Do Not Pay Ransomware & Other Security Tips

Unsecurity Podcast

Less than one short week after Evan and Brad discussed the Riviera Beach, FL ransomware attack, another Florida city has paid off attackers in a ransomware scheme (do not pay ransomware)! In episode 34, Evan and Brad take a look at what we can do about civic ransomware, and how what we’ve learned about these cities applies to schools as well.

Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and remain legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Evan Francen: Hi everyone. This is Evan Francen, your host for episode 34 of the Unsecurity podcast. Joining me is my right hand man Brad Nigh. Good afternoon, Brad.

[00:00:32] Brad Nigh: Good afternoon Evan. How are you? Uh, tired. I’m ready for the weekend.

[00:00:37] Evan Francen: I know you and me both. So if you’re paying attention to the opening, you might have heard the word afternoon and not morning. We normally record these on Monday mornings. Right? It’s Friday afternoon.

[00:00:49] Brad Nigh: It’s bright. It’s light out. It’s weird. Just laid out. There’s some people here. There’s

[00:00:54] Evan Francen: people here. All right. Uh, And because we’re not going to be here on Monday next week is July four. It’s the birthday of America. God Bless America. There was a moment of silence there. All right. All right. So the, uh, this friday afternoon, um, you’re supposed to dispute from wisdom according to the show notes. Do you have any wisdom to spew

[00:01:17] Brad Nigh: quick? Getting no, no wisdom dispute. I’m going to save my fiery later held this up

[00:01:27] Evan Francen: later on this. Uh

[00:01:28] Brad Nigh: huh. Riled up fitness. I don’t know I’m making up words now. Well,

[00:01:33] Evan Francen: Fridays are interesting days because especially at the end of the quarter. Right? This is the last day of the quarter. Just walking in. You know, I heard the sales people were celebrating another client and you know, it’s that kind of that kind of day. So, uh, we could share our vacation plans, but that would be against best practice. I can share

[00:01:54] Brad Nigh: mine. I’m gonna be working tonight. Hard

[00:01:56] Evan Francen: incident response.

[00:01:58] Brad Nigh: Yeah, I’m gonna

[00:01:59] Evan Francen: get my wife’s thrilled. Yeah, I bet she is. I’m gonna get some writing in. That’s nice. Killing bugs is what I call it.

[00:02:07] Brad Nigh: Bring floss.

[00:02:08] Evan Francen: Yeah, you can tell a happy bike rider right by the how many bugs they have in their teeth. All right. So you’re supposed to ask you some more wisdom and then, uh, then we’re moving right in. So a couple of weeks ago, uh, you know, I brought up, we talked about Asco, the Belgian airport Air part aircraft parts manufacturer, Uh, got hit by ransomware. Right. We had a good discussion about that. That was episode 32. Um, and we were sort of asked to talk about that by one of our listeners, you know, and the uh, it was a great suggestion. It was and it was a good talk. So then last week, you know, between then and the next week, we we see additional ransomware attacks. And one of them that sort of caught my attention was the Riviera Beach ransomware attack. And that one really twisted my, what do you what do you call it, torque, torque, those twisted. I was mad picked ticked off. Yeah, because Riviera Beach voted to pay the ransom. Now they were hit with their ransomware on May 29, June 20 is when they voted unanimously unanimously to pay the ransom. Right? And we talked about that and how that that also. Well, like I said, it ticks me off. Um, and so we wrote it, one of the things we talked about after that breach was how we were going to go talk to our cities, right? I live in the city of Laconia. You live in the city of Victoria. And so I wrote a blog post, uh, after that and essentially gave a letter template. Right? This is this is the letter that I sent. Um, and I wanted, uh, you know, the important part about all this is to be courteous to be kind. But I, but I as a citizen, I should, I have a right to know how you’re protecting this data so that I don’t have to pay.

[00:04:06] Brad Nigh: I think it’s kind of like to fold right? As a citizen Hey, what are we? Where are the protections? And then as a security professional to alert them. Hey, were you aware? Yeah,

[00:04:16] Evan Francen: this is going on. And even offering some help. Right? If you need some help, I can help, you will do whatever charge you. I mean, it’s my city. That’s where I live.

[00:04:25] Brad Nigh: It’s cheaper to help them than have them pay a ransom. Right?

[00:04:29] Evan Francen: Well, until the city of Riviera Beach, uh, you know, they paid the ransom. But you know, then they claim that, well the only, uh, They only had to pay the deductible, $10,000 deductible. It’s like, Okay, you’re, yeah, you’re totally missing the point because That’s $600,000 of the Attackers have that they can reinvest. And plus the fact that we’re all gonna end up paying right in the long run. Right? So that was that. So I wrote that blog post. Um, and really, the point is, you’re not powerless anybody. You don’t have to be a security person to inquire. You know, if you go to my blog Evan Francen dot com, you’ll see there’s a blog post there. Uh, it’s called ask questions, get answers. Hopefully, Hopefully. Exactly. Uh, and there it’s, uh, there’s some tips on, you know, how to reach out to your local government, city and county. Now, I think, affecting things at the state level, affecting things at the federal level. We are sort of powerless to that, right? I mean, it’s not close enough to us where we can really affect too much change as an individual, but I think

[00:05:40] Brad Nigh: it starts rolling up.

[00:05:41] Evan Francen: It should, right? I mean, that’s the, that’s the point because I know every time I read about one of these breaches, I hear lots of people complain about it. Lots of people, you know, and I hate, people don’t like the word, but a lot of people bitch about it. But few people do anything, right. Right? So this was a blog post to get you to do something. So we discussed reaching out to our local government officials. In the last episode, I gave instructions in that blog post, including that email template. Some people, it was cool to see it actually reached out to their local governments and told us about it.

[00:06:18] Brad Nigh: Yeah, we started getting feedback. Yeah.

[00:06:20] Evan Francen: Uh, and even today I was talking to are, what’s Peter’s

[00:06:26] Brad Nigh: job title? That’s a great question. Uh, something Director of operations and something.

