Up in the Air with CZ

Episode 4: Cyber Risks in A/E/C with Lee Carsten

Season 1 Episode 4

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 57:04

Welcome to Up in the Air with CZ! As AI advances, so do cybersecurity threats, now posing significant business risks. In this episode, Danny talks with Lee Carsten, Founder & CEO of Whitecap Risk Advisors, about emerging cyber threats facing A/E/C firms. 

Lee Carsten 
Founder & CEO
Whitecap Risk Advisors

Lee Carsten is the Founder and CEO of Whitecap Risk Advisors, a cybersecurity and AI risk advisory firm focused exclusively on the architecture, engineering, and construction industry. He brings more than 20 years of experience, including time as a Vice President in Aon's Cyber Solutions group, and is a Fellow of the Information Systems Security Association, a designation held by fewer than 2% of members globally. Today he works directly with AEC firms to translate technology risk into terms their leadership teams can act on.

Hello again and welcome to the Up in the Air Podcast, a show about designing buildings, building people, and just finding ways to be better. I'm your host, Danny Zimmerman, executive principal and CFO with Cleary Zimmerman Engineers. Thank you for taking time out of your busy schedule to join us today. I hope you'll leave uh better and a little lighter for the listen. For the next few minutes, I have the privilege of speaking with my friend, Lee Karsten, founder and CEO of White Cap Risk Advisors, a cybersecurity consulting firm focused specifically on the AEC market. We're going to talk about cybersecurity, maybe a little bit of AI. And this is a subject that I think all AEC leaders really need to make a priority if it's not already part of your business plan because it affects us all. We've been affected by it numerous times already, and I thought it'd be great to uh bring Lee on and talk about it on the podcast. Full disclosure, White Cap is on contract with CZ. And I was so impressed by Lee's process and what he did for CZ. I thought it'd be great to have him on and talk about it. But before we do that, it's our usual hot takes by cool engineers. And today's hot take is that technology upgrades, maintenance upgrades are a hassle, even for MEP engineering firms. We have been going through a technology upgrade here, bringing all of our offices onto the same platform. And man, on the access control side. So that has been just a hassle. We thought we were good. Next morning, everybody comes in. None of the cards work. Then the get cards redistributed, supposed to have proximity sensors or proximity use of the phone. So when you come into the door, none of those worked. And it's just been day after day trying to get this right across all of our five offices in Texas. So even engineers who are supposed to have their stuff together struggle with some of the maintenance upgrades. Same for HVAC. I don't know what's special. Maybe it's the fact that we're approaching our 20-year anniversary. But uh this year in San Antonio, we're also replacing uh the most of our HVAC systems. And boy, that's been fun as well. Just unanticipated issues, what we call existing conditions that we didn't foresee when we started the upgrade. So if you have something like this coming in your future for your firm or at your house, uh make sure and plan for the worst. Have the contingency plans because there's a good chance it's gonna go south and it's not gonna go exactly like you hoped. Lee, any upgrades you've ever had that uh didn't go the way you expected? Yeah, I'm I'm sure there's there's plenty. Um luckily we don't have a proximity sensor on our door at home. I I think for us, we just standardize with like with ring. I think you can get it though, right? Now the technology, yeah, you can you can buy it for the doors. Yeah, uh cybersecurity guys probably aren't, but you probably I'm sure you can. Right, right. You know, it's interesting you say that because I actually did upgrade the doors on my house uh to codes, but they were connected to Wi-Fi where I could see who comes and goes and I could assign different codes to contractors or somebody. Um but what I found was, and I don't know if it's just the technology or the brand, but the problem was the batteries die quickly in the door locks and it just eats them. And then you get locked out of your house, which I've literally been locked out of my house and had to call a locksmith because I have all this fancy technology and I can't get into the house because I don't have the override key and the lock is has died. Yeah. So the key under the rock, you know, you didn't have the key. Yeah, I didn't have the key under the rock. No, you're right. And after that, I did put the key under the rock. Actually, I was so frustrated by this that I went and yanked them, yanked the locks out and went back to a simple code. So you can get where you just have a code and it's not intelligent and it's not connected to your Wi-Fi, and that seems to work great. Um, but I was disappointed because I like the fact that I could see the doors opening and closing, who was coming, contractor, when they arrive, things like that. Um kids sneaking back in the house, yeah. Exactly. Uh I I think in the commercial world, they act you can actually get electrified hinges where you have a constant power source that's routed through the mortising of the door and uh works a lot better. But at a residential level, I was not prepared to spend that kind of money. I just wanted the economical Home Depot upgrade, and needless to say, it didn't work. Yeah, in in the cybersecurity world, I've done some physical penetration testing before, and we've, you know, some pretty high security areas, and there's there's known hacker tricks on how to defeat some of the sensors. Yeah. So just like above the door, if there's if there's a heat sensor, uh-huh, um, you can use a can of um of air and just stick the straw through the crack. Oh, nice. And the temp change triggers the magnet to unlock. So, I mean it's a it's a four-dollar can of air and you're in. Okay, well, I'll remember that for next time I need to break into a secure facility. All right, Lee, thanks uh for being here today uh here in the SoFlo Design District studios of Cleary Zimmerman Engineers. And I want to start just by hearing your background. Tell me about uh yourself. Clearly you're in cybersecurity, but how did you arrive here and uh how did you get to the point where you founded uh WhiteCap? Yeah, so um thanks again for having me. It's it's this is exciting, and you know, it's a fun thing. And thanks for the friendship and the opportunity. I mean, you've really been a supporter of you know a lot of what I've done, and and I appreciate it. And I'm glad to hear that I brought some value to you and the firm. Absolutely. Yeah, so I've been in cybersecurity since 2002. Um, my first real cyber assignment was helping Chris's hospital build out their cyber team. Um, and that you know, they came to me and needed help with a firewall person. And this is before we called it cybersecurity, and it was really like the early days of information security. So helped them build that out and then started doing that for a lot of different organizations in town and ultimately um got my first cyber job in 2007. So, you know, been in like dedicated since then. Um worked for 20 years now. Yeah. Wow. Yeah. Worked for uh an application security boutique. Yeah, no, it's it it there's a lot of us at this stage right now. Like it's it's pretty wild. I was just at a dinner last night um in Austin with a bunch of chief information security officers, and yeah, like the a lot of us are