From The Blockchain

Is Your Business Ready? Cyber Risk Strategies for 2024 & Insights on Emerging Tech with Dominic Vogel

December 01, 2023 Season 2 Episode 76

THE EPISODE:
How critical is your company’s data to its operations, revenue, and reputation? In this important episode, we explore cyber risk management's shifting landscape. Are you prepared for the challenges and opportunities emerging technologies bring to the cybersecurity arena? What impact could AI or Web3 have? Join cyber risk expert and advisor, Dominic Vogel, as he shares essential insights for businesses confronting these complexities. Discover effective strategies for managing cyber risks amid increasingly sophisticated digital threats, including advanced phishing and social engineering tactics. Learn to proactively protect your business and adapt to the changing face of cyber threats. Whether you have a B2B or B2C business, large or small, Vogel's insights shed light on the dynamic landscape of cyber threats and the importance of strategic, well-informed approaches to cyber risk management. 

EPISODE RESOURCES
Visit our website for guest info, transcripts, links, and resources for today's show.

GUEST:
Dominic Vogel, the Founder & Chief Strategist at Cyber.sc, brings 15 years of expertise to the table. Discover practical, tailored cybersecurity advisory services aimed at startups, investors, and small/midsize businesses. From cybersecurity assessments to strategic roadmaps, Vogel's insights are invaluable. 

GUEST QUOTE: 
"The attackers only have to be right once and the defenders have to be right all the time."


FROM THE BLOCKCHAIN

HOST - Ashley Smith

Music by: Spottie WiFi
Presented by: Fame Lady Squad...

*NOTE: The time stamps in the transcript below do not include the opening teaser and intro; they begin at the start of the interview. The transcript was generated by AI, so it may not be 100% accurate.

Ashley Smith (00:01.046)

Hello, everybody. Welcome back to From the Blockchain. I'm your host, Ashley Smith, and I'm very excited about today's episode. I think that the topic that we're going to be reviewing today is a bit overdue given the nature of this podcast. I'm going to be speaking with Dominic Vogel, founder and chief strategist at Cyber.sc. He's bringing 15 years of expertise around cybersecurity and best practices to this conversation. I'm super excited. I know lots of folks are wondering about IT risk, emerging technologies. What should they be thinking about from an organizational perspective? How should they be training their employees? What should they think about if they're starting to dabble in new technologies? And what if they're not? What are the risks and what are the tools? Anyhow, without further ado, Dominic, I should also mention, I'm sure we'll put your links, your socials at the end of the conversation and in the show notes, but he also happens to be the most wonderful, beautiful, positive social media troll that I've ever gotten to know. He's always very engaged and kind in the social media ecosystem. So Dominic, welcome to the show. Thank you so much for being here with me today.

Dom (01:19.856)

Thank you so much, Ashley, for having me on the show. I'm just so grateful to be here. I appreciate your friendship. And yeah, that was an awesome intro. I just always appreciate the opportunity to speak with good kind people like yourself. And I'm looking forward to having what I'm sure will be an awesome packed conversation here.

Ashley Smith (01:36.178)

Cool, I'm looking forward to it too. Now, I should mention for context for our audience that you and I would have met at some point in our professional history, I think in some capacity with you coming to a boardroom that I worked on or in and discussing this type of topic, although I'm sure the landscape has changed quite a bit. But Dominic, why don't you tell our audience a little bit more about you and what you do?

Dom (02:02.648)

Yeah, absolutely. Actually, I appreciate that opportunity. Yeah. So like you mentioned, I mean, I've been in cyber security my entire professional career and I've had the opportunity to look at cyber security across all sorts of scales from the smallest of organizations all the way up to the biggest of organizations. And, you know, where I focus much of my efforts right now is with startups and smaller and more mid-sized organizations as well. Really working with business owners, executives, board of directors to really understand cyber risk.

I personally hate the term cyber security because a lot of people automatically think that that's for the geeks to deal with, the IT guys to deal with. I'm not a fan of that term. To me, it's very much about risk management. So cyber risk, cyber trust, right? And being able to bring what I truly believe is being one of the most pressing risks facing organizations today, bringing that to the forefront, bringing that to the board, bringing that to the executive, bringing that to the highest echelons of any organization and really helping them understand how do we deal with this risk and how do we optimize it in our organization.

That's what I do in a nutshell, plus like being a positive guy.

Ashley Smith (03:02.798)

Mm-hmm. Well, maybe before we dive in, maybe I can ask you, what do you see as being a key difference as you look, as we're now heading into 2024 versus say five years ago? Like what are the key things that stand out in terms of how you do things differently with organizations you work with? Like what's top of mind?

What are key questions? What are key focus areas?

Dom (03:35.18)

Yeah, that's a really good question, Ashley. I'd say one of the things which is different today is that there's a lot of emphasis on, I'll say the new stuff, right? Web3, AI attacks and all that stuff. I hear that a lot from so many prospects and my existing clients. We're worried about AI attacks. We're worried about what Web3 attacks could look like. And for me, I'm, I jokingly say I'm somewhat on the fence with stuff like that because yes, it's real. Stuff like AI attacks are absolutely real and we need to plan for that. But it's what I feel, especially with most smaller businesses, is that that's a train that's well down the road. Right. And most small organizations, especially across this country of Canada, most small businesses struggle to deal with the basic cyber threats. So the analogy I always give is picture there's two trains just barreling towards you. One's about to literally smash in your face and destroy you.

