S.2 Ep.16 TMH Nick Espinosa - Cyber Security Threats to AEC Firms
America's infrastructure is at risk of cyberattacks, and private businesses are a favorite target for cyber-criminals looking to wreak havoc and line their pockets. As the second-largest global industry, construction is a definite target for hackers. Meanwhile, the average construction firm in the US is not taking the steps necessary to protect itself and its data from attack. Security Fanatics' Nick Espinosa joins The Morning Huddle to talk about why we should be worried about cybersecurity and some tangible steps construction companies can take to protect themselves.
Transcript:
00:01
Speaker 1
We need to get back to work. And work is one of the ways that we contribute to this country, that we grow our GDP, we grow our tax base, we contribute to each other effectively. We help finance our national security, our homeland security, our, you know, our infrastructure. I had key employees that really wanted to be leaders in the company, but they didn't want to have any ownership responsibility that way. So I just had to start researching out and figuring out, well, how do I market my company?
00:29
Speaker 2
Go to your local school board for one hour twice this year.
00:32
Speaker 1
And if you can have even just 10 or 15 employers show up and do that at the same school board every single month, there's two contractors filling.
00:39
Speaker 2
Out a little card to give your.
00:41
Speaker 1
30 seconds at the podium that says.
00:43
Speaker 2
I need your help and we have great jobs. Eventually they will hear you.
00:46
Speaker 1
But if everyone just did two hours a year, that's how we change this.
00:49
Speaker 2
Stacy, how you doing this morning?
00:51
Speaker 3
I'm doing great.
00:53
Speaker 1
She loves it. I ask the question every time.
00:55
Speaker 2
She's like, I'm fine, dude, just a little much.
01:01
Speaker 4
And I say to that owner, I said, see, you're not willing to invest in yourself. You're not going to invest in yourself. You're going to invest in companies you have no control over, whereas your company, you control. And you don't have the confidence to pour the money into that. When things are busy and they're looking for their GC friends to sit down and negotiate a project on a GC and a fee, and they're more excited about building the project, and then all of a sudden the model, the market swings, and now the developer market is going to go out and they're going to hard bid the same project to two or three different GCs. And that's where it starts going down.
01:44
Speaker 2
All right, it's morning huddle time. Good morning. How's everybody doing? Stacy and Nick Espinosa here with us this morning. How are you two? Stacy, how are you this morning?
01:54
Speaker 3
I'm excited because it's finally getting warmer over here in Maryland.
01:59
Speaker 2
What I'm talking about. Yeah, we're gonna have like a 70 degree day.
02:02
Speaker 1
Yes.
02:03
Speaker 3
Thank God.
02:04
Speaker 1
Yeah. And we had snow three days ago, so, you know, hey, welcome to the Midwest.
02:08
Speaker 2
Nick, you're coming to us from Chicago, right?
02:11
Speaker 1
Indeed. Indeed. Chicago it is.
02:13
Speaker 2
So, yeah, it's. It could swing any direction until, like, when is the threat over?
02:19
Speaker 1
Yes, yes. Roughly July. It starts up in August. So here we are. Oh, man.
02:28
Speaker 2
So this morning, Stacy and I are psyched to have Nick Espinosa on from Security Fanatics, among other really interesting things. So Nick is joining us this morning to talk about the cyber security threats that are facing the building industry. What construction industry companies need to have their antenna up for and planning to prevent when it comes to security threats. So we're going to get really into the, you know, details on some specific actions that these organizations can take. But before we go down that road, I think it'd be good to just orient ourselves a little bit with your story, Nick. So I know you own Security Fanatics, which is a security consulting firm. You're a radio host for a show called the Deep Dive that's syndicated across 150 stations across the country.
03:26
Speaker 2
And you know, you're clearly an avid collector of film.
03:33
Speaker 1
A little bit. Little bit, yes. Yes. I also don't sleep just given the way cybersecurity is going these days. Right. You know, but yeah. I also, I'm on the Forbes Technology Council. I, you know, I write for Forbes. My radio show, naturally, it fluctuates, but the last time it was on about 150 stations. And I think that's in part because I've been interviewing members of Ukraine's government for my show because we've had access to Ukrainian government just given our regular jobs in cyber security. You know, I also sit on various boards as well, like Roosevelt University. I help them spin up an NSA certified cyber security program, you know, those kinds of things as well. So, so we are super busy in cybersecurity right now. It's everybody's hacking everybody, let's just put it that way. So, so it's non stop.
