As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Benjamin Stotts, Vice President of Program Management at LegalShield. He leads the Product Development Team for IDShield — an industry-leading privacy and reputation management solution. Previously at Capital One, Ben has more than 15 years of experience working in technology management and IT strategy. He graduated from Texas A&M with a B.S. in chemical engineering and holds an MBA from Southern Methodist University and an M.S. in computer science from Texas State University.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
My dad was in the Air Force, so my sisters and I spent most of our childhood adjusting to new places to live. He was a Navigator and then moved into the realm of Electronic Warfare. He had a big influence on my life, and as Cyber Security became the standard phrasing, I started thinking deeper about Computer Science. My Mom is a Family Nurse Practitioner and sacrificed a lot of her career advancement to take care of us kids. We are a close-knit family.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I would love to be one of those people who have an origin story, but in reality, I had friends who were working in the cyber world for the Department of Defense and thought there was an opportunity to help change the industry through real-time prevention techniques leveraging artificial intelligence.
Can you share the most interesting story that happened to you since you began this fascinating career?
Just recently, my wife and I were victims of a SIM Swap attack. Someone in New Jersey walked into a 3rd party cellular company and switched my phone number to their device. I share this story to prove two things:
1 — The psychological impact this had on my wife was huge. We determined what had happened very quickly and were able to prevent any financial impact BUT the emotional impact was taxing.
2 — Everyone is vulnerable no matter the technology we use to help thwart such evil people. Yet, the more vigilant we are, the smaller the blast radius.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
There are many people I have had the joy of being associated with over my career to date. All of them brought something unique that I learned from. Perhaps the most impactful thing I learned from someone came while I was at Capital One. My mentor there and I were discussing an issue I was having gaining alignment on an initiative that was better, more efficient and more impactful than what was being considered. I was exasperated by the fact that the committee wouldn’t admit it was the “right” approach. He said to me “Being right is a great place to start, but it isn’t the end.” That simple phrase changed my entire approach to leadership. It isn’t about being right…it’s about coming to the solution together.
Are you working on any exciting new projects now? How do you think that will help people?
I am working on experiences for real-time facilitated cyber prevention. Rather than focus on the remediation part of the domain, we are focusing on helping people change behaviors in real-time. This could make it so that the threat landscape for personal attacks becomes smaller.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Cybersecurity is a very psychologically impactful domain. The beneficiaries of our work will live happier lives because we are taking care of them. Never forget the people who benefit from what we do…and take a vacation from time-to-time.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
Cybersecurity never gets dull because bad guys are always concocting new ways to steal from you and hurt you. That is both terrible and interesting. As such, my three things are:
- The opportunity to thwart bad-guy machinations means I am never without something interesting to work on
- As Machine Learning continues to evolve, I am excited about how it can be matured to help humans defend themselves from bad actors.
- Our ability to help people practice better real-time risk avoidance techniques will make it much more complicated to leave an exploitable footprint.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
We live in a connected world. Deliberate social engineering attacks against companies, people and 3rd parties will become much more complicated with time.
Consider that while you might be able to stop yourself from posting an image of your vacation, you could end up being posted in someone else’s photo on that same vacation without your knowledge.
Given face recognition advancement and other spheres of influence technologies, social attackers could learn a great deal about you even when you practice safer security standards! As such, the availability of information in the wild will drive a threat landscape that can be exploited through Artificial Intelligent facilitations and basic research.
Additionally, and this is not a deep concept, but the more popular a service, the more target-rich the environment. As such, as vulnerabilities against certain Cloud providers become available, companies will need a multi-cloud strategy.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I once had a client who had a data breach due to a successful phishing attack. The attackers were able to find the payroll system and reset employee passwords through the “forgot password” option. Once they received the new password, they started siphoning money out of the system and into new bank accounts. They were able to carry out this same attack against multiple employees. While the amount stolen was not huge, the effects of losing payroll for the impacted people were huge! I became involved after the attack and helped the team redesign their security so this could not happen again. The main takeaway is that the CEO of the company was not concerned with security before this happened. A little investment in prevention would have saved him both financially and in reputation.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
To be honest, I don’t use these tools anymore. My career turned to focus on Identity Theft Protection, Privacy Management and Reputation Management. When I was involved, I used a few like EnCase, Wireshark, Nmap, Snort and Nessus. I used the EnCase forensics tool. When we would go to a business after an attack, we would use EnCase to pull data off the hard drives for analysis. Wireshark is a network analyzer. It can dissect packets of data flowing through the network and provides detailed information about each packet. I would use it to sniff packets on open networks and see what I could find. Nmap is a strong penetration testing tool. Leveraging it I could find open ports, services and OS specific information. Snort is a great tool for preventing intrusions in a network. It performs live traffic analysis and can determine incoming packets for port scans, worms and other behaviors. Nessus is a vulnerability scanner. It is pretty great because it tells you not only what is open but how it can be exploited!
