About the Episode
If you’re not concerned about cybersecurity at your organization, you’re putting your job at risk. A single successful cyberattack can negatively impact an organization’s revenue, reputation, and data for years. So what can you do to help protect your organization from data breaches, cyberattacks, and hacking incidents? Forrest Senti, Vice President of Programs and Operations at the National Cybersecurity Center, has some great tips to share. In this episode, he explains how organizations can improve their cybersecurity by using creative training methods, building better data policies, and adequately vetting the security of new tools.
Meet Our Guest
Forrest Senti has taught organizations the ins and outs of cybersecurity for the past five years. As the Vice President of Programs and Operations at the National Cybersecurity Center, he spends his days teaching organizations of all sizes how to build a culture of security. Yet his presentations are anything but boring—using interactive activities and sharing real examples, Forrest can easily get anyone interested in cybersecurity and how to better protect against online threats.
Lindsay McGuire: Cybersecurity. If you're anything like me, you probably make a little face when you hear that word because it feels way above your head, but that's why I loved my conversation with this episode's guest so much. Forrest Senti is the VP of Programs and Operations for the National Cybersecurity Center, and he has a gift for bringing cybersecurity lessons down to the ground level.
On this episode, we're talking about how innovation efforts have a direct impact on the security of your organization and what's at stake if you don't innovate. And listen y'all, I can't help but tease a few of the practically genius ideas you're going to get from this episode. Forrest shares with us an example of how he makes cybersecurity training not only effective for his team, but fun as well. I mean, it's really crazy. You have to listen to it. He's also sharing his checklist for how anyone can vet the security of new tools with just a few questions, and he's of course sharing some fuel for our paper hating fire because what's more vulnerable than literal paper? Am I right?
We're so excited to have you on the show today to talk all things security and digitization. As you know, the show is for innovators who are championing digitization within their organizations, and I believe you are a champion for maintaining security across an organization. Why are you passionate about this?
Forrest Senti: Yeah, so I got involved with security at a young age. Back then I was working to kind of help students, high school environment where I started off in to be more secure and then getting into college continued that pathway and then as I came an adult, I got to do more work with the government and then some of the corporate people across the country, and I got to see a lot of what was going on there. And the thing that made me the most passionate actually was elections. So my first work in the security realm as a grown professional was in the election community. So I got to do a lot there. When you talk about our democracy, the security is really important when it comes to stuff like that, so it's always mattered to me.
Lindsay McGuire: Well, that's quite an interesting story and definitely appreciate your work in that, nothing is more crucial to the lives we live than having those elections happen and them being secure. So thank you for doing that work. So tell our listeners a little bit about your role at the National Cybersecurity Center. What do you do there? What do you handle day-to-day?
Forrest Senti: Sure. So my role is kind of a hybrid between the internal facing role and an external facing role. A lot of what I do internally is I oversee traditional things like HR, finance, I help with strategic planning, overseeing our growth, business development, all that kind of stuff. But then on the external side, I serve at two functions. One, I serve in situations like this as a subject matter expert, whether it's for state legislatures, federal, giving advice to companies, those kinds of things. I do that all the time. And then I also oversee several programs that we run here at the National Cybersecurity Center.
So a few of which things like the Colorado Cyber Resource Center, which is a three year low cost resource center for helping county and city governments with improving their cybersecurity. We do things like offering free cybersecurity training and all that kind stuff as grant funded through the state, different stuff.
We also do something we call the National Cybersecurity Center Student Alliance. So the oldest thing and the longest thing we do is we're really passionate about getting kids into cybersecurity careers. So we spend a lot of time working with high schools, middle schools, even elementary schools in some cases, getting them interested in pursuing a cybersecurity career. So that's something we oversee. We work with a little over 2000 students every year. We run summer camps where we get kids interested in the summer, like a one week format. So I oversee those kinds of works too as well as we did a program last year where we educated all 50 states and the US territories, the state legislature themselves, like the state senators, state representatives on cybersecurity best practices, policy, that kind of stuff. That's the broad strokes of everything I'm involved in.
Lindsay McGuire: Well, you talked to some very important people it sounds like. So I'm flattered you took time to talk to me today. So a little bit of a basic question, but why is cybersecurity so important and why is this something all businesses should be thinking about? And not even all businesses, but all employees. I think a lot of people hear cybersecurity and think, that's not my job. That's IT's role or that's tech's role or insert the whatever piece of your org handles that part and that business, but it really should be something that everyone keeps in mind. So can you talk a little bit about the importance of that?
