Episode 16: Nick Espinosa on Cybersecurity

The month of October is Cybersecurity Awareness Month, and this week’s podcast features Nick Espinosa, an expert in cybersecurity and network infrastructure. Nick has consulted with clients ranging from small businesses up to the Fortune 500 level for decades, and he’s the Chief Security Fanatic at Security Fanatics, a cybersecurity and cyber warfare firm that’s dedicated to designing custom cyber defense strategies for medium to large enterprise corporations. Nick is also a TEDx speaker, a regular columnist for Forbes, an award-winning co-author of the best-selling book Easy Prey, and he’s also the host of The Deep Dive, a nationally syndicated radio show.

Nick and Joshua talk about cybersecurity in the publishing industry, including the value of doing an assessment of your threat tolerance, the threat of ransomware to publishers, two-factor authentication, and other related topics. Nick gives his recommendations to publishers for securing their data, talking with their team about security, and more.

Follow Nick online at:
LinkedIn: https://www.linkedin.com/in/nickespinosa/
Twitter: https://twitter.com/nickaesp
YouTube: https://www.youtube.com/nickespinosa
The Deep Dive: https://soundcloud.com/nickaesp/sets/the-deep-dive-radio-show

Transcript

Joshua Tallent 

Before we jump into today’s episode, I just wanted to say a quick thank you to everyone who has taken the time to submit a response to my survey at the BookSmarts podcast website. So if you go to https://booksmartspodcast.com/survey, you’ll be taken to a quick survey that just kind of goes over a couple of questions. I’m trying to understand better how people enjoy the podcast, what they like about it, what they don’t. If you would take just a couple moments and fill that out, I would really appreciate that. For those of you who have filled it out, it’s been really helpful to me to see, you know, what kinds of people are listening, and what topics you really enjoy and what types of formats you like. So thank you so much for that. And now we’re gonna jump into a really interesting episode about cybersecurity. So here we go.

In this week’s episode of the BookSmarts podcast, I’m excited to be joined by Nick Espinosa. Nick is an expert in cybersecurity and network infrastructure. He’s consulted with clients ranging from small businesses up to the Fortune 500 level for decades. He’s also a security researcher who knows a whole lot more about security than I will ever know. And he’s the Chief Security Fanatic at Security Fanatics, which is a cybersecurity and cyber warfare firm that’s dedicated to designing custom cyber defense strategies for medium to large enterprise corporations. Nick is also a TEDx speaker. He’s a regular columnist for Forbes. He’s an award-winning co-author of the best-selling book, Easy Prey. And he’s also the host of The Deep Dive, which is a nationally syndicated radio show. So Nick, you’re very busy. Thanks so much for joining me on the BookSmarts podcast.

Nick Espinosa 

Thanks for having me. Glad to be here.

Joshua Tallent 

So Nick, the month of October is cybersecurity month, and you’ve been obviously very busy going around and talking about this. So tell us a little bit about what cybersecurity month is about and kind of what you’ve been working on, to help raise awareness for cybersecurity among businesses?

Nick Espinosa 

Sure, well, one of the biggest problems that we have overall in cybersecurity is simply awareness, people don’t understand just how insecure or unsafe the world can be. You know, when you walk into, for example, that local coffee shop and you connect to their wireless, a lot of people don’t know, you’re actually exposing your device onto a network that you don’t know, and that you don’t control that has other devices on it, that may or may not be malicious, knowingly or unknowingly. And so Cybersecurity Awareness Month was essentially created to make sure that there was a uniform push in the cybersecurity community just to make everybody aware to say, hey, you know, stop and think, you know, do you really need to help that, you know, Nigerian prince with his revolution, you know. Is grandma, really, you know, getting robbed, and you need to send her money, like all of these kinds of things that, you know, we kind of take for granted that just happen all the time are a huge problem. And it’s interesting, because one of the things that I’ve been talking about for years, especially when I’m on stage, or, you know, on my radio show, and nobody knew what I was talking about was herd immunity. And thanks to COVID-19, now, everybody knows what herd immunity is. And I like to talk about herd immunity and cybersecurity. And that really comes down to the education side that if we are all aware, we have much less of a chance of getting infected. But that also means that we have much less of a chance of infecting others. And so we’re all in this together, because we’re all connected on the internet. And that’s in part, I think, what Cybersecurity Awareness Month is all about.