the gray hair, gray beard. Yep, yep, yep. You've arrived. Yeah. Um so yeah, I moved from the job with Kalens into a job with a application security boutique consultancy. Work nationwide, a lot of big enterprise firms. We were helping um organizations secure their application stack. So this is lots of custom development, typically in highly regulated industries. Um, that was an amazing experience. And then in 2016, um, I took an opportunity with Strauss Friedberg, and that was Strauss was a digital forensics and incident response firm. And three months after I joined, we were bought by Aeon. So spent um almost 10 years with Aeon as a vice president of their cyber solutions group, working with treasurers and CFOs and risk managers at the intersection of legal risk, technology risk, um, and enterprise risk to help them make decisions about what their, you know, what their risk programs look like and was there like if, you know, when the bad day occurred, it was I was one of the first phone calls. So I got to do that for some time, which is um exciting. It's like driving an ambulance. Um my dad actually drove an ambulance when he was um coming up, and he said it's 95% boredom and 5% terror. Um, so I don't know if it was quite that, but um that was it was a really cool experience. And then last summer, um, Aeon like sold off the cyber team and had an opportunity to like do something else. And and I I had worked with the construction services group at Aeon for some time, and there was a they have a big CSG team, and was never really able to support those construction clients um at Aeon just because of how we were built and the kinds of teams we had and what it would take to do, um, and and just based on size and scale. So when I built Whitecap, I you know I saw this as an opportunity to really dig in. I just love the AEC space, I love the people, I love building things. And you know, like there nobody does like more like like literal building than the AEC industry. And the opportunity with Cleary Zimmerman came up, um, spoke at a couple of construction finance management association meetings, got some friends that are construction brokers, so it just made a lot of sense. And and I've I guess I'm about nine months in and just it couldn't be happier. I think there's so much opportunity in the AEC space. Um, you know, when you came to us, we just weren't thinking about cybersecurity, and we'll talk about here shortly, but it's it's such a risk today. Everything we do is so focused on um technology and software and all the systems, and we're really good about locking the doors and having the the controls on the doors, like we talked about, but not so much in the cyber realm and with all of our systems. So looking forward to that. On my last podcast, um I told the audience in my hot tank that I believe uh the impact of AI and the AI revolution would be similar to that of AutoCAD in the late 1980s, kind of really changed um our business and what we do and how we do it. You and I had lunch a while back, and you shared some opinions that I thought were really fascinating about the disruption, this disruption from a cyber perspective in AEC, so in architecture, engineering, and construction. Tell me a little bit about that, because I want our audience to hear that. Yeah, so I it's it's based in the digital transformation and construction technology and where the business is moving, um, there's a lot of advantages to leveraging tech. And I think that one of the reasons that, especially on the construction side, where it's you know, mainly field crews, um kind of legacy systems, and and as you move up into like go from blue collar to the white collar construction and into the A's and the E's, the architects and engineers. Um, like you guys have been leveraging technology for a while, like you said with AutoCAD. Um, but the AI boom is changing everything. Um, it's it's going to allow you to, you know, bid better, to like have more controls over the project as it goes through. There's the opportunity for um like selling services as with the as built, and so you're not just turning over plans, but all of the like the electronic um information that you can manage about a building and the structures and what's what's in the air in those buildings. So um it's really important that um that you you don't not move forward with technology because you're concerned about risk. Uh and I think my take on this is the companies that um that don't move forward with the technology and don't embrace AI and don't embrace the construction technology, they have risk as well. Yeah, so it's a choice. Like you don't have to do it, but it's a choice. And I think the first way that it shows up is gonna be in the finances. So you're either going to be bidding projects and lose them because someone has a more efficient way to deliver that service, um, or you're gonna be bidding projects and winning them, but winning them at a loss because someone with better tech and a better understanding of all of the intricacies of the project is is going to not bid that or bid it a little higher. And now you're gonna be stuck with a project that you're on the hook to deliver and you deliver it, you know, at a loss. Sure. Yeah. So there's a financial risk. And I think that's the exact that risk is what I talk about internally in our firm and why we have to embrace AI is because we have got to get progressively more efficient in little areas. You know, not bring AI and say your AI is going to design this building. We're just gonna uh plug the architectural models in and then watch the MEP come out. That's not what it is. But if we can become more efficient when we're reviewing submittals, more efficient when we're um doing our site visit reports, you name it, the really low-hanging fruit, uh meeting minutes, uh financial analysis to your point, you know, that that applies to us too. We're looking at pay applications, we're looking at things in the field just like the contractors would be bidding on the front end. So I completely agree with you. And um, I think, especially in metropolitan areas, you've you've got to. If we're in if you're in a small town, maybe that's different because everybody knows everybody, but in metropolitan areas, I think our industry, if you're not competitive with technology, and I'll maybe taking some of this away from you, sorry, but no, you're not. So that that's the first thing. The second thing is gonna be a people risk. So, like, is is is are people important to the construction business? Yeah, of course. Yeah, there's there's a lot of discussions around how do we, you know, attract and retain like the next generation of talent or the good talent that we have. And the companies that make the lives of their employees easier and make them more efficient and and give them you know better opportunities are gonna be the attractive employers. So you're gonna be the you're fighting the talent more already, but now you're fighting it kind of with one hand behind your back because you're you're not employing some of the tech that's you know that really makes like the job fun. Yeah, yeah um and gives you you know some advantages that you don't have otherwise. So you're you're gonna lose the like the best employees, and that's gonna hurt you long term. Hurt your competitiveness for sure. Yeah, and just the kind of company you become. Yeah, yeah, absolutely. And then the third thing is it comes in like the rest of the risk profile and enterprise risk. So, you know, how are you getting bonded? What does your surety package look like? What does your cyber package look like? Are you having you know business interruptions