Forrest Senti: The simplest way I could talk about cybersecurity being important is that especially in today's world, and this is part of the reason I wanted to come on here, is 80% of a business is typically automated, on average in the US today and across the world even in most first world countries, we automate so much of what we do. The average company has at least 10 different pieces of software that they use to integrate between different places. All of those places require an account with individual security, with individual passwords, with individual connections. All of those are something that touches the internet. And the internet's a beautiful glorious thing that's enabled us all to be here right now doing this thing, but the internet also wasn't built and designed to be secure.
Lindsay McGuire: It's also very scary.
Forrest Senti: It can be very scary, you're right. But the ultimate design of it is really about connecting people, but people have learned how to exploit those things and to exploit those connections and how to use that kind of network effect across different companies to go and attack people. So in today's world, there's a highly technical aspect to the behind the scenes of securing these different things that we use and interact every day. Like this software run recording this as an example. But the reality is that we're 95% of the problems lie for most people when it comes to cybersecurity is what you're saying, it's the people. The people element of governments, of business, of just everyday life. You as a marketer, you as an individual, it's mind blowing how much the individual plays into all of these things. 95% of all the cyber attacks that happen can be prevented just by individual people paying attention to what they're doing.
So when I go and I speak to corporate, government, whatever, any type of people, the biggest thing I like to stress is this idea of building a culture of security. It's about just becoming cautious and aware. As an employee when you fit into the greater nexus of what a company does, that culture of security really matters when you as an employee feel like you are a part of securing this overall entity. Think of the military. Every single person in the military knows that they're a part of this greater network of people that are all working to secure a country. Think of it the same way in terms of the company. That's why I think cybersecurity matters so much for the everyday person is that we're all a part of this greater web of protection, of trying to help protect where we work because that's how we receive a paycheck, that's how we get access to all these great things we like to enjoy, all this different stuff.
Lindsay McGuire: I want to have us take a few steps back though real quick because a lot of our show is talking about the case for digitization and why we need to get out of paper and paper processes and then the step above that, the manual work we're doing that might be digitized. And so before we jump too far into all of the risks that are in the world of the internet, which they are a lot and it is very spooky and scary at times, but it's also glorious and great. But before we get into that side of it, let's go way back and talk about what are some of those security threats for those that are still stuck in paper? Can you talk a little bit about that?
Forrest Senti: I'll just really start with two. I think they're really important. The first one ultimately is people, again, people are human obviously, but we make mistakes. We can make mistakes. We can do things like double entry. We can misplace files. We can do things like trying to correct a mistake and actually make it worse. And there's a lot of things with the paper processes that impact that. You look at a country like Japan where a vast majority of their processes are still paper. You see mistakes there all the time where the average productivity of an American worker versus a Japanese worker is almost double because oftentimes they have to go back through and they spend so much time trying to rectify mistakes, trying to identify a place where they made a human error in terms of data entry and those types of things. And that's just one point. That's just the people side of it.
If you go even a little deeper when it comes to security in terms of the insider threat, the ability for someone to destroy a document, the ability for somebody to maliciously change a document.
But the second one, and this is more so when it comes to cybersecurity, it's a very important thing. It's this idea of offsite backups. With paper, doing offsite backups in the event of a fire or a major emergency or your office gets contaminated with something or whatever. Those are edge cases, but they're really important when it comes to the management of just data, because paper is ultimately just data. That's one thing with paper that's so difficult. For you to have to then invest into not only the staff time to copy said piece of paper and then move it to an offsite location where it's independently secured and managed the same way that your existing site is managed. There's a lot of easier ways to do that. If you could start this idea of getting off paper, so to speak, or minimizing it at least.
Lindsay McGuire: There's just some organizations and some industries that are very hesitant to change and might I say, even resistant to change. So what would you say to any of those leaders who might be in maybe that hesitant to resistant to change pocket of people about why it is important to digitize these processes and how does that relate back into not only your security overall, but like you said earlier, your reputation as an organization?
Forrest Senti: People are getting increasingly expensive, and I don't see the cost to hire a full-time employee, whether hourly or salary, going down over the next few years, if not ever.
Lindsay McGuire: No way.
