Kip Boyle, the founder and CEO of Cyber Risk Opportunities and author of Fire Doesn’t Innovate, has worked with the US Federal Reserve Bank, Boeing, Visa, Intuit, Mitsubishi, DuPont, and many others, helping them with their cyber security. This episode is really about cyber security as not just a technology problem but a management opportunity. Kip shares how big a problem this can actually be for any company, because cyber crime is now just a part of doing business.
No executive today can afford to ignore the damage that phishing, malware, and malicious code can do to their company’s future.
In fact, Kip shares a story of how it has literally shut down an established business. You can’t afford to neglect your cyber security, and in this episode Kip lays out the few things you can do to establish companywide habits of good cyber hygiene, along with his three-phase approach to safeguarding your business from cyber attacks.
Get Kip’s new book Fire Doesn’t Innovate on Amazon.
Kip Boyle: When I started working on cyber security, pretty quickly, I was interacting with what I call senior decision makers on the job, and what became obvious to me pretty quickly is that they really struggled, they really didn’t understand what cyber security was, they were really looking to me to help them figure that out—“What’s really going on here, Kip?”
At the same time, they were also very quick to challenge me, push back on me. If I would explain something to them and it didn’t make sense, they would be like, “That’s BS, that’s not the way it really works.”
I found that despite that, they had trouble setting priorities, and they had trouble talking with other decision makers about cyber security. Yet they needed to continue to talk about it because they had an unlimited number of risks pressing down on them, and they had a limited budget.
I really got into that space, and I just kind of made it my mission to try to figure out how to help these people make these decisions. It’s really important decisions that they needed to make. I went out there and tried to figure out, what are other people doing?
Really, there are two extremes of approach. One approach is what I would call a fairly simplistic, high, medium, low method of figuring out what your cyber risks are, so I tried them.
The feedback that I got from the decision makers was, “Okay, you’ve just spent a lot of time and money on this, but I don’t think that you’ve really produced results that are a whole lot better than what I could have done on the back of an envelope drinking a beer,” which was really disappointing.
Charlie Hoehn: Probably felt a bit insulting.
Kip Boyle: Yeah, you know, taking my personal feelings aside, I did feel deflated, right? They were right, they were absolutely right. They were saying, you know, “Kip, you’re here and you’re on salary to help improve the quality of our decision making on cyber risk but you haven’t really helped.
You know, you’ve done a fancier version of what I can do for myself. The quality of the decision making really wasn’t that much better, but along the way, you spent a lot. You spent a lot of time, you spent a lot of energy, you spent a lot of money, and there’s just no business value there. You really have to up the game.”
They weren’t being mean about it in any way shape or form, right? They weren’t, but they were right to demand better, they deserved better and so I went out to try to find better. That’s when I encountered what I would call the other extreme, which is a more mathematical based approach.
One that, rather than qualify the risk, actually tries to quantify the risk to use statistics and probability estimations to figure out what are the risks and what priority should we put them and how do we know how much money to spend on them, you know? Is there some way we can calculate the exposure? Can we say, well, here’s a vulnerability, and it’s worth $50,000 of exposure?
If you spend anything less than $50,000 to deal with it, you come out ahead, right?
There’s this huge appetite to translate all of this risk over into math.
People like certainty, and math seems certain.
I dove into that, and what I found was, decision makers are absolutely overwhelmed. The amount of mental energy that they needed to spend to understand all the jargon and all of the math, it was just overwhelming.
When I say decision makers, I’m talking about people who have multiple teams reporting to them and with people in different disciplines. Finance, operations, human resources, that sort of thing. Nobody else is bringing math puzzles like I was.
They’re like, you’re killing us here man, this is just way over the top, I don’t have time for this, it needs to be more simple. I appreciate what you’re doing, but this just isn’t doing it for me, you’re confusing me, you’re making it worse, you’re not making it better.
Okay, I’m dejected again, right?
Trial and Error Learning
Charlie Hoehn: Right. I love that you’re starting off with the mistakes that you made early on.