Ashley Smith (04:24.922)

Mm-hmm.

Dom (04:32.824)

And that is basic cyber threats, stuff that's been around for 15, 20 years. And then the other train, which is well down the track, you can see it, but it's sort of just like a little blinking light on the horizon, that's AI threats. So both absolutely pose a risk to you. But by the time the AI threat train gets to you, you'll already have been squashed to death by the basic threats. So I'm a big proponent of do the basics, do them well, let's focus on, for most small businesses, modernizing their approach to cyber risk management.

And then you'll have a firm foundation to be able to deal with stuff like AI attacks in that nature. So let's not put the proverbial cart before the horse.

Ashley Smith (05:08.335)

So sorry, just to unpack that a little, when you look under the rug of most organizations, what are their current state of affairs? What are their current protocols, generally speaking?

Dom (05:21.264)

Yeah, it's a grab bag. That's putting it mildly, Ashley. I mean, more regulated spaces may be in better shape. So as an example, organizations that are maybe in the financial services arena, they tend to have more prescriptive stuff around cybersecurity and cyber risk management. They tend to be a bit more advanced compared to maybe organizations that are in manufacturing, as an example.

Ashley Smith (05:25.419)

Mm-hmm.

Dom (05:47.172)

So even within the small and mid-sized business arena, there are various shades of who's doing cybersecurity well or even just doing the basics well. But I would say by and large for most Canadian small and mid-sized organizations, even many Canadian tech startups as well, cybersecurity tends to get more of the lip service or the cyber risk management tends to get more of the lip service of the, what can we do with the bare minimum kind of thing until something bad happens. And sort of to go back to your earlier question of sort of...

Ashley Smith (06:13.556)

Mm-hmm.

Dom (06:15.832)

What am I seeing now that's different than five years ago? Especially during a recession or pre-recession or whatever we're choosing to call this time, period of time, more and more organizations are going reactively around cybersecurity. And what I mean by that is they're waiting for the heart attack moment. They're waiting for the data breach. They're waiting for the ransomware attack. They're waiting for, you know, when their key customers say, hey, your security is terrible. We're gonna stop this contract unless you shape up your security capabilities in the next three months kind of thing. They're waiting for bad things to happen. And again, that to me, being an analogy person, that's like someone who's eating Burger King five times a day kind of thing. And the doctor is telling them, you gotta stop that, right? You're going to have a massive heart attack, right? And they just keep eating until they have that heart attack. And then they just deal with it then, right? And that's what I'm seeing right now is that more and more

Ashley Smith (07:04.642)

Mm-hmm.

Dom (07:08.86)

Canadian small businesses are choosing to see security as a sort of like, almost like insurance. We're like, ah, you know what? It's, we're fine, we haven't been hacked. There's nothing to worry about. And then it happens. The perception right now is that it's cheaper and more effective to deal with security after the fact. If I could change one myth, it would be that, right? Because that's a, going on the assumption that you survive, your organization survives the data breach, that they survived the ransomware attack.

Ashley Smith (07:27.529)

Mm-hmm.

Dom (07:38.644)

is very much a, I'll call it a survivorship bias, where in mass media, right, we see a lot of stories about data breaches in cybersecurity, right? The level of awareness is much higher now than it was even five years ago. But most of those stories that are covering about data breaches and all that, it's generally for larger organizations. The thing that most small businesses don't understand is that those big businesses, cyber risk is not an existential risk, right? They have a huge war chest, right?

Equifax, Home Depot, you name it, all those big companies that have suffered data breaches over the years, for many of them, that's just the cost of doing business. Right? They have the war chest, they end up surviving in the long run. But that myth or that misconception, what they don't understand is that for any small business, cyber risk isn't just the cost of doing business, cyber risk is an existential risk. And again, this is anecdotal, but I'll say for every big company that you see having a data breach, there's probably at least a hundred smaller companies that have a similar data breach and no longer exist. They just don't make the news because no one gives a damn about them outside of their clients and the people who own them kind of thing, right? So I think it's so important that we get that level of understanding through the startup and small and mid-sized business community across the country.

Ashley Smith (08:39.756)

Right.

Ashley Smith (08:54.67)

So that makes me think about two sides of the coin, the business owner, business leader side and then the consumer protection side. Let's start with the consumer or sorry, let's start with the business owner side. I have to wonder, as you mentioned that a lot of small to mid-sized businesses in particular tend to be reactionary.

I have to wonder, there must be many of these players who simply assume they may not be at risk. They might not be thinking of this much in terms of, they may not think that the data they have is so important as an example. That's an assumption I'm making, that they may not be a big target. Can you help us understand why many businesses are more of a target than they might think? And are there any examples you can provide without, say, naming any names, but maybe a sector where there was some sort of disruption through their data security?

Dom (10:02.308)

Absolutely, Ashley. Back to that, I'll say, prevailing thoughts or myths that may have been true 20 years ago, for most small businesses, historically, they haven't had to invest in cybersecurity or cyber risk management because cyber criminals didn't go after them. They went after enterprise. That's what it was for much of my career up until, I'm going to say, probably about seven years ago when we saw a noticeable shift, and especially during the pandemic that accelerated that shift where cyber criminals recognized that they no longer need to break into enterprise to monetize their attacks. What they saw was more and more small businesses coming online. What they saw was that even if an organization doesn't have, call it sensitive data or secure data, that data is still valuable to someone. And in 10 out of 10 cases, that data is important to the organization. So I'll give an example. There is a small manufacturing company that reached out to me, this is probably about six months ago, and they didn't have anything in terms of sensitive data, right? They're not a traditional target, so to speak. But they got hit by ransomware, and they were unable to access the data that they need to be able to fulfill their mission on a daily basis. So even though that data may not be, you know, directly, you know, have some value to it on the underground market, cyber criminals recognize that data in this age has value.

