Is your business vulnerable to a cyber attack? How well-protected are you? In this episode, Steve Sanders, the Chief Information Security Officer for Computer Services Inc, CSI, shares his insights on protecting your business from a cyber attack. The derailment of your business through cyber attacks will drastically impact your business, and nobody wants to put their business at risk. As business owners, we need to train our employees on how they can protect themselves from cyber threats. Would you want to risk your business and stay vulnerable to cyber attacks? Gain more insights from this conversation with Steven Sanders.
—
Watch the podcast here
Listen to the podcast here
Risk vs Innovation: Is Your Business Vulnerable To A Cyber Attack
This show is a little bit different than what we normally share. Usually, I love to share about the people side of business, the people issues and leadership, but now we are looking at those threats to your leadership as we invite our guests, and let me tell you who he is. It’s Steve Sanders and he is a Chief Information Securities Officer at Computer Services, Inc., CSI, an innovative service-first technology provider offering leading FinTech, RegTech, and cybersecurity solutions.
Steve oversees the information security governance program for CSI, ensuring the proper controls are in place to protect CSI’s customer’s data and CSI’s infrastructure and information. Steve regularly speaks to business leaders about cybersecurity from conferences to boardrooms. He uses these platforms to help CISOs and other security leaders think of the cyber challenge as a business problem instead of a technology one.
He also emphasizes the importance of a strong human layer as an essential accent to a strong information security program. Similarly, he frequently gives presentations to boards of directors and senior leadership teams helping to lower the technological hurdles, preventing a clear understanding of cyber risk, which empowers better decision-making. Steve, welcome to the show.
Thank you. I’m excited to be here.
We met when I was speaking at an organization for CISOs. I was speaking at your conference all about personal branding and building your brand and we connected on LinkedIn and all of that. I think you have a wicked sense of humor. It’s always fun to listen to and watch your comments on things. Do you think you have a sense of humor?
Sometimes. Some people don’t get it, though.
I did say it was wicked. You have to think about it sometimes, but I am so thankful that you joined us because when we talk to leaders, and we are talking about building confidence in leadership, one of those things, leaders are often asked to do is SWOT analysis and looking at your strengths, weaknesses, opportunities, and threats.
In your bio, you speak to business leaders about cybersecurity and the technology threats to their organizations as a business problem. It’s not something to be taken lightly in this age of technology that we live in. Talk a little bit about that and then we are going to get into how you became who you are.
Many times, having been such a technology-focused issue for so long, many of the senior leaders in organizations tend to believe this is something that’s handled by the technical teams. They don’t realize the risk that it poses to the organization, the risk it poses to them and the plans they have put into place as you draw out what you will do in the upcoming years. It’s not hard to envision a major cyber incident derailing all your plans. Ensuring that you have the right controls in place to keep this risk from becoming something that affects you is important.
Let’s go back in the way back machine a little bit and tell me how did you become a CISO?
That’s an interesting story and we probably don’t have long enough to go through the whole thing, but I spent a number of years working as a laborer in a steel mill and got laid off from that role. At that point, I decided that I needed to pursue something I wanted to do in life and began looking around at what that would be. I ended up getting an education that prepared me for this. I spent seventeen years as an auditor prior to that and had got into this field through audit. When the CISO role came open, it was an area I already had interest and had already proven myself. It opened a door for me and now I have been in this role.
I love to see people’s journey because, a lot of times, a lot of people don’t start where they end up. They started one way, thinking, “This is going to be my career or my journey,” and then you take a turn and you end up somewhere magnificent somewhere else. I never imagined I’d be doing what I’m doing now. Never in my wildest dreams. I’d love to hear the ins and outs because it gives people hope.
If something fell through, listen, it might not have been where you needed to be. Keep yourself open to opportunities and always keep learning. We are getting back to major threats when you are looking at organizations because, as a leader, you might think, “The technology will take care of itself. I have to focus on the vision, mission, keeping innovation, and all these things in the forefront of what we are doing in the company,” all the people issues and all of that. How can you help them start thinking that you need to think about aside from the technological side of the threat, how do you layer the people into that threat because we are all using technology?
The world has changed a lot. We are all very connected and we are very vulnerable. If we think about security, the more you tighten security down, the less people have the ability to do what they need to do as fast and as easy as they need to do it. There’s always a compromise there and you have to make the right decision based upon your risk for that. With that in mind, some of the bigger threats especially impact an innovative, very fast-moving business.