because you're you know you're not managing those systems well? Yeah, um, because just because you're not doing something doesn't mean you're immune from the attacks. Like you're everybody's using email, everybody's using computers, you may not have iPads in the field yet. Um, but that doesn't uh absolve you from any cyber risk. Yeah, and it's gonna show up. Well, I really like your perspective on it, and um that's exactly what we're digging into today. So uh digging into today. AEC firms, we aren't, you know, the garden variety aren't big, large tech companies. Certainly there's a lot of big contractors and there's big architecture and engineering companies. But by and large, you know, we're just it doesn't seem like we would be a big target. Are we really a risk for cyber criminals? How do you see that? So what do you think? Do you think you're a target? I well, based on all of our conversations so far, absolutely. So this the studies are that the the AEC business is a pretty big target. I think the ransomware numbers that I've seen, it's about double the rate of other industries. Um and if you if you just look at the the list, um like last year, healthcare was number one, manufacturing was number two, and construction and AEC was number three. Oh wow. Well, I can imagine both in architecture, engineering, actually in all three, there are so many subcontractors and consultants involved. So many, so much payment of uh cost of goods uh payments that go out that aren't just expenses. So that you know, that's gotta be one of the areas that's a huge risk is payment fraud. Yeah, the numbers are really big, the companies are small, the level of maturity and the investment that's been made around cybersecurity isn't the same as as a more mature industries or regulated industries. And that one of the things that really drives a lot of cyber maturity is the regulation, and that just hasn't really happened in construction yet. I think CMMC and what's happening with the cyber maturity certification that the any DOD contractors have to um comply with by November is is driving some of that. Just like in the retail space, PCI, which just celebrated, I think it's 20th year, um, drove a lot of maturity for retailers because uh they had to comply or they couldn't take credit cards, which was a big source of the revenue. Uh yeah. So like that did it. And then in healthcare with HIPAA and uh in financial services with SOX and a you know a lot of other the the OCC, which is one of the top regulators in that space, um they're they're driving a lot of adoption because business leaders don't have a choice. And you said that's CMMC? Yeah, we're in the process of doing that with your help right now because of federal contracts and getting ready for those. Um do you have like an example of something that you've gone through or seen specifically uh in this area of the AEC or cybersecurity? Of a breach or something like that? Yeah, so it's it's uh it's a little sensitive because we know we don't we don't name names and that. But um I think from an AI perspective, there was a UK engineering firm that was recently hit that um, and it and not to like this is not a scare tactic, um, but the threat actors used um use you know like like the the spoofing, voice spoofing, and even the video spoofing and digital, like the digital um spoofing of their leadership team while the leadership team was away at an offsite um and ended up creating $25 billion worth of losses in um in in multiple payments. Good, you know, and these aren't firms, like you said, they like you know, just from a revenue perspective, you're like that's like a like that's the revenue. Yeah, it's a lot of money. We could lose the whole thing, the whole year um because of something like that. And uh and and it it does occur. You and I got uh involved professionally from a business perspective, initially because of insurance. But one of the reasons that, and as CFO, this has kept me up at night is uh the examples or the incidents that I've seen on uh some of the consultants and contractors out there just in the last couple of years. Uh recently, in the last year, there was a well-known subcontractor that got hit with an email ransomware. And gosh, it took them down for at least two weeks. FBI got involved. Um, and I'd probably I'd be interested to hear from you a little bit about incident response and what that means, because that was part of why we got involved professionally, is being prepared when something does happen. Where do you go? Like what's your first call? It's that ambulance incident you talked about. But what happens when an incident occurs? Let's say it's ransomware with an email, locks down the system. Um, a lot of things are triggered at that moment. And if you're not prepared as a professional, then this can really extend the disruption by days or even weeks. Sure. Yeah, the the average ransomware downtime is 16 days. Wow. So you know, and and that that is still a major attack vector. It's not the largest attack vector in the space. Um, I think fraud on the BEC, like the like the payment fraud is the largest loss from a dollars perspective. Ransomware can be very disruptive, though, as well, because if the business is down for days or weeks, um you have a problem. So the first thing you want to do is you don't want the first time that you're talking to your, you know, your team, your your response team to be the day of the incident. So like trying to find someone. Yeah, like don't pick your team on game day and and like it go like have have a plan. So if you have cyber insurance, one of the good things you get with that is a network of providers. So even if you just have a small policy, anybody that's considering cyber is like kind of on the fence, I would just encourage you, even get a million-dollar policy. Um, it's not that expensive. I mean, that the premiums are from you know $3,000 to $15,000 a year. And that really depends. Like cyber insurance is not binary. Um, and I know I think we're gonna talk about insurance a little more later, so we'll cover that then. Yeah. Um, but from an instant response perspective, you get that network of providers that are vetted by the insurers. Um, you know, you you want to make sure that the breach coach is one of the first people that gets pulled in so that any of the work that gets done is under privilege or is protected as much as you can. Over the last couple of years, the courts have been pretty aggressively like pulling privilege off of forensic investigations. So you need to make sure you do everything you can to protect that up front. Oh, wow. Um so even like the statement of work with your incident response provider should go under the, you know, the the GC or the breach coach that's managing that. We, you know, we aren't immune to it. Even before we started putting in place some of the new measures, cybersecurity measures, we had a uh a ransomware, um, I guess it's it's software that's built into the email essentially, but it passed through our email system to a client of ours. Somebody opened it on the client side and ended up taking down their servers. Thankfully, they didn't hear, and communication is a big part of it, even though we have not historically, but you know, I would say 2025 and previously had a lot of the measures we need in place. Um, one of the things we did, and I think we have done well is communicate. We constantly talk to staff about being vigilant. If you don't recognize the email sender, if something's not right, you know, the the usual hover over the email to make sure it's who it says it is, because the spoofing both um in in voice and then in