04:20
Speaker 2
I can think of trends that are, are, you know, less painful than that. Everybody's hacking everybody. That sounds terrible. Yeah, but it really is. I mean, you know, it's one of those things that, speaking from personal experience, you know, 10 years ago it was sort of like a buzzword but you know, nobody's really dealing with that today. You know, I think we all know at least one company personally that.
04:49
Speaker 1
Oh yeah.
04:49
Speaker 2
Been attacked.
04:50
Speaker 1
Right?
04:51
Speaker 2
Yeah. It's hap, it's not, it's, it happens on a regular basis.
04:55
Speaker 1
Yeah, Yeah. I mean I, and I founded my first company in 1998 and its focus was cyber security and I was the redheaded stepchild in the room until about 2015 or so. And, and that's essentially what it is. We have just as human nature, a certain sense of complacency if it ain't broke, don't fix it. And so a lot of businesses have taken that model because quite frankly, they're not looking at what the next innovation is going to be, not necessarily in their industry. Meaning I'm not running a construction firm. And if I was, I would be looking at, okay, what's the next thing I'm going to be using in construction? Is it drones? Is it automation? You know, am I hiring more people? What, what does my company look like in five, 10 years?
05:34
Speaker 1
But one of those things is, you know, what does cyber security look like in five, 10 years? What does the landscape of threat look like? And that's something that I think is sorely missed on companies from small to huge. And it's something that we really need to understand because at the end of the day, what cybersecurity is, is a quantification and mitigation of risk on the technology side. So a lot of organizations don't understand their risk.
05:55
Speaker 2
I'm really worried. Nick's way, way smarter than me. This is going to be very uncomfortable. All right. No, this is great. So Stacy, you know, let's make sure that we, you know, solicit the specific direct questions from the audience to the best of our ability. Stacy, we'll bring you back here with about 10 minutes to go. While Nick confuses me wildly and then confusion.
06:24
Speaker 1
For the record. For the record, I pride myself on nerd to English translation. So we'll be aligned. We'll be aligned.
06:30
Speaker 2
That is great news. That is great. Could, does it go all the way down to a third grade level? Out of curiosity?
06:36
Speaker 1
It does.
06:37
Speaker 3
Excellent.
06:38
Speaker 1
That needs that too for the rest.
06:40
Speaker 2
I am gonna be fine.
06:41
Speaker 1
Sweet.
06:42
Speaker 2
All right, so Stacy, we'll see you in a bit. I, I want to start off you, you mentioned conversations that you're having. I, I can't help it. I'm just interested. It has nothing to do with construction. But you mentioned conversations that you're have having with folks in the Ukraine. What are those conversations about and what are they like right now?
07:01
Speaker 1
Yeah, yeah. So just by virtue of our work in cyber security, we've had some interesting connections and ties to the area of, in and around Ukraine, given our clients and various entities that we work for. And so by virtue of that, we've had access to members of Ukraine's top government, like higher end government. So I've been interviewing members of parliament. The last one was in a substance. She's also the deputy minister for science and education and all of that. And I wanted to talk to her about what her daily life is. I mean the first time I interviewed her she was in Kiev, the bombs were dropping. I mean she had just had to evacuate. Sometimes these interviews, oh, we're going to do it on X date at X time.
07:41
Speaker 1
They can't, they just ghost and it's, you know, and then they come back hours later, oh, I'm sorry. I had to evacuate. And I was like, you have nothing to apologize for. You're in a war zone. I'm just glad you're alive. You know, we also know that, or I should say I know that some of the people that I've been talking with, I believe are no longer with us anymore as well. They've simply just dropped off the face of the earth. Even though they've been incredibly communicative before that, which is heartbreaking but I wanted to just because I have a platform with my radio show, kind of, you know, talk to them, see what's going on. Very rarely do we get a first hand account in a war zone.
08:15
Speaker 1
And one of the things that we are seeing by benefit of the Russians at least initially, not going after the Internet in Ukraine and intel speculated that the Russians needed it just as much as the Ukrainians did to coordinate their troop movements and all of that. The double edged sword was that every Ukrainian with an iPhone or android became a citizen journalist, recording everything, sending it out, tweeting it out, you know, putting it on and thank God for that.