[00:06:33] Evan Francen: Yeah, he directs something. Uh, and so I asked him, where do you live? And he’s like, well Eden prairie. And I’m like, did you email in prairie? Well, no, we’ll get on it. Right. I mean, come on. Why do we part of my frustration And part of this episode is I wonder how much people really want to be secure. I mean, you know, we like to complain. We like to play the victim, but how many of us actually care to do something

[00:07:02] Brad Nigh: about? Yeah. I mean even as simple as emailing uniform, right? You just have to fill in the blanks and send it.

[00:07:10] Evan Francen: Yeah. I mean, I don’t know how to make it any easier, right? For people. And so, um, so the good the good was we did get some people who did email their cities and we got some of them got good response is one in particular was the city of Startle gave a great response. Awesome. Yeah, I reviewed it and I was like, man dead on, that’s awesome. So then you know, the person who emails, who had emailed the city gets reassurance that yes, my city is doing the right thing. I can feel proud of that other cities. Like I emailed my city and have yet to receive a response. Did you get a response to yours?

[00:07:51] Brad Nigh: I did. I got a response that day to, hey, I live in the same neighborhood. Stop. I will talk. Okay, so you can do that. I just haven’t had time. Well you got a response that you’re working on. But yeah, we, I got a response right away and it was, it was a good answer. You know, it’s like, I think this is more complex than just simply an email response. I’d love to sit and talk with you about it.

[00:08:12] Evan Francen: Yeah. Hey, that’s awesome. It is awesome because it starts with that dialogue rather than burying our heads in the sand and just hoping that we’re not going to be the next city or the next company, Right. They get hit with ransomware. We’re actually going to have a discussion about

[00:08:25] Brad Nigh: it. And honestly, I mean I wouldn’t be thrilled if they have nothing but the fact that it wasn’t like ignored and we’ll see how it goes, but if they have nothing and hey, we don’t have anything, but what should we be doing? That’s a win, right? Right. We’re going the right direction. We’ve got that dialogue going.

[00:08:44] Evan Francen: And I think to your point, I mean having the discussion is a win. Um, and if it’s bad, well then now, you know, it’s bad. Now we can start our discussion there and actually work on putting something in place if it’s great. Well then great. We just confirmed it, you know, and I can sleep a little bit easier at night knowing that my city actually takes information security seriously. And many of these things. So the frustration with ransomware in particular is No matter what I do, it’s not 100, I can’t 100% protect myself from getting infected. Getting hit with ransomware But I can 100% protect my self from having to pay correct the ransomware. That’s the frustration. It’s a sure thing. If you take the right steps, you can 100% guarantee you’re not going to have to pay the ransom.

[00:09:33] Brad Nigh: Right? There might be some lost data. Sure, but it’s better than paying 600, whatever, 100 thousands of dollars.

[00:09:43] Evan Francen: Right? And so you can talk about like the city of Baltimore, They got hit, they didn’t pay the ransom. And now what’s the bill? 12 million, something like

[00:09:52] Brad Nigh: That? 12 – 18 somewhere in there.

[00:09:54] Evan Francen: Yeah, So they’re gonna, they’re paying a ton of money. So they didn’t prepare obviously. Yeah, I mean you didn’t prepare. Well, you might have had some things in place. But overall it shouldn’t should not have cost you $12 million dollars to have to recover from a ransomware attack. So the theory is if you reach out to your city and they’re not doing the things that they should do that we can help. And when I say we, I mean the community, I don’t say, I’m not saying FRSecure, I’m not saying SecurityStudio, I’m saying we Can give them some good advice. You know, I created this ransomware readiness assessment back in 2017 that we used at a bank for, I forgot that I created it and I even posted that on the blog. Right. Start

[00:10:38] Brad Nigh: there. That the crest Yeah, tool. I mean those are good, good tools, Right?

[00:10:47] Evan Francen: They don’t cost you a dime. No. So if I’m the city, there’s incent, there’s nothing, there’s, it’s a no loss situation I guess to respond. So if you get, if you get, I guess they call the action in this podcast and they called the action on the blog is to email your city. Ask them how they’re protecting the city from ransomware. Yeah. And not doing that. Not participating. That’s the part. I’m struggling with people that decide that they’re not going to do something and instead they just complain or are they just going to play the victim and just, they don’t care.

[00:11:26] Brad Nigh: Yeah. Yeah, That’s a good question. People don’t want to ruffle feathers and they’re like, well, so jumping ahead a little bit like the Lake city. right? Like I never like this would happen to us were small. How many people have that thought process? It doesn’t matter. Right?

[00:11:45] Evan Francen: Yeah. When I read that one and that that was the mayor, right? The mayor said, Yeah. I just never thought, I mean, not my wildest dreams. Did I ever think that this would happen to us? Right? Everybody thinks that

[00:11:58] Brad Nigh: they’re going to go after the big fish? No, they’re going to go after the easy targets to

[00:12:02] Evan Francen: go after. Yeah, anybody. They don’t discriminate.

[00:12:05] Brad Nigh: No, no. And the bigger places have all the kind of the easy, low hanging fruit typically buttoned up. So what are they looking for? Those low hanging fruit? Yeah. And it’s the people go, I don’t, we don’t need that. There were not a target. So we’re not going to do these fundamental things. And Mhm.