Forrest Senti: Historically it doesn't, so it's one of those things where at some point you're $20 an hour, $25 an hour, $30 an hour employee who is overseeing the chain of custody for these paper processes and scanning and copying and replicating and doing all these different things, managing files, shipping files, sending files, all these different things.
Lindsay McGuire: Faxing.
Forrest Senti: Sure, exactly. That person's going to become increasingly more expensive. The amount of paper and different things you're managing is going to become increasing more expensive because buildings are not cheap. I don't know if people realize that. Getting a bigger supply area just for paper. We have some file storage in our building. It takes up a small corner of a room because we have everything online. I cannot imagine if we did everything for HR, finance or grant making, all the different stuff on paper, it would be impossible. We'd have to take the whole room. So I think the workforce aspect is really important for that because in terms of moving these things along, more and more as we continue on, we're going to see highly skilled employees are really what a company wants. They want an entire team of Navy Seals and specialists that can all kind of work in different directions and be specialized in one area, but can do anything as an innovator.
If you want to get your business going in an upwards trajectory, in a positive trajectory, invest more money into things like business development or better managers or better software, because you don't want half your staff to just be data entry file managers. You want them to be people who are helping to improve and upgrade your business. So I think the workforce element, I think is a piece that is understated because in cyber, that's where we see it. You want to automate as much as possible because you want that Navy Seal managing your network to help protect you versus a team of 10 people who are managing keys and stuff, like it's a whole different thing.
But the second thing I would say, and possibly more important, is security is not getting any easier. And physical security is one of those things where people undervalue and underinvest the most. And again, that custody of that information when it comes to files is so difficult to manage the people, the cameras, all the different things around it. It's very, very hard. Versus shifting those things to a digital process, you're now relying on Microsoft, Google, and Amazon to manage and secure the physical facilities of their data centers, of your data, of those kinds of things. And those companies know what they're doing. They've been doing it for decades. So it's one of those things where do you want to trust your office manager with a clipboard or do you want to trust Microsoft's 10 billion security center kind of thing. So it's up to you.
Lindsay McGuire: I really like that you brought up that workforce piece because I think another part of that conversation that's not brought up enough is the retention piece too. So if labor costs and employee costs are going up and everything's going up, I think in our most recent email to all employees, they talked about benefits going up generally across orgs, about 30% or something. I mean, it's just wild. There's so many costs that go into this conversation, and if you're able to put in processes that make it easier for employees and make it more secure for employees and limit those risks and those huge things that can come and really destroy your workplace productivity, think about all the money that you save long term. But we've also found there's a correlation there with your digital maturity.
So we did a study called the 2022 State of Digital Maturity, and we found that the more digitally mature an organization, the happier, healthier, and longer retention employees have with an organization. So you just brought that all full circle. The more you invest into your employees and their atmosphere at work and the automations and the digitization, the more likely they're going to stick with you and be happier and healthier. And that just reinvests into your org. So I really appreciate you brought up that because it is so important, and I think a lot of people gloss over it a lot of the time.
Forrest Senti: Yeah, no, that's awesome. I'll have to read that study because none of that sounds out of norm to me. That makes total sense. I mean, nobody likes doing mundane tasks. If you're working in a medical office, you want to do medical work, you probably don't want to be worrying about all these different processes, fooling around all the time. You want to focus on helping patients and making people happy and healthy and having to manage paper is not in that.
Lindsay McGuire: So we've talked a little bit about paper, the risks with paper and why there is such risk there. But now let's talk about when you have made the epiphany, you know what, we're not going to do it this way anymore, and it's time to change. It's time to modernize, digitize. What are some of the risks in transferring from that paper process into a digital/automated process? What are things people should be thinking about if they're going through that process right now?
Forrest Senti: One, I think the biggest thing is that ultimately if we're talking about moving from paper to PDF, converting it, scanning it, whatever, we're still talking about converting data into a different type of data format. So the biggest thing for me when I talk to companies, especially in the privacy realm, is this idea of garbage in, garbage out. If the quality of that scan or if the quality of that copy or the quality of how you're storing and keeping those PDFs isn't good, then the ability for that PDF to be read and then translated into a different data set is not going to work. If people are using illegible handwriting on a piece of paper and that gets scanned, that stuff is difficult to interpret. It's very difficult. So when it comes to the scanning and that kind of stuff, that process can be really difficult, very cumbersome at first. But I think being able to manage that is effective, as effective as you can, whether it's replicating or those kinds of things. It's a reality of a situation when it comes to it.
