Emotionally Engineered: How AI Is Rewriting Free Will

My “aha” moment happened recently. My associate and I were working on a presentation for our clients about modern workforce solutions addressing the challenges of remote work and security. Using Google’s free tool, NotebookLM, he created a podcast, entirely AI-generated, that was so compelling, it shook me. In that moment, I realized just how this technology could threaten humanity as we know it. Combined with quantum computing, AI’s growing power demands, and political shifts toward autocracy, this is perhaps the greatest threat to the world order and humanity in modern history.

I know that sounds dramatic, but it’s not. What struck me was how emotionally convincing the fabricated podcast was. It wasn’t real, yet it moved me. That same power can be used to mass-produce content designed to influence thought and behavior. With the right message, format, and messenger, even fiction can feel like truth. Governments and powerful entities can exploit this, weaponizing our emotions to shape our beliefs and actions.

Reporter Tom Bartlett, from The Atlantic, profiles a controversial study by University of Zurich researchers who found that AI-driven posts on Reddit were highly successful at changing the opinions of other human participants. You can read more about this experiment on The Atlantic and on NPR.

We like to think we’re rational, but we’re not. Emotions govern nearly everything: whom we love, where we live, what we buy, the careers we pursue. Sales and marketing professionals understand this well—emotions close deals, not logic. If we’re constantly exposed to emotionally manipulative content and lack the tools to critically evaluate it, we lose our agency, our free will, and perhaps even our right to life, liberty, and the pursuit of happiness.

There is strong science around the power of emotions. Ethan Kross, author of the book Shift, demonstrates through scientific studies the ways in which our emotions affect us and how we can manage them. If we’re subject to the emotional manipulation of overwhelming and compelling AI-driven content, we are likely to become the very sheep we fear. And if we’re not in control of that content, or trained on how to understand it and its emotional impact, we are not the ones in control.

Consider this: I love watching motorcycle and car shows. Some of the most emotionally detached people are the men who love their cars and bikes. Many of them think they’re emotionally simple, direct and logical people. The irony is that these are the same people collecting muscle cars and custom modifications purely for the feeling it gives them. They are the very epitome of the emotionally driven art lover, willing to spend money and resources that are entirely based on emotion. I watch the Mecum and Barrett Jackson car auctions and watch these same people spend tens, hundreds and sometimes millions of dollars on effectively useless equipment. That’s emotion in action.

Still skeptical? Look at the rising crisis of gambling addiction, particularly around sports betting. In Massachusetts alone, the share of people reporting gambling problems jumped from 12.7% in 2014 to 25.6% in 2023. People knowingly destroy their lives, and those of their loved ones, because emotional impulses override rational judgment. The emotional reward is so powerful that it eclipses consequences. That same principle makes emotional manipulation more powerful than drugs or physical power.

The atomic bomb of this century isn’t nuclear, it’s AI-powered, emotionally manipulative content. Combined with the reach of the internet and social media, it allows curated information to be injected directly into our minds. Making matters worse, trustworthy news sources are shrinking, and access to reliable content is increasingly hidden behind paywalls. It’s a race for power like no other. For all its productive uses, the race for AI technology and technological primacy is not about improving our lives, but rather a race for global power.

Much political rhetoric, especially around First and Second Amendment rights, is also part of this manipulation. Arguments about freedom of speech and gun rights are often used to distract and divide. Bumper stickers like “If guns kill people, do pens misspell words?” are clever, but they miss the bigger point. Real power doesn’t lie in firearms, it lies in controlling information and influencing emotion. Division is the goal, and many don’t see they’re being played.

Quantum computing will amplify this exponentially. “Q-Day,” the hypothetical moment quantum computers can break current encryption standards, could arrive before 2035, if it hasn’t already. Governments have been stockpiling encrypted data for years, waiting for the day it becomes readable. Once AI and quantum power converge, decades of private communication could be analyzed and exploited to manipulate individuals and populations on an unprecedented scale.

The convergence of AI, emotion, and geopolitics is fundamentally changing the world. The fact that a fake podcast could make me feel something so deeply is proof of how easily we can be influenced. We are emotional beings first, rational beings second, and now there is a reliable, scalable way to exploit that truth. Without critical thinking, education, and emotional literacy, we risk surrendering our thoughts, behaviors, and freedoms to those who can most effectively control the narrative.

This is not just a technical or political crisis, it’s a philosophical and moral one. Even the new Pope Leo recognizes the risks. What kind of future do we want to build? Our ability to protect truth, agency, and societal cohesion is at stake.

My son, the hacker, and the lessons I learned

Despite the thousands of cybersecurity products on the market today, most business leaders do not understand their true cybersecurity risk or who their potential attackers are. Most think they’re not much of a target at all. They understand that they have to budget for certain protections such as antivirus or firewalls, but once they’ve metaphorically locked the doors and windows, they think they are done. In fact, this lack of understanding of the true risk and of who the attackers are is driving complacency, ineffective spending and financial losses.

2024 is on track to be the costliest year on record for cybersecurity-related incidents. Official reporting from the FBI shows that in the US, losses grew from $3.5 billion in 2019 to $12.5 billion in 2023. This year we saw an Illinois hospital permanently close because of ransomware, and countless high-profile incidents like MGM Casino, Caesars Palace, AT&T and Change Healthcare. This week we learned the seminal brand Stoli Vodka has filed for bankruptcy, due in part to a ransomware attack. But we also know thousands of small organizations were impacted, like this Reddit account of a small law firm in Connecticut that closed its doors forever after 30+ years in business.

As a leader, if you don’t understand the underlying problem, you’re unlikely to fully address it. I’m reminded of this every day in my own home life. I assumed protecting my kids from the dangers of the Internet would be relatively easy for me compared to my friends and non-technical counterparts. I know all the tools and how to set them up to filter Internet content and control my devices. In much the same way that businesses fail to understand their risks and adversaries, I had failed to account for my son’s determination, ingenuity and resources (knowledge, Internet and time). He consistently and repeatedly circumvented the limits and systems I had put in place. 

In 6th grade we gave my son a smartphone. We wrote up a contract about responsibility and acceptable use and the risks posed by social media and the Internet. Additionally, we set up parental controls to limit apps, inappropriate content and the amount of time he could spend on different apps and sites. Lastly, I had put a business-class firewall in my home to filter and control the Internet. I was busy congratulating myself and pitying the fools who weren’t as smart as me. I had secured my home technology kingdom, and I thought I was done!

The first thing he did was realize that if he embedded URL links in Google Docs, which was allowed because he needed it for school, he could open whatever links he wanted in an embedded browser window that would circumvent the parental controls and time limits in place. Next, he realized I had no way of controlling the hotspot on his phone. So, he would connect his computer or our TVs to his hotspot to get around all of my limits. As I ran around scrambling to patch the holes, he continued to find the “bugs.” One day, after checking his screen time reports, I noticed he was spending a lot of time in the Files app, the program used to browse and open documents on the iPhone. Apparently he had figured out that by embedding URLs in the Files app, he could again circumvent my controls. Lastly, he realized that he could cover his tracks by deleting incriminating files on his phone and then restoring them from the trash when he wanted to access them. He could continue to do this as long as he restored them within the 30-day retention period before permanent deletion.

There is a great talk published on YouTube that I highly recommend for business leaders. It’s only 30 minutes, and if you watch it at 2x speed, like my children would, you could get through it in only 15 minutes. In the video, researcher Selena Larson tries to dispel the misguided focus of businesses and cyber professionals on APT or government threat actors as the greatest risk. She argues that this is a distraction and provides a false sense of security. She describes a criminal ecosystem that supports both government and non-government threat actors and works like any legitimate industry, driven by money and endless opportunity. As we learn about the illicit ransomware industry, we learn that it doesn’t matter what type of business you are or how small or large you are: you are a target of equal significance to this criminal industry.

If we take the example of my son, had I not monitored his screen time regularly, I wouldn’t have noticed the unusually high usage of an unlikely program, the Files app. This cued me in to the fact that he was doing something unexpected. If this sounds expensive and time consuming for a business whose focus is making widgets, you’re right. But over the last 30 years businesses have been enjoying the productivity and cost savings of automation, computers and Cloud computing. Now, with the explosion of AI and large language models, it will only get more efficient. We have to invest some of that efficiency into understanding the business risks fully and developing effective cybersecurity programs.

Cybersecurity is not just about implementing tools or locking digital doors; it’s about understanding the risks, the attackers, and the ever-evolving threat landscape. My experience with my son highlights how a determined individual, armed with time and ingenuity, can outmaneuver even the most carefully implemented defenses if risks are not fully anticipated. For businesses, the lesson is clear: a static approach to security is insufficient. Success requires continuous monitoring, adaptability, and a deep understanding of both risks and adversaries. By investing in comprehensive cybersecurity strategies, businesses can safeguard themselves from the devastating consequences of cyberattacks and build resilience in an increasingly connected world.

Maybe the greatest security risk to your business that no one is talking about

Do you or your staff use Virtual Assistants (VAs)? Using VAs is great, but if you don’t have good security controls, you may be putting yourself, your staff and your organization at serious risk.

My daughter came home with an assignment to explore human nature and different philosophical perspectives. As I reflected on that conversation, which in true teenage fashion she quickly told me she was done with, I started to think about a common situation we have addressed with many clients and wondered, do all these business execs believe in the innate goodness of people? That certainly is a much kinder way to understand their choices. 

A quick Google search reveals many online resources and people extolling the benefits of overseas VAs, including flexibility, availability and cost. Many of these resources have brief notices about security and privacy considerations. Many suggest that having proper due diligence and contracts in place is a good mitigation of the risks. However, the technical details of how to properly protect data and privacy are never disclosed or discussed. This article from US News has a small four-sentence expandable blurb at the end that simply suggests choosing a reputable service is the best way to protect yourself.

Using an overseas VA is not necessarily a bad idea. VAs can be a very powerful tool for businesses and individuals. However, in order to avoid a serious data security or financial disaster, it is critical to understand what your risks are and how to mitigate them.

One day we got an alert for one of our clients, who is in a regulated industry. The alert was about improbable geographic access to one of their Microsoft 365 mailboxes. Upon investigation, it turned out that a salesperson had hired an overseas VA to help manage their calendar and sales efforts. The salesperson had shared their credentials and MFA with an unvetted foreign agent and potentially provided access to legally protected data. This was a clear violation of their security policy.

Despite having gone through training on the company’s security policies and participating in regular cybersecurity awareness training, this salesperson seemingly didn’t know that what they were doing was wrong. Perhaps they just didn’t care? Or perhaps the lure of what the VA offered was just too compelling: a widely used, cheap, effective sales support tool. Or maybe they just believed in the innate goodness of people? Surprisingly, we see this all the time. People are too willing to give up their privacy and security for free or inexpensive products and services. Gmail is a clear example of this!

It isn’t just salespeople, it’s the C-suite too. Outsourcing administrative work to inexpensive overseas staff is very common. We have clients ranging from plumbers to data analytics companies and insurance agencies that have outsourced executive assistant and administrative roles to overseas VAs.

What many people fail to realize is that granting a stranger access to your email is not only against most company policies, but also a very bad idea. In 2023, the FBI reported $12.5 billion in losses from US firms due to fraud and cybercrime. Of that, $2.9 billion was related to Business Email Compromise (BEC). For most businesses, email is a critical system that provides significant access to other systems, files, people and resources. This is why email systems are a favorite target for attackers. They stand to gain significant levels of access and are able to use that access to establish authority with other victims.

In another recent example, we advised a client whose use of an overseas VA would have allowed the VA to easily impersonate, defraud and damage the client’s business. In our discussions with them, they revealed that they had set up an Apple iPad for their VA, through which the VA had complete access to their personal Apple ID, phone records and text messages. They were using the VA to help with administrative tasks, including responding to emails and text messages. With access to the person’s Apple ID, this complete stranger on the other side of the world had access to personal photos, to financial resources such as Apple Pay and mobile banking, and to sensitive data stored throughout their Apple account. They even knew the client’s location information! What’s more, the VA’s access included knowledge of the device PIN. The device PIN is a form of identity verification for Apple and is used to encrypt iMessages.

Many of these VA services are located outside the US, beyond the jurisdiction of the US legal system. If you don’t have the time and resources to hire someone locally, you probably don’t have the time and resources to chase down an overseas fraudster. So even if your overseas VA was caught doing something illicit or immoral, there is little recourse, and navigating a foreign legal system can be challenging and costly.

It is astounding to me the way in which people are circumventing their own security policies to take advantage of low-cost efficiency tools. Those policies are in place for a reason. If I were North Korea’s Kim Jong Un or Russia’s Vladimir Putin, why spend the time and resources breaking into systems around the world when all you have to do is ask? They could set up inexpensive overseas VA shops, charge reasonable rates and wait for their victims to open their doors to them! In fact, this is already happening. It has recently been reported that North Korean employees are infiltrating western companies, a slight twist on the VA angle I’m describing.

So, when you’re ready to engage your VA, you don’t have to solve the age-old question of human nature. You just need to do some planning. Take the time to understand what systems or resources your VA will need access to in order to perform their role. Determine if company policies or laws limit what data and systems they can access. Finally, work with your IT and/or security team to put the necessary controls around their access, with appropriate monitoring. If you take the time to plan appropriately, you can help avoid a costly and disruptive breach.

Who is left holding the bag?

In the march towards the November election and all the high-profile headlines, there is little room for a thoughtful discussion around the never-ending unpleasant cybersecurity news. In fact, many companies like AT&T and Snowflake are thankful for the current environment! At any other time in history, their unprecedented system compromises and data leaks would normally dominate the headlines for weeks.

I have attempted to write this blog post at least three times since the middle of July. First, when AT&T disclosed its massive data breach exposing every customer’s (110 million subscribers) phone and text message activity and geolocation data, I thought, “This is it! A wake-up call! AT&T will have to come clean and face the consequences.” But then the CrowdStrike incident took out large swaths of the internet. AT&T’s executives’ prayers were answered! The implications of their outrageous failures and negligence would be dealt with in the quiet shadows of the endless recriminations over CrowdStrike’s own gross negligence (yes, you read that right, gross negligence).

Of course that wasn’t the end. Rumors of the National Public Data system compromise had been swirling, and in early August news of the disclosure of 3 billion records containing names, addresses, Social Security numbers and other private data became public. But that wasn’t the end either. There followed a stream of disclosures from other high-profile businesses including ADT, HealthEquity, FBCS, Trello, Rite Aid, and Twilio.

The hard truth is, all of these incidents were avoidable. The excuses and “reasonable” explanations are endless. Yes, building secure software and systems is not simple, easy or inexpensive. In the case of CrowdStrike, you will hear people explain away that no system is immune from failure and how impressive their response and resilience was. In the case of the AT&T data breach, you will hear excuses about “sophisticated foreign threat actors” and their significant resources. They will also point fingers at the hosting provider, Snowflake, for not maintaining a secure-by-default design.

These are all excuses! None of the scenarios that led to any of these failures are so novel, so creative or so unavoidable that the designers of these systems couldn’t have reasonably anticipated these types of faults and built in appropriate controls and resiliency. The problem is a lack of accountability. There are very few regulations around the building and maintenance of critical business systems and the protection of private data.

The incentives for businesses and investors reflect the limited financial and legal risks associated with the failure to protect consumer and business data and systems. Businesses are highly incentivized for fast growth and product development based on easy-to-deploy private cloud and SaaS infrastructure. This article on Lawfare does a nice job of exploring the issues. In other mature industries like construction, automotive, airline, food safety and medicine, we do have regulations that help ensure a baseline of safety and standards.

Building and health codes were born out of tragedies such as fires and disease. As early as the 1680s, cities such as Boston started implementing codes to limit catastrophic fires. It wasn’t until the early 1900s that building codes started to take shape, with the formation of the National Association of Home Builders (NAHB) in 1942. We all now take for granted that our homes are safe, the roads and bridges we drive on are safe and the buildings we conduct business in are safe.

Food safety standards started to take shape in Massachusetts with the passage of the Massachusetts Act Against Selling Unwholesome Provisions in 1785. In 1862, Abraham Lincoln formed the USDA and FDA. Throughout the twentieth century, several acts were passed to strengthen food safety and transparency. None of us questions the safety of the foods we pick up at the grocery store now.

The standards around IT infrastructure and software design are all over the place, with various standards being established by different federal agencies, states, not-for-profits and for-profit institutions. What’s already in place doesn’t even account for the emergence of AI. In addition, the federal and state regulations that exist around data privacy have few teeth and little enforcement. The US federal government has established regulations around military/DOD contracts, aka CMMC, but they’re too costly and heavy-handed for any practical commercial application.

While it may seem like the recent CrowdStrike incident or the many other large data breaches are not the same as a building collapse or a foodborne illness resulting in human loss, equally impactful tragedies are taking place as a result. Many businesses and individuals are left holding the bag. Hospitals were unable to perform lifesaving procedures, small businesses have closed or shrunk due to lost or unavailable funds, and individuals have lost their retirements and life savings. These types of failures impact the lives of everyday people. And who will pay? Who will suffer? This week the FTC imposed a $13 million fine on AT&T, which is a welcome development, but will neither make its customers whole nor provide a meaningful deterrent to a $122 billion company. Very few businesses will get insurance money to cover their losses, due to a myriad of clauses around cyber and business continuity insurance. CrowdStrike’s own terms of service will at best cover the cost of services.

This is not a problem individuals or businesses can solve for themselves. The truth is that no business could have been fully prepared for CrowdStrike’s failed update or AT&T’s data breach. Some with more resources and better planning will recover more quickly. This is not, as some have suggested, a legitimate opportunity for businesses to practice their incident response plans.

If we are going to build our society around the fast-evolving technologies of public Cloud, SaaS and AI, we need to have an honest discussion about what the rules are, who’s responsible for what and how we can build a safe and secure future.

In the absence of these guardrails and standards, the best we can do is teach our clients to make themselves smaller targets: adopt a good security framework like NIST or CIS and go through the exercise of understanding their own risk tolerances and what the costs are to minimize those risks.

The Roomba Approach to Cybersecurity and Compliance

Imagine that I have a big house with 4 kids, 3 animals, 4 bedrooms and a lot of chaos. It’s a mess. It’s dirty and disorganized. January 1st rolls around and my New Year’s resolution is to get the house organized and clean.

If I were to approach this problem the way so many approach cybersecurity, the first thing I would do is get on the Internet and Google “house cleaning technologies.” When I do that, I’d find solutions like iRobot’s Roomba. Boom!! It turns out all I have to do is buy some autonomous AI cleaning tech. This was the first result in my search: https://www.architecturaldigest.com/story/high-tech-cleaning-devices-for-your-home

I purchase an AI-powered vacuum ($1,000), a phone sanitizer ($120), a smart trash can ($200), a smart litter box ($700) and finally an air cleaner ($250). After spending $2,300, my home is actually more cluttered! Despite all the automated smart tech with AI, my house is no cleaner or more organized than it was before my tech buying spree. In fact, it would be worse now because I have more useless stuff lying around!

Alternatively, if I spend the time organizing the first floor, putting away what’s not in use, labeling and getting things off the floor, and making sure everyone in the family knows what their role is in keeping the space clean, then I can leverage the Roomba and other technologies to become more effective and efficient.

As with cybersecurity tech, successful and meaningful implementation of the Roomba will require knowing the areas it can clean, setting up guiding barriers and purchasing two Roombas, because it turns out I have a step in the middle of my first floor.

The point is there is no magic Easy Button (not to mix marketing metaphors) in cybersecurity or compliance despite what all the marketing vaporware tells us. There are a number of vendors advertising automated SOC 2 compliance solutions with type 1 reports completed in 5 days! Like cleaning one’s house, cybersecurity and compliance require actual elbow grease and a disciplined effort to understand what’s going on in an organization. Only then can you leverage the fancy tech to become more effective and efficient.

COVID-19, are there lessons for cybersecurity?

When I got my second Pfizer vaccine shot, and now as I ponder the possibility of a third, I started thinking about what it means for me to be afforded added protection from the threat of COVID. Should a vaccine change how I behave, and what, if any, additional precautions should I take? With the appearance of new variants, how do I identify the risks? How does it affect my overall approach to protecting my health, my friends’ and family’s health, and even my business’s continuity?

As a person who spends his professional life mitigating risk for his clients, I couldn’t help but see the parallels between managing cyber security and the lessons we’ve learned, and continue to learn, during COVID. Just like the COVID-19 pandemic, cyber risk to businesses is global, is indiscriminate, is unrelenting, and requires personal, national and global effort to limit its impact on our businesses and ultimately, our society.

Reading security blogs, Twitter feeds and the musings of CISOs, one walks away thinking good cyber security is only successfully achieved through the efforts of an elite group of cyber-geeks who never sleep, live on stress, can code with abandon, are networking experts, and can understand complex systems. It can feel unapproachable.

The truth is, managing cyber risk and protecting yourself and your business is not as difficult as it appears. Cyber security businesses and technologies want you to think it’s complicated stuff, impossible for a lay person to understand, and requires the magic wand of AI and advanced technologies. While modern businesses have complicated systems to manage, the concepts behind cyber security are largely intuitive.

Let me outline a few important cyber security principles that we can all understand and that are highlighted by our shared COVID experience.

“Defense in depth” is a term common to cyber security professionals. It sounds fancy but really just refers to a layered approach to security. Cyber security experts know their defenses will eventually fail no matter how well crafted, so they put several overlapping systems or protections in place: if one fails, the other protections should stop or minimize the impact of an attack. Living through a pandemic, this idea is familiar to us all. We maintain social distance (layer 1), wear masks (layer 2), wash hands and sanitize (layer 3), limit exposure to as few people as possible (layer 4), and get vaccinated if possible (layer 5). We know that none of these things alone will stop COVID from spreading entirely, but that the combination of these efforts will systemically minimize its impact and its spread.

“Risk management” is another phrase found within the cyber security lexicon. Again, this can sound more complex than it is; it refers to the decisions we all make about how much risk we choose to tolerate during daily activities. We know intuitively that some things are riskier than others. For example, if I go to a large indoor party with people who don’t wear masks, I know that if one person shows up COVID positive, the virus has a higher risk of spreading to many people at that event. I also know that if I get sick, there is some chance I could get very sick. The key to risk management is understanding the risk factors. If I don’t know that being in a crowded room with unmasked people is risky, I can’t make an informed decision. This is true of cyber security too: once informed, our clients determine the amount of risk they can manage given their unique situation and the consequences of the risks they take on.

“Cyber hygiene,” another bit of cyber security jargon, describes a connected system that is up-to-date and patched, and configured to limit vulnerability to misuse. While this, too, sounds fancy, you can think of it much like maintaining a clean working environment and being thoughtful about your and your staff’s overall health. Choosing to stay home with a runny nose, cough or compromised immune system helps limit the spread of disease and infection. This is the same with technology. Maintaining healthy, resilient systems means keeping technology up-to-date and using protective software that monitors and protects against malicious activity.

“Authentication,” “access control” and “privileged access” may sound officious but in fact describe really simple concepts, the kind of lessons that we teach our kids from a very young age. We all have ways to identify people and determine whether we are comfortable with them, or whether they are authorized to enter our lives in different ways. People have names, we recognize their faces and voices, and we put them in the context of their relationship to us and the people around us. Is this person someone I know who is allowed to pick me up from school? Of course, it’s my aunt who picks me up every Wednesday! Is this person allowed to make medical decisions and talk with my doctor? No, it’s my coworker who brought me to the ER when I injured my leg. Authentication, access control, and privileged access are simply electronic ways to identify people and determine who they are contextually and what they should be allowed to do.

The last cyber security term, “Compensating Controls,” means that when we know there is a weakness or vulnerability we can’t control, we do something else to help minimize the risk it represents. So, because my child is under 12 and has other health risks, we don’t send her to school. We home school her to minimize her exposure to other people and limit her risk of contracting COVID. Keeping her home is our “compensating control.” If we have a computer system that only supports weak passwords, then as a compensating control we might consider allowing only physical access to the system and not connecting it to the Internet. This would limit the risk of it being compromised because only a small group of people would be able to physically access the system.

When it comes to cyber risk, it is the combination of these measures that provides optimum security, no matter how simple or complex your system. The Colonial Pipeline hack is a high profile example of an organization not employing defense in depth, good access controls or good cyber hygiene. The attackers were able to compromise their systems using a leaked or stolen password combined with a VPN connection that didn’t require multifactor authentication, demonstrating poor authentication and access controls. They also appear to have had few defense in depth measures, so once the attackers were inside, little else prevented additional access or provided detection. Additionally, there was lax cyber hygiene, allowing attackers to further compromise unpatched and poorly configured systems.
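One of the cheapest defense in depth measures for the VPN weakness described above is detection: even where multifactor authentication has not yet been rolled out everywhere, a gateway that logs whether a second factor was used lets you flag every successful login that skipped it. The script below is an added example and is not code from this post, from Colonial Pipeline or from any VPN vendor; the key=value log format and the sample lines are constructed for the illustration, so a real deployment would swap in the parser for its own gateway’s logs.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed key=value gateway format (not a real
# vendor format). One line is deliberately malformed to exercise the parser.
SAMPLE_LOG = """\
2021-05-01T02:13:44Z vpn01 user=jdoe src=203.0.113.7 result=success mfa=none
2021-05-01T02:14:10Z vpn01 user=asmith src=198.51.100.22 result=success mfa=totp
2021-05-01T02:15:02Z vpn01 user=jdoe src=203.0.113.7 result=failure mfa=none
2021-05-01T03:01:55Z vpn01 user=svc_legacy src=192.0.2.44 result=success mfa=none
2021-05-01T03:05:31Z vpn01 user=bchen src=198.51.100.9 result=success mfa=push
this line is garbage and should be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line: str):
    """Turn one log line into a dict, or None if it lacks the fields we need."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    if "user" not in fields or "result" not in fields:
        return None
    return {"ts": m.group("ts"), "host": m.group("host"), **fields}

def find_unmfa_logins(log_text: str):
    """Return (timestamp, user, source) for each successful login with no second factor.

    A missing mfa field is treated as 'none': an absent factor is a finding,
    not a reason to stay quiet.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "success" and ev.get("mfa", "none") == "none":
            hits.append((ev["ts"], ev["user"], ev.get("src", "?")))
    return hits

def accounts_without_mfa(log_text: str) -> dict:
    """Count un-MFA'd successful logins per account, to prioritise remediation."""
    return dict(Counter(user for _, user, _ in find_unmfa_logins(log_text)))

if __name__ == "__main__":
    for ts, user, src in find_unmfa_logins(SAMPLE_LOG):
        print(f"ALERT {ts} {user} logged in from {src} without a second factor")
    print(accounts_without_mfa(SAMPLE_LOG))
```

Run daily, the per-account count doubles as a to-do list: every name that appears is a password-only path into the network that should be enrolled in MFA or, as a compensating control in the meantime, disabled at the gateway.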

It is true that large businesses like Colonial Pipeline have many complex systems complicating the process of managing cyber security, but the fact is, these measures are not out of reach for any business. Educating staff and implementing management systems are the key to successfully maintaining good cyber security and putting an end to the recent ransomware and international supply chain hacking. The lessons are much the same in taming the spread of COVID: becoming educated, implementing control measures, and creating layers of defense will minimize the risks of its impact and disruption.

Cyber Wellbeing

It’s been over 6 months since my last post, and frankly the time during Covid seems to pass at warp speed! I can’t believe I’m already thinking and planning for the summer! We are making progress in the fight against Covid, vaccines are rolling out, and schools are opening, which has got me thinking more about building my business again.

But overshadowed by my new optimism and all the headlines of the election, the storming of the Capitol and Covid, the last six months have been witness to the most active and destructive cyber security events in recent history. The depth and breadth of these attacks is staggering, with implications for our economy and government. We are in a new age of cyber risk for businesses, so we all need to get better prepared to manage and guide our organizations through these new challenges and new growth. Here is just a quick list of what you may have missed…

  • SolarWinds supply chain hack, which affected 18k businesses and multiple government agencies including Microsoft, Cisco, Amazon, the US Treasury Department, Department of Commerce and many others. This hack led to the disclosure of untold sensitive and critical data to foreign adversaries and the loss of control of critical government and business networks.
  • Microsoft Exchange hack leading to over 60,000 organizations having their email systems compromised and likely accessed by unauthorized users.
  • Accellion supply chain hack, which led to the compromise of thousands of high profile businesses and government agencies and the disclosure of personal, privileged and sensitive information around the globe.
  • FireEye systems and data breach leading to disclosure of critical client information, which includes many Fortune 500 and government agencies and included the code to sophisticated testing and cyber espionage tools used by their offensive testing team.
  • SITA systems and data breach exposing personal and sensitive information about airline riders from over a dozen airlines.
  • BlackBaud systems and data breach compromising their systems and exposing sensitive information about donors and Not for Profits including healthcare systems, charities, universities and hospitals.
  • and so many more…

To help business owners and managers understand and address these new realities, I recently penned a blog post for Ihloom, Mantra Computing’s sister cyber security business, about a new set of business skills we call Cyber Wellbeing. Like many business owners and managers, I am comfortable reviewing my business’s financial wellbeing, knowing where our revenues are, expenses, inventory, sales pipelines, etc. But most business owners and managers have no idea what their current risks are of a debilitating cyber event. What are the costs of preventing a cyber event? What are the costs of being unprepared? Will my cyber insurance cover my losses and ensure continuity of business?

My colleagues and I will be blogging on the Ihloom site and sending out related communications to continue educating business owners and managers on the concepts of business Cyber Wellbeing. If this is something that’s of interest to you, please check out the post and subscribe to our mailing list.

Like many of you, I’m excited about a post Covid rebirth. However, successfully capitalizing on this new opportunity will require being prepared. As G.I. Joe used to remind me, “Knowing is half the battle!”

OGN: Curly Girl Design

For this month’s OGN post, I’d like to bring attention to one of my oldest clients, Curly Girl Design.

After 9/11, like so many other people, I decided to make changes in my life. I moved back to Boston to be closer to my friends and family. I met Alyssa, the person who was to become my wife and mother to my three children, and I decided to start Mantra Computing.

Back then I was a poor 26 year old, starting a new business and living in my parents’ basement. I was following the girl of my dreams every week to hot and sweaty power yoga classes. Through volunteer work at the yoga studio, Alyssa and I became friends with many of the staff and community and through that connection we became friends with Leigh, the founder of Curly Girl Design.

In fact, I was first introduced to Leigh’s work in the bathrooms of Baptiste Power Yoga Institute (BPYI) in Boston. Leigh was friends with Mariam and Rolf Gates, who were managing the BPYI studio and they were helping to promote her work. And what better place to see joyful, mindful and inspiring work than in the bathrooms!?

Leigh’s work is incredible. Her web bio says it’s “whimsical and witty,” which is true, but it is also colorful, wise and beautiful. In 2004 Leigh took the brave step of starting Curly Girl Design, a business based around licensing and distributing her designs. The pictures below are some of the pieces hanging in my home. You can see a lot more of her work on her Instagram page and in shops throughout the US.

Turmoil and unrest bring change. Things change in ways that we cannot always see in the moment. During “these hard times,” as I often hear it said during the COVID quarantine, we can see all the big things including sickness and death of loved ones, social unrest, economic hardship, and social inequities. But the changes that will matter most are invisible to us now.

September 11th was one of those big moments that changed my life in ways, that until now, I didn’t fully understand. The big stuff was the attack on the towers, the loss of life, the ensuing war in Afghanistan and all the changes to air travel and the economy. But what doesn’t get recorded or noticed are all the little decisions people make as a result of the big stuff including things like my move to Boston or Leigh’s move to go out on her own.

As I reflect on the early days of Mantra Computing and working with clients like Curly Girl Design, I can see all the beautiful things that grew from the 9/11 tragedy. I try to remember that as we all deal with today’s challenges.

Through Leigh’s designs and words, Curly Girl Design helps remind us of what’s important. She helps us reframe our reality and refocus us on a future that isn’t always clear. If you’re looking for inspiration, please check out Leigh’s creations at Curly Girl Design.

OGN: Vibram, This Sole’s got Soul!

As part of my OGN series (Operation Good News), I’d like to profile a long time client and brand that many of you are familiar with, Vibram. Vibram makes the soles for top footwear brands and also designs and develops their own products like Vibram FiveFingers and Vibram Furoshiki. I began working with what was then called Vibram USA back in 2007. At the time, Vibram was a mostly Italian company with a small presence in the US. There were two pieces of the business on the US side: Soles and Components, who helped other footwear companies design and use Vibram soles, and a small upstart called Vibram FiveFingers.

FiveFingers was a design concept developed in Italy that Vibram thought other shoe companies would be interested in. When no other brands took interest, Vibram decided to take the product direct to market. This development coincided with a movement of minimalist and barefoot running, which was propelled forward by the popularity of the book Born to Run, by Christopher McDougall in 2010.

There were only 6 people in the Vibram Concord office and they didn’t require much assistance given their small size. Also, the FiveFinger shoes seemed strange and hard to wrap my head around. So at the time I didn’t give them much consideration. Over time, however, Vibram has become one of the most gratifying and interesting experiences of my professional life.

Between 2007 and 2011, Vibram USA grew from a business with just a few US sales to revenues in the tens of millions. In that time, Vibram went from a mostly Italian company to a truly Global business.

In 2015, when Vibram acquired Quabaug Corporation in North Brookfield, MA, a business that’s been manufacturing rubber products in the US since 1916, it quickly and dramatically changed the size and operations of Vibram’s Global business. It also created one of the most dramatic and exciting cultural mashups I have ever been a part of.

One might wonder, what does an IT consultant know or care about culture? Although I started my career as an Electrical Engineer, I ended with an undergraduate degree in Cultural Anthropology and Studio Arts. And of particular interest was Italian culture, inspired by one of my all time favorite books, an ethnography called The Broken Fountain, about the urban poor in Naples.

At Vibram, the cultural mashup included the corporate Italian culture, driven by the design and innovative heritage of the Bramani family in Northern Italy; the young, more urban and entrepreneurial startup culture of Vibram USA and FiveFingers; and lastly the established and more conservative culture of a rural US manufacturing icon in North Brookfield, MA.

I believe the resulting company has emerged stronger and more dynamic, due in part to the resulting diversity of ideas and experiences. This was most recently demonstrated to me by the way Vibram has managed through the COVID-19 pandemic.

I have been impressed by their leadership and their commitment to their business and their people. They have successfully managed staff and business operations in three major virus hotspots including Northern Italy, Boston and Guangzhou, China. Just this month they reopened their manufacturing facility in Albizzate, Italy.

Stories of responsible businesses should be celebrated in these times of challenge. There are too many negative stories of big businesses stealing recovery funds, pushing for the bottom line and sacrificing the safety of their front line workers. Vibram can stand proud of its record and I’m proud to have contributed in some small way to their success over the last 13 years. Vibram has certainly demonstrated it has a lot more soul than the soles it produces.

Information about Vibram and their products can be found on their website and their myriad social media channels, which I’ve listed below. Looking for their iconic Vibram logo on your next pair of shoes is the best way to support them. If you’re a member of the US military or have family who are, you’re already walking around on Vibram soles manufactured right here in North Brookfield, MA.

Website: www.vibram.com
Linkedin: www.linkedin.com/company/vibram-s-p-a-/
Instagram: www.instagram.com/vibram/
Twitter: twitter.com/vibram
FB: www.facebook.com/VibramUS/

OGN! Let’s take it From the Top

With the Quarantine dragging on and the days and the weekends melding into one long stretch, I have been thinking a lot about how lucky I am, and how lucky I am to have such incredible clients. I know there is a lot of loss and suffering, including lost jobs, lost business, lost health and life, and food insecurity, to name just a few. It is hard to stay focused each day and stay positive. So I’m launching OGN, Operation Good News! With 17 years in business and lots of incredible clients and experiences, I have some things I’d like to share!

The first client I’d like to profile is From the Top. I was first introduced to From the Top in 2007 through a relationship I had with Kevin Marren, a salesperson from Thrive Networks. These were the early days of Mantra Computing and there were only 3 of us on staff. Any new business was good business and Kevin was a lifeline. At the time Thrive was so busy with work that they kept throwing us any business they didn’t want. We were happy to take it.

From the Top had suffered some technology challenges including a crashed server and lost emails. From our first meeting I knew we could help them and get them back on firm ground. These days many of us take rock solid email, contact and calendaring for granted with offerings like Office 365 or G Suite. But back then we actually had to stand up our own solutions! Also, From the Top was a mostly Mac operation and Mantra Computing was one of the few shops in the area with deep Mac knowledge operating within Windows network environments.

I knew From the Top produced an NPR radio show but I didn’t understand the scope of their work. The show is just the tip of the iceberg! They find extraordinary kids from all over the country, mentor them, give them opportunities to learn from professionals and then perform on a national platform on the radio, online and in theaters!

I’ve been to several From the Top shows, and the quality of the production and the talent of these children is really mind blowing. When you see these kids come on stage and perform, it would be easy to feel excluded or put off. The subject matter can feel inaccessible to many of us, not being familiar with classical music and its etiquette. Also, these kids are so talented and have spent so much time learning the subject that their performances seem superhuman. But that is the magic! Instead of walking away feeling left out or overwhelmed, you feel inspired, awed and included.

I remember at age 15, traveling on a summer bike trip, our group was invited to attend a classical performance. Can you imagine a bunch of smelly 15 year olds, who’d been biking for 2 weeks and sleeping in tents, being led into a theater? Truthfully, we were dubious and the surrounding audience didn’t look too pleased either. But the performance began and it was incredible. After the first movement we all clapped enthusiastically. It seemed like everyone was moved like I was. But then after the second movement, we all clapped enthusiastically again! We were quickly shunned by the surrounding guests. We learned you do not clap between movements. I can only speak for myself, but after that shaming, it was very hard to enjoy the rest of the show. And I have carried that experience with me to this day and still feel some anxiety when I try to enjoy a classical performance. I’m always worried about what I’m doing wrong and what I may be missing.

From the Top offers an opportunity for young people that is opposite from my summer bike trip experience. They find ways to engage and amaze the audience, who are often young people elementary to high school age. Their mission is to celebrate the power of music through the hands and eyes of a broad and young audience. When you’re there, you know something special is happening. I took my kids and walked away with a memory that I hope they will reflect on positively when they become adults.

Right now, the Quarantine presents a huge financial and operational challenge for cultural institutions, especially performance driven ones. From the Top specifically is limited in their ability to pursue their education and performance activities, which they rely heavily on for funding and donations. During this time of Quarantine, in addition to the support we give to essential workers, social and charity organizations, we all need to step up and make an additional effort to support our critical cultural institutions. If we don’t, we stand to lose them and all the beauty they bring to our lives. While the government relief funds are targeted at keeping the economy open and supporting critical businesses and institutions like hospitals, there is no special carve out for cultural institutions.

Please consider making a donation today to your favorite cultural institution. If you’re looking for a worthy organization, please check out From the Top. I’ve provided links about From the Top below, their online content and how to make a donation. They’re actively seeking and need the support to keep their programs running.

https://www.fromthetop.org/
Daily Joy: https://www.fromthetop.org/landing_page/from-the-top-daily-joy/
YouTube Channel: https://www.youtube.com/user/fromthetop
Donate to From the Top Now