[00:12:25] Evan Francen: Guess what? Right. And these things, it’s funny because backups aren’t anything new. Are they

[00:12:31] Brad Nigh: back

[00:12:32] Evan Francen: up? You know, we’ve been preaching backup since forever, Right? It used to be to protect yourself against, you know, hardware that was flaky, you know, hard drives were expensive and, you know, stuff like that. But now, I mean, it’s the same. But it’s the same protection,

[00:12:46] Brad Nigh: right? Right buys you that assurance that if something happens regardless of what it is you’re gonna be able to recover,

[00:12:54] Evan Francen: Right? So you have that backup. You adequately protect that back up. We used to do it physically. We used to do it on tape and we start the tape far enough distance away so that a natural disaster that hit the main site wouldn’t affect your tapes. Same sort of thing applies. Just an illogical,

[00:13:11] Brad Nigh: you know, it’s a virtual tape library now. Same thing. Just

[00:13:15] Evan Francen: yeah, it’s gotta be. Yeah. Right. So anyway, so you mentioned the Salt Lake, I’m sorry, not the Salt Lake, the Lake City, Florida. They voted also to pay ransom. Yeah. Uh And there was a so I wrote another blog post. Right? So I did some blogging this week just because it really frustrates me when there’s something that’s so obvious that we can address yet. We don’t uh And I still wonder and I don’t know, we don’t have the data but how many cities are still, you know prone to this because they are under attack Attackers know just as well as we do if not more that hey, cities are pretty easy target. Let’s keep going after cities

[00:13:59] Brad Nigh: they’re underfunded. They don’t have the resources. Yeah, but they have all the sensitive information.

[00:14:05] Evan Francen: Well right. And they don’t need the resources. Right? That’s the crazy. You know, you just don’t need a lot of resources. So yeah, the quote of the day from that breach the are from that ransomware which you know is a breach the Lake City, Florida. The mayor Stephen wet, you know, God bless him. Uh He says I would have, I would have never dreamed this could have happened, especially in a small town like this Now a small town put that into context. It’s about 12,000 residents. So not that small balcony is about that size. What size is your city

[00:14:40] Brad Nigh: a little bit smaller? Seven or 8000.

[00:14:43] Evan Francen: Yeah. So the fact that he could have never dreamed it’s like, are you not? I don’t know. That’s more of a, I guess I kind of view that more as a failure on our part because somehow we haven’t reached him somehow we haven’t gotten the message out. So therefore even more reason to send an email and inquire about these things. Uh huh.

[00:15:05] Brad Nigh: Yeah. I liked your, your points on their well

[00:15:11] Evan Francen: on that starts here. Yeah. Yeah. And it’s not hard. It’s really not. And and we need people like it doesn’t mean the same thing. If I email Minneapolis,

[00:15:23] Brad Nigh: I don’t live there,

[00:15:25] Evan Francen: right. I’m not a resident of Minneapolis. So you know, it means a lot more to city officials when it comes from a resident that they actually answer to. So in the second. So then that led to another blog post. Like I said in that blog post on Evan Francen dot com is called to action. Do something about civic ransomware. Now highlight the point again and then I say, you know, do something start here and here’s the, here’s what I’m asking you to do. So listeners, this is what I’m asking you to do. And I think it’s all reasonable because it’s, it’s your city. It’s your tax dollars. It’s not mine. Uh, so asking to do these things because it’s like, it’s almost like a civic duty unless you like criminals stealing your money. Is that what we’re at now? Are we like this? Yeah. So I had to take my money. I

[00:16:15] Brad Nigh: understand because it’s, insurance is gonna cover

[00:16:19] Evan Francen: it. That’s what, you know, and that’s why I struggled so much to get just get my head around like the logic because there isn’t it. So anyway, here’s the things that I’m asking you to do one. If you haven’t emailed your city or county government officials enquiring about ransomware readiness. Please do it. Yeah. And I give you an email template that you can use or use your own. You don’t have to use mine. But just email them, ask do it in a and then the next, if you have emailed your city and our county government officials, but haven’t received a response in a few days email again, that’s exactly what I plan on doing. Uh, Now I, I emailed the city administrator. Uh, you emailed the mayor. You got a response. Maybe my next email will just be to the mayor. It’s not a big deal. And it’s not to throw the city administrator under the bus. I just need an answer. So I can help. So be not, I guess tenacious, but in a good way, right? Stay persistent, persistent. There you go, determined. Uh, and if you emailed your city or county government officials, uh, and have received a response, uh, we’d love to see it. What I would suggest you don’t do is publicize the response. You don’t wanna, you know, post it on a website somewhere. But if you feel comfortable sharing it with us at the Unsecurity podcast, you know, share with us at unsecurity at proton mail dot com, we won’t out you we won’t out the city. We won’t out anything. It just be interesting to see what the responses are that are coming. So we can get more of a feel of what’s actually happening on the city level, on the county level with uh, with this stuff. Um, so those are the things I’m asking you to do and no matter what you do, these are the simple rules. And again, this is all on the blog. Always be courteous. Uh always be respectful always or do help if you can and remember the goal.
We’re trying to help and we’re trying to prevent more occurrences of Atlanta Baltimore, Riviera Beach Lake City, you name it. We’re trying to help. Right? This is this is a problem.

[00:18:20] Brad Nigh: It’s only gonna get worse. It

[00:18:22] Evan Francen: really is man. I’m God. Anyway, uh, do ask questions, ask us questions if you have questions and make suggestions if there’s something you don’t like about this. Let us know. We don’t know everything. And we’re in this together at the end of the day, uh, don’t try to answer questions that you don’t feel or no, you’re not qualified to answer again. You can email us at unsecurity at proton mail dot com. Uh, we don’t know the answer. We can certainly point in the right direction. We can find an answer together and don’t use threatening language or insinuate threats of any kind. That’s all in that blog

[00:18:59] Brad Nigh: post, threatening government doesn’t typically go, well,

[00:19:03] Evan Francen: well, right. And that’s not the point, right? It’s counter to what we’re trying to do. We’re actually are trying to help cities and counties protect themselves from ransomware. Um, and then in that same blog post is the email template itself. It’s pretty straightforward. Um, I assume that I assume that most people can read so it’s there, but we do need to start fighting back and I don’t know of anybody else who’s kind of trying to do this. So if you know somebody else who is trying to do the same thing that we’re trying to do, put us in touch, let’s work together. Right. This isn’t, this isn’t about making a name for ourselves. It’s really pissing me off that cities are paying

[00:19:40] Brad Nigh: well and ransoms and then not, not just cities, but then schools and colleges and these other, you know, kind of in the same vein.

