The Future Was Supposed to Be Sleeper. It Turned Out Much Quieter.

~ Garrett B. Brown ~ Leave a comment

The scene in the 1973 Woody Allen film Sleeper, where Miles Monroe wakes up from his cryogenic freeze, is absurd, chaotic, and obvious. Everything is exaggerated and loud. You can clearly tell something is wrong.

That is not the future we got.

The future we got is subtle, quiet and polite and wrapped in convenience and framed as “customer centric.”

I was reminded of that recently when a client emailed me late one evening. He had just read a Substack article titled “51% Confidence: The Price of Living Online.” It scared the heck out of him and he wanted my take.

My first reaction wasn’t fear, it was frustration.

I have been talking about versions of this problem for well over a decade and it seems most people don’t seem to care. The benefits of free services, social media, personalization, and convenience are immediate. The tradeoffs around privacy, fairness, and free will feel abstract and distant. Until they don’t.

Back in 2010, I was working with a fast-growing online retail company evaluating platforms to power their next phase of growth. During one vendor demo, the sales team proudly explained how their system could automatically pull in Facebook and other social media profiles.

If a customer called into support or opened a chat, the sales representative would instantly see inferred interests, preferences, and behaviors. The goal was to guide the conversation in a “more powerful way.”

All of this happened without the customer’s knowledge.

I remember sitting there thinking, wait, what?

The buyer had no idea they were being profiled, categorized, and influenced based on their digital exhaust. This was framed as a customer centric experience.

I actually love the idea of customer centricity. When I walk into a local shop and the owner knows me, asks what I’m working on and makes thoughtful suggestions, that feels human. There is shared context and both parties understand the rules of engagement.

But I realized what was being discussed in this demo was different. Here, the salesperson held asymmetric power. They knew things about the customer that the customer did not know were known. The assumptions being made, how those assumptions shaped messaging, pricing, and options, all of it was invisible to the customer.

Imagine a salesperson saying, “Hey John, I see from your social profile that you’re into aggressive hiking. You should really consider this higher-end boot.” That would at least be honest.

Instead, the influence happens silently.

The Substack article that scared my client leans into corporate malfeasance and government surveillance, and then offers familiar advice such as using private browser session, a privacy VPN and to void public computers and Wi Fi.

None of that actually solves the problem it describes. It’s a total fallacy that any of this provides real privacy.

The real issue is not that companies know who you are, they don’t need to!

They track the middle-aged white male in zip code 02465 who likes cybersecurity, tennis, and certain brands. They don’t need your name. Once the profile is accurate enough, the distinction becomes meaningless.

And increasingly, that distinction is gone anyway.

Facial recognition companies like Clearview AI can take a single photo and match it against images scraped from social media and the open internet. From there, they can often positively identify a person, their home address, their family and their history. This can then be tied to a public digital profile. While there are legitimate uses for this technology, finding a murder by using a Ring Doorbell image, there are also many terrifying ones like stalking a person simply by taking a picture of someone at a bar.

The same data exhaust that’s used by corporate America to market shoes to a targeted audience can also be used by governments. Governments no longer have to break the laws to track their citizens and dissidents, they simply have to pay the private sector for the information. And commercial surveillance tools do not stop at national borders.

This is what makes the conversation so uncomfortable. Not because it’s science fiction, but because it’s mundane and because it’s now.

AI is supercharging all of this. Physical movement is tracked through mobile devices, vehicles, foot traffic sensors, and private beacons placed on private property that happens to sit next to public roads. That data is sold, aggregated, enriched, and resold. What was once “anonymous” becomes trivially identifiable when enough dots are connected.

So yes, privacy as we understood it is gone, but panic is not the right response.

What we still have is agency, awareness and the ability to shape rules.

We have data protection laws, imperfect as they are, in places in like Massachusetts, California, and the EU. And here in the US, we still have due process. This must be where we begin.

The most dangerous outcome is resignation, the belief that nothing can be done so nothing should be attempted.

The future didn’t arrive with a bang, it began with free services, better recommendations, slightly better ads, and just enough comfort to keep us from asking hard questions. We must start asking them anyway.

The Clogged Toilet Lesson About Incident Response I Didn’t Expect

~ Garrett B. Brown ~ Leave a comment

I learned an unexpected lesson about incident response and crisis management last weekend. It came from my family and a clogged toilet.

I was woken up around 12:30am by my youngest daughter. She was panicked. She told me my son and his friend didn’t know what they were doing and couldn’t resolve a serious situation, the toilet was clogged and overflowing.

Still groggy, I followed her downstairs.

Water was everywhere in the first floor bathroom. And there was my son looking exacerbated in his pajama pants, snow boots and plunger in hand. Worse, water had already seeped through the floor and into the basement below. As I evaluated the situation, I could see standing water around the heating system, the hot water heater and all the electrical components. Dollar signs were flashing in my head. This was the kind of situation where every additional minute mattered.