Ashley Smith (11:18.35)

Mm-hmm.

Dom (11:30.08)

And it has value to the people who need to leverage that data on a daily basis. So what happened was that business, this small manufacturing company, ground to a halt. They couldn't fulfill their mission. They couldn't fulfill their sales. They couldn't function as an organization. And they went over a week without being able to do anything. And when the CEO reached out to me, they said, hey, you know what, we're literally days from going under because we don't know what to do. We can't access our data. And again, that goes to me as illustrating the point

Ashley Smith (11:30.7)

Mm-hmm.

Dom (11:59.888)

just because you think your data isn't important, you're wrong because like I said, in this day and age, you, every organization, I jokingly say, unless you're selling tacos at the back of your mother's Volvo and all cash deals, you're a tech company. You're a data company, right? You leverage data. That data has value. Like I said, even if it's not obvious value, like credit card information or financial information or social insurance numbers, it has value. And criminals know that. So if they know that if they knock you offline for a day or two days,

Ashley Smith (12:11.211)

Yeah.

Dom (12:29.636)

and they know that you're losing a million a day, they know that you'll pay 50,000 or $100,000 of ransom in order to regain access to the data so you can go back to being a business, right? They know that, right? But the thing is small businesses don't understand.

Ashley Smith (12:44.806)

So that leads me to kind of want to dive into that in two different ways as well. You're telling me that lots of these organizations reach out to you in a reactionary kind of moment. You know, as an organization, what would you say is sort of the base layer fundamental strategy that's needed? You know, people always kind of relate to back in the day when...

Dom (12:57.573)

Yes.

Ashley Smith (13:13.794)

people used to put like clubs in their car, you know, and it might not be like the greatest anti-theft approach of all time, but most criminals are just going to, you know, skip that car, go to the next. So what's kind of like the base layer approach that organizations should be thinking about? And then I have one other addition.

Dom (13:16.805)

Ha ha!

Dom (13:34.78)

Well, and that's such a good question. It's actually such a good visual too, Ashley, because for most small businesses, unless you're gonna be drawing the ire of China, Iran, or Russia, most small businesses are going to be hit by what I refer to as opportunistic attacks, right? Whereas just basically someone just trying to look for an open door, a virtual open door and walk in. So if you can make it just that much more computationally expensive, they will move on. And cyber criminals, most people don't know this or appreciate this. Most cyber criminals, they're basically, they're operating a business, right? So they have economic models. So they know how long an attack should take before they should move on elsewhere. Otherwise they know it's not worth their time or effort. So if you just make it that much harder, that much more complex, add that much more gunk to their cycle, they will move on because the base of the pyramid for small and mid-sized businesses that have an open door to cyber criminals is a very broad pyramid base. But in terms of some tangible things, what can you do, right? That proverbial.

Ashley Smith (14:28.174)

Mm-hmm.

Dom (14:33.812)

club, so to speak. The first one I'd say is leverage what's called multi-factor authentication on any of your external facing accounts. So for most organizations that could be maybe your Microsoft 365 or your Google email accounts. Have multi-factor authentication. I'll even take a step back. Multi-factor authentication for those of you who don't know what that is. That is your username, your password, and then ideally it's a code that is sent maybe to your authenticator app. So Google has an app, Microsoft has an app.

Or if you prefer, right, that can go to text and you get a code that way. That's not ideal, but it's better than not having multi-factor authentication. What it does, like I said, is it makes it that much harder for cybercriminals to crack into your account. So that's often the first door that they try to open is your email account. So that's number one. Do that. And it costs nothing because you already have that access through Microsoft or through Google. You're already paying for it. You just have to turn it on. Unfortunately, it's not on by default.

Ashley Smith (15:12.246)

Mm-hmm.

Dom (15:33.888)

Second thing is identify what is your mission critical data and where does it live. So this ties back to knowing your business, knowing your customers, how you fulfill what it is that you do, what is it that, your company's essence, why does your company exist, and going back to what is the data that fulfills that goal, that dream, and knowing where that data lives and who has access to it, and most importantly, making sure that you have some level of robust, what I'll call a data backup architecture, not to get too technical, but somewhere in which if the main system is compromised, i.e. hit by ransomware or lockdown or what have you, it exists somewhere else that can't be accessed by cyber attackers. So you're able to restore your company's operations. And what's important is not just knowing where it is and backing it up, but testing it. A very quick aside, Ashley, just because I love sharing stories.

Ashley Smith (16:07.843)

Mm-hmm.

Dom (16:29.988)

is that I had a construction company reach out to me, I don't think about a year ago, they were saying that they got hit by ransomware and they couldn't access their data. And they said, could you talk to our service provider? 'Cause we don't understand why we can't access our data. I spoke with the service provider. Service providers spent the first five minutes telling me how great their data backup architecture was. And I said, something's not adding up. Your client is telling me that they can't access their data. You're telling me that you set up the best data backup architecture known to mankind. What am I missing? He said, well, we never tested it, so it actually doesn't work. I was like, well, I probably should have led with that. But going to the point where you need to be able to test that, test those in real life situations. So that's another, again, very simple business-oriented approach. If you do those two things, you are already well ahead of, I'd say, 95% of Canadian small businesses.