[00:19:52] Evan Francen: So at that point, one of the things that I had done to earlier this week, cause I emailed our news, one of our local news stations. And I’m like, hey, how can we spread the word? Right? I there’s nothing to sell here. We have, I don’t know how many cities in the state of Minnesota, how many cities are in your viewing area. How many listeners are, how many viewers that should email? And it’s okay if multiple people email the same city, right? I mean, it’s not like, you

[00:20:20] Brad Nigh: know, it’s kind of gets good because then then people get in charge say, oh, this is a real thing. Yeah, people are interested in this and we should focus on it. Right?

[00:20:31] Evan Francen: So I thought it was a great, you know, story. Uh, you know, they, it was, it was declined, which isn’t, isn’t surprising. I mean, they have their content meetings, but it was sort of surprising because it’s like, this is something, this is a big problem. I excited, you know, all the news, you know, articles about this and like, we got to get ahead of this unless we just wait again for another damn city to get to fall victim. And then it’s like, okay, well look, poor X, Y Z city and anonymous state

[00:21:02] Brad Nigh: will come back to you when, when a city in the viewing area is hit. And now it’s like, which is so reactive

[00:21:08] Evan Francen: hate that, man. So my reply back to to them was okay, I’d expect the next one to hit within a week. I mean it wouldn’t be surprised if we read another story. This one of a city that gets hit. I said cities are under siege right now. Have a great weekend and 4th of July that was it.

[00:21:26] Brad Nigh: Yeah. I’d be willing to bet we’re talking about this on the next podcast. Another city.

[00:21:31] Evan Francen: Oh my God. Yeah. Well we have to if people are doing well, I’m

[00:21:35] Brad Nigh: saying there’s gonna be a new one between now and our next podcast. Yeah,

[00:21:39] Evan Francen: I agree. So all that leads us to now the good. There were good people who did want to help, who did email their cities and that’s just awesome. I think I do think at what point do we make information security sort of a civic duty? What at what point do we expect everybody to participate in? Information security rather than pointing fingers rather than playing the victim rather than just bitching and complaining at what point do people to actually assume some responsibility in this mess that we’ve got ourselves in? That’s my frustration. So the good is we had some people who did it, the bad is most people didn’t, Most people listen, Most people maybe read it. Maybe just skim over it. But as soon as you asked them to do something there, like I’m

[00:22:25] Brad Nigh: out, it’s like when you were at that conference, everybody is nodding their head in agreement. He said, well how many are doing it? And like nobody raise your hand and it’s like, yeah, that’s a great idea. Well, let’s do it.

[00:22:37] Evan Francen: Uh No, I’m good. That that requires work. That sounds

[00:22:41] Brad Nigh: hard. Where’s my easy

[00:22:42] Evan Francen: button? Oh my God. So that’s that’s my frustration and that’s kind of the point of the podcast. You know, it’s do people act do people even want to be secure? Mhm. I mean, what what has to happen? What has to hurt?

[00:22:57] Brad Nigh: See, I think, yes, they do, but they want someone else to do it for them, right?

[00:23:02] Evan Francen: And and it just can’t know, just can’t secure your family. I’m sorry. I can’t stop you from putting Alexa in your living room. I can’t stop you from buying that refrigerator. That’s gonna order milk for you. I just can’t stop that stuff. You have to take responsibility yourself. It’s your security, not mine. And the thing that ticks me off is if you don’t take security seriously, it affects me, which then it becomes personal. And it really pisses me off because, you know, the Attackers now, your computer systems are part of a botnet that,

[00:23:32] Brad Nigh: you know. Well, and you know, talking about personal, we had three incidents come in, Wednesday went through completely disrupts everything, right? It’s already busy, go through triage we identify. Yeah, you’ve got somebody actively in here’s what’s going on? They all said, okay, well that’s good. I think we’ll handle it ourselves? So you didn’t know for how long and now you can handle it. There’s that attitude of okay, well we don’t need we don’t need your help either. I don’t know. I mean, I mean, okay, fine. But it’s disruptive to them, to their camp, to their organization, whatever it is to their in this case there are students or customers or whatever it may be. And then what happens when well we get shut down now? There’s now there’s cost, it’s going to be higher than it was,

[00:24:32] Evan Francen: but then they still don’t

[00:24:32] Brad Nigh: care. And then uh

[00:24:36] Evan Francen: yeah. I mean what does it take? I don’t know. I don’t know either, man. That’s I guess that’s the trillion dollar question.

[00:24:42] Brad Nigh: You know, somebody’s gonna get fired.

[00:24:45] Evan Francen: Just read last week that the United States is the number one source of human trafficking in the world. And you know how much of the United States government, I think, I can’t remember the exact number. But I’m gonna I’m gonna guess I’m gonna try to remember it how much the U. S. Government the Department of Justice paid or yeah paid paid funded Organizations like no it was like 16 million or something like that. It was like that’s not even a drop in the bucket and you’re talking about human beings that are trafficked like eggs like bread. I mean it is it’s crazy. So anyway, I don’t this ransomware thing uh if your city gets hit and you didn’t I mean if you heard this, are you read this right and your city gets hit? It’s on you, man.

[00:25:39] Brad Nigh: Yeah. You had the opportunity to at least start a dialogue to start something and perhaps fend it off or at least get it prepared to be less disruptive. And if you don’t do anything, Yeah, you got to look in the mirror

[00:25:54] Evan Francen: for sure. And so and and kind of qualify all of this. I’m not saying that you can prevent all breaches from happening. You can’t prevent all bad things from happening. But in terms of ransomware you can 100% prevent having to pay a ransom

[00:26:09] Brad Nigh: correct and you can absolutely minimize the impact of it. Right with some singer. You down. How long does it take to come back up

[00:26:17] Evan Francen: with some simple hygiene best practices? Right. I mean it’s not rocket science. It requires a little bit of discipline, a little bit of forethought. But to be this, you know, to be in a position like this, you know, this Mayor of Lake City, that’s our job, man. It’s my job. The fact the mayor didn’t know that means somebody insecurity, Somebody who does know. Never told him. And that again. That that pisses me off because you’re complicit.