My son, his friend, and my daughter had been trying to fix it. They were actively working the issue, but failing.

This is not a story about incapable people.

All three of them are smart, capable, and thoughtful. But they had never faced this exact situation before. The solutions they knew didn’t work and the problem continued to get worse.

They had tried plunging the toilet. We have plenty of plungers in the house, including a very good one that fits the toilet properly. My son knew to use that one. His friend had tried flushing repeatedly, because that’s what worked in his house when a toilet clogged. Unfortunately, every plunge temporarily lowered the tank reservoir, which caused more water to refill and spill over. Their attempts to fix the problem were actively making it worse.

When I walked in, I was angry.

I was angry about being woken up in the middle of the night. I had work the next day. I was angry they were up so late. I was angry the toilet was clogged in the first place. I was worried and angry about the water damage and the potential cost of repairs. It was school vacation, so the house was full of kids with nowhere to be in the morning, which somehow made everything feel worse.

I’m the “clogged toilet fixer” in our house. That’s my role. And in that moment, I realized something uncomfortable. I had never actually trained my family on how to handle this.

They knew the basics. Get a plunger. Use the right one. Try to clear the clog. But they’d never practiced. They’d never thought through the whole system. They didn’t understand all the inputs and outputs involved.

Technically, the problem wasn’t complicated.

Water was coming into the toilet and not leaving through the drain. With nowhere else to go, it spilled onto the floor. There were complicating factors, including the obvious disgustingness of the situation, which makes decision making harder. And their attempts to fix it were unintentionally increasing the input.

But this wasn’t an unsolvable problem for three capable people. And yet, as the situation unfolded, they were stuck.

This is exactly what happens in most IT and cybersecurity incidents.

The technical problem itself is often not that complex. Organizations struggle because they’re unpracticed, panicked, and unfamiliar with the situation. People lose the ability to calmly reason through what’s actually happening. Inputs and outputs blur together. Time is lost while damage continues.

In our toilet crisis, the first thing that needed to happen was to stop the input.

Turning off the water to the toilet immediately stopped the situation from getting worse. Once no new water was entering the system, we could focus on stabilizing the environment. We mopped up water in the bathroom and the basement. We cleared water away from electrical and heating components. We reduced the risk of additional damage.

Only after the situation was stabilized did we focus on fixing the root problem, the clog itself.

With the water turned off, plunging the toilet became effective. No chaos. No overflow. The drain cleared, the water was restored, and the crisis ended.

This same pattern applies to IT and cybersecurity incidents.

Teams often rush straight to “fixing” without stopping the bleeding. They don’t pause to identify where data, traffic, access, or actions are entering the system. They don’t isolate systems. They don’t stabilize the environment. In many cases, their well-intentioned actions make things worse.

This is often compounded by the fact that basic planning hasn’t been done. There’s no clear inventory of systems, no shared understanding of how things connect and no practiced response that helps people stay calm under pressure.

Incident response is not about heroics. It’s about understanding the system, knowing where inputs and outputs exist, and stopping the things that cause damage before trying to repair what’s broken.

If you’re lucky, sometimes these types of lessons come from a tabletop exercise. If you’re not, sometimes they come at 12:30am, standing barefoot in a flooded bathroom, realizing that knowing how to plunge a toilet is not the same as knowing how to manage a crisis.

Emotionally Engineered: How AI Is Rewriting Free Will

~ Garrett B. Brown ~ Leave a comment

My “aha” moment happened recently. My associate and I were working on a presentation for our clients about modern workforce solutions addressing the challenges of remote work and security. Using Google’s free tool, NotebookLM, he created a podcast, entirely AI-generated, that was so compelling, it shook me. In that moment, I realized just how this technology could threaten humanity as we know it. Combined with quantum computing, AI’s growing power demands, and political shifts toward autocracy, this is perhaps the greatest threat to the world order and humanity in modern history.

I know that sounds dramatic, but it’s not. What struck me was how emotionally convincing the fabricated podcast was. It wasn’t real, yet it moved me. That same power can be used to mass-produce content designed to influence thought and behavior. With the right message, format, and messenger, even fiction can feel like truth. Governments and powerful entities can exploit this, weaponizing our emotions to shape our beliefs and actions.

Reporter Tom Bartlett, from The Atlantic, profiles a controversial study by University of Zurich researchers where they found that AI driven posts on Reddit were most successful in persuading the opinions of other human participants. You can read more about this experiment on The Atlantic and on NPR.

We like to think we’re rational, but we’re not. Emotions govern nearly everything: whom we love, where we live, what we buy, the careers we pursue. Sales and marketing professionals understand this well—emotions close deals, not logic. If we’re constantly exposed to emotionally manipulative content and lack the tools to critically evaluate it, we lose our agency, our free will, and perhaps even our right to life, liberty, and the pursuit of happiness.

