Episode 17: Fran Toolan on Cybersecurity

Fran Toolan, CEO of Firebrand Technologies, joins me to continue the conversation about cybersecurity in the publishing industry. Fran pulls back the covers a bit on this topic, revealing that Firebrand has had four security incidents in the last two years, including two ransomware attacks (neither of which was paid). Firebrand is not alone: there have been a number of other breaches in the industry, and most of them go undisclosed, so Fran is not the only executive losing sleep over this issue.

We discuss phishing attacks and internal phishing reporting, environment and server checks, the NIST framework (identify, protect, detect, respond), monitoring of inbound traffic to servers, two-factor authentication, and more, and offer some advice for individual publishers, for publishing services companies, and for the industry as a whole about how we can work together to address this problem.

If you missed the first episode on this topic, please listen to Episode 16, where I interviewed Nick Espinosa from Security Fanatics.

If you have not filled out the listener survey, please do that at https://booksmartspodcast.com/survey.

Also, be sure to tell your colleagues about this podcast!

Transcript

Joshua Tallent
So on this episode of the BookSmarts Podcast, I am excited because I get to interview my boss, Fran Toolan, who is the CEO of Firebrand Technologies. Fran, thanks for joining me today on the BookSmarts Podcast.

Fran Toolan
Thanks, Joshua.

Joshua Tallent
Yeah, so this is actually pretty cool, because we’re continuing the conversation that I started with the last episode a couple weeks ago. And that was talking about cybersecurity. Cybersecurity month was October, so we’re a little bit late on the topic of conversation, I guess, in some ways, but the cool thing is that there’s a lot to talk about. So we’ve had some incidents in cybersecurity in the industry—in the publishing industry. And, you know, one of the things that we’ve talked about is that you really think we should be pulling the covers off a little bit and talking a little bit more about this, and really dealing with it from an industry perspective, not just a technology perspective, but really as an industry. So what do you think about that? Looking at where the industry is and what we’re dealing with—or not dealing with—in cybersecurity, what do you think we should be doing better?

Fran Toolan 
Well, I guess I’ll just start by saying that I think the number one thing that causes me to lose sleep at night these days is cybersecurity. And I think that many of my colleagues in the industry who are running companies, whether they’re publishing companies or publisher services companies, are feeling some of the same. And it’s such a radical departure from where we were even two years ago, where it wasn’t even crossing my mind, to be honest—you know, minimally, but not making me worry every day, the way it is now. And so, I do think that there’s an opportunity here for the industry to come together. This is something that’s, you know, still relatively new—two years in the publishing industry is a microsecond, I think—but I think there’s an opportunity here. And I do think we should pull back the covers a little bit about what’s going on.

Joshua Tallent 
Yeah, and there’s a lot that’s happened. In my podcast last week—or two weeks ago—I talked with a security researcher, Nick Espinosa. And for those of you who may not have listened to that podcast, you might want to go back and grab that one as well. Ransomware has been a big issue, and even just general hacks, phishing attacks, and things like that are becoming more common. What have you seen as kind of the biggest problems for publishers? You know, if you’re looking back over the last two years, and seeing those incidents, what do you think have been the hardest hits for us as an industry?

Fran Toolan 
Well, I can’t really say what it is for publishers, because I don’t know, you know, who or what has been hit in those places. I can only talk about what’s happened for us, really. And I think that’s part of the problem: nobody’s really disclosing it. And part of it is very natural, you know, we don’t want people to see where we’ve messed up. Right? But, you know, I will say that we had four security incidents in the last two years. And one was very public with NetGalley, right around Christmas last year, where we were hacked and, you know, 700,000 emails got taken from us. But we had other incidents. We had two ransomware attacks at Firebrand, and, you know, we were very fortunate in both cases to be able to limit the damage and return systems to normal very quickly. And we didn’t pay the ransom. That’s an interesting topic all by itself. So I think we were very fortunate, but we also feel very much like we dodged some bullets. And, as you know, at every company meeting I’m talking about cybersecurity these days; you know, it’s the number one topic that we’re working on, trying to improve ourselves and trying to make things better. You touched on phishing, and you know, we implemented our Dark Arts group at Firebrand and NetGalley, and now we’ve got the entire company, you know, pushing suspicious emails to this Dark Arts team to be able to look into them and to see whether they are phishing. And sometimes those phishing emails are even coming from us, because we’re testing people to make sure that they’re not clicking on phishing links. So it’s a very interesting and very important topic, that we can get hammered from any number of different ways. And so that’s a big deal.

