As a part of my series called “Wisdom From The Women Leading The Cybersecurity Industry”, I had the pleasure of interviewing Aliza Vigderman, an industry analyst and senior editor at digital and home security website Security.org. Previously, she worked at the Schuster Center for Investigative Journalism and received her degree in journalism from Brandeis University. Aliza is passionate about revealing the hidden dangers of technology and helping people stay safe offline and online.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in a suburb of Philadelphia and was always reading and writing from a young age. After high school, I attended college at Brandeis University, where I studied Journalism and English. I started freelance writing while still in college but didn’t get my first full-time writing position until 2018 at JAKK Media, writing for a website named Security Baron. That website eventually got acquired and became Security.org, where I work today.
Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?
One of the most influential movies for me is “The Breakfast Club.” I first watched it when I was around 11, and I absolutely loved it and watched it probably once a week for months. It resonated with me not only because it was hilarious, but also because the characters broke down each other’s barriers and got to know the person underneath the stereotype. With my dry and sometimes biting sense of humor, I often felt misunderstood as a child, so I think that’s why the story affected me so much.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
Ever since the rise of the social media giants and the subsequent data issues that have taken place, I have become aware of the issues in how these companies collect, sell and share user data. When I saw an opportunity as a cybersecurity journalist at Security Baron, which is now Security.org, I jumped at the chance and started writing about these issues professionally.
Are you working on any exciting new projects now? How do you think that will help people?
Right now the project I’m most excited about is a parents’ guide to social media, which includes original research from hundreds of parents and teens. It will help parents keep their kids’ personally identifiable information safe online as well as consider their child’s online reputations, which they often affect before their kid is an adult or in some cases, even before they’re born.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?
- Account takeover market: Account takeover is an increasingly big problem; our research shows that the average losses from takeovers of financial accounts are almost 12,000 dollars per person. Plus, from 2019 to 2020, there was a 250 percent increase in the account takeover market, so this is an area I expect to see even more growth in in 2021. Read more of our research on the account takeover market here: https://www.security.org/digital-safety/account-takeover-annual-report/
- Personal antivirus software: 91 percent of U.S. adults are aware of antivirus software, according to our original research, and currently, the industry sits at 1.8 billion dollars a year. I think this industry is going to grow even more in the coming year; from 2018 to February of 2021, the increase in Google searches for “best antivirus software” increased by nearly 270 percent, so I’m looking forward to more people protecting their personal devices with antivirus software. More info here: https://www.security.org/antivirus/antivirus-consumer-report-annual/
- Increase in COVID-related scams: While I’m not thrilled that people are falling for COVID-related scams, I am glad that there has been more awareness of the FTC’s spike in reported scams, as the median loss was 300 dollars as of September 2020. As more information comes out about specific scams, people are better able to protect themselves. See my research here: https://www.security.org/digital-safety/covid-scams/
What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?
- Data privacy: Obviously, large tech companies offer free services in exchange for a ton of our personal data. As more free and useful websites and apps are created, more of our data is used for targeted advertising. To address these concerns, more people should be made aware of VPNs, which hide your IP address and web activity when you surf online.
- Remote work: Given the rise of remote work due to the COVID-19 pandemic, many employees are using personal devices to handle potentially sensitive business information. My concern is that there will be hacks and/or data breaches that will compromise both customer information and the employee’s position with the company. The solution is to either provide devices for workers preloaded with antivirus software, VPNs, encrypted storage, and the like or to add these services onto employees’ personal devices.
- Cryptocurrency: The promise of cryptocurrency was a decentralized currency that didn’t need to be stored in a bank, but storing currency yourself comes with a host of cybersecurity issues, like lost passwords. I’m hoping that more people will learn how to store their Bitcoin securely and ensure that they don’t get locked out.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?
Account takeover is one area that I think companies need to start preparing. Currently, over two in 10 U.S. adults have been victim to account takeovers, with average losses of, as I said earlier, almost 12,000 dollars. Worse, 58 percent of these incidents occurred in the past year, which shows that it’s a growing threat. Companies need to start preparing by implementing password managers with advanced authentication to all work-related accounts.
Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I have never helped fix or stop a cybersecurity breach, as I’m on the journalism side of the industry.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
- VPNs: I use VPNs whenever I’m on public Wi-Fi networks to reduce my susceptibility to hacking. VPNs hide my web traffic and my device’s private IP address so that I’m the only one who can see my online activity.
- Antivirus software: All of my devices, save for my iPhone which doesn’t require it, have antivirus software to protect against viruses, malware, ransomware, spyware, adware, and other cyber threats.
- Identity theft protection services: I also use an identity theft protection service to prevent identity theft. This software automatically monitors several credit, financial and criminal areas for my personally identifiable information. It also includes identity theft insurance.