There is strong science around the power of emotions. Ethan Kross, author of the book Shift, demonstrates through scientific studies the ways in which our emotions affect us and how we can manage them. If we’re subject to the emotional manipulation of overwhelming and compelling AI driven content, we are likely to become the very sheep we fear. And if we’re not in control of that content or trained on how to understand it and it’s emotional impact, we are not the ones in control.

Consider this: I love watching motorcycle and car shows. Some of the most emotionally detached people are the men who love their cars and bikes. Many of them think they’re emotionally simple, direct and logical people. The irony is that these are the same people collecting muscle cars and custom modifications purely for the feeling it gives them. They are the very epitome of the emotionally driven art lover, willing to spend money and resources that are entirely based on emotion. I watch the Mecum and Barrett Jackson car auctions and watch these same people spend tens, hundreds and sometimes millions of dollars on effectively useless equipment. That’s emotion in action.

Still skeptical? Look at the rising crisis of gambling addiction, particularly around sports betting. In Massachusetts alone, people reported gambling problems jumped from 12.7% in 2014 to 25.6% in 2023. People knowingly destroy their lives, and those of their loved ones, because emotional impulses override rational judgment. The emotional reward is so powerful, it eclipses consequences. That same principle makes emotional manipulation more powerful than drugs or physical power.

The atomic bomb of this century isn’t nuclear, it’s AI-powered, emotionally manipulative content. Combined with the reach of the internet and social media, it allows curated information to be injected directly into our minds. Making matters worse, trustworthy news sources are shrinking, and access to reliable content is increasingly hidden behind paywalls. It’s a race for power like no other. For all its productive uses, the race for AI technology and technological primacy is not about improving our lives, but rather a race for global power.

Much political rhetoric, especially around First and Second Amendment rights, is also part of this manipulation. Arguments about freedom of speech and gun rights are often used to distract and divide. Bumper stickers like “If guns kill people, do pens misspell words?” are clever, but they miss the bigger point. Real power doesn’t lie in firearms, it lies in controlling information and influencing emotion. Division is the goal, and many don’t see they’re being played.

Quantum computing will amplify this exponentially. “Q-Day,” the hypothetical moment quantum computers can break current encryption standards, could arrive before 2035, if it hasn’t already. Governments have been stockpiling encrypted data for years, waiting for the day it becomes readable. Once AI and quantum power converge, decades of private communication could be analyzed and exploited to manipulate individuals and populations on an unprecedented scale.

The convergence of AI, emotion, and geopolitics is fundamentally changing the world. The fact that a fake podcast could make me feel something so deeply is proof of how easily we can be influenced. We are emotional beings first, rational beings second, and now there is a reliable, scalable way to exploit that truth. Without critical thinking, education, and emotional literacy, we risk surrendering our thoughts, behaviors, and freedoms to those who can most effectively control the narrative.

This is not just a technical or political crisis, it’s a philosophical and moral one. Even the new Pope Leo recognizes the risks. What kind of future do we want to build? Our ability to protect truth, agency, and societal cohesion is at stake.

My son, the hacker, and the lessons I learned 

~ Garrett B. Brown ~ 1 Comment

Despite the thousands of cybersecurity products on the market today, most business leaders do not understand their true cybersecurity risk or who their potential attackers are. Most think they’re not much of a target at all. They understand that they have to budget for certain protections such as antivirus or firewalls, but once they’ve metaphorically locked the doors and windows, they think they are done. In fact, this lack of understanding of the true risk and who the attackers are is driving complacency, ineffective spending and financial losses. 

2024 is on track to be the costliest for cyber security related incidents. Official reporting from the FBI shows that in the US, losses grew from $3.5 billion in 2019 to $12.5 billion in 2023. This year we saw an Illinois hospital permanently close because of ransomware and countless high profile incidents like MGM Casino, Caesars Palace as well as AT&T and Change Healthcare. This week we learned the seminal brand Stoli Vodka has filed for bankruptcy, due in part to a ransomware attack. But we also know thousands of small organizations were impacted like this Reddit account of a small law firm in Connecticut who closed their doors forever after 30+ years in business. 

As a leader, if you don’t understand the underlying problem, you’re unlikely to fully address it. I’m reminded of this every day in my own home life. I assumed protecting my kids from the dangers of the Internet would be relatively easy for me compared to my friends and non-technical counterparts. I know all the tools and how to set them up to filter Internet content and control my devices. In much the same way that businesses fail to understand their risks and adversaries, I had failed to account for my son’s determination, ingenuity and resources (knowledge, Internet and time). He consistently and repeatedly circumvented the limits and systems I had put in place. 

In 6th grade we gave my son a smartphone. We wrote up a contract about responsibility and acceptable use and the risks posed by social media and the Internet. Additionally, we setup parental controls to limit apps, inappropriate content and the amount of time he could spend on different apps and sites. Lastly, I had put a business class firewall in my home to filter and control the Internet. I was busy congratulating myself and pitying the fools who weren’t as smart as me. I had secured my home technology kingdom, and I thought I was done! 