08:38
Speaker 2
I mean, yeah, really, if it's not, if it weren't for that, you know, what would you know? I think there are people still, there are people in Russia who still don't know that there's anything going on.
08:50
Speaker 1
Right, right. Well and that's part of the big issue though is that if you didn't know they actually had the state, the same state run television show called Vremya basically every evening at 9pm Moscow time. And it's been going on since like 1952 or 1956, something along those lines. And that's essentially the expectation is that's where you get your information that carried over even after the USSR fell. And so that's where they're getting it. Their body count still hasn't changed from, I think it's 462, which is what they first reported in early March. So you're looking at a population that has been wildly misinformed, you know, about this or simply is not getting that information. And Russia's been doing their best to try to block the Internet there. So it's been absolutely nuts.
09:35
Speaker 2
It's a crazy, you know, not much of a segue. I got nothing for in way of a segue to, you know, get into talking about construction. But I, you know, I would encourage all of our viewers to check out your, you know, radio show, the Deep Dive again. That's, that's the name of it. And, and where. What's the easiest place to find it?
09:55
Speaker 1
You can go to my SoundCloud channel, soundcloud.com Nick A. ESP and it's listed out there. And there's a playlist of all my past shows. It starts with number one, which is from years ago. And I really should reverse that on the playlist. So, so scroll to the bottom to get my, my latest shows a couple weeks behind usually. But, but they're there. They're there and my interviews are pinned to the very top of the top of my SoundCloud channel.
10:20
Speaker 2
In general, all the conversations that I've heard on any various, you know, interview shows with people on the ground in Ukraine, they're. It's just extremely valuable and you know, really hard sometimes to hear, you know, kinds of conversations.
10:37
Speaker 1
It's brutal. It's just what they're going through, it's just brutal. So I'm happy to help if I can.
10:42
Speaker 2
So, so obviously, you know, your, your experience in cybersecurity spans well beyond the scope of AEC firms, right? The, the, you know, the building industry. But you know, when you think about your experience inside that industry, you know, my take is construction companies are pretty small, right? Statistically, obviously there are big construction companies. They exist. But the average construction firm, if you know, out there taking a look at, you know, architects, engineering firms, contractors, is probably in the neighborhood of 25 to 50 employees on average. And you know, what's going on in their mind is we're too small for anybody to care about us. How would you respond to that?
11:36
Speaker 1
Yeah, I mean, I think there's a gross misunderstanding, you know, essentially of the perception of hacking. I, I'll be honest with you. Hackers are lazy. We are lazy people. You know, one of the, I'm serious, one of the hardest things I have in dealing with the construction industry is I'm sitting here at 8:00am Central Time, you know, doing this when I would love to wake up at the crack of noon every day, you know, why can't you have this at noon? You know, and so we are, we are going for the lowest hanging fruit always. I mean that's, that we just do. And so think about it from this perspective. You're a 25 person firm.
12:12
Speaker 1
Odds are, you know, whatever your role in AEC is, mechanical, electrical, sheet metal, you know, et cetera, whatever you do, plumbing, you are looking at catering to and working with larger customers, right? You're typically not, you know, doing the, you know, the smaller jobs, especially if you're on the commercial side. And so by virtue of that, what you're doing is you're building a roadmap for somebody like me, but malicious to break into your lives. Thanks to your website, thanks to LinkedIn, thanks to other places on social media where you are promoting this. So think about the Target data breach, for example. So that actually when that happened, Target, we all shop at Target, when that happened, they blamed their mechanical contractor. They threw that mechanical contractor under every bus on the bus schedule that week. Oh yeah, they completely blame them for this.
12:59
Speaker 1
Even though it was shared responsibility, was one part them, another part, you know, Target. And the reason why they did that is because they're obviously trying to mitigate their losses. But think about it from the mechanical contractors point of view. What's that going to do to the reputation when they are basically splashed out on the news to say they got Target hacked? Do you think they can walk into Walmart or Home Depot or any other big box store and say, hey yeah, we can, we can service you, we can maintain you, we can do whatever you need us to do. Their reputation is ruined.