[00:26:50] Brad Nigh: Yeah. One I think you’re right. There’s there’s plenty of blame to go around. How do we communicate with, as you say, the normal people are quotes so that they understand this? It requires us to

[00:27:05] Evan Francen: kill when it requires us to get off her ass to actually have to get up or maybe type an email, click send? Oh my God, what will they think

[00:27:15] Brad Nigh: my thought was? I don’t care. Right, if I piss them off. Okay, well,

[00:27:22] Evan Francen: exactly. And I have a stake

[00:27:24] Brad Nigh: in this.

[00:27:24] Evan Francen: Well there’s that and the fact that you got pissed off at something that was not piss off a ball. Right. My email is curious, my email was kind and I’m trying to help you and if you’re pissed off about that, that’s on you to me, I’ll sleep fine. I did what I could

[00:27:42] Brad Nigh: just asking a legitimate question. Right?

[00:27:45] Evan Francen: So anyway, I guess the call to action is still call to action, we need to do something about this. Yes, it breaks my heart to see, you know, these cities being offline, I mean just Riviera Beach, right, May nine, May 29th to june 20th. And I don’t even know if the payment actually worked on the ransomware. Let’s hope it did.

[00:28:07] Brad Nigh: Yeah, they haven’t announced any further details.

[00:28:09] Evan Francen: So, you know, $600,000 gone. What could I spent that money on? I mean, I could spend that money and all kinds of things. Mental health facility. Uh some kind of outreach, a food shelf. I mean

[00:28:21] Brad Nigh: education, homeless shelter. I mean there’s so many things that could have gone towards

[00:28:26] Evan Francen: instead. You paid some Jackass and another part of the world that does nothing but prey on others and that’s kind of the the onus I mean, really when you think about the onus of why FRSecure exists and why SecurityStudio exists, it’s all because of this, Not this. But although I hate people taking advantage of other people. Absolutely hate it. Especially when I know that there’s something we can do about it.

[00:28:51] Brad Nigh: Right. Right. Yeah. It’s not always, yeah. It’s easy to see it and understand it. It’s hard work, but it’s not hard concept.

[00:29:02] Evan Francen: Well, how long did it take for you to send your email?

[00:29:05] Brad Nigh: Um, a minute. Right. It probably had, I think I had to look up to find his email address and send it. It was, yeah, a minute or two.

[00:29:16] Evan Francen: Okay. So it took a whole minute of your of your day. And I know how many hours you work this last week, you told me. So you work like 90 hours this week and you got a family with three Children. Uh, you’ve got a lot of stuff going on and you found it and you found a minute in your day, email The mayor.

[00:29:37] Brad Nigh: Yeah. How can you not though. Right.

[00:29:41] Evan Francen: So, I mean, most listeners, I don’t know what the average ours are. Say there 40, right? The average person works 40 hours a week, brad works twice that this week and he found a minute to email and you can’t tell me, I don’t get it, man. It just drives me nuts. So that leads me back to that question. Do people even want to be secure? It’s it’s politically correct to say, oh yeah of course. Yeah, of course I care about

[00:30:10] Brad Nigh: my I’m going to go safety and yeah, they do. As long as they don’t have to do anything right. It’s nuts. Well I pay for you know credit cards, right? They should be keeping my stuff secure or the government for taxes, for tax fraud. They should be keeping insecure. I shouldn’t have to do anything.

[00:30:27] Evan Francen: Somebody else should. Yeah. Which is okay. So then frustrating. So then going back because I like your answer but I think it’s it’s like a politician’s answer, right? Do you really want to be secure is a yes or no answer.

[00:30:42] Brad Nigh: I agree. And I think everybody will say yes, but

[00:30:46] Evan Francen: their actions show no

[00:30:48] Brad Nigh: it’s yes. Unless I have to do something.

[00:30:49] Evan Francen: But as soon as you know, I agree

[00:30:52] Brad Nigh: I’m with you on the same page. I think I think you’re right. It’s well, yeah. Do I have to do something? I just live with it.

[00:31:01] Evan Francen: Well then the answer is no. Right. Exactly. So then you’re a victim. We should take away

[00:31:05] Brad Nigh: that we should we

[00:31:06] Evan Francen: should take away your computer. We should take away your smartphone. We should take away everything that’s connected to anything that can affect me because you’re crap is going to get attacked and it’s going to be used to attack me. I mean that’s the way isn’t that what we are the world we live

[00:31:22] Brad Nigh: at the bottom. It’s with IoT and all that, there are just growing millions of devices.

[00:31:28] Evan Francen: Yeah. And you can

[00:31:29] Brad Nigh: see them take things down

[00:31:30] Evan Francen: and you’ve got to get this serious, right? I mean, this is where we need to go. The good people need to go to a point where yes, we are actually going to take it seriously. The answer is yes. And we will do whatever it takes to do it right. And so what is “do it right”? Well, then find out what “do it right” is, you know what I mean? But you have to start with the yeah, I do want to be. And so I’m telling you right now as a 25-year information security expert, sitting across from another 20-year, we have 45 years of experience right here, right now, telling you absolutely the right thing to do is to email your mayor, your city administrator and your county and ask them how they’re protecting your city against ransomware. Five

[00:32:16] Brad Nigh: minutes. So if the answer to

[00:32:17] Evan Francen: So going back to the logic, if the question is, do you even care about security? And if your answer is yes, then do that. Yeah. If you don’t, that questions the fact, whether you even care

[00:32:32] Brad Nigh: I care if I don’t have to do anything. There you go, Right. Yeah, I mean,

[00:32:37] Evan Francen: so you’d be better for office? In no way.

[00:32:39] Brad Nigh: Well, I

[00:32:40] Evan Francen: wouldn’t last five minutes in in public office because I’m such a

[00:32:45] Brad Nigh: I wouldn’t I would never want to do that. Now. I’m just giving you the answer that people that you would hear. Yeah, that’s not my answer.