We can point to ransomware as an example. We hear that on the news all the time and many people think, “I’m not a Colonial Pipeline. Why would someone target me?” The Colonial Pipeline didn’t think they would be targeted either. The bad guys know that if they take a business that has money or appears to have money, and in some way, they hold their files ransom either by encrypting them or, more commonly, stealing those files and saying, “If you don’t pay me, I’m going to release these to the public.”
If a business isn’t prepared to deal with that, it can put them into a position where they may lose a lot of data, go through a very embarrassing situation, or end up having higher experts come in six months or a year. They are trying to recover from this before they can even continue down the path they want to do. It causes them to lose confidence with their customers, suppliers, regulatory bodies if they are involved, and employees.
You have all these different factors that can affect the direction of a business if it gets derailed by that. Similarly, the crown jewels of a company are at risk all the time. If a hacker were to get ahold of sensitive company documents that maybe have things you don’t want to be released to the public, your customer list, or the secret sauce of what makes your business work.
If these items happen to be compromised either through an employee sending them through an unencrypted email so that it can be intercepted rather easily or someone gets into your system and steals those things. It’s important to have thought ahead of time, what risk do we have to this and how would it derail our business? What would the impact be to us if this happened? Are we putting the right resources toward that, either through technology, training, or insurance in some cases?
It all sounds expensive.
They are. If we understand what the risks are, we can make good decisions based on that. Unfortunately, cybersecurity is a bit of a thankless industry unless you have a problem.
It’s like insurance too. It’s until you have something catastrophic happen, you are paying this stuff. It’s usually the first thing to go when things get tight. It’s like, “We are not going to need this and all this.” Talk to me about the risk employees. To me, that sounds like one of the bigger risks because it seems like it’s an easy in for hackers. What is the risk of your employees not being trained properly to handle cybersecurity issues?
Most employees think this isn’t my problem. The IT people are going to take care of me. Every level of the company believes that many times that, “IT is going to take care of me.” They don’t realize how vulnerable they are if, for example, a phishing email comes in. Let’s say you are in the accounting department and a phishing email comes in saying that there’s a wire that needs to be paid and it looks like it’s coming from their CEO and instead your CEO’s been spoofed. All of a sudden, you send out a wire for $500,000, perhaps. The money is gone. You have lost that money. With a little bit of training, that person might not have fallen for that.
What it boils down to is ensuring that your employees understand what the risks are, understand their roles in protecting them. They are the front line of defense. That doesn’t take away the technology. That’s important. Technology can be your defense too, but your employees play a key role. They can be, for lack of better terms, a town crier. If something looks bad, they can sound the alarm so that everybody becomes aware of whatever that is that looks funny or they can get the right people involved quickly. Unfortunately, it’s not enough to know those things though because many people know them.
They know it in theory, but they will still click on the email. We have been trained to click.
We have been trained to do things. We have to rethink how we go about that and ensure that people understand the risk it poses to them and the company. One of the things I tell a lot of organizations when I train them is we have an obligation to train our employees how to protect themselves in their own lives. If they are wise in their own lives, if they are cyber smart in their own lives, they will be cyber smart at your company as well.
Train our employees how to protect themselves in their own lives. If they are wise in their own lives, if they are cyber smart in their own lives, they will be cyber smart at your company as well. Click To Tweet
A lot of people have their websites stolen. I saw an ad for someone who had their website stolen. Their social media was hacked. Someone spoofs their social media and sends stuff out to all their contacts. It’s about learning how to practice being online and being vigilant online. It’s like when you are walking down the street. You are not going to walk down the street in a dark alley, you see something suspicious and you are going to continue down that road. You are going to turn around or go somewhere else.
We are trained in the physical world to do that, but we have to start training ourselves that if we get a strange message from someone that we think we know, why are we clicking links? I text people and I said, “Did you send me something? I’m not clicking on a link. You didn’t tell me that you were sending me this or what this is. I’m not clicking on the link. Sorry. If this was something important, I’m not going to click on it.” They are like, “You are so paranoid.” I’m like, “Yes, I am.”
That’s music to my ears and I like to think of it this way. If you were to leave your front door wide open while you went out for the day, that’s irresponsible. We are leaving our technology front door wide open and that’s where all of our most important information in the world is in these technology systems, from our bank accounts to documentation and scans.
Social Security and all that.
There was somebody that had their iPhone hacked. They offered to pay, let’s say, it was like $200,000 to have Apple help them get their access to their Apple account back because all their family photos were caught up in that account and they had no record of a deceased person other than that. It cuts pretty deep when we think about it from a different perspective that again, “Do you leave your front door to your house open?”