13:29
Speaker 1
And on top of that, basically when you're looking at those 25 user firms, they're not spending the money that a Target or a Home Depot or a large corporation is on an army of nerds like me to defend the barn. Oftentimes they're outsourcing their IT to a third party IT provider. IT providers typically are not cybersecurity. They put a shingle out there that says, oh yes, you know, we will do your cybersecurity. And at best, usually what they're doing is selling you products that are low to mid range, which again doesn't really quantify your risk. All it does is give you a couple layers of defense, which is important, but it's not the be all end all. And so the problem that we have with smaller organizations is they don't think that they are targets because well, quite frankly, we're small.
14:13
Speaker 1
The other side of that is that the construction industry, AEC in general, is in the top three basically verticals that get hit with ransomware. And, and it's, they get hit most consistently. And the reason being is that all y'all pay. It is basically considered high margin, meaning most of these businesses have cash on hand. Most of them are on deadlines for larger GCs or their customers. They're not going to sit there and say, well, we can't fix your air conditioning for a week. You know, those things don't happen. So they pay historically faster and therefore they continue to get hit. And so when you are looking at small business alone, small business to low midsize business accounts for something like 63 to 65% of all data breaches in the world right now. Primarily because they're complacent on their technology.
15:01
Speaker 1
They usually don't have any of these things in place at an advanced level. Even though the enterprise technology is affordable. Their IT providers don't work at those levels, you know, and they pay. So it's a perfect storm. It's almost on par with health care. Who pays as fast as humanly possible because if they don't, people die. So, so construction in and of itself is right now a huge target that we see. And it's considered part of the critical infrastructure of the United States. All y'all keep the lights running. My house isn't falling down. My HVAC works. You know, thank you. Thanks to my local HVAC contractor, thanks to my local GC, et cetera. So it's a huge problem in that vein.
15:40
Speaker 2
So it's because in fact, we almost should switch the thinking. It's, it's that smallness that you thought made you safe.
15:54
Speaker 1
Right.
15:54
Speaker 2
Is actually a potential, really making you a very easy target.
16:01
Speaker 1
Right, right. I mean, and that's what it is. I had, I literally had one that was, I want to say 30, 45 called me frantically. The number one call we get, the record is, oh my God, help. The world is burning down. We've never worked with you, but you know, I saw you on stage or I listen to your show, like whatever it is, right.
16:18
Speaker 2
And we're being held ransom, right?
16:20
Speaker 1
Oh my God. Like it's an end, it's a life ending event for the company. The number two call we get is, yeah, I don't want to be that guy. So what do we do? You know, how do we improve?
16:29
Speaker 2
Yeah, if you could flip those, we get less of the first one.
16:32
Speaker 1
Right. But I've heard more than once where, you know, basically the business owner that calls me, especially on the small side, I literally just had one, about 35 employees or so that called frantically and said, I didn't think this could happen to me. Like, I'm flying under the radar, you know, I'm just, I'm in the middle of nowhere. Like, why would they hit me? And it's like, well, because you're easy to break into, we can leverage you to get to larger clients. I'm going to use you to get to Target, you know, or Home Depot or, you know, wherever I'm trying to break in, you know, so you are on the radar and you don't train your people. They're clicking on everything, they're opening everything. I mean, these are things that, you know, we really don't take into account.
17:06
Speaker 1
And most small businesses have not fully quantified their risk. It's a huge problem.
17:11
Speaker 2
It, it. I'm, I'm seeing that and I, so I think I want to go back real quick to this comment about outsourcing IT. You're right. I, it's very rare. My, my personal experience, very rare that I will see an AEC firm under 150 employees actually have, you know, what I would call real IT staff.
17:39
Speaker 1
Right.
17:40
Speaker 2
And even then, it's pretty rare. It's like, you know, you're into like the 500 to 1000 employee range before.
17:45
Speaker 1
Right.
17:46
Speaker 2
You know, that starts to become the norm. So, so outsourcing IT is. It's very much the norm.
17:52
Speaker 1
Right.
17:53
Speaker 2
Is there anything that if you're gonna. Because, I mean, by the way, the people that we're talking to right now, our viewers, they can't afford to hire an IT staff internally. They can't afford a quarter of a million dollars a year in. That's not going to happen.
18:08
Speaker 1
Right.
18:09
Speaker 2
So is there anything that you would advise if you're going to outsource IT? Here are some of the do's and don'ts. And here, here are some of the things as it relates to your cyber security that you should be looking for or careful of.