Kip Boyle: You know, they’re not just my mistakes per se—and by the way, I’m not afraid of failure. I fail a lot, and I think failure is the best possible teacher that a human being can have. Emotionally, it’s very rough. Socially, it can be really difficult to deal with failure.
I was using off the shelf approaches, and they weren’t working.
I thought, “Oh my gosh, what are other people in my situation doing?” Guess what? They were all crashing and burning too.
We were all just sort of standing around saying, “My goodness, how can we do better than this?”
I was feeling frustrated, and I knew they were feeling frustrated, but I was motivated to do something about it. I thought it was just a fantastic little puzzle, and I really still felt like my decision makers deserved a good answer to the question that they were asking me, to the point where, if I couldn’t do it, I needed to change careers. I needed to get a different type of job, because I could not face the idea that I was just going to sort of mill around in this horrible little space where none of the existing approaches and tools were really going to work. I just invented something.
In the beginning it was just a way to think about cyber risk. It really started with asking myself: What exactly is it that these decision makers want? What are they really looking for?
I isolated some stuff that had to be better than back of the envelope.
It couldn’t have the high, what I would call, cognitive costs of statistical estimations. It had to be somewhere in between. It had to be biased towards action, because these people wanted to do something but they didn’t know what to do, and there also had to be real business value. Like if they’re going to spend money on this, they’re going to want to know that it’s money well spent.
Not just because some dude or some gal who said a lot of jargony things was telling them that it was going to deliver business value. I also realized too that whatever we came up with, it had to meet decision makers where they were. The idea that I was going to get them to study up on something or attend a half day class, I mean, that was not going to happen.
Finally, I also realized that it needed to facilitate, to actually foster an ongoing conversation rather than a one-time conversation. I wanted executives to actually figure out how they could talk about it all the time just like they would constantly talk about sales. “How are the sales looking,” right? If sales weren’t looking that good, they could do things to improve the quality of leads or the number of leads, right?
There were things they could do, and the same with order fulfillment, right? How are we doing fulfilling orders? Things are slow, let’s buy an additional factory or let’s add a second shift, right? There are things that they could do, but there was nothing like that for cyber risk. Eventually what I came up with was what I call the Cyber Security Executive Toolkit.
It was a very simple workflow with some tools built to facilitate that workflow, and I used it on the job and it went really well. Then I used it with a bunch of paying customers and they really liked it, and we improved it as we went. Then eventually I launched a business based on it, and finally I wrote a book about it.
Charlie Hoehn: What did they really love about it?
Kip Boyle: Yeah, it was a better experience. Let me tell you something about decision makers, what I call decision makers, just from the title alone, right? You should understand where I’m going with this, but senior executives and, to a lesser extent, junior executives in organizations, they are decision making engines.
That’s their prime function, to make decisions. If you’re a junior member of their team, your job is to help them make decisions. To the extent that you can do that, then you’re making their job easier and better, and you remember from the story that I told you a moment ago, I wasn’t really helping them with that. None of this regular grain, high, medium, low on the qualitative side, none of the statistics and all that stuff, none of that was helping them make better decisions.
Well, with this new approach, they were actually able to make decisions, which they found very satisfying. All the goodness of this approach really came from satisfying that core appetite that they had which is, “I want to make a decision about this.”
Charlie Hoehn: Got it. Okay, it sounds like Fire Doesn’t Innovate is really for those decision makers, right?
Kip Boyle: Yeah, that’s right, that’s exactly what it’s for. Now, the economics of my business really constrain who I can help. I wrote the book because I wanted to help more people than I could economically afford to help just within the confines of my business. If you think about the term decision maker, there’s another reason why I use the term a lot.
It’s because a decision maker can be, of course, a vice president or a director in an organization, but a decision maker can also be somebody who is lower in the hierarchy but who still faces cyber risk decisions every day, like how big of a password am I going to set on this website, you know? I just created an account, what am I going to do here?
Those little decisions make a big difference, as we can tell from studying all these news stories that are coming out about how a single phishing attack brings down an organization or causes hundreds of millions of dollars in damage. But there’s also a lot of cyber risk at home. I wanted people, parents, or heads of household to be thinking about cyber risks at home. So my book, especially in part one, it’s full of very practical things that they can do to protect their family.