Ashley Smith (17:03.011)

Hmm.

Ashley Smith (17:06.478)

Mm-hmm.

Ashley Smith (17:22.098)

Mm-hmm. And so sort of back to basics still, I think you also kind of alluded to another issue I think that's worth probably bringing forward is the reaction, right? So this manufacturing company, as you mentioned, contacted you a week later and didn't have a plan. You know, in the organizations I've served in a governance capacity in, one of the exercises is like kind of going through that scenario, like walking through what would you do in this scenario where you're under a ransomware attack and kind of figuring out what's your game plan. Is that something that you teach organizations to consider doing?

Dom (18:06.94)

Absolutely, Ashley, and even taking a step back and laying out what is the board's, I'll say risk tolerance, as an example, because knowing that tolerance and appetite will help dictate what the strategy is. So to illustrate that point, I often will, when I meet with a client, we're going through that exercise, I'll be speaking with the board or the executive suite, and I'll say, okay, what is your tolerance? If you were to get hit by ransomware tomorrow, at what point are you screaming uncle? Is it an hour of downtime, two hours?

Ashley Smith (18:13.911)

Mm-hmm.

Dom (18:35.088)

half a day, a day, three days. Because again, if it's three days, your security spending approach there is gonna be different than if your tolerance is half an hour or measured in minutes. Again, that's up to the board to dictate that. This is where I see a lot of boards failing is that they don't provide the right oversight and guidance to the technical teams, in which the technical teams are often, hope this isn't too graphic, but they're pissing in the wind in terms of trying to identify where they should be laying out their security strategy because the board isn't telling them this is our sort of drop dead point, or this is the point that we cry uncle. Or even another question I'll often ask is, how much data loss are you willing to tolerate? So let's say you lose a whole day's worth of data. Is that tolerable? Is that something that would make you scream? Is it two days, three days? Is it 30 minutes? Is it one minute? Again, questions like that will help dictate the security strategy. That way, there's greater alignment, and we're moving away from misassumptions or misunderstandings. That way there is complete alignment between the technical fulfillment and then the board or the executives are dictating what that tolerance should look like. Because what I see in so many organizations is the board thinks, oh, we can recover in minutes. IT thinks, well, based on the budget, the paltry budget they've given us, we can maybe recover in three days. And then an incident happens. And then the board's like, why aren't, it's been three hours. Why haven't we recovered? Well, what we set up, we're sort of able to get back within 72 hours. Then there's screaming, there's neck choking, there's a lot of pissed off people. And why did that happen? It's because no one bothered to have that conversation beforehand. It was the board thinking IT took care of it, and IT thinking, well, the board calls the shots, and they're not telling us what to do, so we'll just make best effort, right? That's why I try to help organizations steer clear of that situation.

Ashley Smith (20:19.416)

Mm-hmm.

Ashley Smith (20:23.118)

Mm-hmm. Yeah, that's a really, really good point. And I guess there's also insurance considerations that organizations can look at.

Dom (20:29.9)

Oh yeah. Yeah, that's another level of complexity there, Ashley. And again, actually a bone of contention for me, where I still see with so many business owners, is that they see cyber insurance as that proverbial Monopoly get out of jail card, right? Where it's like, oh, we got hit by ransomware. Oh, let's play the cyber insurance card. We're good. Right. The thing is, and that shocks me, how many people don't understand that insurance is not meant to address inherent risk. Insurance is meant to address residual risk. I have fire insurance. That doesn't mean I rip out my smoke detectors and throw my fire extinguisher out the window and walk around lighting matches, right? If something happened, the insurance company would not fulfill my fire insurance there. Same goes from a cyber security perspective, right? You can't just not do the basics, right? And I've seen this, especially as we've gone through this, I'll say this trajectory, with cyber insurance where it started off being where the insurance companies were literally handing it out like ecstasy at a rave to now they're like, hey, you know what, we're gonna really start clamping down on things. And I've seen this happen. I've had organizations reach out to me saying, we got hit by ransomware. We thought we had cyber insurance, but our cyber insurer looked at some of the stuff that we didn't have in place. And they're like, sorry, you're not doing multifactor authentication. You don't have this in place. Denied. That's a bad spot to be in.

Ashley Smith (21:51.595)

Right.

Dom (21:53.628)

And again, had they looked at it as a risk management tool, and rather than the get out of jail card, they wouldn't have been in that crappy situation.

Ashley Smith (22:01.166)

Right. Okay. So what about for consumers or even B2B I'm thinking about? It's like we all touch different companies in so many different ways and they're touching a lot of our sensitive data or even our serving, providing, you know, required services for our businesses. So I'm just kind of, I know this could go a lot of different ways, but I'm wondering how the individual... Maybe this is two conversations. How might the individual be thinking about protecting themselves from the businesses that they work with? And then maybe B, what about B2B putting in some measures to make sure that things that they're doing, part of their operations aren't negatively affected for a long period of time because of data breaches as an example.

Dom (22:57.212)

I'm going to start with B just because those are the people that I focus on and help. And that's what I deal with on a daily basis. So I'll work backwards there, Ashley, if you'll permit me to. But when we're talking about B2B, what we've seen, especially over the past few years, and this is even going back to the first question you asked me about what's changed over the past five years, we've had several watershed moments in what I'll refer to as supply chain risk management or vendor risk management. Five, seven years ago,

Ashley Smith (23:01.354)

Yeah. Sure. Yeah. Mm-hmm.