18:23
Speaker 1
Sure, sure. So the number one problem that a lot of organizations have when they outsource IT, and it's a very common thing. There are pluses and minuses to this. But one of the biggest things is you don't understand the industry that IT swims in. In the same way that, like, I can take my car to my mechanic and he can say, oh, yes, you need to replace your Framistan. And I'll be like, I have no idea what that is, but please replace it. You know what I mean? I don't even know if that's real. But you know, it's, you know, I go to my doctor and my doctor tells me, oh, you broke your thingamalaringathoid. Sure, okay, you know, just fix the damn thing.
18:57
Speaker 2
What do I do?
18:58
Speaker 1
Right, right, exactly. By virtue of that, what ends up happening is you're sold on not necessarily the capability of the organization, the IT company. You're sold on the friendliness. You're sold on what you perceive to be the reliability. Meaning they're going to keep our lights up, they're on it. The problem that we have is that IT is not cybersecurity. Cybersecurity pivots on a dime and has to innovate as quickly as possible. Sometimes we never know when that 15 year old kid is going to break all of Google and we have to slam on the brakes and figure out, okay, what on earth just happened? How did they get around that? And how do we now apply that defensive technology into our clients to make sure that they don't end up being the next Google? It is different. It is trained differently.
19:45
Speaker 1
They keep the lights on, they keep your printers running, they keep your computers on, all of these kinds of things. But they also understand the need to sell cybersecurity because like I said, everybody's hacking everybody these days. And so what ends up happening is they come in and say, we'll give you a cybersecurity solution. Sometimes it starts with a cybersecurity assessment that they say, which is anything but. They run a couple scans on your network, they see some holes that gives them an end in order to sell products to fix those holes. But that is not holistic. I would never do a cybersecurity assessment in a week because a cybersecurity assessment is holistic. On average, it takes us three to four months even on a small business to do a full blown cybersecurity assessment. On top of that, it tends to be incredibly complacent.
20:29
Speaker 1
Meaning these IT companies know to the penny exactly how much that firewall is going to make them money. You know, what it's going to cost them, how much it's going to take to install. They don't have to invest in training because they're typically lower end products that are easier to install. So the older technicians can train the new technicians so you don't have to actually invest money into these kinds of things. And what you end up having is a low to mid range data security solution, which is a very small subset of cybersecurity. And so as I am counseling any organization or any company that says, hey, we're looking at outsourcing IT, I say, okay. The benefits to that are you're going to get more than one person because if you just hire somebody on site, they're pigeonholed into your technology.
21:11
Speaker 1
You're going to get more than one person, they're going to be relatively responsive to you. You know, they're going to take care of some of these things. But understand that the proof of the capability of the company is in their products. If I can sit down with a company and they can list out what's their firewall, what's their antivirus, what is their wireless access point, what do they use for all of these different things? I have a snapshot very easily of are they mature? Have they been investing in training? Have they been keeping up with the latest trends and innovations? We've had our products here every 90 days. Every 90 days. I can't walk into a Fortune 100 level client and basically say, yes, here's last year's technology, I'll get walked right out the door. These are differences that are key.
21:55
Speaker 1
Conversely, you wouldn't hire me to fix your printer. One, you'd get charged way too much. And two, I would never take that job. So we specialize. I don't go to my podiatrist for brain surgery. I don't go to my neurosurgeon for footwork. Both are important. I like to walk and think. But they're two different things. And I think that's a rather important distinction to make. But the proof is in the technology that they're leveraging. And as I'm asking or consulting with customers, my first question is, give me your product stack, tell me what they're running and I will tell you if it's good, bad or ugly. Usually it's low to mid range at best. So here we are.
22:29
Speaker 2
All right, so I'm going to bring Stacy back, but as I do that, I want to ask you to, you know, lay it on the line for us. I'm a mid sized, maybe small, maybe bigger than mid size, right. But figure I'm a 25 to a thousand employee, right. Which I know is a swing construction company. What are some of the, just in general, what are some of the thoughts I should be having, what should I be doing to protect myself?
