This post was written for the GoodSense blog. I have posted it here also, to spread awareness of the mission.
As a 20-plus-year practitioner in the information security industry, I was keenly aware of the threats facing individuals and organizations. On the eve of the pandemic, I became involved in a ransomware case affecting a large organization. Navigating the case, I saw how many things needed to be fixed in the response process. Regardless, we succeeded in closing the case, with mutual agreement from the organization and the threat actor. GroupSense, a Digital Risk Protection company of which I am a founder, became a go-to for ransomware cases for the cyber insurance and cyber breach law practices. Initially, because of the aforementioned channel, the profile of the clients we serviced was typically large enterprises, brand names, big targets. It was some time later that we added the ransomware offering to the GroupSense website. After doing so, the profile of the clients expanded to include… well… everyone else. Suddenly, we were servicing large enterprises, mid-size construction companies, healthcare, the food industry, software companies, all the way down to print shops, microbreweries, law firms and similar. Some of these victims were so small that I couldn’t bear to charge them our fees, opting to work pro bono in exchange for a free beer (I am a wine guy) or some legal advice.
I quickly realized that we were dealing with a digital pandemic that was affecting the large companies, yes, but was hitting main street USA even harder. When I worked a case for a large company, I was Zoomed in or jumped on a Cisco Telepresence. There were executives, lawyers, finance people, and law enforcement involved. Of course, it was emotional and intense, but it was a business setting, a transaction. When I worked a main street USA case, it was Mary or Joe. They built this business up themselves or through generations. They had 15, 25, 40 employees that were not going to get payroll on Monday if we didn’t resolve this quickly. They may go out of business, bankruptcy, life-impacting stuff. Those circumstances were very emotional - I realized the digital pandemic was more “deadly” to these people than to our Fortune 1000 clients.
When working any case, we take inventory of how the threat actors gained access to the victim systems and networks. We get this information a couple of ways. On the large victim cases, the victim is engaging an incident response firm, and that firm produces a report explaining how the breach occurred. We also negotiate with the threat actors in every case to provide us with a “report” on how they gained access. They often do, and sometimes this report is comprehensive. All this said, the evidence suggests that the attacks employed on victims, large and small, are not sophisticated. They are most often the result of poor cyber hygiene, sometimes falling short on the simplest of security measures. In short, this is preventable.
I found the narrative coming out of Washington naive and short-sighted. First, if you are a hammer… The idea of dismantling threat actor capabilities by attacking their infrastructure seems unlikely to yield long-term results. The actor groups are operating in countries where they are afforded some amnesty (yes, I am aware of the REvil arrests, and I find them dubious at best), and there is no US authority or extradition. Plus, the cloud makes rebuilding and scaling infrastructure almost instantaneous. Further, the idea of policing ransom payments, or making them illegal or selectively permitted, will not drive the intended behavior, which is stopping payments. It will only drive the behavior underground. You see, as a small business operator, faced with the choice of missing payroll, going out of business, or paying an illegal ransom through anonymous means, you are likely to choose the latter.
I had the opportunity to speak with folks involved in federal policy: think tanks, staffers, and feds. In one case, a round table, I noted that when discussing policy the focus remained on the large enterprise and critical infrastructure. I made it clear that those victims only represented a small number of the total victim population. I was adamant that we needed to think inclusively about main street. The argument was made that our primary focus should remain on critical infrastructure. I argued, and I believe this strongly, that main street and small-to-medium businesses are, collectively, critical infrastructure. They make up nearly half of the US economy and generate the majority of the jobs.
On my business trips, I began volunteering at associations, chambers of commerce, universities, tech centers; anywhere that would let me talk to small businesses and tell them the story, the why, and then give them the basic cyber hygiene knowledge to reduce their risk measurably. This yielded mixed results, but generally the feedback was positive. Over the course of a year I iterated on the content and developed some training materials that helped me better convey the changes needed. This approach has picked up momentum, and I have begun receiving inbound requests for the training.
One challenge I noted was that, despite the simple steps required to make these changes, some small businesses still struggled. Further, I saw a need to identify whether a small company was already compromised. I looked at a few models: working with MSPs and local IT operators, and working with universities. We are currently testing both of these models and see real promise with a syndicated university/education-supported program. There will be another blog entry on this program, but it solves multiple issues around cyber attack detection and prevention, and makes a meaningful impact on the cyber skills gap problem. I am excited. Further, I have commitment from some of the brightest minds and leaders in the cyber community backing me up on this.
In order to foster these programs, and make a scalable impact, we are forming GoodSense. Our mission is simple: to provide education and services that assist in reducing technology adoption risk for individuals, small businesses, education, and municipalities. Technology, more than ever, is critical to success and competitiveness in life and in business. But technology is changing so rapidly that it is unreasonable to expect individuals and small organizations to understand and mitigate the risk associated with the use of that technology. That is why we are here. We are GoodSense, and we will protect US critical infrastructure, starting now.