Ashley Smith (23:23.053)

Yes.

Dom (23:25.548)

unless you were dealing with really big enterprise organizations, most organizations didn't bother assessing the cybersecurity capabilities or the cybersecurity maturity of their vendors. Just wasn't done, or it was at best a checklist. But there have been several, like I said, watershed moments over the past few years that have really brought to light how weak the supply chain is in terms of cyber risk management and how weak vendor risk management is in the B2B space.

And what we're seeing, even in unregulated spaces, is I'll say the proverbial pendulum over swing, where it's gone from being really bad to now being sort of over burdensome. But if you are in the B2B space and you want to be successful, maybe you have a startup or you're a small business, you need to be able to prove very, very quickly, to me, it's boiled down to competitive differentiation right now, you need to be able to prove your cybersecurity capabilities as quickly as possible to potential customers.

Why? Because right now, preferences, if there's, let's say there's company A and company B, and they're both trying to sell to big company C. If, let's just say they're very similar from a capabilities perspective, and we're seeing that a lot, and it comes down to how quickly they can validate the security capabilities, they're going with the organization that they can validate the security capabilities with. So by investing in cybersecurity, doing the basics, and I hope this doesn't sound like it's me trying to promote myself, but engaging security advisors, engaging security professionals to help you provide almost like a security package, welcome package to be able to provide to potential customers. Here's how we do security. Here's how we do anything from A to Z kind of thing. That is a source of competitive differentiation. And if you're in the B2B space, you need to be able to be investing in that right now. Otherwise you're not gonna be around over the next five, seven years. I truly believe that. From the consumer perspective, it's

Ashley Smith (25:01.699)

Mm-hmm.

Dom (25:22.596)

We're seeing consumer narratives change and consumer attitudes change. Europe, as an example, has always been very strict around privacy. The privacy norms, cultural norms there, have always been very different to North America. But we've seen that change. With privacy legislation, both Canada and the US, we've seen greater customer requirements or attitudes changing around privacy and data security. So as a consumer, what I'm certainly advocating for is, you know, asking, looking on, you know, if you're thinking about using some B2C platform or tool or what have you, look, what do they talk about with their security capabilities or privacy capabilities? Does it sound like marketing crap? Um, if you don't know, reach out to your friendly security professional and get the, get, get their opinion. Um, but ask those questions. How are you protecting my data? What are you doing with my data? Are you selling it to a third party without my consent? Right? Stuff like that. We're seeing those attitudes change. Um, so it's, I'd say, you know, consumers very much now have that buying power compared to years past to be able to wield the privacy slash security piece. In years past, they didn't because they weren't asking the questions, so companies didn't bother. But we're very much seeing a change there in attitudes. We're seeing B2C organizations investing more in privacy and security controls.

Ashley Smith (26:28.989)

Mm-hmm.

Ashley Smith (26:39.922)

Mm-hmm. This might be an appropriate time. And I'm not sure that it's an area that you spend a lot of time thinking about, but maybe you can add some color to it just from the individual perspective and very much a Web3 perspective. Something I've been hearing a lot about over the last year are individuals getting their phones hacked, basically like things as what seemingly seems so simple as like SIM swapping. So somehow bad parties are able to convince phone providers that something was wrong with their phone and they literally swap the SIM and now somehow someone has access to that individual's phone. I don't know how prevalent this is in Canada. The examples I've heard have probably been more in the US, but obviously a lot of risk there and I'm sure it would happen one way or the other, regardless of what's going on in the environment, but I think crypto has led to a lot of this because people are trying to get into people's like wallets and exchanges and they're storing passwords and seed phrases on their phones where they shouldn't be. Is there anything that you might be able to add just to personal security kind of that from that perspective?

Dom (28:02.112)

Yeah, and you're so right, Ashley. And again, this goes to demonstrate, you know, where security is about the whole ecosystem, right? And cyber criminals are so good at looking at the weak links in that channel and in that ecosystem. And while it's certainly not prevalent, like it's not something that I generally say is high risk for most people, it's certainly within the realm of possibility. It's sort of, it's possible, but not always probable kind of thing. But there's a fairly simple fix for it, and part of, a significant part of the blame, I should say, falls with the telecom providers, that they are not doing enough to identify that the person who is calling is the person they say they are kind of thing. And that's something as a consumer, yeah, we don't necessarily have a lot of power in dealing with that right now, mainly because all the telecom providers are equally bad at it. But it is something that I would, I'd say we're sort of seeing tides of change in that regard. But there is a very simple technique that people can leverage or use: calling up your telecom provider and asking them to lock your SIM, either by providing a separate PIN or a separate password, ideally something that you don't reuse, you know, a hundred different times on a hundred different websites, to be able to lock that down. And most telecom providers that I've talked to are willing to do that. I've seen that be a common technique in the States. I've seen it being used here.

Again, it's not foolproof because it does still rely, unfortunately, on the maturity of the telecom provider in terms of how they're protecting against social engineering attacks like that. But it is a well-known technique, and it's something that I certainly do with my phone.