Not Quite Fire Insurance
Charlie Hoehn: Let’s get into part one of your book, where you really talk about the basics of cyber security. Why did you call it Fire Doesn’t Innovate?
Kip Boyle: You know, in the process of titling your book, there’s this brainstorming exercise that you do and I must have generated 75 potential titles and as I got through the first 25, it was pretty easy, I was just rattling them off and then got harder and harder. As I was getting close to the end of the list, I was like, I just started throwing stuff down and Fire Doesn’t Innovate was one of the things that I threw down.
I really wasn’t sure that that was really going to work but here we are, right? The reason why I threw it down is because I was giving a talk one time and was trying to explain to this audience of decision makers, it was like a public presentation that I was giving, and I was trying to help them understand why is cyber different than other risks that they face.
For some reason, we started talking about buildings catching on fire. Fire insurance and sprinkler systems and all that. I realized that that was the perfect metaphor to help people understand why cyber is different. That’s why that’s the title of my book, because I really wanted to hook people and get them to understand that it’s a big change in the way that you think.
Here’s what it comes down to: fire has been the same here on planet Earth from the very beginning. It’s a mix of three ingredients: heat, oxygen, and fuel. If those three ingredients come together, you get fire. If you don’t want the fire anymore, you’ve got to remove one of those three ingredients. That’s why our buildings look the way they do, that’s why they’re built out of the materials that they’re built out of, why they have sprinkler systems, why we have fire hydrants and fire departments. It’s because we understand how fire works.
We actually can buy fire insurance on the off chance that a fire goes crazy and we can’t control it; there’s one last line of defense. It’s really the insurance industry that has driven these requirements about what materials you use to build buildings. I think people expect cyber to be like that, which is to say, “Hey Kip, give me the checklist, tell me if I just do five things and dial them in really well, that I’m good, right? I don’t have to worry about it anymore.”
The unfortunate reality is that cyber is nothing like that. The people who are driving all of this cyber damage are constantly innovating how they attack us. Always innovating how they attack us. Either because the attacks don’t work anymore, because we find ways to defend ourselves or because the attacks worked great and they want them to work even better, right?
Why charge a $300 ransom for data when I could charge $1,500 or $20,000 or something like that? Why attack a grandmother’s computer and hold the pictures of her grandchildren hostage when I can attack a medical center and shut them down with the same level of effort by the way but charge them a ransom of $55,000, right?
I wanted people to understand that this is a completely different thing than you’ve ever encountered before.
Charlie Hoehn: Asking for an amount of money once the data is compromised, do you see that a lot?
Kip Boyle: It’s happening all the time, yeah, quite a bit actually. It’s a well proven form of automating crime on the internet, and it’s getting worse, not better. It literally is evolving in exactly the way that I just described it.
They started by attacking individual people and charging $200, $300 to get the payday for themselves, and then once they realized how easy it was, then they started going after large organizations.
It’s working. People are freaked out, and a lot of them pay the ransom.
Charlie Hoehn: Could you give an example?
Kip Boyle: Yeah. I’m going to tell you a story about a company that was not a customer of mine, and you can read about them on the internet. Everything I’m about to tell you is open source, there’s no confidential information in here.
In September of 2018, there was a company in Denver, Colorado and they were called the Timber Line Company, and there were about a hundred employees, they had a few hundred customers, they’re about five years old, they were backed by a private equity firm, right?
They were a legitimate business. People with money to invest put money into this firm because they believed that the company had future potential to grow.
What they did was, if you wanted your company’s logo on a pin or a T shirt or something like that or if you needed promotional materials created, they would do that. By all accounts, they were just doing just fine.
In about the middle of September 2018, all of a sudden, without any warning, they just shut down.
They posted on their Facebook page and on their website, “Gosh, we’re really sorry, but effective immediately, we’re not in business any longer.”
The reason was because they had been cyber attacked and ransomware had got on to their systems, and the damage was so substantial that they could not afford to recover from it. They went out of business. That’s just one example.