text is a big part of how they get the ransomware uh uh across. Yeah, and and identity is a big part of that, and and the hackers don't really hack in as much anymore as as They do logins, so like if they've got credentials, and third-party risk is a big part of it. So one of the things about this business is how the teams work and operate together and how teams are built and the the business relationships that go back years with you know, like with you and your clients and and your subs and the people that you work with, but they change for every project and the the information and everything is shared in a very open way. So, you know, a impact to one organization on that team can really impact everybody very quickly. And there has to be some kind of trust built in the world. You don't want to be that guy. No, you don't. And I I also think it's kind of our fault as a security industry that we've got um people getting attacked so easily just doing their normal jobs. Because like, how do we communicate as companies, right? Email is a jet a big way that we communicate. And if you teach somebody not to trust something, then they're gonna use it less. Yeah. So, you know, like we've we've now taught everybody that they have to be, you know, cybersecurity engineers and they're you know, like their part-time job is being a cyber person. And I just don't really agree with that. I think that we the the industry has to do a better job with controls and technologies so that if you're following the cyber rules of the road, like the basics, like you know, don't do anything obviously wrong, um, then you should be okay. And we're we're still not there yet. I mean, I think that we there's still work to do. So that's a great segue into the idea that it's easy to think that cybersecurity, my MSP, my managed services provider, they're handling that, or that's the IT department's um job. Why may this not be the case today? Why do you not have cybersecurity as top of mind with some of these usual consultants that you have, um like your your managed service provider or things like that? Yeah, I I think it's it's the assumption that gets made pretty broadly is you know, we've that's part of what we did. You know, like we if if you're you you're we're on you we're on Autodesk platform, we're using ACC and like they cover the cyber for us. Um but the reality is that data is your data. And the responsibility for protecting that data is your responsibility ultimately. Um if you're if you're on a project and you've got you know cli uh like private client information that gets exposed, even through a third-party cloud partner, um, that that's still, you know, like the lawyers are gonna come for you. Um and you gotta make sure that you have you know like the security controls in place to help manage some of that so that um so that you're not you know both held responsible but also the reputational risk and everything that goes along with it. Does the average MSP contract cover a lot of cybersecurity? Um and maybe you're not as familiar with the MSP second. No, I'm I am and and it so um MSPs do a do a good job. Um like in in general. I think that the assumption made by their clients that this is covered or or or it's not as as deliberate in that conversation to say, like, this is what we're doing, this is what we're not doing, so that you can build that governance layer around it. And it's really what I built my business around because the like the Institute of Internal Auditors has the concept of three layers of defense. So the the first layer of defense is operational. So either your internal team or your MSP typically handles like your cyber operations or your IT operations, and that's where that where a lot of the controls are put in place. Layer two is a governance layer, and that's policies and procedures, strategy, all that. And that's a lot of what I do and what I bring to the clients that I work with. Um, and then layer three is audit. So there's you know, there is not a regulator that's auditing this outside of like we said, CMMC. Right. Um, but there there can be internal audit, and and I even some of the work that I do is cover some of the audit layer two, just to make sure that the that all the risk is considered and it's appropriate, right? Because cybersecurity is not a game of perfect, it's a game of good enough. So, what does good enough look like? If you just think about physical security, like like you know, we you've got glass doors on the building, right? How hard would that be to break? Yeah, well, that's a choice you make because it's a it's it's aesthetic, it's functional. Uh you know, there are locks on the doors. There's a physical lock on the bottom, there's a magnetic lock on the top. So you like we we can lock this, but if somebody wants in, they're gonna get in. Yeah. Um and you can't make the email filters so restrictive that you don't get emails from the people you need to hear from. Yeah, and and the snarky security guys are like the the most secure systems, like not connected to the internet and probably not connected to power. It's just like it's just a box sitting there. Uh you guys recently did, and and this is kind of the heart of what I I want to hear about today. You guys recently did what was called a cybersecurity risk assessment study for us. Now, at risk of going too far in the weeds, I think it's worth taking um a few minutes to talk about the five themes that you built this study around. Um, because I learned a lot in this process, and I think our audience could really learn a lot about cybersecurity and think about their business processes and what they do and how they can, how they need to make improvements. But in that study, and and I'm looking for like layman's terms, descriptions of this, the number one thing was identity and credential governance. What does that mean? Yeah, so uh that is um identity is one of the ways that hackers really leverage to get in. There's even there's a separation of duties in the hacking community where there's an access brokers that their their job in the cybersecurity like underworld is to go get credentials, right? Go get access in organizations. They're not actually doing any of the attacks. And then they sell credentials, they're like, hey, we we've got on the black market. Yeah, 20 credentials to these kinds of firms. Whoever wants them can buy them. Um, and and there's various methods for how that works. Um, but but identity protection is one of the more critical things you can do. And especially as AI really takes off, um, it's it's being able to prove to prove you are who you say you are, you know, and how do you do that? And you've talked about you know multi-factor and other things, I'm sure you've heard about that. And that's so and and even though that's now relatively defeatable, um, there there are the the identity governance space in security is one of the top ways. So like if you've got controls over who has access to what and role-based access controls and least privilege and some of the like the security concepts, because cybersecurity, they talk about it as being like layers of the onion, and and you're really building um just because you do one thing doesn't mean you're secure. You're really trying to like layer in um security controls to keep as many of the bad actors out as possible because you just want to, you know, you don't want you you don't have to be the most secure person, you just want to be the not the least secure person. Yeah, you want the guy to move on down the street when they see that the door is at least locked. Yeah. Yeah. So when Google sends me that email that says we found your