The other piece of it too, with the actual storage of those PDFs, once they're created, you have to treat those a confidential document. So oftentimes people are just like, oh, we just throw up in OneDrive. We sort it in different folders based on what they're supposed to do, and then that's it. We did it. We're in the cloud. You're like, well, but that OneDrive is accessible by every single one of your employees. You're not managing who's accessing it. When, how, and why. Are you encrypting those files? Are they requiring password? Are they requiring a permission from certain users to actually allow you to see those files? Because if you just go today and just scan a document into PDF, it's just going to be a picture on your computer essentially. That's all it is.
But being able to layer in those different processes to actually secure those files, especially if they're sensitive, is important. So I think that's the biggest thing for me is that idea of, okay, you made the first step in doing this, yay, congratulations, but now you really got to worry about how you secure these things. That's really what comes with a PDF because PDFs a great powerful thing, but how do you manage it? How are you automatically setting rules to save those documents in a certain way and that kind of stuff. Those are the first things I think about when it comes to PDF.
Lindsay McGuire: You talk about having some of these security best practices, let's call them, in place of who has access to what and when and how. Can you talk a little bit more about that and how can an organization instill some of those and what's the best practice there? Is it making a tech usage policy? Is it having just standardized kind of like a confluence accessible, like a backend wiki? What are some of your suggestions for ensuring that organizations have those regulations?
Forrest Senti: I like to look at things in terms of a maturity cycle, so it depends on where you're at in that cycle. At different steps of that life cycle, in terms of becoming more and more digitally mature, there's going to be things like, do you have an IT manager? Do you have offsite managed IT? Do you have a chief information security officer, chief information officer? Depending on what types of roles or what size of organization, does DevOps handle it for you? Is it an operations manager that kind of oversees your IT contract? All those different things are going to be different life cycles in the organization in terms of size or the industry they're in, et cetera.
In different phases, the very first thing I would do across the board, policy and all that kind of stuff is really important, and I'll get to that, but security training, you have to start with security training. That's like the single biggest thing that almost half of our businesses across the US and the world don't do is invest in any kind of semi-annual, quarterly, annual security training, that even though it can be boring, oftentimes you can increase the likelihood of your business not getting hit by a cyber attack by almost 50 to 80% if you just train your employees one to two times a year, literally. It's just keeping it present of mind.
So if you start there, this idea of, I have a trained, educated, aware workforce. Now to mature from there, this idea of policies, this is how we manage data, this is how we assign roles, this is how we do this, and it's kind of this blanket function. And the goal for most organizations now, especially at 200 plus employees, is this idea of zero trust, which means you're giving access at the lowest possible level at all points in time. So that's something that's really popular right now, and I think it's a great thing. What ends up happening is that you are basically saying, I trust you as an employee, but if your account were to get hacked and I gave you limitless access, now I can't trust you as an employee because it's not about you. It's about the fact that your account was hacked.
So working from there, this idea of if nobody needs access to that document in real time all the time, you don't give them access to it, you just take it away and you give it to them when they need it because if they only need to touch this document once a year, say like in a doctor's office, an annual checkup for a patient's file. They only need any access to that document when they're building their notes ahead of time, when they're there with the patient and when they're closing out that patient, that file shouldn't be touched any other time, and those policies should reflect the ability for that individual worker to be able to have those kind of constraints.
So that's a really important thing. I think when it comes to best practices, things like MFA on all user accounts, multifactor authentication, if you're using multifactor authentication, and you can have not as long as a password, but it's still important to have unique passwords in all those accounts because if you've got 12 accounts that can access the same file, you give them all MFA and one of those accounts gets breached, that user will know. Because they'll get a text or they get an notification, or if that's something that's out of band and they can detect it.
On the other side of it too, being able to stay up to date on all the different softwares that are associated with your environment is really important. Those are things that can help with those roles, those permissions, those different things we're talking about. So that policy, that blanket policy, the FCC actually has a really good list of a top 10 that a business should start with. So if a company is moving from paper to digital, that's a good place for them to either give their IT manager or the CEO or whatever just to be like, hey, as we're doing this, we should focus on these top 10 things too because we can mature ourselves greater, faster, et cetera.