23:00
Speaker 1
So, yeah, so I don't care if you're 25 or 25,000 or 250,000 employees. One of the things that you need to be approaching holistically for your organization, it goes beyond cybersecurity, is understanding and quantifying the risk. I can't tell you how many organizations I've walked into from small to utterly massive. And basically the person says, okay, Nick, let's talk about cybersecurity. Or the chief information security officer of the Fortune 100 company says, you know, let's talk cybersecurity. And my default answer is, no, we're not going to talk about cybersecurity yet. We're going to talk about risk. How many organizations? If you can't tell me in hard and soft dollars how many computers can be off and for how long, and so until it's so economically unviable for your organization, then how on earth do you know what you are doing is correct?
23:46
Speaker 1
How do you know your backups are working in the way that you need them to work? On paper, 24 hours sounds great, but maybe 6 hours is too long for production. Maybe marketing can be down for a week and nobody cares. If you cannot quantify these things for me, how on earth do you know the technology and the product solutions you have in place are actually doing what they say they are and will keep your business afloat in a tornado, in a ransomware event, in an earthquake, in an alien invasion, whatever it is. These are things that we need to understand. Start there, understand that there, and you will be ahead of the game for most companies in general.
24:21
Speaker 2
Well, it seems to me that if I start. If you start by quantifying risk, you start by doing that kind of assessment. A couple of things that are going to happen. You know, one is you start getting your head really in the game in terms of what is it going to take to. To hurt my business and where. Where are. Where am I? You know, where are my priorities? And the second thing that it's probably going to do is scare the hell out of you and motivate you well to, you know, take, you know, to start taking whatever recommendations are coming next very seriously.
24:51
Speaker 1
Right. Well, and I get that from a lot of IT directors or CIOs or CISOs that basically say, how on earth do I sell my C level? And it's like, you're not selling the C level. You're showing them the risk right now. They have, they understand, I can spend X money to indemnify myself from this risk and mitigate it, or I can keep doing what I'm doing, understanding that I, my risk appetite is vastly increasing. And that is it. You're not selling anything. All you're doing is saying, this is your risk. You want to, you want to lower this risk because you think it's too risky. We need to buy X, we need to invest in this. That's really the name of the game here and that is, I think, important.
25:29
Speaker 1
Now the difference between a 25 user firm and let's say a 1000 user firm is as you grow, you start to develop internal maturity on processes, on flows. You start to have employees that aren't outward facing, meaning they're going to customers to generate revenue for you. They are internal teams that aren't just doing things like supporting the external team. They're looking at the internal processes that we see. Meaning, is everything in place? Do we have good controls for our users, for our systems, for everything? And that's not just cybersecurity, that's anything the business requires. And so as you grow, as you develop these teams, you should also be maturing those policies, those procedures, those controls that help also mitigate that risk, but also align your employees with the technology solution that you have. It's very hard at 25, should be much easier at 250.
26:17
Speaker 1
And if you're hitting, you know, a thousand, you should have these things in place. That's just the nature of, this is the nature of business.
26:26
Speaker 2
Re. Realistically, if I'm at 25, what are the things that I absolutely must like? It's just simple stuff. Go, go do this, I'm at 25. Like go do these things. You can actually handle this, right?
26:39
Speaker 1
You have to take time at 25, you have to take time to look internally in your organization. You have to look at a gap analysis to say, where are we falling down on the cybersecurity side? It's a quantification of risk. In other words, understanding, okay, I'm paying X amount of employees, I'm paying X amount in electricity and idling trucks for gas, in leases for the trucks, all that kind of stuff. What happens if I have a complete work stoppage, meaning I'm ransomed? Nobody can go out on a job site, nobody can do anything. And I figure, how much money am I losing?
27:12
Speaker 2
I'm gonna, I'm gonna go, I'm gonna be, I'm gonna run out of cash in three weeks if that goes down, and then I'm going to run out of my line of credit in six weeks if that goes down. Right? So, so now I'm quantifying the risk. And if I, once I've done that, now what do I do? What, what, what should I, what.
27:29
Speaker 1
So once you understand I'm losing X amount of dollars, let's say you realize that if you were down for a complete week, paying for everything that you're paying, everybody's getting a free vacation, you know, because they're not taking time off. You are paying their salaries. And if you've got union, the union guys are still getting paid. I mean, this is just the nature of it, right? So, so once you've quantified that to say I can survive for X amount of time before it's so economically unviable, the goal is then to start developing a solution that says, okay, what basically ensures that if I get hit with ransomware or something else, I'm not going to be down for a week or X amount of days, whatever that is. How do we make it half of that? How do we make it a third of that?