[00:32:52] Evan Francen: No, no. I know. I know that for sure. Will you email? I mean, and you work 90 hours, dedicating your life. Really, both of us dedicate our lives to trying to help people secure their information. Money has always been secondary for us. We can both make more money in other places. We have this passion because we hate seeing people getting taken advantage of, and I will do whatever it takes to fix it.

[00:33:15] Brad Nigh: Yeah. I go home at the end of the day, at the end of the week, and I can go and rest easy because I feel like I really helped someone or I made a positive difference. Right? That’s the whole point. Exactly. It’s not worth cash. You know, it’s not about cashing a big paycheck.

[00:33:32] Evan Francen: When you know that those things will eventually come anyway. I mean, the theory is, if you focus on the mission, money comes. If you focus on the money, the mission never comes,

[00:33:40] Brad Nigh: so do it right and things take care of themselves.

[00:33:43] Evan Francen: So again, listeners, you have no excuse if you really care. And if you don’t care, you should really turn off every piece of electronic equipment you have anywhere in your house, go live in the hills somewhere. Right? And just get away from you? Because you’re a danger to everybody else, truly. I mean, isn’t that the truth?

[00:34:00] Brad Nigh: I mean, you’re a potential,

[00:34:03] Evan Francen: you’re a dangerous

[00:34:04] Brad Nigh: potential risk to everyone else. A threat I guess would be the better way. You’re a threat to everyone else. Yeah.

[00:34:09] Evan Francen: It’s kind of blunt, isn’t it? This is what happens on friday afternoon when Evan doesn’t get enough sleep?

[00:34:14] Brad Nigh: Not far

[00:34:15] Evan Francen: behind. Right?

[00:34:16] Brad Nigh: No, I’m with you. I think it’s, uh, well, and how many times do we hear, like, uh, family members say things and you’re just like, are you kidding me? Right? And I can only imagine they’re hearing us rant all the time and they still say these things. What about the other people that don’t, the majority of the population that doesn’t hear these things, is completely oblivious, right? Yeah.

[00:34:44] Evan Francen: I get the fact that you’re not, you know, so when I talk to a family member, I get the fact that they don’t do information security. They’re not as educated about security as I would be. Just like I’m not, you know, as educated about dentistry as a dentist is, but I do know that if I don’t brush my teeth, I’m gonna have problems,

[00:35:06] Brad Nigh: Right? I think they should know to ask, right? It’s like, you did what? And you’ve asked me questions before. If you thought this, why wouldn’t

[00:35:15] Evan Francen: you ask. Right? And I know that if the dentist tells me, hey Evan, you need to floss, if you don’t floss, you’re gonna get gum disease. Okay. I will floss if I take gum disease seriously. I will floss. Right now, if you ask me, do I take gum disease seriously? Probably not. But you know what I mean? But security is the same way. Like, do you take security seriously? Do you care? Yes. Then do this thing. Yeah. Then brush your teeth,

[00:35:42] Brad Nigh: basics, the fundamentals.

[00:35:45] Evan Francen: And if you don’t care, then all right, well then we should just take all your teeth.

[00:35:50] Brad Nigh: There you go, kick in all your teeth. I’m giving everyone who doesn’t email a flip phone. Right? Right. Just, all right, go back to the old. You don’t get a smartphone that could actually do something.

[00:36:01] Evan Francen: Yeah. Because I have a lot more tolerance for somebody who, uh, you know, has never been told, they’ve never been told that they need to patch their computer. I get it. That’s my job to teach you that. Because I’m thinking, like I have, um, like my mother, my mother-in-law, you know, she’s up there in age. She doesn’t understand. Oh, patch my computer? How do I do that? Well, let me show you how to do that. You know what I mean? And, uh, I’ll turn on automatic updates and things like that. So, I mean, I understand that people are just, that they’re not aware of certain things. A certain

[00:36:38] Brad Nigh: population.

[00:36:39] Evan Francen: Yeah, but if you’ve heard this, if you’ve heard this whole rant about the fact that you need to get involved and ask your city and county about ransomware, if you’ve heard that and you choose not to do anything about it, that’s what I’m complaining about. I’m not complaining about, you’re not a computer security expert, you know, stuff like that.

[00:37:00] Brad Nigh: Right? No, you’re right. That’s a good point. But to some extent, I don’t know. I still feel like how do you not have heard these things and ask a question?

[00:37:13] Evan Francen: I don’t know. Well, and part of that’s my job, to reach out, like this mayor, somebody in information security somewhere, if in fact what he says is true, uh, we missed him. We didn’t reach him somehow. And then, which is all the point, you know, a lot of this stuff is all the point for the second book too, which I am now working on heavily again, which is, you know, what are the things that I need to do to help? You know? And it is going to be blunt. It’s gonna be blunt like this, right? I mean, either you’re going to take this seriously or not.

[00:37:47] Brad Nigh: Well, and I think if you sugarcoat it, however you wanna put it, the message is lost. There’s a certain, uh huh, right, who is it? Was it Mike Tyson? You never know how you’re gonna react to getting punched in the face. Whoever that was. It’s kind of the same thing. Yeah. Right. Well, I think I’m secure. Well, we’re gonna find out.

[00:38:08] Evan Francen: Well, yeah, but the sad thing too, you know, and this is part of the book, is, uh, just the safety components and the privacy components. I mean, when you get punched in the face, that black eye is never going to heal.

[00:38:22] Brad Nigh: Right. Well, do you think, who is it, the, uh, video camera that, when they were supposedly wiping it and reselling it, the previous owners could see the new owner’s camera, what the feed was? Right. Like, it doesn’t matter. Yeah. It’s not necessarily a computer. It’s not necessarily these other things. It’s every component that’s connected is a risk.