- Password manager: I truly don’t know what I would do without my password manager. It stores all of my usernames and passwords in an encrypted vault, so instead of having to sign in manually, I just use Touch ID on my phone or enter the same master password on my computer. It also generates strong passwords for me and did a password audit, telling me which ones were old, weak, or repeated.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?
Yes, here are three signs that you may have been hacked:
- There are purchases on your credit card or bank account that you don’t recognize.
- Your computer or phone is running much slower than usual.
- Your email contacts tell you that they’ve received odd emails from your account, or you notice messages in your sent folder that you haven’t sent.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
- First, fix the vulnerabilities to prevent further data loss.
- Secure the physical area of your work devices and change all of your access codes.
- If your website was vandalized, get it back to normal and remove any wrong or malicious information.
- Talk to the people that discovered the breach to figure out its causes.
- Keep all evidence.
- Notify any customers or agencies that were affected, following your state’s data breach notification laws, which I outlined here: https://www.security.org/identity-theft/what-is-a-data-breach/
What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?
- Not securing employee-owned devices used for work purposes: Many remote employees use their personal devices for work tasks, which is fine if they have the proper cybersecurity software installed. However, in the scramble of abrupt remote work transitions due to COVID-19, this step has been skipped. However, employers can easily fix this issue digitally by giving employees credentials for online accounts and apps that they can download from either company websites or app stores. At the very least, all of the devices should have antivirus software.
- Not implementing any password hygiene rules: Many employees use the same password, or a variation of the same password, for multiple work-related accounts. Additionally, our research has found that nearly half of Americans use passwords that are eight characters or less, which makes account takeover much easier for hackers. Employers should have employees use password managers for all work-related accounts. The password manager will perform an audit, ensuring that all passwords are complex and unique, and will store all of this information in an encrypted vault. Another option is to use Security.org’s secure password generation: https://www.security.org/how-secure-is-my-password/. Learn more about America’s password habits here: https://www.security.org/resources/online-password-strategies/
- Not telling employees how to recognize phishing emails: Inexperienced employees cause most data breaches, and phishing is one of the most common ways that hackers can access accounts. Teach employees how to recognize and avoid clicking on phishing emails, texts, and websites.
Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?
As of the most recent 2020 U.S. census data, women make up almost half of the workforce but only 27 percent of STEM workers. While I’m happy that there have been increases in women working STEM jobs (women only made up eight percent of STEM workers in 1970), we still have a long way to go before they are equally represented (Source: https://www.census.gov/library/stories/2021/01/women-making-gains-in-stem-occupations-but-still-underrepresented.html). I think we need to encourage girls who are interested in STEM to pursue it from a young age and do away with the notion that girls aren’t good at math and science. Girls should also be encouraged to do special programs and workshops surrounding STEM that demonstrate the opportunities available; the Girl Scouts, for example, have added such content to their repertoire. Also, more STEM workers need to mentor young women through internships; there should be a push, from the internship level, to hire equal numbers of men and women. By starting at the bottom of the funnel, we can strive towards equal gender outcomes in STEM.
What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?
I think there’s a myth that all cybersecurity-related jobs require hard skills in STEM such as software engineering. However, you can work in the industry in a bunch of different ways; for example, I’m a cybersecurity journalist with a background in investigative journalism. There are also sales, marketing, and legal jobs within the cybersecurity industry.
Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)
- Divide and conquer: It’s important to delegate tasks and to trust that people are capable of doing the work. I delegate busy work, like adding “frequently asked questions” to our product reviews, while I take the more varied, interesting work for myself, like investigative pieces.
- Be flexible: Working with a bunch of freelance writers, I have to be sensitive to their schedules. If someone is having trouble making due dates, rather than throw them out the door, I ask what schedule they can make so that we can maintain a relationship that works for both of us.
- Consider the source: As a journalist, I am always looking for primary sources of information. Whenever I’m looking up statistics, say VPN statistics, for example, there are always a bunch of sites with many statistics listed, but no primary sources, so it’s impossible to verify the information. Rather than simply copying from other tech websites, I find the original source of the information, which is typically a university, government agency, nonprofit organization, or market research organization.
- Be timely: In journalism, it’s always important to make sure that the information you’re using is current, especially while reporting about something as volatile as the cybersecurity industry. I try to only use third-party sources from the last couple of years, and if there are no recent data available, I create original research.
- Stay positive: In doing multiple rounds of edits with freelancers, seeing the same mistakes repeated over and over can get frustrating. But while I may be frustrated on the inside, I keep it positive and upbeat with the freelancers; if I’m too negative, it will make them stressed, which will only result in more mistakes. Rather, I try to give corrections in a somewhat casual and positive manner to make them want to improve rather than discouraging them.
We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why?
I would like to have a private meal with a journalist named Jesse Singal; he does a really interesting podcast called “Blocked and Reported” about the internet and recently wrote a book called “The Quick Fix” about pop psychology. I would love to discuss internet culture with him, a topic I’m very interested in.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!