password on five other sites or something, I should pay attention to. Yeah, you that that's a good time to go reset those passwords. If it's actually Google. Yeah, well, okay, good point. Okay, number two in that report was endpoint protection gap. I'm guessing this has to do with devices and things of that nature. Yeah. So what you don't want is a well, you don't want something to happen that you're not aware of. And then you don't want something that happened to that happens to one machine to happen to all the machines. Okay. Um, so part of endpoint protection, if you think of the old days, that's like semantic antivirus, you know, or Norton. I think everybody had like some kind of antivirus in the past. Um, what happened, you know, sometime back was the early machine learning models started looking at heuristics. And instead of being signature-based, which is antivirus, so every every virus has a signature or a hash that you can just search a table and say, is this exist? It doesn't let it through. Um, so the the new endpoint detection is behavior-based. So it's looking for behaviors that malware would typically use. Um, and so like there's there's agents on all of all the machines that look for the behaviors that are not normal behaviors. Routines, right, out of the routine that that person normally does. Right. Or or should be doing. Someone in that role should not be, you know, you know, like requesting that kind of access. Ah, okay. Um, and and then and having that in place is really important. And what now is even called it's not EDR, but the like which is endpoint detection, but it's manage detection or XDR, which is even like the network side of managete, so that you're it's just more information about what's happening happening in the environment so you have visibility and can detect and stop an attack sooner. Number three was detection and dwell time. What does that mean? That's stuff that gets in, potentially software monitoring stuff that gets behind the door. Right. That's do you know if something's going on? And and attackers used to live in the environment for six months before they did anything, and they would just sit and watch. So it you had to So this is exactly what we just faced. When as part of one of the, I guess, the technologies we leveraged to improve our cybersecurity at your recommendation, we went through and did these scans of everybody's email. Tens of thousands of emails, hundreds of thousands of emails number. Yeah, six months of your your exchange server. Yeah, yeah, exactly. And then what you found was like 24 agents sitting there that weren't active, right? Or something like that. But this is the kind of thing you're talking about here. Yeah, but like we without disclosing too much. Yeah, there's like two active um incidents that we were unaware of. Completely unaware, blind to had no idea it was sitting on our servers, our exchange servers. Right. And so luckily, right? Um I think that the other thing in cybersecurity is luck is such a big part of this. Like it is better to be lucky than good. Yeah. And and that happens all the time. I mean, I've I've I've been on a number of incidents where um I so the scattered spider, which was the MGM hack a couple years ago, um, before like two weeks before that that incident, I had a Fortune 100 client that called me and had a scattered spider event that was going on, and their entire organization, the backups were in Microsoft Azure, and there was one checkbox in a configuration file for immutability that saved 80% of their backups. Wow. Yeah. They were one checkbox away from losing everything. Good, great. Yeah. So like it is better to be lucky than good. So, like back to the question again. I want to make sure I answer it. Yep, detection and twelve and dwell time. Yeah. So like you you just yeah, you need to be able to detect that. And part of that is the EDR, the front and the point we talked about before. Um, but the dwell times are now hours or days. It's not six months. So um with in and this is this is even before the attackers are leveraging AI. So everything is even getting faster. You talk a lot about attackers. Where are these attacks coming from? Um most of them are financially motivated. I think you know, years ago we talked about you know the nation state attackers. And there was a breach this year from an Iranian group that hit Stryker where they leveraged Intune, which was a mobile device management software that is used to you know like manage access to the environment. And and they they used Intune to delete either 70,000 or 200,000 devices. Wow. And like, you know, took everything out. It was pretty pretty pretty wild. And it's not a sophisticated attack. They just had access to an Intune console in that environment and used it. Um because attackers are living off the land. So nation state is rare, but it happens. The other thing about that comes up with nation state when you're talking about cybersecurity and insurance is the act of war clause. So in that case, like the like insurance doesn't cover an act of war. So if you if you are attacked by a nation state, um, you know, like there are challenges to like you may think you have a financial backstop that doesn't exist at that point. Luckily, that's not most of the attackers. It's mostly financially motivated. And this all happens with the forensics team that your insurer is gonna bring to your office or digitally leverage against your network to see what happened, right? That's right. Yeah, and and I think everyone, business leaders always want to know like pay like who when did they get in? What do they touch? What do they take? Um, you know, like who was patient zero? How did this all occur? Um, there are ways to identify patient zero. It's it's harder to identify exactly what was taken because of the way network traffic gets routed. A lot of times attackers will leave uh at like tables or information behind that they build and then they'll delete to cover their tracks. But if if 20 gigs of data went out and we're not sure what 20 gigs were there, but we can find a tree that was created that has like the accounting folder and the things under accounting, and that that's about 20 gigs worth of data, there's a pretty good assumption there. Okay. Um, and then the forensics team will build, you know, even like tables to show what data was touched or where there was access so that you can kind of try to triangulate and get that information so that you have you can make you we we give that information to the lawyers to help them advise you on what the real risks are because from a data breach. Yeah, what are you facing? A data breach perspective, that's the personally identifiable information or like, you know, like any information about clients or any information that like with you could be subject to a lawsuit. And when you hear about breaches versus incidents, like incidents happen all the time. Um breaches don't happen quite as much because that's the public disclosure piece. So it it is, and and there are state rules around reporting, and the the the the state GC has requirements uh for you know any kind of data breach. So if something happens, you do have a requirement there that could also put you in trouble too. Another reason to have a cybersecurity expert helping you out. We've got to keep moving. I want to keep asking and digging, but we've got to keep moving. Engineering IP and cloud data exposure. This was number four. Maybe you kind of touched on this already. Well, not so much with intellectual property, but this is the client's information at the end of the day that we've got on our servers and and in our files. So