[00:38:52] Evan Francen: All right. So the call to action again, email your city, email your county, ask them about ransomware. If you have no idea how to answer any questions or any replies that you get back, email them to us and we will help you: unsecurity@protonmail.com. Uh, the other things. Um, yeah, I mean, there’s plenty of other things for us to do in terms of keeping ourselves secure, but start there. We’ll have more stuff in future podcasts where we can rip on you some more, even though we’re not trying to rip on you, truly. We’re trying to motivate you, we’re trying to, like, it’s just, it’s

[00:39:34] Brad Nigh: a kitchen. It’s frustration to see people just continually complain without doing anything. Exactly. Just do something. Five minutes. Find, you find, me, it took you a minute. Well, I’m just skilled.

[00:39:48] Evan Francen: That’s true. You’re, you’re

[00:39:50] Brad Nigh: a professional. Look it up. I am a professional. No. Uh, no. But yeah, even just say five minutes out of your day, look up who your contact is. Whoever you need to email, copy the, the format.

[00:40:06] Evan Francen: And again, if you don’t know where it is, evanfrancen.com, E-V-A-N-F-R-A-N-C-E-N dot com, go to the blog and you’ll find it there.

[00:40:16] Brad Nigh: Call to action. Do something. Yeah, Please just take five minutes to do it.

[00:40:21] Evan Francen: Yeah. All right, good talk. Well, another thing too, one of our loyal listeners who, you know, I just love when he sends his messages, is Jason Dance. I didn’t get his approval to use his name, but I have now used his name, but I think it’s fine. Uh, he points out that the same thing applies at schools. So if you start with city or county, but you know, once you start kind of getting comfortable, ask the schools the same thing. Ask anybody, any public

[00:40:53] Brad Nigh: And here’s what’s scary too with this, especially K through 12 or even higher ed: FERPA does not have a mandatory disclosure requirement. So you may never even know that your student’s, your kid’s, I know I’m not crazy, information was leaked, and they have Social Security, medical, they have everything, and there’s no requirement to alert. It’s nuts.

[00:41:16] Evan Francen: So the same things apply at the schools. That’s what Jason tells us and it’s true. Other things he says, I thought they were great suggestions. He said if you don’t get answers, and you don’t want to keep emailing and emailing, uh, he says ask during a town or city meeting.

[00:41:31] Brad Nigh: I don’t make people uncomfortable but

[00:41:34] Evan Francen: I like it. Yeah, I like it too. Uh, yeah, that would take you to get out of your shell a little bit more and be a little bit more committed to the cause. Uh, if you want me to go, if you live in this area and you aren’t getting a response back and you want to drop me a line, I’ll show up at a meeting with you. I think it’d be fun.

[00:41:51] Brad Nigh: that will make other people uncomfortable. But at the point that you’re asking no I’m with you though. Yeah.

[00:41:56] Evan Francen: I just have to, I just want to help. Honestly, it’s not to point out and expose you as being some kind of crappy IT manager at some city. That’s not the point. The point is, what can I do to help? Uh, yeah

[00:42:10] Brad Nigh: and we do get that a lot too, people think we’re trying to, like, expose, I’m gonna call him out. No, it’s the same as if an employee clicks on spam or a phishing email. It’s education. It’s never, you should never shame.

[00:42:22] Evan Francen: Yeah. The only people I’m shaming are the people that hear this message are not doing anything

[00:42:25] Brad Nigh: right? But from the other side, Banon, you know, the normal people, right? Exactly, educate them. Don’t shame. All right. If you punish, it’s just gonna quit responding. They’ll shut down and it’s the opposite of what you want.

[00:42:40] Evan Francen: Yeah. Good point. Other things he says, if you don’t get an answer, is file a FOIL. Is that a freedom of information? Should be a, he had FOIL, a freedom of information. Just copied it.

[00:42:54] Brad Nigh: I don’t know. Who is the Freedom of Information Act? So maybe this letter. Yeah.

[00:42:58] Evan Francen: Uh, but file one of those for specific information. If you don’t know how to do that, email us that too. I’ll go find out how. I don’t know how to do that. I’ve done it. Uh, Jason. Yeah, he says, and ask by Facebook, Twitter or other social media because that would be a public regret. So it would be interesting

[00:43:16] Brad Nigh: to see harder for them to ignore.

[00:43:18] Evan Francen: So awesome advice, thank you Jason. But we really have to get our crap together. Honestly. The pain will get worse, really. Well, yeah. Now for some news. Uh, just two quick stories today. First, this broke the last, I don’t know, 24, 48 hours: ex-Equifax CEO gets four months in prison for insider trading. The article I chose, this is kind of all over the news, but the one I chose was the BankInfoSecurity story, uh, titled the same thing: Ex-Equifax CEO Gets Four-Month Prison Term for Insider Trading. Uh, do you think Jun Ying, I’m sorry, I mean the CIO,

[00:44:04] Brad Nigh: I guess it’s, I don’t, this doesn’t sound wrong, but it’s progress, right. So he knew about the breach and profited off of it. And now there is a punishment, but it was for insider trading, for profiting, not for overseeing a breach. Right? So if he hadn’t done the insider trading, there’s nothing

[00:44:27] Evan Francen: right, other than he probably would have lost his job.

[00:44:30] Brad Nigh: Well, yeah, but how long is it gonna take him to find somewhere else or get a golden parachute? He doesn’t need one.

[00:44:34] Evan Francen: True. We see that. How many times. Well, uh, this is a touchy subject. We have to make, this may be a future podcast, and maybe one for you is maybe get Jim Nash, our state representative, and discuss criminal, there’s been a couple of bills, I think, that haven’t made it out of committee where they want to hold C-level executives criminally responsible for breaches. I think it would be a great discussion.

[00:45:03] Brad Nigh: Yeah because that’s a really fine line

[00:45:05] Evan Francen: because I’m very much against that, but I’m fine with having the discussion with somebody who might be for it.

[00:45:11] Brad Nigh: Yeah. Yeah. I’m not sure how do you? Yeah, that’s a whole another discussion because

[00:45:18] Evan Francen: yeah, so Mr. Ying, uh, four months in prison, whatever. Probably not a big deal, I

[00:45:27] Brad Nigh: will say this, I would prefer not to ever spend four months in prison regardless, but you’re right in the scheme of it. Not not a whole lot,

[00:45:33] Evan Francen: that’s probably one of those white collar prisons where they kind of get everything.