Joshua Tallent 

Yeah, that’s good. And so you also serve on the steering committee for the COVID-19 Cyber Threat Coalition, and you’re their spokesperson, too. So this, obviously, we’ve seen a lot of hacks and things that have happened over the last couple of years. And I think, you know, the movement to so many people working from home, I’m sure has led to some of that. So can you give our listeners just a brief overview of some of the cybersecurity threats that you’ve encountered in the last couple of years? And some of the things that you’ve been working on with that COVID-19 task force?

Nick Espinosa

Yeah, well, I mean, obviously, you know, we’ve had a huge problem with ransomware. Ransomware continues to explode, which actually is really becoming a reckoning for the cyber insurance companies of the world, because they are now really, I think, starting to figure out that their model just hasn’t been working. And we’ve all been underpaying them, you know, but yeah, we’ve seen a huge problem with COVID-19, and it’s actually one of the reasons why the COVID-19 Cyber Threat Coalition was formed. It was actually formed by Joshua Saxe, who is the Chief Data Scientist over at Sophos, which is a threat detection company; they make firewalls and antivirus and all of that. What we saw in the cybersecurity community was essentially a singular moment that we had never seen in cybercrime before in the history of the internet: one specific lure was what all of the criminals were using, and that was COVID-19. And we had never seen that. Usually, in normal times, you know, you’ve got one cyber gang running one crime, another one running a different kind of scheme and all of that. But the underworld collectively came together and said, No, we’re all going to use COVID-19 because everybody is freaking out about it. And so we started to see very specific COVID-19 related or Coronavirus related threats. At first it was phishing emails and messages that said, oh, you know, go to this website to buy toilet paper, because nobody could find toilet paper. And then it was stimulus checks. And then it was PPE, and on and on and on, and all under this guise. And so at its height, the COVID-19 Cyber Threat Coalition was 4,000 cybersecurity volunteers in 24 time zones, looking at what we call IOCs, or indicators of compromise, to basically give this threat intelligence out to hospitals and critical infrastructure and all of that.
I happened to join up on like day two, or three, and just given that I’m vocal and in cybersecurity, you know, it made sense that I’d be the chief spokesperson, right. But it was, it was a singular moment, I think, in time. And as we’ve seen, basically, these gangs, once again, start to diversify, as everybody just settled into COVID-19, it still is a major problem. At its height, they were registering 5,000 malicious websites a day, basically around Coronavirus in March and April of 2020. And since then, it’s still something that’s used as a lure, but now we’re starting to see the old tactics come back into play as well.

Joshua Tallent 

Interesting. So that’s led to a ton of different issues. You mentioned ransomware before, and that seems to be one that has taken a lot of companies down in the last couple of years, just people not being prepared or ready for that. And this has happened in the publishing world as well. So you know, publishers and retailers and distributors, and publishing service providers are all trying to maintain large amounts of data on internet connected systems. And there are constant threats of attack—ransomware, things like that. So let’s switch to publishing for a minute and think about this from a midsize or larger business. If a publisher was kind of unsure about how secure their systems were, or how secure they should be, could you give them some recommendations on just where to start? If I’m trying to figure this stuff out on a baseline, where do I start?