The first thing he did was realize that if he embedded URL links in Google Docs, which was allowed because he needed it for school, he could open whatever links he wanted in an embedded browser window that would circumvent the parental controls and time limits in place. Next, he realized I had no way of controlling the hotspot on his phone. So, he would connect his computer or our TVs to his hotspot to get around all of my limits. As I ran around scrambling to patch the holes, he continued to find the “bugs.” One day after checking his screen time reports I noticed he was spending a lot of time with the Files app, the program used to browse and open documents on the iPhone. Apparently he had figured out that by embedding URLs in the Files app, he could again circumvent my controls. Lastly, he realized that he could cover his tracks by deleting incriminating files on his phone and then restoring them from the trash when he wanted to access them. He could continue to do this as long as he restored them within the 30 day permanent deletion retention period. 

There is a great talk published on YouTube that I highly recommend for business leaders. It’s only 30 minutes and if you watch it at 2x speed, like my children would, you could get through it in only 15 minutes. In the video researcher Selena Larson tries to dispel the misguided focus of businesses and cyber professionals on APT or government threat actors as the greatest risk. She argues that this is a distraction and provides a false sense of security. She describes a criminal ecosystem that supports both government and non-government threat actors working like any legitimate industry driven by money and endless opportunity. As we learn about the illicit ransomware industry, we learn that it doesn’t matter what type of business you are or how small or large you are, you are a target of equal significance to this criminal industry. 

If we take the example of my son, had I not monitored his screen time regularly, I wouldn’t have noticed the unusually high usage of an unlikely program, the Files app. This cued me into the fact that he was doing something unexpected. If this sounds expensive and time consuming for a business whose focus is making widgets, you’re right. But over the last 30 years businesses have been enjoying the productivity and cost savings of automation, computers and Cloud computing. Now with the explosion of AI and natural language learning models, it will only get more efficient. We have to invest some of that efficiency into understanding the business risks fully and developing effective cybersecurity programs.  

Cybersecurity is not just about implementing tools or locking digital doors; it’s about understanding the risks, the attackers, and the ever-evolving threat landscape. My experience with my son highlights how a determined individual, armed with time and ingenuity, can outmaneuver even the most carefully implemented defenses if risks are not fully anticipated. For businesses, the lesson is clear: a static approach to security is insufficient. Success requires continuous monitoring, adaptability, and a deep understanding of both risks and adversaries. By investing in comprehensive cybersecurity strategies, businesses can safeguard themselves from the devastating consequences of cyberattacks and build resilience in an increasingly connected world. 

Maybe the greatest security risk to your business that no one is talking about 

~ Garrett B. Brown ~ Leave a comment

Do you or your staff use Virtual Assistants (VAs)? Using VAs is great, but if you don’t have good security controls, you may be putting yourself, your staff and your organization at serious risk.  

My daughter came home with an assignment to explore human nature and different philosophical perspectives. As I reflected on that conversation, which in true teenage fashion she quickly told me she was done with, I started to think about a common situation we have addressed with many clients and wondered, do all these business execs believe in the innate goodness of people? That certainly is a much kinder way to understand their choices. 

A quick Google search reveals many online resources and people extolling the benefits of overseas VAs including flexibility, availability and cost. Many of these resources have brief notices about security and privacy considerations. Many suggest that having proper due diligence and contracts in place are good mitigations to risks. However, the technical details of how to properly protect data and privacy are never disclosed or discussed. This article from US News has a small 4 sentence expandable blurb at the end that simply suggests choosing a reputable service is the best way to protect yourself. 

Using an overseas VA is not necessarily a bad idea. VAs can be a very powerful tool for businesses and individuals. However, in order to avoid a serious data security or financial disaster, it is critical to understand what your risks are and how to mitigate them.   

One day we got an alert for one of our clients who is in a regulated industry. The alert was about improbable geographic access to one of their Microsoft 365 mailboxes. Upon investigation, it turned out that a salesperson had hired an overseas VA to help manage their calendar and sales efforts. The salesperson had shared their credentials and MFA to an unvetted foreign agent and potentially provided access to legally protected data. This was a clear violation of their security policy. 

Despite having gone through training on the company’s security policies and participating in regular cybersecurity awareness training, this salesperson seemingly didn’t know that what they were doing was wrong. Perhaps they just didn’t care? Or perhaps the lure of what the VA offered was just too compelling; a widely used, cheap, effective sales support tool. Or maybe they just believed in the innate goodness of people? Surprisingly we see this all the time. People are too willing to give up their privacy and security for free or inexpensive products and services. Gmail is a clear example of this! 

It isn’t just salespeople, it’s the C suite too. Outsourcing administrative work to inexpensive overseas staff is very common. We have clients ranging from plumbers to data analytics companies and insurance agencies that have outsourced executive assistant and administrative roles to overseas VAs. 