Joshua Tallent 
Yeah, and that’s actually an interesting thing to—the practical advice kind of thing for publishers, and for anyone else, you know. We really have taken all of these security things and brought them to the forefront as a company. Every single person is now much more aware of what a phishing attack looks like, and how you can recognize the little bits and pieces. And we’ve seen some pretty sophisticated ones, too, things that are coming that look like they’re from someone in the company, that look very legitimate, that have the same email address, and all these other things happening. But if you look a little deeper, you start to see, okay, that’s actually not from that person, or that actually is some sort of phishing thing. I think this is obviously an area where any business can grow: just educating their team members on those issues, and making it fun, like we’ve done with the Dark Arts Slack channel, and these kinds of things that really help bring those things into everybody’s awareness even more, because they’re seeing it happen every day, basically, some new phishing attack that somebody got that you’re able to put out there.

Fran Toolan 
So phishing is one thing, and I, you know, I think that one is fairly easy to tackle as a company. The environment [server] checks are more challenging. We’re undergoing a really extensive process that is—you know, we’ve been working on it for over a year now to really come up to, you know, the national standards on our cyber protection and how we do things. We’re using the NIST framework as our process for identifying assets that we have, and for protecting them, and for detecting problems that may come in, and for how we pull together our responses. And as we go through this whole process of implementing NIST in our many, many environments that we have to do it for, I’ve been surprised at different points during this process. Most recently, I was surprised by how many of these security policies actually have an HR component to them, and how, you know, our HR policy book has to change very dramatically because of many of these security policies. And I don’t know if you covered this in your last podcast or not, but you know, many of the security breaches happened because of something an employee did, or didn’t do, inadvertently. You know, our developers have to be very careful. These attacks are coming because sometimes people are watching us, and sometimes they’re coming because they’re just looking for servers out on the internet that have, you know, an open port somewhere. And so we’ve really had to learn a lot about all the different vectors that these attacks are coming from, phishing being one—the easiest one—to sort of watch. Some of the things that we’ve also implemented are monitoring services, and we’re spending quite a bit of money—for us, quite a bit of money—on those services these days. And, you know, the number of hits that we’re getting on our servers is just amazing. And to track where they’re coming from is also very, very enlightening.

Joshua Tallent
Yeah. And those frameworks, like the NIST framework that we’re implementing, also do things like two-factor authentication as a default, and trying to take some of those security practices that we’ve been hearing about and really putting them into real-world use for every person who has any kind of access to some of these systems. Those are practical things you have to deal with.

Fran Toolan 
Yeah, so NIST is a little different. I mean, two-factor authentication, which we now—that’s a very practical thing to tell everybody, you know, we now have it on virtually every server that we control—is one of the ways that you protect yourself. And the protection is one element of the NIST framework. And there are, I’m going to get the number wrong, I want to say 117 different controls within the NIST framework—questions that we’re answering and policies that we have to have in place for each of the environments that we have. So you know, 117 controls for the many environments that we have turns out to be quite a bit of work. So, you know, two-factor or multi-factor authentication is part of the protection element of NIST. That’s just a very, very tiny element of the whole framework.

Joshua Tallent 
Yeah. So you mentioned earlier that this is kind of an elephant in the room in the publishing industry. We haven’t really addressed it in any practical or kind of broad way, as an industry. We seem to be keeping it all to ourselves. So what would you recommend we do as an industry? What do you think would be some things we could do to really—you know, obviously admitting that it’s happening, and then somehow dealing with those issues—but as an industry, how do you think we can come together on that, and start really thinking about it more broadly?

