Sammy Basu is the founder of Careful Security, where he uses his extensive cyber security corporate background and teaching experience to create fun and easy-to-digest lessons that can help career professionals and cybersecurity aspirants gain a holistic understanding of cybersecurity concepts.

Before starting his consultancy, Sammy worked in different aspects of information security for established Fortune 100 companies Warner Bros. Entertainment, EA Sports, Pfizer, State Farm Insurance, and Goldman Sachs.

He is a highly credentialed information security professional with numerous certifications and loves to help students navigate through their own cybersecurity adventures.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in Calcutta, India with a lot of family around in a pretty competitive environment. We were constantly graded on exams in school and my parents were strict regarding education. It was stressful. I also played a lot of sports and took part in a lot of extra-curricular activities. I was quite an enthusiastic and adventurous child and was very willing to raise my hand and jump into unknown waters. At 18, I headed out on my own for college near Bangalore, India. I attended the same college that Microsoft CEO, Satya Nadella did but the similarity ends there.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I loved playing soccer, played it every opportunity I could, and just before I was about to start college, I fractured my knee while playing. I spent a month and a half in bed, during which I read all of the Sherlock Holmes novels. I just loved them! I discovered I had a natural affinity for mysteries and discovering the hidden path. When I later discovered cybersecurity, it was like being in a real-life mystery novel, hunting down the clues and trying to solve the case. So, I know it’s cliché, but in my life one door closed and an entire career opened.

Can you share the most interesting story that happened to you since you began this fascinating career?

I’ve worked with a lot of high-profile clients and the most interesting stories involve protecting digital assets and battling hackers and other unscrupulous types. During one high profile job, we were fighting the people who claimed to have stolen data, in real time, and refusing to pay them their desired ransom. We were in the headlines fighting a live cyber battle of utmost importance. It was wild to be in the thick of it and to see it reported in the press at the same time.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

I have to credit my wife for this. In the early 2000s, I had started my career as a system and network administrator. I was really becoming more interested in cyber security. I started studying more and more about cybersecurity, but I had to take a certification exam to become eligible for a job in it where I worked. I spent two years procrastinating the exam before I got married. Once I was married, well, my wife took over in the best of ways. She really encouraged me to go for it, she would make sure that I didn’t doze off with the boring certification books, which I’d found made great pillows and were good for an arm workout. She motivated me to double up on my studies as I was working and take the exam. As a newlywed husband, of course I had to listen to her. And thanks to her, I was so inspired I passed with flying colors. That’s how I got started.

Are you working on any exciting new projects now? How do you think that will help people?

In addition to my cybersecurity business, I’ve been teaching cyber security. I teach small groups who have little experience and equip them to get jobs in cybersecurity, which is facing a huge talent shortage at the moment. I’ve been teaching them for the past two months, and three of them have already got jobs. I am creating jobs for people and helping to fill job opportunities; it’s exceptionally fulfilling. It’s a really great career choice and I’m so happy to be a teacher and mentor to my students.

What advice would you give to your colleagues to help them to thrive and not “burn out?”

Cyber security professionals have a high burnout because they are telling people what they cannot do. Most career guidance says, “be positive,” however in cyber security it doesn’t quite apply. There are important cybersecurity steps that must be taken before a product is launched, because we need to make sure it is secure. These often conflict with the business interests that are more focused on the bottom line with security sometimes taking a backseat.

One timeless principle of cybersecurity is the tradeoff between security and cost or convenience — you see this with your PC or smart phone. Double authentication is higher security, but less convenient.

Security professionals are often paranoid that if something happens, they are the one who are going to be blamed and it’s their head that is under the axe. And that’s partly true. At the same time, when they go to businesses with these concerns, businesses sometimes turn a blind eye. As a result, we are burdened with the knowledge that the company can get hacked any time yet our hands are tied. A good cybersecurity expert takes the time to learn about product roadmaps, time to market, and gross margins so he or she can help the client navigate this path to find the sweet spot.

Now, that situation is drastically changing these days with the increase in hacks and the dramatic impact these hacking attacks are having. So, my advice is it’s really essential to make sure that the company you’re working with values security as part of its near and long-term bottom line and that choices stem from that. With some of the recent high-profile (and costly) hacks, people are seeing the risk/reward connection and that cyber security affects the bottom line, protects and preserves the business.

Okay super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the cybersecurity industry? Can you explain?

It’s a high-stakes cat-and-mouse game that plays out in real time. The attackers are crafting out new attacks, and vendors and the security software are always playing catch up. It’s an arms race waged with computer hardware and software.

Cybersecurity is a combination of art and science and there is no one-solution-fits-all approach. I wish there were, but there isn’t. I can build all this defense, have all the skills, but the attacker will always find a way. A security team has to be on alert mode 24/7; there can be no lapses. In thwarting attacks we have to be right 100 times out of 100; an attacker has to be right only one out of 100 times.

