Cybersecurity Best Practices with Michael Gray

Jay Bradford: Hey, how’s it going? This is Jay and Michael here on the IT Directors podcast. Hello, powered by Clear Winds, and we have a very special guest this [00:01:00] afternoon. Michael Gray, head of all engineering, uh, at Clear Winds. Michael, how are you doing, man?

Michael Gray: Doing great. Doing great.

Michael Thomas: Yes sir.

Michael Gray: Thanks for having

Michael Thomas: Head of all things engineering. What’s your nickname around those walls at Clear Winds?

Michael Gray: I couldn’t tell you.

Michael Thomas: Goes by several, but we’ll leave that at that.

Michael Gray: Yeah.

Jay Bradford: So, what’s your role at Clear Winds? What do you do?

Michael Gray: Well, I’m over several crews. We’ve got our support team, our engineering team, structured cabling, and security operations center with various levels of training and technical skill sets throughout. It keeps us pretty busy.

Michael Thomas: Yeah. How long have you been in this industry?

Michael Gray: A little over 32 years.

Michael Thomas: Okay.

Michael Gray: Yeah.

Jay Bradford: Looks like we got the right guy, Michael, to talk about cybersecurity today. Michael’s over all the various departments. You know, cybersecurity is such a vast topic, right? It really is. People throw that around like, “You’re secure,” but in cyber, you can drill down to so many levels. Mm-hmm. So, in cybersecurity, Michael, what do you need? What are some key points to secure your network and your infrastructure?

Michael Gray: Good question. Good question.

It has definitely evolved over the years, and traditionally, the biggest thing one could focus on was a firewall, which looked focused on the perimeter. Let’s keep the wall up and keep the bad folks out.

Jay Bradford: Yeah.

Michael Gray: Times have changed drastically, so that’s no longer effective. They’ve upped their game. What we’re seeing today is quite a bit more of the human aspect of it. So, whether it’s phishing or smishing—I’ve got all kinds of these little acronyms, but it’s basically taking advantage of human nature.

Michael Thomas: When you say smishing, what is that?

Michael Gray: It’s akin to texting. They’ll send a malicious text that will lead you down a primrose path where you may download an app on your phone. And now if you have anything privileged on your device, then it’s gone.

Michael Thomas: Mm-hmm. Okay.

Michael Gray: Yeah, there are so many avenues that are being exploited today. Almost everything, but most people like these, you know, your home cameras.

Jay Bradford: — doorbell cameras.

Michael Gray: Yes. Those Rings. They’re great, but they’re also tools that we’re seeing threat actors take advantage of. Now, granted, in a home, what are they going to get? And it just depends on what you’ve got access to, but in businesses and schools, wherever you see externally exposed devices, it’s fair game. So, it is advanced where they’ve come over the years.

Michael Thomas: I’ve only been in this industry six years, so I feel we’ve kind of gone on the arc. It went from people really not thinking it’s necessary. You start to hear more and more impact. I feel like you’re at the point where most people accept that this is something I have to consider, but I still talk to a fair amount of people that think it’s bogus. What would you say to that group of people that says, “Hey, that’s not something you really need”? Why me? I’m a doctor’s office in the middle of nowhere; nobody cares about me.” I hear that kind of stuff all the time. What do you say to that part of the audience?

Michael Gray: That’s a very good question. We do hear that a lot. “That doesn’t happen. That wouldn’t happen to me.”

Michael Thomas: Mm-hmm.

Michael Gray: You know, things of that nature. Really, what we could say to that is, due to what we’ve seen personally as a company That the business nature, size, or location is all irrelevant. We’ve seen exploits against various vectors of industry. So, just make them aware that because even though you feel like you’re not known, the threat actors don’t care. They don’t care if you’re at Betty Lou’s diner with three people. If it’s an available IP address, they love to exploit it. They’re going to get in. If there are any assets or anything they can take advantage of, they will.

Jay Bradford: Michael, you brought up a good question about people that think it’s not a big deal, right?

Michael Gray: Mm-hmm.

Jay Bradford: They think it’s not a big deal until it happens to them.

Michael Gray: Yeah.

Jay Bradford: And then they call Clear Winds and they’re like, “Michael, how do we pay this $2 million ransom and get our data back?” Well, do you have cybersecurity insurance? What measures have you taken?

We’re filming this here in Birmingham, Alabama. So, in the city of Birmingham, one of my good friends is CIO. They were cyberattacked. The deeds to people’s homes, and all this data was compromised. They had cybersecurity insurance, they had firewalls, they had all these things, but it was the human element. Someone answered the email like you were talking about, and then it led to phishing, which took over the device. It took over the old Unix system.

It’s what you were talking about; no one really cares until it happens to them. It’s kind of like insurance, right? When you have flood insurance or cancer policies or whatever, you don’t think about it until you really need it. And when you’re in trouble, you really need it.

What do you say around, like, the whole cybersecurity policy and how you become compliant to that? Have you seen organizations shift into that lately in terms of wanting to become really compliant to get like cybersecurity insurance? And then platforms with clear winds and different things—what have you seen?