Nick Espinosa 

Right, well, and baseline is one of those keywords. So what I recommend any organization that is looking to really enhance their cyber defense strategy, their defensive posture in general, is to actually start with an assessment to understand the good, the bad, and the ugly of the defensive technologies and capabilities that you do and do not have in place. And by virtue of that, it gives you that roadmap to see exactly where those holes are. You would be amazed; we walk into massive corporations that don’t fully understand their risk. And that’s the other core thing that we are talking about, when we’re talking to mid-sized companies, is understanding the risk posture. Publishing companies have a ton of intellectual property. And by virtue of that they have a lot of staff that accesses intellectual property, whether they’re reading, you know, submitted manuscripts or anything like that. These are the kinds of things that, if let’s say you are getting that next JK Rowling book ahead of time, give me the ability to say, hey, you know, you want to see Harry Potter 9, or whatever that book is, like, I will dump it out there unless you pay me a whole lot of money. And we’ve seen that happen before with Game of Thrones and HBO. So we know that these things happen in this world, but starting with that baseline understanding of the good, the bad, and the ugly, you know, what doors and windows on your house are unlocked, or I can simply walk in, or I can simply teach a third grade class how to break into very easily, is a really good start with that.

Nick Espinosa 

The next key thing, I think, is understanding and quantifying that risk. How much intellectual property do you have in hard and soft dollars? You know, how many computers can be out for how long before you’re simply out of business? And if you can’t answer these questions in real actual dollars in value to your organization, then how do you know that the contingency plan that you have is good? How do you know the backups that you have are good, because you might be down for three days, and that might be 24 hours too late, you know, or marketing can be down for a week and nobody cares? These are things that we have to understand and quantify. But it really does start with that assessment. And then from there, you know, we are looking at protecting the data. A good cybersecurity strategy basically understands that, as we are looking at securing that data, we are applying the confidentiality, integrity and availability controls to that data to make sure that it’s maintaining its privacy, nobody is altering it in a way that it shouldn’t be altered, and in case of a disaster, you can still get access to it and continue to publish. Those are things that we are looking at quantifying on top of, you know, user awareness, control, identity management, risks to supply chain, and on and on and on. But starting with that assessment, I think, is just a super, super important part.

Joshua Tallent 

Yeah, that makes sense. So you know, publishers deal with a lot of different types of data. They’re dealing with their own data, they’re dealing with their authors’ data, and obviously this becomes a real problem for especially smaller publishers who may not have their own security systems in place. They’re not even doing their own data management. So if we’re looking at my publishing company, besides the data and where it’s stored, what about on the team level? What should I be talking to my staff about? How should I begin engaging my team members to be thinking differently about security?

Nick Espinosa 

Well, first things first, it’s understanding awareness. And before I’d actually talk to my staff about this, I would want to make sure I have a complete lay of the land. Especially if you’re talking about midsize publishers that do not have, let’s say, an army of nerds to keep the infrastructure running and defend it, you’re outsourcing all of that, which means what you’re doing is introducing supply chain risks. So are you using a cloud provider where you’re storing all of the submitted manuscripts and the intellectual property that you have, and everything else? What about the HR data for your employees? Where is that going, is that going into a third party system? Getting that lay of the land, getting that quantification of that, gives you a much better sense of where your data is going, who has it, the assurances from those third parties that they actually are maintaining security and privacy in a proper way. And then from there, that gives you the framework to talk to your employees to say, hey, when you’re accessing your HR data, do it this way. When you’re accessing the intellectual property of the publishing, etc, etc. These are the security controls that we have to have in place. On top of the standard training for things like anti-phishing, you know, how to spot a phishing email, those kinds of things. And those are typically role based. And a lot of organizations miss that, in other words, how we train the janitor for that—and the janitor needs to be trained if he or she is punching a clock in a computer system—versus the assistant to the CEO has to be different, because the assistant of the CEO has vastly more access than a janitor simply accessing one part of the network. 
And so as we are quantifying that, it starts with understanding that foundation of where the data is, how it’s supposed to be accessed, and then applying good security control around it to make sure that your employees are actually following the policies and procedures, that 1) are established by the company, but 2) are deemed to be the most secure ways for them to manipulate that data.