Charlie Hoehn: What comes up on their computer screen, what is the dawning realization that we have to shut down our business now?
Kip Boyle: There’s other types of cyber threats out there that don’t look or feel anything like this, but in the case of ransomware, it starts with an unexpected screen on your monitor that says something to the effect of, we’re really sorry but we’ve gone ahead and encrypted all your files. If you want them back, you’re going to need to send 1.25 bitcoins to this wallet.
Most people don’t even know what that means, right?
Where do I even get bitcoins and how do I send them to a digital wallet? Right away, your brain is seizing up because you don’t even understand the ransom note that you just got. From there, the next thing that you notice is that your computers don’t work anymore.
If you think about it, are there very many companies in the world, certainly in the developed world, that can operate without computers? In the case of Timber Line, they needed computers to design the materials, right? To bring the logos in and do the layout of how it was all going to look. They needed computers to control their printing presses and the different ways that they actually produced product, and they needed computers to schedule the pickup of the shipments, and so on and so forth.
The next thing you realize is that none of that works anymore.
Because you needed computers and those computers are now unavailable to you. Worse than the computers being unavailable, all of the data that you need, like your customer records, where do I ship this box, that’s unavailable as well.
If that goes on long enough, people who paid you money aren’t getting their orders, so now they’re getting unhappy and they’re calling you and they’re trying to find out where’s my stuff?
The vendors that you bought the raw materials from aren’t getting paid because you can’t access your bank accounts to pay them. Now they’re getting unhappy. Where’s our money? The new people who heard about you and what a great job you do are trying to place new orders, but they can’t because you don’t have a computer system that can receive new orders.
I think you can see where this is going—pretty quickly, your engine seizes up and stops working.
Now you’ve got to repair that engine and you’ve got to get it going again. Very quickly, the enormity of the work in front of you just becomes overwhelming and everything just falls apart.
It Can Happen to Anyone
Charlie Hoehn: What is the biggest size company you’ve seen this happen to?
Kip Boyle: The big ones have made it into the headlines—the city of Atlanta was cyber attacked with ransomware, and you can read about that online by just doing a web search on city of Atlanta ransomware. You can check out the news stories, you can read the different press releases that the city issued to help people understand what was happening to them, and you can see the impact. People couldn’t pay their utility bills, they couldn’t renew their business licenses, there were just different city services that were just completely unavailable during this time.
The city had to consummate tens of millions of dollars in emergency contracts in order to get cyber experts and technology experts to come to the city and clean up this enormous mess. It took them a long time to recover.
There’s the city of Atlanta, several medical centers, Hollywood Presbyterian Medical Center in California had this happen to them, and there’s others. They have all reacted in different ways.
Some of them paid the ransom because they did what I would call a cold economic calculation that a $55,000 ransom is going to get them back in the business faster than a $10 million bill, which is what the City of Atlanta had last time I checked.
How it plays out can really vary, but one of the things that I’ll say about ransomware is you should never pay the ransom, even though the economics might tell you that you should pay it, you really shouldn’t. Here is why.
Every dollar that you spend paying ransom to get your data and your computers back is a vote for more ransomware attacks, and that means that you could get attacked again, and that means that any of us could get attacked, because you are emboldening the criminals. I mean, behind all of this malicious code and the stuff that actually causes all of this damage are people, and those people respond: when they earn money, they do more of their dirty little deeds. It is that simple.
Practice Good Hygiene
Charlie Hoehn: So what do you mean by cyber hygiene?
Kip Boyle: Remember earlier in our conversation, I was telling you that I was giving a presentation to some decision makers and they were just really struggling to understand why cyber is different from fire, right? They were both threats; can’t I just buy some insurance?
I found that people also struggled to understand basic things like, “Everybody tells me I should do this with my password and do that with my password.”
Or they say, “Hey I should install these security updates but why? I mean what good does it do?”