Michael Gray: Due to the knowledge or the realization that cybersecurity is real and that everyone’s at risk, we’re seeing more businesses try to acquire cybersecurity insurance. There’s been such a global vector and loss; you’re talking in the trillions of dollars lost in cyber that now insurance companies have become hesitant to provide insurance unless you meet such stringent requirements.

Jay Bradford: It’s tough.

Michael Gray: You’re going to have to be cybersecurity compliant. That’s driving the compliance. It used to be, “Oh yeah, you need a million dollars in cybersecurity? Sure, no problem.” Boom.

Jay Bradford: Yeah.

Michael Gray: But now, they won’t give it to you if you don’t have these certain criteria.

Jay Bradford: Yeah. I don’t know a company that has become compliant. We were trying to do it in my previous role; we had to do all these physical building things, but we still don’t qualify for the cybersecurity insurance.

Michael Thomas: Well, that’s what I was going to say. When we’re talking compliance, what are the typical boxes that you’re having to check for that?

Michael Gray: What we’re seeing a lot of people struggle with is multifactor authentication.

Michael Thomas: Mm-hmm.

Michael Gray: Multifactor. That’s it. It’s typically when we talk about authentication, it’s three methods: who you are, what you know, and what you have. So, you know who you are. Well, that’s biometrics; that’s your eye, your fingerprints, things of that nature. What you know: passwords. What you have: a token. You may have a tokenization that changes frequently. So, some factor other than just username and password.

So we’re seeing that multifactored is where a lot of people are struggling. Whether it’s allowing people to get remote access in, whether it’s email or desktop, that seems to be a major struggle.

It’s ironic because, in the cybersecurity realm, guess where the vast majority of the threats and exploits are happening from?

Humans. It’s phishing.

A phishing attack is where someone sends an email appearing to be credible, and we fall prey to it because there’s usually some urgency in it. “Hey, I need you to click here or we’re going to cut your water off. If you don’t click this, you’ve been delaying your bill.” And you’d think that people would know whether they paid their bill before they get an email. You’ll get an email from Bali or something, and if you click right here, you’ll get this inheritance. In other words, there’s not a lot of attention paid to the email, but it’s an email that appears to be legitimate. And there are hyperlinks typically on those that people can click on. It’s various methods that are used. It could be downloading software. It could be redirecting you to a website where you appear to be logging in to pay your water bill; however, you’re on a bogus website giving them your credentials. Then your credentials are exposed. That’s a phishing attack. And then if you fall prey to it, that’s usually where it’s game over. The next call you’ll be getting is from your bank, where you’ve just lost your savings or whatnot.

Jay Bradford: You brought up a great point about the human element. I think that is a lot of the cybersecurity risk. I don’t know a big cybersecurity attack where it wasn’t a human element involved. You know, I was preparing for this episode because I knew we were going to talk about cybersecurity with you. These scammers are calling old people and telling them they didn’t show up for their jury duty and they got a warrant out. Then they’ve got to pay them in Bitcoin. What county clerk’s office needs Bitcoin? Yeah. But people do it because they’re just not thinking, right?

Michael Gray: Yeah.

Jay Bradford: And so, I think that human element is hard. Mike, what do you do in terms of training end users and IT directors and organizations to correct that human element? How do you combat that with cybersecurity? What tools do you use for training?

Michael Gray: Well, to administer it first. A lot of people reject the training.

Michael Thomas: When you say “reject,” what does that mean?

Michael Gray: They say it’s not worth the money. A lot of security measures are perceived as just—as it’s already been spoken about, insurance, I don’t need insurance until I need it. And it’s just a doctor’s practice. A prime example is I can’t spend X thousands on all this stuff. You’re telling me I need endpoint detection? I need to have some training? I need to have MFA? My goodness, I’ve got patients to see. I’ve got to get these tools, this equipment. I’ve got to run a business. I can’t afford to spend money on this. That’s the typical response when we come in with security initiatives. Healthcare clinics have another measure needed here too, which is HIPAA regulations. It’s a requirement for them no matter what size they are, and a lot of them aren’t even aware that, with HIPAA, you must have some of these security measures in place. So those go hand in hand. I just picked the medical industry because that’s usually the one we see the most resistance to.

Again, it’s either “They’re not interested in me” or whatever.

Michael Thomas: Well, it’s that human element again because we’re talking about people rejecting it. I hear plenty of times as well, like, “Hey, I don’t want to have to use my phone to get into my computer.” Why are you making this so hard for me to just work?” You hear that kind of thing all the time. Well, you’re going to be in a different position if you don’t have some things in place.

Jay Bradford: Yeah. The MFA, the end users never like MFA, do they, Michael? I mean they never do. They want to just log in and roll on. They want to save their password.

Michael Thomas: I might be a little bit weird, but I turn my volume on just because I like the DUO sound. I just like that noise.

Jay Bradford: I used DUO in my previous role, and it’s a great tool, but people called me constantly wanting to bypass DUO. “Can you take me out of the DUO list? I don’t want it to be on DUO.” I’m like, “Well, you want to check your email? We have to be secure.”