28:10
Speaker 1
How do we make it whatever is economically viable, Meaning I will eat, let's say, a quarter of the money that I will, I can lose on this and no more. So what you do is you then start investing in solutions that ensure that you can do that.
28:24
Speaker 2
So what I think I'm hearing you say is quantify the risk and develop a clear backup plan so that you're able to mitigate that risk to the best of your ability. Should it go, should that happen?
28:37
Speaker 1
So I would say contingency planning in the sense that a backup disaster recovery plan is part of a greater contingency plan. But, but in that vein. Yes, but then you have to execute on that. It's great to have it on paper, but if you're not actually putting in the solution that, you know, gets you up in six hours, if that's what you need, then what's the point of having it on paper? Get it on paper, start executing on those things because you're investing in the longevity. You're investing in the security of the company, which ensures the longevity. I mean, it's, it's. That kind of cycle.
29:06
Speaker 2
Makes sense. Stacy, what do we have?
29:10
Speaker 3
I have so many questions to ask you, but we'll start with the audience. So Jose Posada said, would it be better not paying the ransom and using the backup servers?
29:20
Speaker 1
So that's a good question. I get that a lot. I walk into some ransomware events where they're like, we are not negotiating with terrorists. Screw them. You know, like, we're gonna go straight to backups. And usually if you're doing backups, right, Jose? Then yeah, you go straight to backup. So if you have a backup on site that is sitting what is known in what is known as immutable storage, then those can't be altered by ransomware, so you have a very fast restoration. Conversely, if you have a cloud backup, how we back up to the cloud, which is via agent as opposed to computer like you do on site. The cloud can be your lifeline as well. Understanding that you're going to have to get that data from the cloud or spin it up virtually in the cloud as you repair your systems.
30:03
Speaker 1
Understand what that does? But yes, the reason why people pay ransom more often now than what we've seen in the last few years is not because they don't have the backups. And that does happen on occasion. It's more, I don't want this sensitive information on my massive clients to get out because if they find out, I will be fired and I will never be able to work with a large client again because everybody will know that it. This is the problem with Target. You think anybody wanted to go to that mechanical contractor after Target threw them under the bus? No. And so by virtue of that, companies will pay ransoms and negotiate those down. And you can negotiate ransom to keep that information out of the public eye to ensure that they will continue to survive as a business. Great.
30:46
Speaker 3
We also have. What role does social media play in a company's cybersecurity now?
30:53
Speaker 1
Oh, my God. So I like to talk about something. I've talked about it for years and thanks to Covid, and it's the only thing I can thank Covid for is I no longer have to explain global herd immunity. We have the same concept in, in basically technology that we do with medicine in terms of herd immunity. Think about it this way. We are all connected on link. You're probably watching this on LinkedIn or Facebook or wherever it is. We're all connected. But if you know not to open the phishing emails or you know how to spot, you know, a potential malicious message or whatever it is, but your friends don't, they're the ones getting hit, which makes you more susceptible. This really comes down to user education.
31:31
Speaker 1
We social engineer all the time when we are running reconnaissance on organizations, we'll check the website, we will check LinkedIn, Facebook, Twitter, anything that we can possibly get insight on into the organization to build an attack profile against it. I actually talked about this in my very first TED Talk, which was called Trusts Sucks. And that was, I think, aptly named, you know, because that's essentially what we're doing. We are putting out a huge amount of data on social media that can be used against us. Not to mention the fact that I can send infections through Facebook messenger, through LinkedIn messenger, etc. Etc. Pretty easily, and I can infect you straight through social media. So. So think about it that way as well.
32:12
Speaker 3
Do you have any stories of any prominent AEC companies that have been attacked to date that you could share?
32:20
Speaker 1
So, short answer is yes, without naming names. I got called into a large engineering firm last year to help support their IT team as they went through a massive ransomware event. Basically, they gave essentially hundreds and hundreds of employees a free vacation for about a week and a half as they were scrambling to essentially unscrew that. And it cost them, ended up costing them millions of dollars. Aside from the millions that the ransomware people wanted, the. They lost millions in everything from salaries to electricity to stoppages to, you know, all those kinds of things, contractual obligations that they were trying to meet. So, yes, these things happen constantly and continuously. And we got called into, I want to say it was.