Ashley

Something I just want to mention for the sake of our audience, in case they're thinking, well, you know, I don't have crypto exchanges on my phone, for example. I'm not too worried about someone accessing even, say, my bank account because I don't do anything like that on my phone. One of the things that was vulnerable to attacks over the last year that I've noticed are people's social media accounts. So whether that's a personal social media account or one where someone is, say, operating and managing a business's social media account. And what happens is when someone's able to take that over, they're able to then put out content or perhaps send people to malicious links. And then, of course, your business's reputation is at risk for a variety of reasons. So...

Dom (31:00.732)

Mm-hmm.

Ashley Smith (31:19.858)

Those are the types of things I think that we're seeing in the landscape. And as these bad actors are becoming more sophisticated and finding new ways to make money, whether it's on the ransom side or on the simple sending people to the bad link side, there's just a lot of things to be thinking about and watching out for.

Dom (31:37.772)

Oh, for sure. And, you know, I'll go back to multi-factor authentication, or what's sometimes called 2FA. Social media accounts, I would include those as well, right? They all have that capability. It's unfortunate they don't force that by default, but your social media accounts, especially your business ones, turn on MFA. Stuff like that is like the proverbial club in the car, right? It's not foolproof, but more often than not, it does the trick.

Ashley Smith (32:02.914)

So I do want to touch a bit on the emerging technologies. I understand your point that people have to have the basics down first before they can even attempt to catch up to some of these things. I mean, we see headlines, right? And the headline examples of the bad things that can happen may only scratch the surface, really. It may not be the primary areas of concern, but people are talking about deepfakes as an example. So when we take phishing to the next level and we've got people pretending to be other people, and they're able to perform as that individual in a much more sophisticated way. What should organizations and businesses be thinking about when looking at, say, how phishing is evolving, and how should they be preparing their employees for the new landscape?

Dom (32:49.54)

Yeah.

Dom (32:53.56)

Yeah, that's such a good question, Ashley. And even stuff like with phishing, where stuff like AI is allowing, or I'll say empowering, cyber criminals to have even more believable phishing emails. Because a lot of the stuff that people have been relying on in terms of indicators for, oh, this is a phishing email, like bad spelling or a rushed sentence or stuff that we've been preaching for 20, 30 years, it's falling apart very quickly. Those indicators may have been good in the past, but I've seen ones now where it's almost impossible to be able to identify what's real and what's not. And AI is certainly going to be accelerating that, and that makes social engineering and phishing even more scary. And so I'd say it's less on trying to rely on your staff to identify phishing. I think that is an antiquated approach to dealing with phishing, right? That makes it, it's unfortunate we still have a culture where we're trying to have people be aware of threats. And to a degree, I think it is important, but relying on it as a control, or the sole control, I think is futile. Businesses need to be able to create more resilient processes.

So I'll give an example where I have to focus. And it's something that's often referred to as wire transfer fraud or business email compromise. So it's like an email that looks like it's coming from a VP or the CFO. Say, hey, you know what? We have this new vendor. Please create this. You know, it's an email sent to someone in accounts payable. Please send this, you know, 50,000 or 100,000 or 500,000 dollar payment to this new vendor right now, you know, and someone in accounts payable is like, oh, this came from the CFO. Can't question it. Right. Got to do it. And then the company's out 500,000.

Rather than focusing on trying to identify what is quickly becoming unidentifiable, they should be creating more robust and resilient processes. So as an example, being able to say, okay, as a company, if an email comes in asking for a new vendor, we need to validate that through another communication mechanism. Or maybe they set a threshold: anything over 5,000 or 10,000 requires some other level of validation, whether that's in person, whether that's picking up the phone,

Dom (35:09.752)

whether that's using a carrier pigeon, I don't really care, but some other level of validation that you're not just blindly relying on email, right? So that's a very clean non-technical solution. And it's generally why we see these types of phishing attacks being more, I don't know if deadly is the right word, but more scary with small organizations and with large organizations. Large organizations tend to have more procedural maturity around stuff like wire transfers and stuff like that. Most smaller businesses don't.

So again, there's a great non-technical solution to be able to identify that problem. So new problem introduced by AI, you don't necessarily need to fight that with more AI. It's just, I guess, being able to identify areas of resilience and robustness and be able to build that in.

Ashley Smith (35:53.578)

That being said, I can't help but ask, are there tools that you're paying attention to or watching that may very well be new but could potentially really help organizations in the coming years?

Dom (36:07.884)

Oh, for sure. I mean, like, obviously, everyone's heard of ChatGPT, but those types of LLMs, they provide such great capabilities and opportunities for especially smaller organizations to be able to tap into knowledge, right? And often at a fraction of the price, or for free, compared to having to engage a Deloitte or KPMG or whomever.

And I see that being a great equalizer, right? Because right now for most smaller businesses, trying to really get a grasp on what does a security strategy look like, right? Where should we be focusing? That can often cost them, you know, $50,000 or $100,000 kind of thing, depending on if they're engaging one of the Big Four or larger organizations, right? It can often be cost prohibitive. And that's why a lot of organizations, especially during a recession, they're like, we can't afford it. We're worried about security, but we can't afford to pay for it. So what do we do? Right. And I see that a lot from people, they're left with the, so what question? So what should we do kind of thing? I see LLMs being able to provide a great equalizer where they can at least use that as a first pass. Right. Asking ChatGPT, what does a good cybersecurity strategy look like for a small business, right? Being able to start there. Um, I think it provides great opportunities for organizations to shore up their cybersecurity capabilities and then be in a better position to maybe even ask more informed questions. So I see it being a great equalizer that way.