Lindsay McGuire: For any organizations who are maybe revamping their security training or maybe even doing it for the first time, but you're taking a step in the right direction. But for anyone who is doing that, do you have any advice on how to get better buy-in across the org? Especially for people who think this isn't a big deal, this is the thing I'm going to do in 30 minutes and I'm going to be on my phone while I'm doing it. You talked about building a culture of security, maybe is what you said. How do you go about doing that?
Forrest Senti: The way I always advise people to do it is it's bottom up and top down. Cyber is one of those things where it's almost like mental health in a weird way where it's this thing that it's not very tangible, but we know it's important and when it's bad, it's bad. So it's one of those things for me with cybersecurity when it comes to getting people to invest in things like security training or those kinds of things. And what that means for me in terms of how we do it in our organization, how I tell other people, is you have to find a way to make security either exciting or enticing. And when I say that, I mean oftentimes people just buy these off the shelf security training programs and then they say, hey, you got to do this for compliance. And compliance doesn't necessarily mean excellence or progress, it just means that they're checking a box.
So oftentimes for most people, when you take your annual security awareness training in an organization, you're just clicking through this thing and you're listening to this video, and then you take a test at the end and you're done. Versus could you empower managers to, if you give them a PowerPoint and give them a budget for food or prizes or something like to say, hey, sit down with your team and add 30 minutes, 20 or one-on-ones, and go over this with your team and tell them why it's important and tell them how you impact the organization when these things go wrong. This idea of getting [inaudible 00:20:32] and getting people interested and obvious, and there are things too.
One thing I did two years ago was I had an intern, I gave them a project where I told them to fish the organization. I said, "I want you to send malicious emails and I want you to tell me who you get and how you did it. And we're going to then do a presentation at the end where we show everybody how we got them and then we're going to do a training based off of that." That was fun. That person is forever engaged. He still works with me, they're super awesome. You can make these things exciting to make it a part of your culture to improve the organization through security. So that's one of the ways.
And when it comes to the CEO, you have to have a champion. So whether it's a CEO or you're a CIO, like somebody just needs to champion it from the top down. To reiterate it, if you have a monthly standup, if you have a big meeting, bringing it up and talking about it and saying, "Hey, this is something we're caring about. If you see a problem, say something." That's really how I get people interested. That's the best way I've seen.
Lindsay McGuire: I mean, that's practically genius. I mean, if you're not watching this, which if you want to watch this head on over to our YouTube channel, but if you're just listening and not watching my face reaction to his fishing story, I mean, please just go watch this clip because I am mind blown right now. That is hilarious. But also, like you said, it's an exciting and enticing way to make it all full circle. So can I ask, how did he fish his coworkers?
Forrest Senti: I'll use me as an example. He got me. I was impressed.
Lindsay McGuire: Wait, he really got you?
Forrest Senti: Absolutely. Yeah. Yeah.
Lindsay McGuire: Forrest. Okay. Do tell now. Now I'm hooked.
Forrest Senti: Oh yeah. Well, I had him do it in levels. I gave him constraints. It was like level one should be like your traditional phish email. It should be bad. There should be grammar misspellings. It should be obvious that it's a fake email address. Most people should not get hit with that one. Level two should be using just open source, publicly available information. Send an email to me as something that you think would be personal to me. You were targeting me for a reason. I don't remember what he did on that one, but I got through that one. The third one was I want you to make it way too personal. I want you to track me on social media. I want you to track me on LinkedIn. I want you to identify something that's very personal based on something I've posted online, Twitter, Facebook, et cetera, and send me an email based on that.
So the mayor of Colorado Springs, where we live, is on our board. And so I know him through that. We talk, those kinds of things. But he created a faked email for the mayor and sent me an email on a day that we had publicly said that the mayor was going to be there with us for an event. We were doing something in our building, and he sent me an email saying, "Hey Forrest, can you print off my notes for me ahead of this meeting," whatever. And I was like, yeah, sure. It's weird that you didn't call me first, but yeah, I clicked the fake Google Drive link, and it was a website that he had created that was like, gotcha, and all this kind of stuff. And I was like, oh my God.
Lindsay McGuire: I am shook. But that is brilliant. Scarily brilliant. Just think about though, you are never going to forget this interaction and you're never going to forget this story. So for anyone who thinks that cybersecurity training has to be boring, OMG, y'all, because that is, wow, I'm never going to forget this. And I didn't even go through that experience.
Forrest Senti: It was pretty fun. It was cool. I was impressed.