We don’t know what we don’t know about all this stuff until you get hit with it. I was doing some work on Google looking for something. I didn’t even know that I clicked anything, but suddenly I got this, “Warning, you are under attack.” Thank God I know some people in your industry, and I immediately texted.
They are like, “Don’t touch anything. Let me send you a link. You follow the instructions on this link to clear it up because it’s not an attack yet. They are trying to get into your system. They are putting all this stuff so they either want you to call something or click this link or something and then that gives them access.” It’s like as soon as that warning popped up and the sounds and the alarms were going off, I texted immediately. I was like, “Thank you for answering my text.”
You have got a good list of friends.
I was able to shut everything down, follow the instructions, and wipe it out. I thought I was about to lose everything. Sometimes that’s what happens. What is that called? Is that a phishing?
It should be phishing, depending on how it came in, but it’s usually some form of malware that is attempting to fool you in something’s already happened, and through that, they, in turn, infect you. You are not infected yet with the bad stuff.
They make it seem like you have been. They say, “Don’t turn off your computer or you lose everything. Don’t shut down, call this number immediately or click on this link,” and a lot of people fall for that because it immediately sends you into panic mode. It’s like, “I have to do something.”
The bad guys are smart. Sometimes they are out to steal some money. They will call your number and they will say, “I’m from Microsoft and I’m here to help. Unfortunately, it’s going to cost you $450 to clean up this problem I found on your computer,” and people pay that. To quit monetary loss, which might not affect the business so much, it’s that susceptibility that we have in everything we do online, which might be helpful.
We have to train ourselves online to be more responsible with stuff. Try to use a lot of encryption. A two-factor authentication. It’s a pain, but it’s safe. It’s that extra lock on your door. What are some of the tools that you recommend for smaller businesses, for instance, to use if they can’t have a CISO on staff?
Cyber Attack: We have to train ourselves online to be more responsible with stuff. Try to use a lot of encryption. It’s a pain, but it’s safe.
It could depend a lot on the type of business. You mentioned the number one thing and that is multifactor authentication. That is critical. If you have your data stored anywhere in the cloud and you don’t have multifactor authentication enabled, you’re negligent. It’s so easy to hack into accounts without that. The second thing is be sure that you are updating systems appropriately. Never run anything that is out of date.
Hire a good IT team to put a good firewall in front of you to be sure that you are protected from the attackers that could come in. You mentioned the encryption and that’s important. It’s more important when you are emailing something that if it’s sensitive, that you encrypt it. Most people don’t understand emails more like a postcard than it is a sealed envelope. It’s not that hard to see email if you can interject yourself between the two points where it’s being transmitted. Encryption is important if it’s sensitive.
It's not hard to see an email if you can interject yourself between the two points where it's transmitted. Encryption is important if it's sensitive. Click To Tweet
Those are some almost table stakes, and let me add one more to that. Many people think when you say updating software or patching that you are thinking about Windows. One of the most vulnerable pieces of software out there is a third-party application, which I’m not going to call out on the show. Being sure that whatever it is you are running, that you are updating that too. Whether that is an Adobe product or industry-specific product, whatever that is, all these third-party applications. Your browser, when Chrome tells you are out of date, there’s a reason they are telling you that. Update it so you can protect yourself.
Always don’t wait to run the update. When the update comes in, run the update because there’s a patch for something or they have updated something that they see is vulnerable somewhere. Update those phones and passwords. That still is a challenge for people.
It is and that’s part of the reason multifactor authentication is so important because we are weak when it comes to passwords because we don’t want to have to remember this totally random crazy password.
For someone who’s dyslexic like me read, I never get it right.
It’s interesting because the perception around passwords has changed over the last few years and it’s become where many people say to just come up with a good strong password and never change it but have good multifactor authentication in place combined together. The theory is that if I’m asking you to change your password every 90 days, which many companies still do, if I’m asking you to do that, what’s the likelihood you are going to write that password down?
You are going to write it down because you are not going to remember it.
There are some debates still out there about it. The key point to take away from that is it is important to know how to make a good password. That’s critical and then it’s important to have that multifactor authentication enabled in every single case.
Don’t use obvious things as your passwords. If you have to use something that’s obvious, throw a couple of monkey wrenches in there so it’s not straight. It’s not your name and birthday. Throw a few things in the middle of it so it does break it up a little bit. If you can’t think of a password and you have to use your name a birthday, put your street address with it or something or where you grew up in the middle of it. Nobody remembers. All great tips. What is something else leaders are missing or not aware of when it comes to data security and especially updating laws? I don’t know if the laws are keeping up with the technology.