Cybersecurity is pervading all aspects of our daily lives. From politics to pipelines, health care to Hollywood, meat plants to mobile phones, the more we connect to the Internet, the more we widen the threat landscape. Nobody’s off the target list. Finally, my parents have a better understanding of what I do for a living.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

The recent increase in ransomware attacks has shown that many companies, utilities, banks and governments fail to adequately protect the nation’s infrastructure. They are completely unprepared for the onslaught that I foresee accelerating. If an attacker wants to hack somebody, they will hack them — that’s how unsecure we are currently. There needs to be a huge change in mindset.

Also, we clearly were never prepared for the growing level of corporate and hostile nation espionage and attacks that we’ve seen recently. If you can imagine it happening, someone else has already thought of it and is exploiting it right now. It’s the threats we haven’t even imagined yet that worry me.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

There are plenty of stories. Attacks can come from anywhere. Security is only as strong as the weakest link. I’ve seen large organizations getting hacked because someone clicked on a bad link in their personal email account and inadvertently allowed the entire organization to be infected. The takeaway is everyone in the organization has to be vigilant and aware of cyberattacks, not just the security team. Most cyber-attacks happen because of human errors.

Also, most attacks don’t happen on a Monday morning, they are launched on a Thursday afternoon before a long weekend, or on a Friday evening. Hacking attacks take place just before the Thanksgiving vacation or before your Christmas holidays because hackers know the company will have a reduced workforce and that is when they go to war. It’s an age-old principle of military tactics.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

Well, I use a combination of open source and commercial tools that can proactively break into a system just to simulate hacker behavior.

The tools keep evolving with time, despite our desire to believe there is one silver bullet that can prevent all cyber hack attacks. Even though sales pitches may say, “Buy our product and you’ll never get hacked,” — truly robust cybersecurity is a product of people, process and technology.

Technology alone will not resolve your people and process vulnerabilities. I can buy the best car in the market, but if I am a bad driver accidents can still happen. Cyber security operates on the principle of least privilege. Don’t give anybody more access than they need.

How does someone who doesn’t have a large team deal with this? How would you determine when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

Simply buying a tool off the shelf is never adequate, because you still need to tune it to your business processes. Taking the advice of a qualified cybersecurity professional will go a long way in building secure processes, ground up, rather than retrofitting security as an afterthought. So please engage with your security professionals as early as possible and plan ahead. The bigger or more valuable the company, the more it will be targeted.

Data has shown that preventative work with a cybersecurity specialist is around 3% of the cost of trying to fix the breach afterwards. Prevention, prevention, prevention and love your cyber security professionals.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss?”

A lay person knows what ‘normal’ looks like for their device and can quickly spot the unusual. So, be observant, and be aware of what ‘good’ looks like. So, when something looks different, like an anomaly, then you can bring in an expert to dig further. For example, if your system is crashing, or if the router light is always on, then you know, this isn’t normal, this needs looking into.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

If you have an infected system, you need to quarantine it. So, isolate the infected system from the rest of your live systems and analyze the extent of the impact.

Plan in advance. Assign a value to your various categories or tiers of information (digital assets) and keep your asset inventory updated. That way, if your customer data has been breached, you know the dollar value associated with that data and you have a plan to prioritize, recover and restore operations.

Plan for trouble before it happens, because if and when it happens, every minute counts and teams get stressed and mistakes can be made.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

California Privacy Act states that consumers have a right to know what personal information companies have of theirs, and to request it be deleted.

This has forced companies to go back and look through their systems and identify all the different places where they have been storing sensitive information of their customers. Sometimes it can be with third party marketing companies, but it has helped organizations take an inventory of the sensitive assets. It has been beneficial because you have to know what you’re protecting, before you can come up with a plan to protect it.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Security is only as strong as the weakest link. Supply chain security is becoming a big area of concern as third-party vendors are suffering data breaches thereby exposing customer data of the bigger parent company.

User identities are getting compromised because of a lack of multi-factor authentication. System vulnerabilities are compromised because of misconfiguration and missing patches. The list is long but it all boils down to two things — identity and data.

Since the COVID19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

Studies have shown that cyberattacks have increased as much as 500% during the remote work-from-home paradigm. That’s primarily because people had to connect to their company’s internal assets from their home networks. The lockdown was so sudden that very few companies were prepared to handle the additional security demands that such remote access requires. This is not going away anytime soon, as even after the pandemic people will continue to work from home and use their personal devices to connect.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs to Know to Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

So, five things companies need to do:

Have the right security policies and procedures in place. Have a backup and incident response plan in place. Run proactive testing and monitoring for security weaknesses. Mitigate risks on a prioritized basis. Have a good cyber security professional on speed dial.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

Hmm, great question. I’d say the reason security has failed until now is because security hasn’t been usable. So, make security more user friendly. It will increase user adoption.

