yes, probably soon somebody's going to come up with a solution to that, cell phone based two-factor authentication. But right now, it's still the best thing that we've got that is also usable.
Damon Pistulka 42:43
Okay. Good. Excellent. What else?
Curt Anderson 42:48
I think so. And this is phenomenal, Celia. So we've been just crushing it on time; we're at 2:15 on the East Coast here. Do you want to kind of take things home? Any takeaway for everybody that they can apply?
Celia Paulsen 43:03
You're going to share them? Are you going to share these slides with everybody?
Curt Anderson 43:07
If, are we allowed to?
Celia Paulsen 43:11
Oh, absolutely. Okay. I'll just say, in these slides there are these two documents. One is the Small Business guide, and that's for most companies; it walks you through the process of evaluating your company and identifying specific cybersecurity protections. I'm currently updating it, but don't let that sway you. The second one is more advanced. And this is specifically for God, but anybody can use it.
And it's for manufacturers, but again, anybody can use it. It's just more advanced. But then, taking us home. Do now, please, right? As soon as we get off of this, go change your passwords. And also find out, you know, get with your legal team, get with whoever, just to make a list of all the requirements that your business falls under.
And then you can start going through those and identifying the cybersecurity aspects of them. This month, go to that Small Business guide; just go through it. It's really simple. It's down-to-earth, easy. Do an inventory of everything that has a chip, everything that has a chip, just do an inventory of it, and talk with any service providers that you do business with, and set up a time to go over your contract so that you can find out what they are doing to protect your information. That's all I've got.
Curt Anderson 44:30
Now, they can, so I've dropped your LinkedIn profile in the chat box. So please, everybody, connect with Celia. Can they, are they welcome to connect with you directly? Absolutely. So please connect with her directly.
Celia Paulsen 44:43
I’m a little bit slow on my LinkedIn responses, but I’ll be there.
Curt Anderson 44:47
Yeah, sure, I'll get around to you. But I have another question here for you. Thank you. I tell you, you guys have been great. Thank you for the conversation here. This has been very eye opening for me. This is a big one; we are not experts here. And so Eric asks: hi, I have a concern/question. In dabbling with software development, my biggest concern is zero-day attacks or unknown vulnerabilities. I'm curious to know, are there any ways the panel would suggest to actively and periodically audit my infrastructure for vulnerabilities? Great question. So
Celia Paulsen 45:22
I'm going to list off a few numbers. Those numbers are NIST SP 800-160. So for Eric, if you're dabbling in software development, please take a look at NIST SP 800-160. Now, that is our how to build things with security in mind. And it talks about zero days. And if you're following certain best practices in the development, it reduces your chance of having those zero days. And there's testing and things like that. But here's a key. Oh, I stopped sharing.
But, well, no, we won't go into that. There are different parts of the risk equation, right? You need to be able to identify a risk: identify, protect, detect, respond, and recover. The two key ones in this are respond and recover. So with a zero day, there are unknowns; you need to be able to respond to them anyway, and recover from them anyway. So have an ability to go back into a system and shut it down, have some process in place that you can apply whenever something happens.
Curt Anderson 46:40
Wow, that was, what, great is this? Yeah,
Damon Pistulka 46:44
I've got an example. Just because we're listening, and we're talking about manufacturers here. I've got a friend of mine that runs, you know, a manufacturing company, and they had this old, big plasma cutter, right, and it wasn't connected to anything else, but it was connected to the internet for some reason. And someone even hacked that old thing and killed it. They ended up having to, you know, go to the manufacturer, get a new hard drive, start over from the beginning and load everything up, and have them come in and reset it and rerun everything. So old stuff sitting there, don't forget about that.
Celia Paulsen 47:19
A kind of scary case study that was in the news several years ago, but it was a plant, I don't remember what they were building or doing. But they had a very old system. And somebody was able to hack into it and turn off the safety switch for the heat. And so it overheated. And the problem was that nobody shut it down. It welded itself together. So think of, you know, having to replace something that had just gotten welded. Okay. Yeah.
Curt Anderson 47:54
Wow, a couple more comments here. So Stan, she, she had challenges she come snia, great to see you. I know you and I are connecting in another week or so. And Eric: I've had to recover from an attack before, and you're exactly right. The ability to respond, recover, saved my server.
Celia Paulsen 48:09
So I am so happy to hear that.
Curt Anderson 48:11
Yeah, it is. I, you know, it's just horrible. We don't even need to have these conversations. It's just awful that, you know, folks are just so malicious. And like you said, you know, if they're chasing money, you know, just think if they put their time and energy into productive things, how much, you know, my goodness, they could create the next Facebook or the next SaaS product. And instead, they're trying to, you know, cut a corner, maliciously. But just thinking of those that aren't even after money, that just, like you're seeing, just do it for being newsworthy: shut down the machine, shut down a community hospital. It's just, it really, it's sad.
Celia Paulsen 48:46
And you know what's sad to me, and this is not representing NIST, I should be very clear about that. But what's sad to me is that a huge majority of the attacks that happen are taking advantage of somebody's goodwill. So yeah, they're trying to do the right thing, and here's somebody taking advantage of that. And I hate that.
Curt Anderson 49:08
Absolutely. Yeah. So, guys, we're at, man, Celia. Yeah, I'm big, big applause, like talking.
Curt Anderson 49:16
Virtual applause. So guys, again, I've dropped Celia's LinkedIn profile; please connect with her. She had her email at NIST. She is a federal agent, federal agent, right? Is that a good way to describe you? So she is an Army veteran, if you came on late and you missed that. So Celia, thank you for your service to our country. Thank you for your continued service as a civil servant, saving our manufacturers, protecting everybody.
Guys, we're gonna drop over if you're on with us here. We're going to head over to the tables. You can talk with Celia, continue the conversation one on one, guys. Chris Harrington, President from Gen Alpha, just dropped a note. She's our speaker in two weeks. Chris, I can't wait to hear what you're going to talk about. You and Celia, so you have a little conversation about what you guys have going on. Damon, take it away. Thank you, brother. Appreciate everything. Celia, thank you.
Damon Pistulka 50:07
All right. Well, thanks a lot, Kurt, Celia. That was incredible. Once again, I'm just going to talk to everyone on LinkedIn for a second here. We're shutting down on LinkedIn Live, but thanks for joining us. Thanks for the comments there. And we will be dropping back to the tables.
Curt Anderson 50:22
Thanks, guys. Have a great weekend. Thank you.