the two big things in AI security are really around identity, which was the first thing, and then data governance, which is this question. Um, so data governance is really understanding what data you have access to. Is it private, is it public? Because you protect that differently. Um, you know, who has access to it natively, who could get access to it, how how you request access to something, um, because you you don't want everyone to have access to everything, right? Like your your HR folders are gonna be really, you know, a restricted information about you know pay scales and who's doing what, and everybody's like what kind of health plans that they're on, and all that information is protected. So even if you don't have any other regulations, if you have employees on a plan, you know, you're protect you have to protect that data a little bit more sensitively. But the your intellectual property and building designs and plans and owners information or your marketing and proposal template, and I know you guys do such a good job with how you market and how you think about that. It's like that's competitive information that you wouldn't want to get out. So you need to protect that differently, and that goes down to data governance. Last one on here of the five points in your report was governance and insurance posture. What does that mean? Yeah, so that's the overall governance. Like, do you have a cybersecurity policy? Like, are you other other than just acceptable use? You know, there's a number of policies that everybody should have in place. Um, you know, from an insurance perspective, you know, do you have the right kinds of coverage? Cyber years ago used to be covered under other policies, but pretty much every carrier is making explicit coverage now. So you have to have an explicit cyber coverage, but every cyber policy is not the same either. And I think we'll probably talk a little bit more about that. Yeah, that's actually a good segue because that's next on my list. What impact does insurance have on cybersecurity? This was the very reason you and I uh started talking from a professional level uh to begin with. You were with Aeon at the time and we had a cybersecurity policy in place, and the cybersecurity carrier came to us and said, Okay, hey, fill out, Mr. Client, fill out this self-assessment. We want to see what your cybersecurity posture is like. So we filled it out. No, we're not doing that. No, no, no. And they came back and said, you know what, if you don't fix at least these three items, then we're not gonna cover you next year. We won't, we won't take the policy. Um, so I can imagine that insurance is right in the middle of all cybersecurity issues and your posture. Yeah. So so cyber insurance is really looking for macro issues. They're they're looking at trends in claims. So if they see a trend in a claim that like these clients, all these clients that got hit didn't have multi-factor authentication, that became the rule. Which was exactly our first step was we had to, I mean, sad to say, we had no multi-factor authentication requirements two years ago. Right. So it's so that that was something that was really popular when the market got hard, you know, about four years ago. It was something that would create denials in that in in applications or renewals. Uh so yeah, and a big part of my job at Aon was just helping clients build proactive programs that that made them insurable or put them in a little bit better category. And I think security guys always want to know exactly like, hey, this $50,000 project that we did, you know, how much should that save me on premium? And it's not, it doesn't get graded like that by an underwriter. The way that underwriters look at um risk, really like the the type of business you're in has a lot to do with it. Just like think of the uh like auto insurance analogy. If you're a 16-year-old male that just got a driver's license, your insurance is higher. Like, why is that? It's the claims data, right? So, like if you're in an industry that's been attacked a lot, your insurance is gonna be higher because that's a bet that's a higher risk for that underwriter to carry. Um, you know, and if you don't have certain controls in place, your your risk is higher. And and and really from a pricing perspective, if they don't like it, they'll just say, like, we don't want to, we're just not gonna bid it, or they'll bid it in and dare you to the picket because it's like, yeah, if you're gonna pay that premium, we'll take it. We'll take the risk. Yeah. But that ended up being what what you can't, you can still be in a high risk category and go to that carrier and say, yes, but here is our cybersecurity policy, here are the measures we've taken to be more safe and end up getting coverage and a decent. I mean, this is what's happening to us right now. We're facing renewal, and they've come back and barely increased our rates because of all the measures we've taken in the last year or so. I think it was a 9% decrease. Yeah. Yep. Yeah. So it's it, you know, like it it and that also is market-driven more than it is anything we've done. It it's like when the when the market is competitive and the there the the carriers are competing for new clients, you're you're gonna get a better deal. When the when the market is pulling back and saying, like, we've got too much exposure, we're not comfortable with this wave of claims that's occurring. Um, that's when no matter how secure you are, you're gonna have a hard time with a renewal. It's what all my peers are doing, right? It doesn't matter what I'm doing. At the end of the day, what we're doing to keep our data protected is for our own security, peace of mind, financial security. Um I'd say it's a little of both. I mean, it matters. It does matter, and it is a driver. And cyber insurance is a financial backstop that that can be used. Everybody thinks about like the ransomware amount and like an the average ransomware amount, according to the recent COVID report, is only about $115,000. Oh, really? It's that low. Yeah. It and and So a million dollars of coverage is good. But the ransomware amount is not the exposure, right? The exposure is like if you're if you're two weeks of lost income and operations. Yes. That's right. Okay. It it's way bigger than that. And I think that's what people underestimate. I mean, when you think about it, and this is what kept me up at night, the risk of having 150 employees that can't access their email or have no ability to log into the network because we we're we're in the process of standing it back up from the backups that are off site, those are the kind of risks that are huge. It's not, you know, to your point, it's not what I have to pay the the uh criminal out there asking for the ransom. It's really what income I'm losing and the costs I'm spending. Yeah, business interruption is the biggest cost for sure. Yeah. And and and cyber insurance does cover third party and first party business interruption. So something happens to a CZ system, you've got coverage under the first party business interruption. Something happens to a partner, AWS East goes down, and now AutoCAD's offline for a day. Um, there there is a potential claim that can be made through a third-party dependent business system interruption policy. So, what I'm hearing, one of the points here is make sure you've got a cyber security insurance policy and you know what's in it. You've got an expert like you looking at it saying, And that was done. And I'm and I'm not a licensed broker, but I I work with them all the time. And on that, and like with you in particular, you know, like we've got a