With cybersecurity, in many cases, they aren’t, and part of the problem is we don’t have lawmakers who are typically cyber experts. Many times, it’s also it’s thought to be a business’s problem rather than the government’s problem. People are pulling and tugging, trying to figure out what the right place to be is. If we pivot over to privacy, the laws are changing all the time.
For example, if I remember correctly, a trucking firm was sued for $60 million for not protecting data appropriately according to privacy laws. This is not a small sum of data. That trucking firm, by the way, were in violation of biometric law out of Illinois if I remember right. You have all these laws that you might be required to comply with monetary penalties and, in many cases, the ability to be sued. We got this. You have healthcare and all these other things. Understanding what laws apply to you specifically around privacy are important things to do.
If you are a small business owner, how do you understand that you have to contact someone in cybersecurity? You are like, “Who do you go to find out if I’m in violation? How do I fix this?” Who is that person? Do you call up Best Buy?
Probably not. That’s a tough one to handle. What I would recommend is paying attention to the Chamber of Commerce or other business organizations who are bringing in someone who can speak business about these cyber risks and be sure you attend that. Don’t think this is a technology session or push those organizations to bring in someone who can speak business to help you understand what the real risks we are facing are. What questions do we need to be asking?
It might not hurt to even join an organization regarding privacy, for example. You can even join email groups that send out email blasts that alert you to the latest changes. You have to think about the level of interest you have and how much you are willing to invest in it. That’s going to vary depending on how big your business is and how much capacity you have, but at a very minimum, somehow keeping yourself abreast at least once a year about what’s changing.
A lot to consider here and I’m glad that we did this show because I don’t think cyber-attacks is a top priority for a lot of small businesses or even leaders in organizations in mid-level leadership. They are not thinking on that level that I need to pay attention to my people and making sure that they are handling cyber risk effectively. Those upstairs to think about like that’s not my concern, but it’s is everybody’s concern, isn’t it?
That’s exactly right. One thing I would say to any business leader is first, you need to understand what it would cost you potentially if you had a breach and you could think about that in a lot of different ways. If you have a lot of customer records, one thing to think about, it’s about $250 a record if you are breached. For example, your organization with lots of customer information, but figure out what a potential breach might cost and then realize that the statistics vary quite a bit. You have got a fairly high shot in the next 3 to 4 years of being breached. If that happens, are you willing to take on that responsibility or do you not want to be the easy pickings?
Cyber Attack: You need to understand what it would cost you potentially if you had a breach.
Thank you so much. This has been incredibly informative. We are talking about confidence in leadership. If your confidence in the security that you have right now isn’t high, mid-level or low, it’s time. This is the wake-up call. This is the alarm sounding. It’s time to pay attention to this and be very intentional about how you are protecting the valuable assets of your business that are online and how you are doing business.
You know what I find, especially businesses in that mid-level range that are scaling and starting to grow rapidly and they are having so many people come on board that they don’t even have the opportunity to train them properly for the job that they are doing because they are hiring so quickly. How do they train them to be cyber-savvy in all of that? Especially those mid-level businesses, as if you find yourself in a growing scaling position, you are vulnerable.
I could offer a quick piece of advice there. I would say those companies need to look at fractional CISOs or look at bringing in an adept consultant who could give them a full run-over and offer them some advice.
I’m working with companies who are that building, scaling, and bringing people on. I didn’t even think, “Cybersecurity. All these people coming in. Are they even paying attention to their email addresses?” They are off to the races. “You are doing business now. Great. ‘Thank you so much. I’m going to shift gears a little bit because I could talk forever and ever and just try to get as much information out of you as possible. I’m going to honor your time and your day. We are going to jump into our rapid-fire and have you share some leadership stuff and some fun stuff with us. Are you ready?
I’m ready.
As you were rising up through the ranks, what has been either the biggest leadership mistake that you were a victim of or that you made yourself?
Probably the biggest leadership mistake that I have seen a lot of people make is not thinking big enough about where you want to go and then not having a mentor that can help guide you to get there.
That’s the first time I have heard that one. Not thinking big enough. My next question here is, what is the best leadership advice that you have ever gotten that you still implement now?
The most important lesson I have learned is that when you are in business, everything is a business decision and you have to be able to talk the language of business. It doesn’t matter if you are in IT or marketing or any other part of the company. You have to be able to talk business. Educating yourself in that way so you can speak the language that’s important.
When you are in business, everything is a business decision, and you should speak the language of business. Click To Tweet
You said you worked in a steel mill and made the switch when you were laid off. What, in your opinion, was the most Jedi or audacious leadership move you have ever made that was so out of the box but worked, or are you pretty much in the box guy?