I realized that it would really help them if they could relate it. So I was searching for another metaphor, and that is kind of where the cyber hygiene metaphor comes from. Here is what I am getting at. There’s these things that none of us have really ever seen with our naked eye called germs, and we know from about 200 years of human experience now that there are these little invisible things called germs.
When you get one of these things in your body, it makes you sick. Sometimes it’s just the flu and you get over it, and sometimes it is something really, really bad like typhoid fever that can kill you, but it all starts from germs, which nobody can see. Even though we can’t see the germs, parents teach their children to wash their hands, and parents ask their children to wash their hands multiple times a day, and as grownups we do it too, right?
And we know when we should wash our hands, after using the bathroom and so on. Germs are so accepted as a source of trouble that we even have rules. Government imposed rules: when we make food for other people in a restaurant, we have to wash our hands, we have to wear gloves. When we are manufacturing food in a plant, people have to wear hairnets, and they have to take all of these precautions with cleaning the equipment, and it is all about anti-germ, right? To keep people from getting sick.
If you can believe in something invisible like germs that you have never seen before and you can take all of this action, then I would say take that brain space and put it into the cyber world.
What I am going to tell you is there’s these invisible digital cooties floating around the internet, and they’re looking for a host. They are looking for a computer to infect. So you need to get good cyber hygiene, just like you’ve got good personal hygiene.
You shower on a regular basis, you wash your hair, you go to the doctor once a year to get a checkup. You get a flu shot every year, you visit the dentist twice a year. So there are these hygienic habits that we’re into, and we need to do the same thing with our computing in order to make sure that we can reduce the risk that a digital germ is going to hurt.
Basics of Cyber Security
Charlie Hoehn: Walk us through some of the basics that maybe we don’t know about.
Kip Boyle: Yeah, so there are a lot of things that you could choose to do. A lot of this goes back to what your personal risk appetite is. I talk about that in the book because everyone is going to have a different sense of how vulnerable they are.
Some people are going to be very risk averse, and they’re going to want to do a lot of things. Other people are going to feel like, “Hey I’m fine, I am just going to write my password down on this piece of paper and leave it on my desk.”
And we see this all the time, right? Everybody has a different sense of how vulnerable they are and how much risk they are willing to take on.
I am going to tell you a couple of things that I think everybody should do, no matter how risk averse you are or no matter how risk tolerant you are. One of the things that you should do is you should buy a high quality password manager and use it to its fullest potential.
Now remember in the earlier part of our conversation, I was telling you that decision makers were really interested in business value? A password manager has tons of business value. It has tons of personal value, right? And you touched on that a little bit already. Not only is it going to reduce the amount of technical risk in your life that somebody is going to guess your password and then, as a result, they’re going to take over your bank account or they’re going to steal money from your brokerage account.
But it is going to make everything easier. This is one of those rare things where you get more security and you get more productive at the same time, because once you start using a password manager, you don’t ever have to be in the business of choosing passwords anymore. It will do that for you, and you don’t have to type them into your computer anymore, it will do it for you. It’s wonderful.
It is this wonderful, beautiful little combination of more security and more productivity.
I have heard people say this to me a lot, so I want to be totally clear about this: The key is you’ve got to choose a high quality password manager. You can’t just use any password manager that is available at your fingertips, because quite frankly most of them are junk. They seem to be doing the right thing, but under the hood, they are not doing the right thing at all. Despite the best intentions of the authors of a lot of these password managers, they do not get the details right.
I will give you one example. If you are saving passwords in your web browser, terrible idea. Very convenient, but terrible idea because if you visit the wrong website, the website can issue a command that you will never see to tell your web browser, “Hey, can I have all the passwords that you’ve cached?” And the web browser will go, “Okay here you go.” So it is not built for security, it is built purely for convenience.
Charlie Hoehn: So just to clarify on that, are you saying you need to disable stuff like the Google Chrome browser’s automated password autofill feature?
Kip Boyle: Yeah, exactly. That is a wonderful example of what I am saying. Don’t use that. It is very convenient, but it is not at all secure. That’s the problem: you get a false sense of security. You think you’re covered, but you are not. The only way you know that is you’ve got to pop the hood open and you’ve got to look inside. Sometimes you can’t, right?