really good team. You and you want somebody that does this every day. You like you you you want a specialty broker for your cyber policy. You don't want to use the guy that that's doing your general PNC and everything else. Um, it's it's the best practice is have someone that just does cyber work with you on your cyber. It's not a time to go cheap and pick and it's not even about cheap. You know, like and and I think people think cyber insurance is binary. Like if you think about auto insurance, like you can get minimum liability and then you you can say I have insurance. I have auto insurance, right? But uh a good policy is gonna have the equivalent of comprehensive collision, uninsured motorists, you know, rental reimbursement, all of that stuff. Like that's what a good cyber policy is gonna look like with the things that are important to that. All right, briefly before we wrap up our podcast today, AI and the evolving threat landscape that um comes into view when you're talking about cybersecurity. Talk a little bit about that. AI is getting more advanced, being used by criminals more and more every day. We're starting to use AI internally more and more. What does this mean to cybersecurity and our posture? So the the attackers have first mover advantage. Um they're they're they started using it before we did. And you know, and it's better than me. One of the examples is just the better hack like phishing emails, you know, like so like all of the the terrible grammar. Yeah. Yeah. So So, like there that that's getting better, but that's not really the even the most dangerous. I think um there was uh something got released recently, um, Mythos and Darkwing or Glasswing from Anthropic was the the foundational AI tools are really good at finding issues and vulnerabilities. So Anthropic went out and found like a 27-year-old BSD vulnerability, which is a something that is the core of the internet that could that could break the internet if it wasn't fixed. Um, that no one no pen tester and no person had found in 27 years. Wow. Um, and then the Glasswing project was a group of about 20 of the big security companies they brought together to say we've got to really address and fix this. So the the models themselves are being used to find problems. Now the reality is about 3% of vulnerabilities are ever even attempted to be used. So we don't have a problem of fixing everything. It's really we have a problem of fixing the things that attackers would potentially use. And that's how you have to prioritize because it's not about perfect, it's about good enough. And you know, let's just make sure that we're doing the appropriate things to protect what you know what we're trying to protect. So a lot of firms today are looking at leveraging AI and adopting new tools and getting an anthropic subscription, a claude subscription or chat GPT subscription for more and more people. Um, what what should we have in place as a as an AEC firm to make sure we're protected in those areas? Yeah, so I I think it goes back to a good core cyber policy and just good cyber maturity and then an understanding of what people are doing as you're leveraging AI. Um like and what you don't realize, you may think, okay, we're gonna do this, you know, this anthropic subscription and we're gonna like start implementing that and using it. But there's AI in everything that you use. I mean, there's there's AI in your billing platform, your project management platform, your your your you know, your your Autodesk platform, everybody's got AI built in. So how is that being used? What is it being used for? How that like getting an understanding around that and really building a good AI risk profile, similar to what you're doing around cybersecurity or cyber risk profile, is really important. Is it better to have company provided AI subscriptions than just tell your staff, hey, we we want to encourage you to go use AI, go use Chat GPT or whatever. That there's a problem with that. Yeah, there that I wouldn't recommend that. Um one of the things is you don't want any proprietary data training a model. Um so like you don't want to take all of your proposals and say, like, hey, how do I make these better? And now like that becomes part of Claude's model. Yeah, put all that out there on the page. Anyone else that queries, Claude can like potentially get your answer as part of their request. Um so you don't want to do that. But there there's there is certainly a better way to do um like an enterprise AI rollout. And I know you you guys are you know working with some experts there, and and you know, like it's it's important to have a measured, you know, strategic approach to how you roll this out. Yeah, good advice. All right. We're gonna have to wrap up cybersecurity discussion in the interest of time, and I want to go to a fun segment we call overrated, underrated. And the goal here is I throw something out there, you just say overrated or underrated, and maybe tell me why. Okay. So in the spirit of the spirit of cybersecurity, password managers. Overrated, underrated. I still think they're underrated because uh not enough people use them. Um it like one one of the major ways people get you know popped is like password reuse. So having some kind of password manager. So my Google Sheets password spreadsheets, probably not the best. No, that no, that that's that is actually just a physical password manager, you know. Like like you need to make sure that that is protected. That has a really good password, at least on that document. Um but but using a password manager, you just want to make it easy to have a long password. Okay. That's really it. Password complexity used to be the thing that everybody talked about. It's length is the thing. And and and as quantum comes out, I mean, like, you know, China's got a quantum computer that breaks encryption. So every password that we currently have of any length with any kind of anything um is is breakable. I wish I could pull on that thread. Multi-factor authentication. Underrated, overrated. Uh I I would say it's overrated. Hmm. Uh because MFA bypass is a thing. It's pretty effective. And through AI or just other there, there's there's multiple ways that that you can bypass MFA. So one-time passwords or anything like text-based with syn swapping is is you know, is is relatively easy to do. And and but like MFA fatigue, there's a lot of attacks where the attackers will just send you a like a prompt, like if if you have to approve with authenticator over and over and over at midnight, and you're just like hitting your phone on next to your bed and and and you hit approve, right? And those are just like the non-technical ways, and then there's technical ways to bypass it. To defeat it. Yeah. Well, it won't hurt my feelings if no, it's not going away, but it's overrated. All right, face ID or touch ID. Um, so in when you talk about multi-factor, it's something you know is one factor. It's one of the factors. Yeah, and then and then something you have or something you are, right? So a face and touch ID are something you are, it's part of multi-factor. It's also it's it's pretty safe. I mean, I I'm I'm for it. Uh I maybe a little bit underrated. I feel like the only place we do the touch ID or face, well, face ID really is Apple. Apple does this so well on the phone, but I know there's a lot of laptops you can set this up and do work. We're not doing that internally. That might be something we look at doing. Travel itineraries. Uh I'm a I'm a big fan. In my family, I would say they're underrated. Uh, because my wife and kids are just like free spirits and like don't like plans. Yeah. And