What many people fail to realize is that granting a stranger access to your email is not only against most company policies, but also a very bad idea. In 2023, the FBI reported $12.5 billion in losses from US firms due to fraud and cybercrime. Of that, $2.9 billion was related to Business Email Compromise (BEC). For most businesses, email is a critical system that provides significant access to other systems, files, people and resources. This is why email systems are a favorite target for attackers. They stand to gain significant levels of access and are able to use that access to establish authority with other victims.  

In another recent example, we advised a client whose use of an overseas VA would have allowed the VA to easily impersonate, defraud and damage the client’s business. In our discussions with them, they revealed that they had set up an Apple iPad for their VA, through which the VA had complete access to their personal Apple ID, phone records and text messages. They were using the VA to help with administrative tasks including responding to emails and text messages. With access to the person’s Apple ID, this complete stranger on the other side of the world had access to personal photos, access to financial resources such as Apple Pay, mobile banking, and access to sensitive data stored throughout their Apple account. They even knew the client’s location information! What’s more, the VA’s access included knowledge of the device PIN. The device PIN is a form of identity verification for Apple and is used to encrypt iMessages. 

Many of these VA services are located outside the US, beyond the jurisdiction of the US legal system. If you don’t have the time and resources to hire someone locally, you probably don’t have the time and resources to chase down an overseas fraudster. So even if your overseas VA was caught doing something illicit or immoral, there is little recourse, and navigating a foreign legal system can be challenging and costly. 

It is astounding to me the way in which people are circumventing their own security policies to take advantage of low-cost efficiency tools. Those policies are in place for a reason. If I were North Korea’s Kim Jung Un or Russia’s Vladimir Putin, why spend the time and resources breaking into systems around the world when all you have to do is ask? They could setup inexpensive overseas VA shops, charge reasonable rates and wait for their victims to open their doors to them! In fact this is already happening. It has been recently reported that North Korean employees are infiltrating western companies, a slight twist on the VA angle I’m describing.

So, when you’re ready to engage your VA, you don’t have to solve the age-old question of human nature. You just need to do some planning. Take the time to understand what systems or resources your VA will need access to to perform their role. Determine if company policies or laws limit what data and systems they can access. Finally work with your IT and/or security team to put the necessary controls around their access with appropriate monitoring. If you take the time to plan appropriately, you can help avoid a costly and disruptive breach. 

Who is left holding the bag?

~ Garrett B. Brown ~ 4 Comments

In the march towards the November election and all the high-profile headlines, there is little room for a thoughtful discussion around the never-ending unpleasant cybersecurity news. In fact, many companies like AT&T and Snowflake are thankful for the current environment! At any other time in history, their unprecedented system compromises and data leaks would normally dominate the headlines for weeks. 

I have attempted to write this blog post at least three times since the middle of July. First, when AT&T disclosed its massive data breach exposing the data of every customers’ (110 million subscribers) phone and text message activity and geolocation data, I thought, “This is it! A wake-up call! AT&T will have to come clean and face the consequences.” But then the CrowdStrike incident took out large swaths of the internet. AT&T’s executives’ prayers were answered! The implications of their outrageous failures and negligence would be dealt with, in the quiet shadows of the endless recriminations of CrowdStrike’s own gross negligence (yes, you read that right, gross negligence). 

Of course that wasn’t the end. Rumors of the National Public Data’s system compromise had been swirling and in early August news of the disclosure of 3 billion records containing names, addresses, social security numbers and other private data, became public. But that wasn’t the end. There preceded a stream of disclosures from other high profile businesses including ADT, HealthEquity, FBCS, Trello, Rite Aid, and Twillo

The hard truth is, all of these incidents were avoidable. The excuses are endless, and the “reasonable” explanations are endless. Yes, building secure software and systems is not simple, easy or inexpensive. In the case of Crowdstrike, you will hear people explain away that no system is immune from system failure and how impressive their response and resilience was. In the case of the AT&T data breach, you will hear excuses about “sophisticated foreign threat actors” and their significant resources. They will also point fingers at the hosting provider, Snowflake, for not maintaining a secure by default design.   

These are all excuses! None of the scenarios that lead to any of these failures are so novel, so creative or so unavoidable that the designers of these systems couldn’t have reasonably anticipated these types of faults and built in appropriate controls and resiliency. The problem is a lack of accountability. There are very few regulations around the building and maintenance of critical business systems and the protection of private data. 

The incentives for businesses and investors are reflective of the limited financial and legal risks associated with the failure to protect consumer and businesses data and systems. Businesses are highly incentivized for fast growth and product development based on easy to deploy private cloud and SaaS infrastructure. This article on Lawfare does a nice job of exploring the issues. In other mature industries like construction, automotive, airline, food safety and medicine, we do have regulations that help ensure a baseline of safety and standards. 

Building and health codes were born out of tragedies such as fires and disease. As early as the 1680s, cities such as Boston started implementing codes to limit catastrophic fires. It wasn’t until the early 1900’s that building codes started to take shape with the formation of the National Association of Home Builders (NAHB) in 1942. We all now take for granted that our homes are safe, the roads and bridges we drive on are safe and the buildings we conduct business in are safe. 