It may not be possible for you to look inside the Google Chrome or the Firefox password autocomplete feature. You don’t really know what they’re doing.
So as a result, you have to deliberately seek out what I call a high quality password manager, one that says to you, “We do it right and we allow other people to check our work to make sure that we are doing it right.”
The two that I know that are very good about this, one of them is called 1Password, and the other one is called LastPass. Those two are what I call high quality password managers.
You will pay money for them, but you should be glad and cheerful about paying money to them because both of these companies are great. They have great teams of smart people standing behind the products. When the products are attacked or there is a vulnerability that is discovered, they leap into action immediately and fix it.
Think of the annual subscription fee as just getting your flu shot each winter.
It is not going to kill you, right? We’re not talking about a ton of money here, but you are going to get really great benefits in return.
Charlie Hoehn: Excellent and just on a personal aside, do you think it is worth switching from Dashlane to one of the two that you mentioned?
Kip Boyle: Well, what I can tell you is I have not evaluated Dashlane. So I can’t tell you whether I would say that it is a high quality password manager. It could be, but that’s what you’ve got to decide for yourself.
Am I using a high quality password manager? How can I know? Just answer the question for yourself, and if you feel like, “Yeah, Dashlane is doing the job for me and I am comfortable with the assurances that I have received from the company,” then I would say you are better off using Dashlane than nothing.
Phases of Risk Management
Charlie Hoehn: You talk about the cyber risk management game plan, and you break it down into three phases. Could you just give an overview of what those three phases are?
Kip Boyle: Yeah, you bet. So the cyber game plan is really good for people who are decision makers in organizations, or if you work for a decision maker and you know that that decision maker is concerned about cyber risk, then this is a great part of the book that you should be connecting with.
Let me give you a quick overview, and before I do, I want to say one other thing.
When you buy the book, there is a link inside here that you can use, and we’ve created a Google sheet where we have already pre-automated all these steps. Virtually all these steps are already on the internet ready for you to use. All you have to do is buy the book, check out the link. I think we’re going to ask you for your name and email address to get access to the workbook. That will get you subscribed to our newsletter, but after that point, the workbook is free. It’s yours, you can use it, change it, do whatever you want with it.
So the first phase is you want to discover your top cyber risks.
This all gets back to the thing that I said about prioritization. You’ve got more risks than you know what to do with. Everybody does, every organization does, and so the key is that you’ve got to discover what’s top, and that’s what the first phase is all about. The second phase is really all about answering the question, “Now what do I do about these top risks?”
And the book will walk you through a process of discovering what you need to do to go from, “Hey I am not doing a very good job of dealing with this top risk,” to, “Hey, if I make these changes and spend this money, then I am going to be in a much better place with respect to that risk.”
I can give you some examples, but I am going to keep this high level right now.
And then finally, because the nature of cyber is that it is always changing. The first two phases are about what are my top risks and then what do I do about it, but it is not the case that you can just say, “Great, I am done. I don’t have to worry about this anymore because I have implemented these steps.”
So phase three is about maintenance and ongoing updates and making sure that you are staying up with the changes that are happening in the world outside of your four walls. Things are changing all the time, and so those are the three phases that I walk you through, and we suggest that you do this on an annual basis. So in other words, every year, go back to step one and start again, because the world just changes too much to think that you can set it and forget it.
Working on Cyber Protection
Charlie Hoehn: Could you tell a quick story about a company that you’ve helped with this, and maybe the risk they would have faced had you not worked with them?
Kip Boyle: I am going to tell you a story about my favorite customer. I can’t name them, but I can tell you that they’re a professional basketball team. So imagine my delight in being able to work with them, right? Our customer there is actually the general counsel, in other words the senior lawyer. So we’re working with the general counsel of a professional basketball team, and they knew that they needed to up their game.
So we started working with them, and as a result of working with them, they now have for example much better contracts with their vendors, right? We look at things on a holistic basis, cyber is not just about technology.