Ashley Smith (37:39.undefined)

I can't help but ask about Web3 technologies, and I'm wondering whether or not that's something you're thinking about, whether from a tools and opportunity perspective or from a risk perspective. One thing I'll mention before we get into your answer, just as I'm thinking about it, is I have heard of some companies having token-gated resources, training, basically where there's exclusive areas where things can be accessed and otherwise would be difficult to access. And maybe there's a security practice in that. But I'd love to hear any thoughts. And if you don't have any, if you think we're not there yet, that's okay too.

Dom (38:15.132)

Mm-hmm.

Dom (38:22.176)

And that's a really good question, Ashley. I like it because it's forward thinking. And I really believe that what we'll see, and we generally have seen this with broader security technology as well, is that we see enterprise adopt those types of technologies first, and then there's a trickle-down effect. So I think very much we're in a space right now where we're seeing enterprise embracing Web3, especially some of the security capabilities that could live there. I think one of the first hurdles to overcome though, before we get to that spot where we're seeing mass adoption at the enterprise space, is, well, what's referred to as code security. Everything that's making any of these Web3 technologies work is the underlying code. And one of the areas that we still struggle with right now is, is the code secure? Are there things that were put in there, either maliciously, by state governments, China, Iran, Russia, US, what have you, or is it just some mistake in there that could allow, a vulnerability that could allow someone to gain access to everything?

We still don't have enough robust processes in place. And this goes back to supply chain maturity, risk maturity as well, to be able to say, yes, this code is as secure as possible. Let's start rolling it out, operating it, that type of stuff. So I think that's the prerequisite and the hurdle that we're dealing with right now. And right now, a term that often gets thrown around in those circles is referred to as a software bill of materials.

So understanding what are the components, what are the library components, what are the actual pieces of code that go into making this Web3 technology work, as an example. So we're seeing that happen at the regulatory space, we're seeing this happen with enterprises. So I think as we get deeper and past that, I'll say that checkpoint, I can see that greater adoption happening at enterprise and then seeing that trickle down. Right now, what exactly, what type of technologies end up being the ones that win? I'd say it's too early to tell. And I'm usually terrible at predicting stuff. That's why I usually finish last in fantasy football every year. But for me, I think that's where we are in terms of the timeline.

Ashley Smith (40:15.404)

Mm-hmm.

Ashley Smith (40:24.758)

Right. And so for folks who are maybe this is their area of focus, whether they're, you know, leading IT departments, audit and security, or, or they're CEO of a company, you know, how might one keep their finger on the pulse of advancements? Because it does feel like things are happening so fast. And even new threats are coming about so quickly. How do you stay on top of things?

Dom (40:46.556)

Yes. Yeah, that's such a good question, Ashley. And I'm going to maybe indirectly answer that first, in which if you own a blockchain company, a Web3 company, you're owning a tech startup, nothing pisses me off faster than someone saying, oh, it's secure. How do you know it's secure? Oh, well, I coded it. Well, that's absolute garbage. That doesn't make it. Stuff like that.

If you're trying to sell to investors, if you want to grow your company, don't do that. And one of the things that always bothered me with crypto was that, I'm going to say the vast majority of crypto companies that I came across, they weren't really worried about their security because they were just trying to get someone to buy it, invest in it; to them, security was someone else's problem. So if you're truly trying to build a sustainable organization that will be around years from now, ask those questions now. Be able to show that your code was done securely, right? Demonstrate that you have the right security ecosystem in place, be able to demonstrate that you are adhering to certain security best practices. If you're not sure what those are, reach out to me, right? Me and my pineapple are happy to have a conversation, right? So I think it's important to recognize why you're in the game. Like I said, so if you're in it for the right reasons, reach out, but like I said, one of the things that always bothered me about crypto was that there was so much funny money being thrown around, was that very few crypto companies actually paid attention and invested in cyber security because to them it was someone else's problem.

Ashley Smith (42:19.022)

For those who are listening, not watching, Dominic has a pineapple nicely positioned right behind him on video. No, that's great. That does lead into my next question a bit, and you sort of touched on some of the answers, but I am wondering, where do you start? If you're a legacy company and you know that your practices are antiquated or non-existent,

Dom (42:22.145)

Yeah.

Dom (42:26.3)

It's not a euphemism with natural pineapple.

Dom (42:41.871)

Mm-hmm.

Ashley Smith (42:46.39)

versus if you're a startup, whether you're tech startup or any sort of startup, as you mentioned, most companies today, whether they want to recognize it or not, are tech companies in some way or data companies in some way. And so how do those two very different organizations navigate what to do right now if they're starting from zero?