Joshua Tallent 

Yeah, that’s good. So if you’re looking forward, and you’re thinking about the future of cybersecurity threats, and the things that you are starting to see the glimmers of right now or the things that you think they’re gonna happen. What’s that look like? What is the industry thinking will happen in the future?

Nick Espinosa 

Yeah, well, I mean, if I could tell you the next massive threat out there, I would be giving this interview from my own private island, probably fly you in and we could, you know, hang out, because I would have the defense for that, and everybody would want to buy it. But what we know is happening right now is, one, we’re continuing to see an explosion of ransomware with more sophisticated attacks that are bypassing threat detection systems, meaning that $20 antivirus that you bought that you think turns your computer into Fort Knox, we just evade; it’s not even really relevant to us as we are infecting machines. But the other big thing that we have a problem with here is the explosion in identity management, meaning we have a ton of stolen usernames and passwords in the dark web that essentially can be used, you know, to log into organizations and corporations. And that’s primarily not because the corporation or organization itself has been hacked, it’s because everybody is using their corporate email addresses to log into banks and Facebook and Amazon and Google and, like, you know, whatever you’re doing in your life. And so by virtue of that, people have a tendency to also reuse passwords. So for example, Colonial Pipeline: stolen username and password in the dark web, they logged into the VPN, they ransomed out the entire billing system, freaked Colonial out, so they shut the pipeline down, so the gas wouldn’t flow. The pipeline was never hit, for the record, a lot of people don’t realize that, but they couldn’t figure out how to bill. And so instead of figuring that out with their insurance company, letting the gas flow, they chose the national panic option. That’s what we’re talking about here, you know, with this, not to mention the fact that we’re seeing ransomware and what is known now as quadruple extortion attempts for organizations, and that’s on the rise. 
And so if you’re breaking that down, the first extortion is they lock the files out on your server or wherever it is. And basically, you have to pay them to get it back. You might have a great backup, you can just restore and no harm, no foul; it sucks, but you’re fine. The second extortion is they copy out the data and they say, even if you’ve got good backups, we’re gonna leak it to the world. And so you have to pay even though you’ve got good backups if you don’t want your reputation potentially damaged. The third extortion is they start sifting through the data—and this actually happened to Apple—and say, Oh, you’ve got large clients, they’ve got money, we’re going to go after them too. So a Taiwanese manufacturer that actually assembled and made the MacBooks and iPhones and all that kind of stuff for Apple got hit and all of their schematics got dumped. And so one of the groups said, here’s a MacBook design schematic, if you don’t want the rest out, Apple will pay us too. And on top of that we have a fourth level of extortion, which is harassment. They start knocking out your websites, they start calling your clients, they start doing all this kind of stuff until you pay, and that is what we are seeing a rise of right now. So ransomware isn’t going away anytime soon. Stolen usernames and passwords are just an explosive thing right now. So identity, having a good identity management solution, is essentially where the next horizon for cyber defense is in that vein.

Joshua Tallent 

Yeah. And so an individual user, an individual person obviously needs to have a good solution in place for their passwords, where they can rotate passwords and create secure passwords and keep track of those and not use your mother’s maiden name everywhere, or whatever it is…

Nick Espinosa 

Hopefully not!

Joshua Tallent 

So what recommendations would you have for a line worker? Somebody who’s, you know, I’m working at XYZ company, my company doesn’t necessarily—maybe they have some security things in place—but what should I be looking for, for myself, personally, maybe even on a personal level, and not just a professional level? But what should I be aware of right, this moment that I can do immediately to just make my life a little bit more secure to think about my identity protection and things like that?