The fact that we use technology in our business is what creates cyber risk, but to manage cyber risk you actually have to do a lot more than just throw technology at that risk. You actually have to examine your people, your processes, and your management.
And that is what we helped this basketball team do. That’s why they have better contracts now with their third party vendors.
If anybody has been paying attention, a lot of the data breaches that we read about in the newspapers and the stories that we see on TV are because one organization gave a vendor of theirs access to sensitive information, and it was the vendor that fumbled the ball, so to speak, and caused the data breach.
One of the things that you need to do to have good organizational cyber hygiene is you need to have great contracts with those vendors so that you are clear with them like, “This is what I need you to do to protect everybody, and if you mess up, these are going to be the consequences.”
This basketball team now has much better cyber insurance. They understand what their policy covers and what it doesn’t cover. Cyber insurance is a real tough thing to buy these days.
There are a lot of options, but unlike automobile insurance, they are not comparable. You can’t just take two policies and put them next to each other and say, “This one costs less so it must be better.”
It is really hard to buy the right policy and to really know what you can get, and a lot of these oversights in terms of insurance are being litigated. So there are companies that have spent $150,000 for a cyber liability policy. They go to file a claim, and the claim gets denied. They take the insurance company to court and they lose, right?
We have done the due diligence with our customer.
They know exactly what they have now as far as cyber insurance. Their chief technology officer now has a prioritized cyber security roadmap that they can work from, and so now it’s completely clear to them where they should be spending their money on the technological improvements that they need to make.
Like having a high quality password manager, or the different things that they need to do in order to prevent, as much as possible, bad stuff from happening. A couple other things that I will mention is they now have a much better conversation about cyber risk internally in the office. The executives actually now have an ongoing dialogue about where they are and what they need to do next, and they have a score card that they actually look at.
And the other thing that I want to mention is that they’re actually having a much better conversation with the NBA. Because as a franchise, they are obligated to follow the rules that the NBA sets for them, and some of those rules have to do with cyber security and cyber risk, so now they are actually teaching the NBA a thing or two.
Connect With Kip Boyle
Charlie Hoehn: What is the best way for listeners to get in touch with you or follow you?
Kip Boyle: Okay, so there’s a couple of things. Online, I am most active on LinkedIn. So you can find me easily there if you just type Kip Boyle in the search box. I think I am the only Kip Boyle in the whole world. So lucky for me it is pretty easy to find me there.
And on Twitter, my handle is @KipBoyle, so again you could find me there. I would also encourage you to check out the podcast that I am a co-host of, it is called, no surprise, The Cyber Risk Management Podcast.
And my co-host is a cyber-security attorney, and we are constantly talking about the different issues that decision makers are encountering as they try to thrive as cyber risk managers.
Charlie Hoehn: Excellent. My final question is, give a ten second challenge. What is the one thing that listeners can do this week from your book that will make a positive impact?
Kip Boyle: Sure, assuming that you’re already using a high quality password manager or maybe you are just not ready to tackle that yet, here is the thing that I want you to try to do: Avoid public WiFi. And here’s why. I want you to think of public WiFi as a municipal swimming pool, right? You have a swimming pool in your head right now, and you’re thinking about the city’s swimming pool, right? And the kids are running around the edge of the pool and they are jumping in and they are getting out.
And you are looking down into the pool, the water looks good—but is that water clean? How can you tell? Maybe it is, maybe that is a very, very well maintained pool with the proper chlorine levels and pH balances and it’s perfectly safe.
But maybe it’s not.
The problem is that unless you brought your test kit with you, you have no idea. So you are taking a risk every time you would get into a pool like that, and public WiFi is exactly the same. You never know if it is good or bad, and you have no way to test it. So my suggestion is just don’t do it.
And what’s the alternative, by the way? Your phone probably has a hot spot on it. On your phone, you should turn off the WiFi and just use your phone carrier’s mobile data, and that’s really what you should do. If you’ve got a laptop or a tablet or something like that, then you can use your phone’s hotspot.
If you don’t have unlimited data, these days it’s actually pretty cheap to get unlimited data or at least a very high data allowance, so that’s my challenge for the listeners.