Food safety standards started to take shape in Massachusetts with the passage of the Massachusetts Act Against Selling Unwholesome Provisions in 1785. In 1862, Abraham Lincoln formed the USDA and FDA. Throughout the twentieth century, several acts were passed to strengthen food safety and transparency. None of us questions the safety of foods we pick up at the grocery store now. 

The standards around IT infrastructure and software design are all over the place with various standards being established by different federal agencies, states, not-for-profits and for-profit institutions. What’s already in place doesn’t even account for the emergence of AI.  In addition, the Federal and State regulations that exist around data privacy have few teeth or little enforcement. The US Federal government has established regulations around military/DOD contracts, aka CMMC, but they’re too costly and heavy handed for any practical commercial application. 

While it may seem like the recent CrowdStrike incident or the many other large data breaches are not the same as a building collapse or food born illness resulting in human loss, equally impactful tragedies are taking place as the result. Many businesses and individuals are left holding the bag.  As a result, hospitals were unable to perform lifesaving procedures, small businesses have closed or shrunk due to lost or unavailable funds, and individuals have lost their retirements and life savings. These types of failures impact the lives of everyday people. And who will pay? Who will suffer? This week the FTC just imposed a $13 million fine on AT&T, which is a welcome development, but will neither make its customer whole or provide a meaningful deterrence to a 122 billion dollar company. Very few businesses will get insurance money to cover their losses due to a myriad of clauses around cyber and business continuity insurance. CrowdStrike’s own terms of service will at best cover the cost of services. 

This is not a problem individuals or businesses can solve for themselves. The truth is that no business could have been fully prepared for Crowdstrike’s failed update or AT&T’s data breach. Some with more resources and better planning will recover more quickly. This is not, as some have suggested, a legitimate opportunity for businesses to practice their incident response plans. 

If we are going to build our society around the fast-evolving technologies of public Cloud, SaaS and AI, we need to have an honest discussion about what the rules are, who’s responsible for what and how we can build a safe and secure future. 

In the absence of these guardrails and standards, the best we can do is teach our clients to make themselves smaller targets. Adopt a good security framework like NIST or CIS and go through the exercise of understanding their own risk tolerances and what the costs are to minimize those risks. 

The Roomba Approach to Cybersecurity and Compliance

~ Garrett B. Brown ~ Leave a comment

Imagine that I have a big house with 4 kids, 3 animals, 4 bedrooms and a lot of chaos. It’s a mess. It’s dirty and disorganized. January 1st rolls around and my New Year’s resolution is to get the house organized and clean.

If I were to take the approach to this problem like so many do to cybersecurity, the first thing I would do is get on the Internet and google “house cleaning technologies.” When I do that I’d find solutions like iRobot’s Roomba. Boom!! It turns out all I have to do is buy some autonomous AI cleaning tech. This was the first result in my search: https://www.architecturaldigest.com/story/high-tech-cleaning-devices-for-your-home

I purchase an AI powered vacuum ($1,000), a phone sanitizer ($120), a smart trash can ($200), a smart litter box ($700) and finally an air cleaner ($250). After spending $2,300, my home is actually more cluttered! Despite all the automated smart tech with AI, my house is no cleaner or more organized than it was before my tech buying spree. In fact, it would be worse now because I have more useless stuff laying around!

Alternatively, if I spend the time organizing the first floor, putting away what’s not in use, labeling and getting things off the floor and making sure everyone in the family knows what their role is in keeping the space clean, then can I leverage the Roomba and other technologies to become more effective and efficient.

Like with cybersecurity tech, successful and meaningful implementation of the Roomba will require knowing the areas it can clean, setting up guiding barriers and purchasing 2 Roomba’s because it turns out I have a step in the middle of my first floor.

The point is there is no magic Easy Button (not to mix marketing metaphors) in cybersecurity or compliance despite what all the marketing vaporware tells us. There are a number of vendors advertising automated SOC 2 compliance solutions with type 1 reports completed in 5 days! Like cleaning one’s house, cybersecurity and compliance require actual elbow grease and a disciplined effort to understand what’s going on in an organization. Only then can you leverage the fancy tech to become more effective and efficient.

COVID-19, are there lessons for cybersecurity?

~ Garrett B. Brown ~ Leave a comment

When I got my second Pfizer vaccine shot and now ponder the possibility of a third, I started thinking about what it means for me to be afforded added protection from the threat of COVID. Should a vaccine change how I behave and what, if any, additional precautions I should take? With the appearance of new variants, how do I identify the risks? How does it affect my overall approach to protecting my health, my friends and family’s health, and even my business’s continuity?

As a person who spends his professional life mitigating risk for his clients. I couldn’t help but see the parallels between managing cyber security and the lessons we’ve learned, and continue to learn, during COVID. Just like the COVID-19 pandemic, cyber risk to businesses is global, is indiscriminate, is unrelenting, and requires personal, national and global effort to limit its impact on our businesses and ultimately, our society.