Fran Toolan 
Yeah. So I think that we don’t need to call out anyone, you know. I personally know several other companies that have had security incidents over the last two years. So I know, I’m not alone in this, you know, losing sleep at night over this problem. I do think that understanding what some of the best practices are, is really important. You know, as a service provider, we get security questionnaires from all of the major publishers, so we know that they’ve got things in place already, that they’re looking to do. But you know, how many people actually have that, or how many people even know where to start? You know, as I said, two years ago, we were pretty weak in this area, especially compared to where we are now. And we still have a long way to go to get to where we want to be. So how can, you know, how can the industry do this? You know, I don’t want to call out my good friend, Brian O’Leary, but I think this is probably something that, you know, could get on his agenda. I didn’t want to call him out, because I didn’t tell him I was gonna do this. But I do think that, you know, BISG could play a very good role here in terms of quantifying and qualifying how the industry might work together to develop their own best practices. Because this was something we had to learn on our own. And, and it was, it was arduous.

Joshua Tallent 
Yeah. It’s a big and growing issue. In my talk with Nick Espinosa a couple weeks ago—you know, and for the record, Fran hasn’t heard that podcast because it hasn’t been released yet. We’re recording this a little bit earlier. But, you know, one of the things he brought up is that this has grown significantly during that timeframe where we got hit, and where other people, you know, have gotten hit. It’s not because no one really cared. It’s just because all of a sudden, there was a massive increase in the number of attacks that were happening. And as you said, you know, we’re seeing right now millions of hits on our servers per minute, and we’re having these, you know—there’s just so much more happening. So even if, you know, it’s something that you were thinking about a couple of years ago, it probably would still have been a problem, for anybody who was in this situation. I think it’s interesting that, you know, now, because of all of that happening, we have this opportunity to grow together as an industry and really think through some of these problems. Think about, like you said, best practices and what we can do. And to really address the problem from a publishing-specific perspective, it’s not just a technology problem. It’s a business problem. It’s an industry problem, and we can deal with it, not only from a technology perspective, but from the unique perspectives of publishers in the publishing industry itself.

Fran Toolan 
Yeah, I would say that it’s definitely more of a business problem. And to the extent that all of us are in business in the publishing industry, we have a camaraderie in the publishing industry around certain things that we could use to be honest about where we are and where we should be heading with regard to this stuff. And that’s where I think we are. I don’t think that any of what we’re dealing with is really unique to the publishing industry. I think this is every business, you know, and the government, and it’s amazing to watch how far the government has come, you know. A funny story is that when we had our first ransomware attack, which was in March of 2019, you know, we called the FBI, and they put me on to some junior agent who had no idea what I was talking about, thought that it was, you know, that our mail had gotten taken or something, you know, like, it was crazy. And now, you know, was it four to six months ago, you know, the FBI hacked the account of the ransomware people who took the money and got money back. So you know, they’ve come a long way too, and have had to come up the curve very quickly. So we’re all coming up the curve very quickly. And, you know, it’s a really good time for us to get together and talk about some of this stuff.

Joshua Tallent 
Yeah, that’s good. Any final thoughts, anything else that you think we need to be addressing? That we haven’t talked about so far?

Fran Toolan 
Not really. I would say that our system—you know, anybody that really wants to target you and hack you is going to find a way to do it. You can’t protect everything. But you can protect against the attacks that are not targeted at you. And there are, as you just mentioned, you know, like, hundreds of thousands to millions a second that are actually happening out there. We had no clue, until we put some of this software on our servers, just how many attacks, and from how many different places, they were coming. And so that was really, really enlightening.

Joshua Tallent 
That’s good. Well, thanks, friend. I appreciate this. We’re letting people see some of the things that happened to us. And that’s important, because as an industry, we can’t grow if we don’t talk, if we don’t discuss these problems.

Fran Toolan 
Yes. And I think we have to not be embarrassed by it. Because it’s happened to so many of us now that it’s time to stop, you know, hiding behind it, and let’s take some action.

Joshua Tallent 
Thanks for joining me on the BookSmarts Podcast, I appreciate you taking some time. For those of you who are listening and haven’t heard the other episode, I would recommend you go back and listen to that as well, of course. And you know, if you like the podcast, we appreciate your reviews on Apple Podcasts and Spotify and other places where you listen to the podcast. And if you haven’t gone and filled out our survey, that’d be really great to hear your thoughts about the podcast on the survey as well. Or if you have topic suggestions or feedback about the show, you can email me at joshua@firebrandtech.com. So thanks for joining me and getting smarter about your books.