PowerSchool is one of the global student information companies. They got hacked.

Michael Gray: Yeah.

Jay Bradford: I got an email. You probably did Michael. Everyone in the state of Alabama that had kids got an email: “Hey, your kid’s information has been leaked.” I was like, great, what are you? And they sent us a $10 voucher to LifeLock or something. And I’m like, well, that doesn’t do anything.

They already leaked the data; there’s nothing you can really do after it happens. What do you think about some of the dark web monitoring and some of those tools? What have you seen in that?

Michael Gray: Well, the bad news is, as you’ve already said, if it’s already out there, it’s too late. So, is it good to know it’s out there? It is, but I can almost assure you there’s nobody on this planet that does not have their social security number or their information exposed. I can almost assure you. So, while it’s neat to say, “Hey, I’m seeing you’ve got some dark web monitoring out there.” It’s probably been out there for a while. So, the information’s there. It’s just not acted upon or alerted unless somebody is doing so. “Oh, let me try to get Michael Gray again.” Then suddenly it shows back up as being active.

But the information, more than likely, is there. There have been so many breaches that have been reported. Imagine the ones that have not been.

Michael Thomas: Yeah.

Michael Gray: I mean, it’s good to know when you’re seeing some activity out there, just to be mindful that I need to make sure I’ve got good hygiene. I’m changing my passwords. I’m making sure my bank information is being recycled. I’m not leaving this stuff, and I’m not monitoring it. Just taking and looking at banking accounts. Don’t just get a statement and go, “Oh, okay, I’ve got X in there. We’re good to go.” Review it. Monitor it.

We’re so busy. We overlook a lot of those things, so just pay attention to detail.

Michael Thomas: I know we jumped forward a little bit. I’ve heard you say endpoint detection and response. What would you say are some of the basic things you need to have in place? We’ve set a firewall. I’ve heard of endpoint detection and response. What is that?

Michael Gray: Yeah.

Michael Thomas: And then what else would you say is something else you need to make sure, “Hey, these are the core things I need. At the very minimum I need these things.”

Michael Gray: We’ve already talked about human error, and there’s no technology that you can put in place to prevent that. Then we have to change our mindset and think, “Okay, it’s not ‘if,’ it’s ‘when.’” We really have to think differently, so when I fall prey to something, what kind of tools and defenses can be put in place to keep the damage minimized?

That’s where your endpoint detection and response comes into play. The traditional tools we’ve had just aren’t good enough.

Michael Thomas: Like antivirus.

Michael Gray: Like antivirus. Right. Antivirus has had heuristic-type capabilities, meaning they can learn. It’s learning things as they come in, but they’re typically signature-driven, meaning they’re going to get the master database of viruses pushed down. So, when it’s a zero day, which means it’s real-time, there’s no antivirus signature written to combat it. When a zero-day virus hits, then that’s when the difference between a traditional antivirus and the more modern Endpoint Detection and Response comes into play. So, it detects it and it acts upon it. That’s another significant difference. EDR will respond at 2:00 AM when everybody’s sleeping. You don’t have to walk in the next morning to a fire. The response is typically to take that device offline, to pull it off an MDR, and to take it a step further. So EDR is sitting there running while it’s doing its thing. But an MDR, which is where you really get your biggest bang for the buck, is where somebody’s monitoring the traffic and the logs that are coming in. Something may come in that doesn’t appear to be extremely high risk; it may be zero-day, so there’s nothing to know about it yet. So, being able to evaluate that information as it comes in is extremely critical to keeping the damage of a potential exploit minimized.

Michael Thomas: Do you have to have antivirus and EDR, or can EDR take the place of it?

Michael Gray: What you’ll find if you have both on there is sometimes they may compete with each other and actually be a detriment. The signature may be put up as false and cause a problem. We just need to have one tool.

Jay Bradford: This has been an amazing episode. We’ve covered a lot of great topics around cybersecurity. It’s a broad topic. We talked about firewalls, we’ve talked about EDRs, and we’ve talked about threat response. We’ve talked about antivirus and the human element. To close out the episode, when hackers attack your system, if you’re a Fortune 500 company or organization, they want to get your backups. So we’ve got to protect the backups. That’s part of the disaster recovery plan. Mm-hmm. And, um, so, you talked about that, and I think a lot of companies don’t do that. They don’t think about protecting their backups or encrypting them or having them offsite because if hackers attack you, the first thing they go after is your backup where you can’t restore the service because they have your data.

I think this is going to be an amazing episode for our listeners and viewers because you’ve covered such a vast topic that could be very detailed. We’re just so glad to have you on, Michael. I appreciate your time today coming into the studio, and this has been a fantastic episode for all of our listeners and viewers.

Michael Gray: Oh, absolutely. Thanks for having me. I enjoyed it.

Michael Thomas: Yes sir.

Jay Bradford: Yeah, we appreciate you. Go follow us on Instagram and X, and soon we’ll have a lot more platforms for you to follow our podcast. We appreciate you joining us today, and this is Jay and Michael; we’re signing off.