Reading security blogs, Twitter feeds and the musings of CISOs, one walks away thinking good cyber security is only successfully achieved through the efforts of an elite group of cyber-geeks who never sleep, live on stress, can code with abandon, are networking experts, and can understand complex systems. It can feel unapproachable.

The truth is, managing cyber risk and protecting yourself and your business is not as difficult as it appears. Cyber security businesses and technologies want you to think it’s complicated stuff, impossible for a lay person to understand, and requires the magic wand of AI and advanced technologies. While modern businesses have complicated systems to manage, the concepts behind cyber security are largely intuitive.

Let me outline a few important cyber security principles that we can all understand and that are highlighted by our shared COVID experience.

“Defense in depth” is a term common to cyber security professionals . It sounds fancy but really just refers to a layered approach to security. Cyber security experts know their defenses will eventually fail no matter how well crafted, so if you have several overlapping systems or protections in place, if one fails, the other protections should stop or minimize the impact of an attack. Living through a pandemic, this idea is familiar to us all. We maintain social distance (layer 1), wear masks (layer 2), wash hands and sanitize (layer 3), limit exposure to as few people as possible (layer 4), and get vaccinated if possible (layer 5). We know that none of these things alone will stop COVID from spreading entirely but that the combination of these efforts will systemically minimize its impact and its spread.

“Risk management” is another phrase found within the cyber security lexicon. Again, this can sound more complex than it is; it refers to the decisions we all make about how much risk we choose to tolerate during daily activities. We know intuitively that doing some things are riskier than others. For example, if I go to a large indoor party with people who don’t wear masks, I know that if one person shows up COVID positive, the virus has a higher risk of spreading to many people at that event. I also know that if I get sick, there is some chance I could get very sick. The key to risk management is understanding the risk factors. If I don’t know that being in a crowded room with unmasked people is risky, I can’t make an informed decision. This is true of cyber security, once informed, our clients determine the amount of risk they can manage given their unique situation and the consequences of the risks they take on.

“Cyber hygiene,” another bit of cyber security jargon, describes a connected system, up-to-date and patched, configured to limit vulnerability to misuse. While this, too sounds fancy, you can think of it much like maintaining a clean working environment and being thoughtful about your and your staff’s overall health. Choosing to stay home with a running nose, cough or compromised immune system helps limit the spread of disease and infection. This is the same with technology. Maintaining a healthy, resilient systems means keeping technology up-to-date and using protective software that monitors and protects against malicious activity.

“Authentication,” “access control” and “privileged access” may sound officious but in fact, describe really simple concepts, the kind of lessons that we teach our kids from a very young age. We all have ways to identify people and determine whether we are comfortable with or if they are authorized to enter our lives in different ways. People have names, we recognize their faces and voices, and we put them in the context of their relationship to us and the people around us. Is this person someone I know who is allowed to pick me up from school? Of course, it’s my aunt who picks me up every Wednesday! Is this person allowed to make medical decisions and talk with my doctor? No, it’s my coworker who brought me to the ER when I injured my leg. Authentication, access control, and privileged access are simply electronic ways to identify people and determine who they are contextually and what they should be allowed to do.

The last cyber security term, “Compensating Controls,” means that when we know there is a weakness or vulnerability we can’t control, we do something else to help minimize the risk it represents. So, because my child is under 12 and has other health risks, we don’t send her to school. We home school her to minimize her exposure to other people and limit her risk of contracting COVID. Keeping her home is our “compensating control.” If we have a computer system that only supports weak passwords, then as a compensating control we might consider allowing only physical access to the system and not connecting it to the Internet. This would limit the risk of it being compromised because only a small group of people would be able to physically access the system.

When it comes to cyber risk, it is the combination of these measures that provides optimum security, no matter how simple or complex your system. The Colonial Pipeline hack is a high profile example of an organization not employing defense in depth, good access controls or good cyber hygiene. The attackers were able to compromise their systems using a leaked or stolen password combined with a VPN connection that didn’t require multifactor authentication, demonstrating poor authentication and access controls. They also appear to have had few defense in-depth measures, so once the attackers were inside, little else prevented additional access or provided detection. Additionally, there was lax cyber hygiene, allowing attackers to further compromise unpatched and poorly configured systems.

It is true that large businesses like Colonial Pipeline have many complex systems complicating the process of managing cyber security, but the fact is, these measures are not out of reach for any business. Educating staff and implementing management systems are the key to successfully maintaining good cyber security and putting an end to the recent ransomware and international supply chain hacking. The lessons are much the same in taming the spread of COVID: becoming educated, implementing control measures, and creating layers of defense will minimize the risks of its impact and disruption.