Dom (43:10.444)

Yeah, great question, Ashley. And you know what? The thing to understand is that for me, security very much needs to be intertwined in the fabric of an organization. Security as a five-person organization should look very different than when you're a 50-person organization or 500 or 5,000. It evolves and changes as your company evolves and changes as well, right? So I think it's so important to take a pragmatic approach and lens to cybersecurity, because there's no point putting enterprise-level security on a 10-person organization, right? That just is inefficient and ineffective and a waste of money. So being able to understand, I'd say first thing is where you are right now as a company, where do you want to be a year from now? Who is it that you're selling to? Really understand that market, understand what are their security requirements. So if you're a fintech company trying to sell to financial service organizations, you're gonna need to be able to demonstrate security very, very clearly and efficiently. Same thing if you're a health tech company, you've got to be able to demonstrate that. Maybe if you are more in the manufacturing space, yeah, maybe you're not seeing that as much, but you need to be prepared for being able to answer vendor risk management questions or supply chain risk management questions. If you can't answer those adequately, they're gonna move on from you. So like I said, knowing where you are, knowing who you're selling to, use those as your foundations for growing out your security program. You mentioned, sort of, Ashley, legacy organizations. Another favorite of mine, I love working with non-tech or old tech companies, your law firms, accounting firms, companies that are more traditional companies and are not really sure what to do. For me, the approach there is understanding, A, what is your most critical data? What systems support that data? Where does that data live, breathe, who accesses it, and being able to then build very robust data backup capabilities and other access control capabilities around that. And then building out, leveraging security frameworks that are right-sized for a smaller mid-size organization. So one of my favorite frameworks is based from an organization called the CIS, which stands for Center for Information Security. It's a global platform, global framework. It lays out very tangible, very pragmatic and actionable steps that smaller businesses can take from both a people, process and technical perspective in building out a security program. And if you feel so inclined, engage with a security professional to help you build out that security roadmap.

Ashley Smith (45:39.891)

I should mention that you have some great resources as well. You also have a podcast that you do. Do you want to talk a little bit about that? Because I'm certainly not going to be doing the deep dive on security on every episode. We're here just to introduce the topic and hope that folks are thinking about it in their businesses. So where can people find you? What kind of things are you covering?

Dom (45:48.252)

Yeah. Ha ha ha!

Dom (46:04.168)

I appreciate that, Ashley. Yeah, so I'd say a great starting point is our podcast. It's called the Cybersecurity Matters podcast. Again, it's not a technical podcast. It's a podcast geared towards, again, business owners, executives, people in the small and mid-sized business space who aren't techies but are really trying to understand that intersection of cyber risk, business and just cyber threats. So that's something that we explore in great detail. We're almost 200-plus episodes in, and it's something which I think is a great source of knowledge for a lot of people who are trying to start their security journey. You can follow me on LinkedIn, Dominic Vogel, only one there, at least the only English-speaking one there, I think. And I don't always talk about security, but I actually mention there, I try to put a different slant on things, trying to be a positive troll, be what I jokingly refer to as a professional hype man.

So you can get to know me first, right? So if people get to know me and like me and trust me, then I like to believe I can bring up security and see if that's an area where I can help you. But the other area would be my company's website, cyber.sc, and we lay out some approaches there as well. But the best spot to get me is LinkedIn. If you like what you heard, connect with me, drop me a DM, and I'm always happy to have a friendly conversation.

Ashley Smith (47:17.838)

Awesome. Thank you so much, Dominic, and we'll make sure to include all those links in the show notes, everybody, to socials and to the podcast and website. Maybe before we leave, I don't know if you'll have an answer to this, but I'm curious, is there anything that excites you about the future when it comes to security in this context?

Dom (47:37.82)

Hey, yeah, that's a really good question, Ashley, because I mean, both having kids and being in this profession have aged me prematurely; the gray hairs on my head are testament to that. But I'll say what excites me for the future is that with things like AI, Web3 technologies, there's great hope for greater automation. And by automation, I'm really referring to being able to really remove the whole needle in the haystack equation. Because right now trying to find cyber threats proactively is very much the proverbial finding a needle in the haystack. And there's no shortage of security vendors that sell you and hawk you their wares that claim to find that needle in the haystack. The thing is, that's the wrong paradigm. That paradigm no longer works because there's too much damn hay. And being able to find that needle is just very inefficient, regardless of how good the platform is. So things like AI, things like Web3, being able to have greater automation. So that type of paradigm is completely flipped over, where security analysts, security professionals are only given the needles. They don't have to worry about the hay. That's gonna really bring, I think, greater equalization to the defensive approach to security, because cybersecurity is very much an asymmetrical game. One of my long-time mentors always says, the attackers only have to be right once and the defenders have to be right all the time. That paradigm has been true for three years, right, for as long as I've been in this field. And I think what excites me about things like AI and Web3 is that it has the opportunity to completely shatter that paradigm, where it's going to become less asymmetrical and ideally more in favor of the good guys, of the defenders. So that excites me, but who knows, that could still be five, 10, 20 years from now. So that's the only thing that, I'll say, lessens the excitement. Ha ha ha!

Ashley Smith (49:34.33)

Cautiously optimistic, always positive, and especially given the nature of your work, which I'm sure you're putting out fires or helping put out fires all the time. And so it's nice to see someone who's in that work still smiling and being willing to be out there and helping and contributing and helping folks just not have to run into those problems. So really appreciate your time, Dominic, today. It's been very enlightening and hopefully has...

Dom (49:36.416)

Yes, let's go with that.

Ashley Smith (50:02.51)

help stir up some ideas for folks who are listening, help them really, you know, start thinking about what their practices are, how they might be able to improve even in some very basic and fundamental ways, and also how to start thinking about and paying attention to the future and some resources with your podcast, for example. So Dominic, thank you for joining us today on From the Blockchain. I hope you come again. This is the type of topic that maybe in a year, there might be something really new to discuss. So you're always welcome back.

Dom (50:31.708)

That's awesome, Ashley. Thank you again so much. And I look forward to coming back on the show. That's amazing. Thank you.

Ashley Smith (50:36.43)

Great. Thank you. All right, everybody. Thanks so much. Have a wonderful day. See you next week.