and I think that we just missed so much on a trip. Like, there's so much we we could have done if we would have just thought about it. 100%. Yeah. Travel itineraries. To your point, mixing a little A in here, AI in here, just to explore. Uh we were looking at a trip this summer, and I went into uh Claude and said, here's what I want to do, here's the ages of the family, here's where I want to go. We're we like history. We've got a young one too. We need to make and I was amazed at the itinerary that came back. It was absolutely astounding. Yeah, I did I did a trip with my older son when he turned 16. We bought a car in Seattle, flew up there, and drove it 3,500 miles back to San Antonio. Oh my gosh. And we used road trippers and said this is where the main things, places we want to go, what do we need to see? And it was un, it was an unbelievable trip. Yeah, one you'll always remember. Yeah, I'm a big fan of travel itineraries as well. Totally underrated. All right. I know you're a razorback, so this is kind of uh in the spirit of UT, 6th Street in Austin. Um, I I think it's overrated. I don't really go to 6th Street, so it's like it's kind of a hard thing to answer. But like, is it wasn't 2nd Street the cool place to be for a while and other places? And now, like, I mean, there's the guys shooting people on 6th Street, so you gotta be careful. Physical security, no cybersecurity. Yeah, I'm with you. Uh uh overrated. Barton Springs in the summer. Um, I just think that's overrated. There's so many great places in Texas that you can go to. Um, you know, and if you get out to the Frio River or other places, there's like it, that's I would do that instead. Yeah, I shouldn't admit that I've never been to Barton Springs, so but I did want to ask you. All right, this one's a good one just because of uh our family, and I think you and I have had conversations, but MMA fighting. Um I I think it's underrated. I like like full disclosure, I in one of my last companies, we worked for Zofa and did their IT, built their website, handled, handled an attack from anonymous. It's like the stories for another day. It was it was amazing. But one of the things that Dana White always says is that everybody understands fighting. It's it's one of the oldest sports. You know, like it, like everybody knows what it is. You don't have to understand the rules of like a fight's a fight. Um, what makes MMA so interesting to me is that it's not just about fighting, it's about preparing yourself mentally and physically to fight at a certain time on a certain day against a certain opponent with a set of rules. Um and so with those controls. There's rules in MMA. Yeah, some like you know, yeah, you can't like like no kicks below the belt, like you know, like no eye pokes. Yeah, there's rules. You can't bite the ears, or can't you bite the ears? Yeah, like you know, that's boxing. Well, I I I wouldn't have known anything about MMA until the last year or so, and my son's gotten so involved with the intramural MMA at Texas Tech that uh it's been it's been really uh fun to watch and to learn about it. So um underrated. Uh conference speaking. Um I think if you go to the adage that if you want to like if you want to really learn something, you need to teach somebody. So if you want to really learn something, go give a talk about it. You know, find something you're good at, go give a talk about it. Like, you know, you can find like small local talks or local user groups to do it. It will teach you so much about that. Plus, you know, like engineers and cyber guys are are pretty introverted and it helps break them out of their show a little bit. So I would say it's underrated. Yeah, totally agree. I think if you want to really learn something and become an expert, try to talk or teach somebody about it, and that's when you learn where your weaknesses are because you get questions and and you really learn, um you really become an expert in it. So totally agree. All right, last one pugs overrated, underrated. Yeah, so like that's that's a loaded question. Yeah, that's a loaded question. I think dogs are if if a dog can be underrated, you know, or any dog, dogs are great. I'm a dog person. Um, I think you need a dog that matches your personality. Because I've got friends that have gotten dogs that don't match their personality, and like, why did you get that dog? Like, you know, you're you're not like a marathon runner. Why did you get like the dog that needs a great day? Yeah, like 10 miles a day, right? So if you're sedentary and you're a clown and you um and you'd like a constant companion and a shadow, a pug is a great dog. I was just about to ask, what are the redeeming characteristics of a pug? But they're amazing. They're they're the only breed that was bred for compatibility only by the by the Chinese emperors and you know, a thousand years ago, and they came over um with the Dutch. There's paintings in Holland of the Dutch royal family because the like the Dutch um East India Company, not the wet, not the bad one, but the good one, the spice trade. They they got some pugs from the emperors, brought them back to um Amsterdam, and then the um the Queen and King of England had English bulldogs, and we're trying to kind of breed out some of the stuff in them, and they bred it with the pug because the old pugs don't look anything like a modern pug. Um, and that but the new pug is was what we have today, and uh we love them. You are a pug expert. This is I'm kind of a pug too. So yeah. Fantastic. That's interesting to uh hear the background on the pugs. All right. That's gonna wrap it up today. Uh really appreciate you coming in and talking, having this conversation. We could have gone uh so many other places with cybersecurity. I think there's a lot to talk about, but in the interest of time and not uh going just two hours long, I I think we've covered uh the surface of a lot of things and really hopefully got somebody thinking about it, that principal, that uh executive, that finance manager thinking about the risk associated with cybersecurity. So thank you, Lee, for coming in. Really appreciate it. Um where can the audience find you? What where are you gonna be speaking your social media handles? Yeah, so I've got a number of things coming up. I'm speaking at the Association of General Contractors Technology Conference in August. Okay. So um bringing a panel of folks up from San Antonio. The talk is called Nobody Gets Hacked Alone, why um cybersecurity is a team sport in construction. So that's gonna be a good one. Um I'll be at AEC Innovate in um Vegas in June. Uh, I think that's the 16th and 17th. Okay. Um, and and around and and the RIMS, which is the Risk Information Management Society. I'm giving a talk at their Texas regional conference in um in August as well. But on virtually and online or later, if you see this, if it's beyond the summer, um, whitecaprisk.com is my company website. Um, I'm Lee Karsten on LinkedIn and pretty active there and happy to have like have the conversation. I'm I'm I'm starting research on a book and looking for conversations with principals just to get perspectives about cyber risk. So, really looking for, you know, if that's something you think you'd be interested in or participating in, reach out to me and I'll I can let you know what I'm looking for. Yeah, I would encourage you to reach out to Lee just to have a conversation. He's really going to help you uh in the very early stages of starting to improve your cybersecurity risk posture. So that's gonna be a wrap for today. Thank you very much for joining us. Look forward to seeing you next time on the Up in the Air podcast.