[00:45:36] Brad Nigh: So I’m still going to go with

[00:45:37] Evan Francen: not fun, probably. $117,000 in restitution, fined $55,000, pled guilty, did not go to trial. Uh, the charges were that he had insider knowledge of the breach, traded stocks on that knowledge prior to it becoming public, which then makes it insider trading, uh, and he gets in trouble for it. Equifax will, I think, anything, and that was such an impactful breach, you’ll have people talking about anything that falls out from that. Speaking of Equifax, if anybody, any listener, knows Susan Mauldin, what happened to her, she was the CSO, she was the CSO at the time of the breach. Well, she took so much flak because of the fact that she had a music degree, which I thought was just BS because who cares, exactly, but she sort of fell off the face of the earth as far as I can tell. So if you know where she is, let us know. I think it’ll be interesting. It’d be cool. Yeah. Another thing, I’m going down rabbit holes. It’s easy to do. All right. So the next news is, uh, cybersecurity professionals are outgunned and burned out. This comes from Help Net Security, and that’s the title: cybersecurity professionals are outgunned and burned out. Nearly 58% of cybersecurity leaders across France, Germany and the UK believe their teams are falling behind in the skills race. This is a study from Symantec.

[00:47:08] Brad Nigh: I mean, we’ve hired people here who came from that, who were utterly burned out, and you know, it sounds like bragging, but because you and I have both been in that same position, everyone in leadership has been in that position, we’re very protective of that. It’s like they come here and it’s like a breath of fresh air. But we see it all the time

[00:47:32] Evan Francen: when you know how concerned we all are for each other. Right. I mean, you were telling

[00:47:39] Brad Nigh: me, I think I had like four people go, are you all right? Well, yeah. Yes, I’ll be fine. But yes, thank you. I

[00:47:44] Evan Francen: Appreciate it. We need to support each other. You know, because I know you’ve worked 90 hours this week and I want to know, how long is that going to last? Because you need to get back to your happy spot. You, your wife, your family need that. We can’t keep you there

[00:48:01] Brad Nigh: long, and I absolutely appreciate it too. And I think that’s why we have, you know, our turnover is single digits. Yeah, I mean, there’s a reason for that. In this industry, that’s unheard of

[00:48:13] Evan Francen: right now. We say, I’ve been having a potty mouth, I think it’s Friday, but we have no dickheads here. Right, right. Not a single one. I love it, man. So cool. Every place I’ve ever,

[00:48:25] Brad Nigh: the biggest issue we have is making sure people don’t work too hard,

[00:48:28] Evan Francen: right? Every place I’ve ever worked, there’s been, for decades, at least some. Here, none. So that’s good. So anyway, here the story is, uh, nearly two thirds of cybersecurity professionals are considering quitting their jobs or leaving the industry entirely, which is terrifying

[00:48:46] Brad Nigh: when we’re already facing a shortage

[00:48:48] Evan Francen: one. And it’s the other sad thing about it is they’re leaving because we’re not doing it

[00:48:54] Brad Nigh: right? Oh, they’re fighting, banging their head against the wall because they’re not getting buy-in and they’re not getting funding to do the right things. They’re not getting the buy-in from the organization.

[00:49:05] Evan Francen: We totally need to support each other. Management, if anybody is listening who’s from management, support your security people. Give them love, man. Inquire about how many hours they’re working, make sure that they’re being healthy. You know, if they need training, get them training. Don’t, you know, don’t set unrealistic expectations. Champion security. CEOs who don’t champion security shouldn’t have security. You have to champion it. You have to lead it,

[00:49:33] Brad Nigh: right? Yeah. And if not and you don’t do it, odds are we’ll be talking about you on the podcast in the story at some point here.

[00:49:41] Evan Francen: Yeah, that’s the truth, man. So it’s sad. It’s sad because I think a lot of these people probably have really, really good skill sets. I think a lot of these people are good, good people, but we’re beating them up. Mhm. And that breaks my heart because this is a great industry. We have great people who work in this industry. There’s so many awesome people in this industry. And yeah, we need more awesome people

[00:50:11] Brad Nigh: man. Yeah. Yeah, we need, yeah. Gosh, we’re facing a shortage. If these people start leaving, it’s, how do you, you know, you can’t fill that drain because it takes, the only way you get good is experience and

[00:50:27] Evan Francen: time. So yeah, every time you have, like, a 25-year, 20-year security professional who leaves, that’s such a vacuum. It’s so hard to fill

[00:50:37] Brad Nigh: that even and then even 10 or 15 even. Right? I mean you just can’t build that skill set. No,

[00:50:45] Evan Francen: it takes time, man. So anyway, those are the two news things. Uh, seems like I’m leaving us on a downer. But you know, I’m not. Friday, we get the weekend. The 4th of July week. Got vacation

[00:50:58] Brad Nigh: won’t be in the office at all. So that’s good.

[00:51:00] Evan Francen: Yeah. So, you know, if you just, if we just bury our heads in the sand

[00:51:03] Brad Nigh: after we just talk about how great it is. Like we won’t be here at all. It’s gonna be fantastic.

[00:51:07] Evan Francen: We gotta have vacations that’s healthy. But yeah, so if we just bury our head in the sand for the next week, like everybody else will be fine.

[00:51:14] Brad Nigh: There you go. Just sounds good. I’m just turning off everything.

[00:51:17] Evan Francen: That’s not a bad idea. All right. So that’s how it is. Thanks again to our listeners and thank you, Brad the Wise. That was based on my friend. Uh, hope you have a wonderful weekend, a safe Fourth of July. God bless America. Honestly. Uh, you know, don’t forget you can follow me or Brad on Twitter. I’m @EvanFrancen, that’s me, Brad’s @BradNigh. Email us on the show at Unsecurity@protonmail.com. Uh, if you want, because that’s what all the cool kids are doing. Absolutely. All right. Thank you.