33:05
Speaker 1
It was before the pandemic, so maybe three, four years ago, into a large GC that is pretty well known specifically for an event like this as well. And they caught it halfway through. And so we were there as a second set of forensic eyes to take a look, to see, okay, did this actually, you know, only hit like 40 of our computers? Did it hit the rest and then those kinds of things? So. So yeah, this is. It's a huge problem in. In AEC, we see it all the time. I'm. I'm dealing with multiple right now contractors, two of which have been through ransomware events right now. So it's a huge thing.
33:40
Speaker 2
Yeah.
33:40
Speaker 3
So I guess to wrap it up, can you just describe to our audience what ransom. How the ransom attacks work, you know?
33:49
Speaker 1
Sure, sure. So essentially, basically, somebody breaks into your organization. Typically the fastest way is through phishing, meaning somebody in your company has answered an email, clicked a link, downloaded something they shouldn't have downloaded or opened something they shouldn't have opened, that installs what we call a payload that essentially establishes what we call CNC or command and control traffic to go and phone home. That traffic is typically encrypted. So most firewalls don't pick it up. Enterprise firewalls will, but most don't. And most of you are not running enterprise firewalls that are watching or listening to this. So we download it right through the firewall, and then we started installing infections into the machine. But we're not activating anything. We're running reconnaissance, meaning we're looking through those files. We're trying to crack every username and password that you have on site.
34:36
Speaker 1
We have tools that will do that rather easily for us. And so once we have all of these things, we'll log in as an administrator, we will start slowly copying out information, or we'll copy out your latest backup, assuming it's not encrypted. Because a lot of. A lot of organizations don't encrypt their backup. So that's a very easy way to get all your data. Once we have a copy of it, then we start strategically putting out ransomware where we know we're going to hit, such as servers, other critical infrastructure that. And then usually in the middle of the night, you know, 3 a.m. here is business hours in Moscow, you know, we turn it on and then, boom, everybody's hit. Everybody's locked out. And we leave ransomware notes absolutely everywhere.
35:12
Speaker 1
And then you get a dark website, typically, or now a Telegram channel, possibly, where you have to go and communicate with us. And we want a whole bunch of money from you.
35:19
Speaker 2
Oh, my gosh.
35:20
Speaker 1
So that's what it is.
35:21
Speaker 2
And Russia is coming. And Russia's coming for us. I mean, we got. We have to be prepared for that. Agreed. I mean, that's happening.
35:29
Speaker 1
Yes. I actually was just in New York City last week talking to a construction organization out in New York about that specific thing that we have to prepare for. Russian cyber attacks. They're not going to launch a land invasion over our sanctions because there's no way they would win that. The best thing that they can do, in their terms of their retaliation is cyber warfare against the United States and our allies. So we have to prepare for. For that eventuality. We really do well on that.
35:58
Speaker 2
Uplifting and not terrifying at all note. Thank you so much, Nick. This was, I think, a fascinating conversation, certainly for Stacy and I, I hope, for our audience. And I, you know, can't express enough, you know, how we appreciate your taking the time to join us this morning.
36:17
Speaker 1
Yeah, well, thanks for having me. I think it's such an important topic, and so I'm glad you guys are on it. Thank you.
36:25
Speaker 2
So, so I'm gonna just take a, a moment and, you know, kind of plug next week. Next week we're going to be talking with a construction attorney named Mike Wagner. One of the things that's happening, you know, rampantly across the economy, but certainly in the building industry is inflation. And in particular in the building industry, what we're seeing is material cost escalation beyond the scope of what anybody could have anticipated. Now maybe it's currently plateaued, maybe it's going to be going down. Who knows? But what we do know is that there's been lots of, you know, instability in materials pricing. Mike has been working with his clients who are construction companies as well as developers for developing fair contractual solutions to dealing with material cost escalation.
37:21
Speaker 2
I really hope that we have people join, you know, that episode with their real world challenges and toss some of those on the table with Mike. Stacy, is there anything that I'm leaving out from a housekeeping standpoint?
37:33
Speaker 3
No, you got it all covered.
37:34
Speaker 1
Awesome.
37:35
Speaker 2
Thank you so much. Great work today. I'll look forward to seeing, you know, the audience again here soon. Next week, same time, 9:00am Eastern on Tuesday. Thank you.
37:45
Speaker 3
See you guys. Have a great day.
37:47
Speaker 1
See ya.