I have done some out-of-the-box things. Maybe not exactly where you are going to expect me to go on this, but being yourself is out of the box because everyone tries to fit into a pattern of what they think everyone else expects. We lose the advantage of who we are when we try to mold ourselves too much to what other people expect.
We need to understand what our own strengths are and what we bring to the table and we need to utilize those strengths, the areas that were weak. We need to build those areas up if we can or we need to figure out how to mitigate them if we can’t. We shouldn’t pretend to be someone else. I am who I am and I’m where I’m at because of who I am. If I’m fake about that, there comes a point that runs out.
That’s awesome and that’s the work I do. Be more of them themselves and be confident in that, understanding their strengths, digging into their strengths. I’m imagining. This is not one of my rapid-fire questions, but as CISO, they brought me in to talk about personal branding because the people wanted to hear more about an opportunity to be themselves more effectively as technology officers. This is one of my rapid-fire questions. If you were a castaway on a deserted island and you could only have three things either wash up on shore or airdropped to you, what would those three things be and one of them cannot be a cell phone?
The Boy Scout in me is going to come out here. I need a good fixed-blade survival knife with aa piece of flint so I can start a fire and cut. I’m thinking water purification next. A Kelly Kettle camp stove, so I can boil water. I’m leaving out all these things I would want while I was alone to enjoy the time. Third would be a waterproof bible, so I’d have something to read and keep my hope alive.
It’s very thoughtful. Your Boy Scout came out where you’re thinking survival. I saw that movie Cast Away. As the FedEx boxes were washing up onshore, hoping that there’s something in there that he could use and it wasn’t the pocket knife. Who is someone that inspires you every day?
There are a lot of people I would probably put into that list, but moved my mind in years more towards people who have thought differently about the world. One of those that stands out to me is Ray Dalio. Ray Dalio wrote a book called Principles, which is outstanding. He approaches life through a principled approach, meaning he defines what his principles are and he doesn’t violate those principles. That’s how he approaches life. I look forward to seeing posts by him on a daily basis.
PRINCIPLES: Your Guided Journal
Within the same line of questioning is if you could choose one person, real or fictional, alive or past, who would you want to sit down and break bread with?
I would enjoy having lunch with Warren Buffett. I would like to pick his brain.
More about business.
You could pick a lot of people. That changes with my mood. I can think of spiritual aspects of that or Freddie Mercury with Queen talking about their rise. It could be a lot of things, but right now, Buffett stands out.
My final question about this is, what are you reading right now? Do you have three of your top favorite books that you’d like to share with our audience? Readers are Leaders.
I’m not going to give you three of my favorite books because that would change every day. I love to read and I keep a large list going at all times. Let me tell you what it is because I won’t remember all of them. Chip War, that’s about the semiconductor industry. Decisive, Chip and Dan Heath. It’s an older book by them, but it’s good. Reading Romans with Eastern Eyes and that’s a spiritual book. The Family Tree Guide to DNA Testing and Genetic Genealogy.
We have to fit this on a thing now.
Let me add a few more. The Incerto series and Execution. I have got nine books going right now. We will stop with those.
What’s your favorite way to read books?
It depends. I like reading on Kindle, but I also like audiobooks. I don’t read paper books much anymore, so it depends.
I love the feel of that paper.
I do too, but I like carrying my Kindle with me everywhere. I like the smell of a book too. If they could put that into a Kindle, it’d be great.
That and a new car smell. Come on. I appreciate you. How can people get ahold of you if they have more questions?
LinkedIn is the best way. My account is Steven R. Sanders.
I encourage you to go ahead and connect with Steve on LinkedIn and look out for his posts and his comments.
It’s been great. We have covered a lot of ground.
I want to congratulate little Ezekiel, your grandson. Congrats on that. What are you going to teach him about leadership and being confident?
I’m going to teach him to remember that how you treat people says a whole lot about who you are, no matter what you do in life. Always be yourself.
Thank you so much, Steve. It was my pleasure.
Mine too.
For those of you reading, I want to encourage you to lead yourself, your teams, and your organization with audacious confidence. Until next time.
Important Links
- Steve Sanders
- Principles
- Chip War
- Decisive
- Reading Romans with Eastern Eyes
- The Family Tree Guide to DNA Testing and Genetic Genealogy
- Incerto
- Execution
About Steven Sanaders
Steve is the Chief Information Security Officer for Computer Services, Inc (CSI), an innovative, service-first technology provider offering leading Fintech, Regtech, and Cybersecurity Solutions.
Love the show? Subscribe, rate, review, and share! https://aliciacouri.com/podcast/