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Honestly, the size of the team is not as important as how seriously you take the risk. Knowing your risks and the sensitivity of your data should inform you about how much impact a breach or cyber-attack could have on you. For example, a cash-based business shouldn’t need a sophisticated cyber strategy, yet this does not mean you shouldn’t consider a strategy. For example, knowing that you are still vulnerable to SIM Swaps and social engineering attacks means you should have a plan when something goes wrong. As such, I think the first step is to understand your data, your business patterns and your dependency on technology. Then, analyze your risk if something goes wrong. If an off-the-shelf solution can resolve what you uncovered in your analysis, then you should leverage those until your analysis changes. If you don’t think you are covered, consult an expert.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Most of my recommendations follow a pattern of “not what I expected”. Meaning, things like odd text messages or charges of a dollar can be an attempt to see if what a bad actor has is working. Be aware that this is not noise and should be considered! Any change to your normal billing and/or deposits is something that should not be accepted as normal fluctuation. An increase in the number of erroneous calls, solicitous calls and emails and other touchpoints are not innocent until proven so.
Lastly, social media is an awesome vector for bad actors to exploit. Don’t blindly accept new requests, and an increase in the attempts to friend you may be an indication your data has been leaked somewhere. Be vigilant and curious!
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
In my experience, the best thing to do is to follow this checklist:
- Verify that the breach is real and determine the type (leaked data on your website, hack, insider, etc.)
- Assemble a team of experts including data forensics, legal and DevOps
- Take affected equipment offline as fast as possible
- Remove leaked data from identified websites
- Interview people who discovered the breach
- Keep all evidence you can! Never delete evidence!
- If required, notify affected parties
It is important to know that many of these things should be conducted in parallel as you need to move quickly.
At heart, I am an Artificial Intelligence advocate and data drives the success of these technologies. Without it, modeling is much more complicated!
Also, many companies see these laws as complications to their business. For example, many companies use this data to improve their products, change their experiences and create new opportunities. As such, while I agree that not having a wealth of data about your customers can make evolving your business a challenge, the right of customers to protect themselves must always be paramount. In the future, patterns of use will emerge that in aggregate will provide the necessary line of sight to new experiences. Also, necessity breeds innovation and I feel the market will respond to these laws in new and exciting ways. As such, I don’t think these laws hinder a company’s ability to thrive, it provides an outlet for the most consumer-focused companies to take care of their customers in novel ways.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The most common mistake is the lack of a cyber strategy. Many companies believe that they are too small, or not well known enough to warrant the time it takes to understand the basest of responses. The second is a lack of training and discussion around the topic. Lastly, storing data and transmitting data in the clear. Encryption is so common today that not encrypting at rest and in transit is almost a cardinal sin.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
We haven’t noticed any increases in the Identity Theft, Privacy and Reputation spaces. There is always a constant flood of attempts, and COVID has not spawned any blips in volume or efficacy that we have noticed.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
My advice is more for small businesses without a CISO and/or dedicated security staff.
1 — Have a cyber strategy. Every company and person is a target and can be taken advantage of. Having a strategy will help mitigate the risks when something happens.
2 — Identify people in your organization that have the right attention to detail and interest to be your dedicated authorities for your business.
3 — Mobile attacks are continuously increasing. Rather than have 2-factor send challenges to your phone via text message, use a proper multi-factor tool like Google Authenticator.
4 — Social engineering is the easiest way for a bad actor to get into your systems. Be very cautious and suspicious of sharing your data and opening attachments.
5 — Have an antivirus tool and an anti-malware tool on your systems and keep them up to date. They can’t find everything, but they help tremendously. Also, just because you have these tools does not mean you can relax and not be vigilant.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
The most important thing is to change the way our country enforces the protection of our citizens. Make your voice be heard and tell your elected officials that responsible data and security practices are not negotiable! CCPA and GDPR are steps in the right direction, but we can do much more!
How can our readers further follow your work online?
I work for LegalShield. Our Identity Theft Protection Product, Privacy Management Product and Reputation Management Product are world-class platforms I am proud to offer! Also, I am available on LinkedIn and at other speaking events.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!