As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Adam Jackson, Founder & CEO of 360 Privacy, which provides complete management solutions and privacy solutions for online data presence and security. Jackson spent 10 years in the Army as an Infantryman and Green Beret. He has multiple deployments to sensitive and highly volatile environments. Upon concluding his service, he began helping high profile individuals and celebrities secure their homes, tours, and personal information before founding 360 Privacy.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in southern Indiana. I come from a big family. I joined the Army in 2007 after high school and spent my first few years as an Infantryman and my last bit as a Green Beret.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I was doing physical security for country musicians and I kept seeing cyber issues move into the physical realm. Several stalkers that started in the digital world were able to gather enough information about celebrities to move the threat into the physical world.
Can you share the most interesting story that happened to you since you began 360 Privacy, maybe something during your military days?
I don’t know if there has been one single “most interesting story”. I would have to say the most interesting part of the job has been seeing the extreme variety of day-to-day issues that lapses in cyber security and PII can cause.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
The person that has had the most influence on the culture of what we are building at 360 Privacy is my team sergeant from 5th Special Forces Group. He gave his subordinates enough room to create some pretty awesome results while still maintaining some of the most rigorous and intense standards I have ever had to measure up to.
Can you tell us a little bit about what 360 Privacy does and any new news?
In a nutshell, we help people control their own personal information on the internet. There are over 280 sites that will build profiles about almost everyone in America and sell that profile to anyone that wants it for 0.99 — 30 dollars. Those profiles include SSNs, address, VINs to vehicles, criminal history, email addresses, phone numbers, and lists of relatives.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
It’s impossible to burn out if you are doing something that truly matters to you.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
1. It completely changes every 2 years
2. The impact of good cyber security on personal lives and bottom lines for business is growing
3. It’s rewarding to know that you are protecting good people from some truly bad people
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
The blending of multiple modes being deployed in one attack. We are seeing Personal Identifiable Information (PII) used in spear phishing attacks that deliver a ransomware payload more and more every day. I also think we will start seeing more sophisticated attacks involving IoT devices.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
Yes. We regularly see spear phishing attacks that lack enough information to fool their intended victims.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Rubica VPN — It encrypts your internet connection and routes it through a different server to stop some online tracking. It also scans all traffic for malware before it ever gets to your computer.
MalwareBytes — Detects malware on computers
Signal — Encrypted messaging application
Burner — An app that gives users a disposable phone number for a specific period of time
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
I would say that you should start by understanding cybersecurity is the single most important cost center of any business. It affects company reputation, employee safety, customer satisfaction, bank accounts, and much more. Executives at big and small companies need to understand that and allocate budget accordingly. There is not a specific threshold for bringing in a managed service provider or a CISO, but I would say that any company that is storing the PII of their customers should have an expert involved in their process.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
1. Increased spam to email accounts or phone numbers
2. Small “test” transactions you don’t recognize
3. Gut feeling — It’s always easier to replace a credit card or change a password than it is to remediate a breach
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
It depends on the size of the company. The first step is to identify the source of the breach and remediate. The next would be to deal with your customers as honestly and transparently as humanly possible. Their safety and security should always trump any business goals your company may have.
Companies should learn from mistakes, identify the vector that was used to exploit their system, and build a security plan that addresses it. As far as customers go, if companies fail to protect their customers’ data, they owe them whatever it takes to keep them safe. In most cases that involves providing identity protection for a period of time.
GDPR is a great first step for privacy but does not really help Americans. CCPA is a law that had great intentions but was shredded by lobbyists before it was signed into law. It is extremely cumbersome for small businesses and offers very little protection to consumers. It is actually harder to remove California residents from data aggregators than anyone else.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The two most common vectors hackers use are social engineering via email and incorrectly configured remote desktop protocols.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
A huge uptick. When employees work from home, all of the vulnerabilities of their home network are brought into the corporate structure. Corporate VPNs provide a ton of security unless the device connecting is compromised. Once that happens, the compromised device has full network access.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
1. Good policy always trumps good tools
– A company had a state-of-the-art email scanner but didn’t scan emails on its own domain. An employee’s password was compromised, and a hacker was able to deliver malware from the compromised email account.
2. Putting policy into practice is more important than writing policy
– An employee at a company was fully up to date on cyber training, but thought it was inconvenient to encrypt an email that contained sensitive information. His email was compromised along with the sensitive information.
3. The Basics go a long way. Generic naming of machines, phishing training, etc. would stop most attacks.
– An EVP of a major airline logged on to open Wi-Fi at an airport without a VPN. His computer name was “Exec_VP_xxxAirline”. He was targeted by hackers on the airport’s Wi-Fi because it was easy to identify him as a VIP.
4. Experts are an expensive necessity
– A major clothing company in LA hired a wildly unqualified CTO because he was cheaper than hiring a qualified one. Within 6 months they had been breached at least 4 times and suffered immeasurable harm to their brand.
5. Common sense trumps everything
– An employee received an email from his boss at 1 am saying he was in the middle of a conference call and needed him to get 2,000 dollars of iTunes gift cards for a client. The employee fell for the scam.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
– Treat everyone you meet like you would want to be treated on the worst day of your life. You never know what the angry/difficult person you see out in public might be dealing with that caused that reaction.
How can our readers further follow your work online?
Please visit our website at www.360privacy.com
This was very inspiring and informative. Thank you so much for the time you spent with this interview!