Cyber Wellbeing

~ Garrett B. Brown ~ Leave a comment

It’s been over 6 months since my last post, and frankly the time during Covid seems to pass at warp speed! I can’t believe I’m already thinking and planning for the summer! We are making progress in the fight against Covid, vaccines are rolling out, and schools are opening, which has got me thinking more about building my business again.

But overshadowed by my new optimism and all the headlines of the election, the storming of the Capitol and Covid, the last six months have been witness to the most active and destructive cyber security events in recent history. The depth and breadth of these attacks is staggering, with implications for our economy and government. We are in a new age of cyber risk for businesses, so we all need to get better prepared to manage and guide our organizations through these new challenges and new growth. Here is just a quick list of what you may have missed…

  • SolarWinds supply chain hack, which affected 18k businesses and multiple government agencies including Microsoft, Cisco, Amazon, the US Treasury Department, Department of Commerce and many others. This hack lead to the disclosure of untold sensitive and critical data to foreign adversaries and the loss of control of critical government and business networks.
  • Microsoft Exchange hack leading to over 60,000 organizations having their email systems compromised and likely accessed by unauthorized users.
  • Accelion supply chain hack, which lead to the compromise of thousands of high profile businesses and government agencies and the disclosure of personal, privileged and sensitive information around the globe.
  • FireEye systems and data breach leading to disclosure of critical client information, which includes many Fortune 500 and government agencies and included the code to sophisticated testing and cyber espionage tools used by their offensive testing team.
  • SITA systems and data breach exposing personal and sensitive information about airline riders from over a dozen airlines.
  • BlackBaud systems and data breach compromising their systems and exposing sensitive information about donors and Not for Profits including healthcare systems, charities, universities and hospitals
  • and so many more…

To help business owners and managers understand and address these new realities, I recently penned a blog post for Ihloom, Mantra Computing’s sister cyber security business, about a new set of business skills we call Cyber Wellbeing. Like many business owners and managers, I am comfortable reviewing my businesses financial wellbeing, knowing where our revenues are, expenses, inventory, sales pipelines, etc. But most business owners and managers have no idea what their current risks are of a debilitating cyber event. What are the costs of preventing a cyber event? What are the costs of being unprepared? Will my cyber insurance cover my losses and ensure continuity of business?

My colleagues and I will be blogging on the Ihloom site and sending out related communications to continue educating business owners and managers on the concepts of business Cyber Wellbeing. If this is something that’s of interest to you, please check out the post and subscribe to our mailing list.

Like many of you, I’m excited about a post Covid rebirth. However, successfully capitalizing on this new opportunity will require being prepared. As G.I. Joe used to remind me, “Knowing is half the battle!”

OGN: Curly Girl Design

~ Garrett B. Brown ~ Leave a comment

For this month’s OGN post, I’d like to bring attention to one of my oldest clients, Curly Girl Design.

After 9/11, like so many other people, I decided to make changes in my life. I moved back to Boston to be closer to my friends and family. I met Alyssa, the person who was to become my wife and mother to my three children, and I decided to start Mantra Computing. 

Back then I was a poor 26 year old, starting a new business and living in my parents’ basement. I was following the girl of my dreams every week to hot and sweaty power yoga classes. Through volunteer work at the yoga studio, Alyssa and I became friends with many of the staff and community and through that connection we became friends with Leigh, the founder of Curly Girl Design.

In fact, I was first introduced to Leigh’s work in the bathrooms of Baptiste Power Yoga Institute (BPYI) in Boston. Leigh was friends with Mariam and Rolf Gates, who were managing the BPYI studio and they were helping to promote her work. And what better place to see joyful, mindful and inspiring work than in the bathrooms!?

Leigh’s work is incredible. Her web bio says it’s “whimsical and witty,” which is true, but it is also colorful, wise and beautiful. In 2004 Leigh took the brave step of starting Curly Girl Design, a business based around licensing and distributing her designs. The pictures below are some of the pieces hanging in my home. You can see a lot more of her work on her Instagram page and in shops throughout the US. 

Turmoil and unrest bring change. Things change in ways that we cannot always see in the moment. During “these hard times,” as I often hear it said during the COVID quarantine, we can see all the big things including sickness and death of loved ones, social unrest, economic hardship, and social inequities. But the changes that will matter most are invisible to us now.

September 11th was one of those big moments that changed my life in ways, that until now, I didn’t fully understand. The big stuff was the attack on the towers, the loss of life, the ensuing war in Afghanistan and all the changes to air travel and the economy. But what doesn’t get recorded or noticed are all the little decisions people make as a result of the big stuff including things like my move to Boston or Leigh’s move to go out on her own.

As I reflect on the early days of Mantra Computing and working with clients like Curly Girl Design, I can see all the beautiful things that grew from the 9/11 tragedy.  I try to remember that as we all deal with today’s challenges. 

Through Leigh’s designs and words, Curly Girl Design helps remind us of what’s important. She helps us reframe our reality and refocus us on a future that isn’t always clear. If you’re looking for inspiration, please check out Leigh’s creations at Curly Girl Design.