Nick Espinosa 

Yeah. So first things first, don’t reuse passwords. So in other words, if the password you have for Facebook is the same as your bank, please go change it now, while you’re listening to this. I mean, I cannot stress enough how much we see that. And inevitably, when I do live presentations for a canned audience, where I’ve got, let’s say, 50 people, I will run usernames and passwords that we can find on the dark web on everybody there. And inevitably, somebody comes up to me and says, You just handed me the password I’ve been using for the last 10 years. So make sure that you are changing those passwords, make sure you’ve got, you know, a good password strategy on that. But more importantly than that, even though that is important—make sure you’ve got good passwords, don’t reuse—is to enable multi-factor authentication or two factor authentication in your life. You can download an authenticator app from, like, Authy, or Google or Microsoft. And essentially everywhere you go, from your bank, to Facebook, to Amazon, etc., when you log in with that username and password, it will prompt you for, usually, a six-digit code that changes every 30 seconds to a minute. So if I steal your username and password, or I find it on the dark web, and I attempt to log in, now it’s going to prompt me for a code. And because I don’t have physical access to your phone, I can’t get into your account. And when we’re looking at things like Office 365, over 90% of the calls that we get for compromises for Office 365 could have been stopped by simply having that. That’s it, and it’s free; anybody can get it, it’s free to use. Those are the two critical things that you can do, obviously, outside of making sure you’ve got a good backup for yourself and your personal life as well. Because the last thing you want is your computer to die, and then you can’t get anything, or it gets ransomed. 
And now you’ve got a backup that’s off site and in the cloud, and there are personal backup solutions that are affordable for human beings, you know, not just corporations, just individuals.

Joshua Tallent 

That’s great. Nick, this has been great. Any final thoughts or information that you would want to pass along to our listeners, things that they should be aware of? Or things that places they should go check out for more information?

Nick Espinosa 

Yeah, well, especially as we’re talking about the publishing industry, understand that by virtue of the intellectual property that you hold, the unique, creative, you know, anything that you have under safeguard, you are a target. And I think a lot of organizations and a lot of publishing houses don’t really realize that, and a lot of them have a complacent mentality of, You know, if it ain’t broke, I’m not going to fix it, or, well, we’ve never been hit, or you know what, we’re not friggin Random House, we’re just, you know, we’re a smaller organization. Well, smaller organizations tend to spend less in cyber defense strategies, they tend to have less hardened systems than the larger ones, which means it’s easier to break into you. And if I can break into 10 of you easier than I can a massive publishing house, well, I’m gonna make an awful lot of money. You know, and obviously, there’s a lot of money in publishing as well, which is why when groups are doing reconnaissance, publishers tend to be targets, like some other very cash rich organizations like architecture, engineering, construction, and some of the others, but publishers are up there. And I think that’s an important thing to understand, that, you know, if you’re using the same technology for defense that you’ve had in place for, let’s say, the last two to five years, odds are you’re being outclassed right now, not only in the products that could be defending you better, but by the cyber criminals that will simply walk around whatever defenses you have, and we see that constantly. So please be aware you are a target. It’s such a huge problem.

Joshua Tallent 

Yeah, that’s great. So where can people learn more about you and about the work that you’re doing?

Nick Espinosa 

Well, you can connect to me on LinkedIn (https://www.linkedin.com/in/nickespinosa/). Or you can find me on Twitter @nickaesp. You know, you can find me on YouTube as well (https://www.youtube.com/nickespinosa). I do like daily videos and podcasts. And I have a nationally syndicated radio show that’s on NPR affiliates. And you know, so I’m always hanging out putting something online, cybersecurity or privacy related. So yeah, feel free to connect.

Joshua Tallent 

That’s great. Yeah, I’ll put the links for those in the show notes as well. Nick, thanks so much for joining me today. I really appreciate your insights and your recommendations. I think this will be really helpful to get the conversation started in the publishing world in some great ways. So appreciate that.

Nick Espinosa 

Thank you. My pleasure.

Joshua Tallent 

That’s it for this episode of the BookSmarts podcast. If you like what you’ve heard, please leave a review or rating in Apple Podcasts, Spotify, or wherever you listen into the podcast. Also, please share the podcast with your colleagues. If you have topic suggestions or feedback about the show, you can email me at joshua@firebrandtech.com. And also please be sure to fill out that listener survey at https://booksmartspodcast.com/survey. Thanks for joining me and for getting smarter about your books.