Lindsay McGuire: Anytime you can make something more engaging, whether it's implementing a new technology, implementing a new training system, that's always so important to get people engaged and bought in. And that is a really creative and wild way. And man, please nobody do this to me though, please. Well, speaking of not being a cybersecurity professional, as most listeners probably know, I am a marketer, so I would not consider myself very cybersecurity savvy. And so what would you say are some non-negotiables when you're needing some kind of new technology for some kind of issue, problem or pain, what should I be thinking about when starting my Google search and vetting out some options?
Forrest Senti: Honestly, it's really simple for me personally. There's a lot of questions you can ask in terms of do you have SOC compliance? How do you manage your security? What type of cloud system are you using? Those kinds of things. Because if you get into the deeper conversations around, okay, how are you securing the movement of my data? All those things, if you are somebody who is technology agnostic or you're not in that world of having to vet a company, the simplest thing I tell people is, do they have MFA? It's that simple. Is part of their mandated account process that you have to have multifactor authentication? That to me most of the time is a strong indicator that a company is secure. Because when a company takes a stand that you have to use a second form of authentication to get into these accounts and to change major features and to do these different things, that to me sends a very strong signal that a company cares about it.
You can walk away from it from saying, does the company offer it? Because at this point, virtually every company should offer some version of two FA or MFA on their accounts. That's really a good place to start. And then just to kind of go from there, things like PCI compliant, are they doing those things? Are they paying attention to those things? That's really where I would go to. It's just you get a feel that they're compliant. Or for y'all, if you're on the phone with one of the business development people, ask them, "Hey, can you tell me about security?" Just ask the broad question. "Can you tell me about security and how you maintain this data," and blah, blah, blah, and just see if they have an answer. Do they have information ready to tell you. We're this or that, or SOC or yada, yada. Those are good things to ask.
Lindsay McGuire: I think most people know about MFA, but can you speak just a little bit about why you deem that's so important?
Forrest Senti: When it comes to things like MFA, so MFA stands for multi-factor authentication or two-factor authentication. And basically what it has to do with the idea of you have your password coupled with something else, something external to the device you're putting in your password on. Typically for most people, it's your phone, getting a text message on your phone. You can have things like Microsoft Authenticator or Google Authenticator. I think most of the password managers have their own authenticators now, this also accounts as like a security key, almost like a flashcard that you stick to your computer that has a code on it that's tied to your account.
But the reason why it's so important is let's say, use the same password across everything and one of those accounts that you're using doesn't have MFA and it gets hacked. So what happens in hacker security world is when they get that table of information, they then go, okay, email@example.com is associated with this password. Let's assume it's password 1234. So what that person does is typically if you get this account, that person's going to have these top 25 associated accounts that almost every single person in the United States has, and they're going to take that password and that email, and they're going to go to each one of those places and just put it in and the accounts that you don't have multifactor authentication on, they're going to get into and they're going to get into those accounts. Say it was your Amazon account, they'll then go and buy things. It's your Netflix account. Maybe they'll just watch movies for free forever. I don't know.
But it's one of those things where when you have that MFA piece activated, especially on accounts associated with buying or purchasing things, it prevents somebody from doing so. It protects you from somebody getting unauthorized access to your account because that person probably didn't steal your phone, which is that external source, the additional thing that you have to protect yourself. So that's why it's so important, and especially in the workplace, imagine those same scenarios, but it's customer data. If that person works in finance and they put their password that they use for their finance accounts like QuickBooks onto that e-invites and e-invites gets hacked, they could go and do that if they didn't have two FA. So you can see how those scenarios can play out.
Lindsay McGuire: So obviously you really think MFA is an important crucial part of cybersecurity, but what else is on your mind? What are some of the cybersecurity trends, best practices or even threats that you think people should be more aware of?
Forrest Senti: Password management, MFA, updating software, maintaining good policies, best practices. If your organization isn't doing those things, regardless of what Gartner or whatever is saying going into 2023, you got to do those things now.
Lindsay McGuire: Baseline.
Forrest Senti: 100%. You have to get the baseline. Yeah, you got to do that first. But in terms of trends, probably the biggest thing we're seeing right now is insider threats. So when we go back to the beginning of our conversation about paper and some of the malicious things you could do there, the insider threat is becoming a bigger and bigger issue. And when I say insider threat, what that really means is that it's either a disgruntled employee or an employee that's been paid to do something malicious to your company from the inside.
So we saw some cyber attacks for the first time in the past two years where people were basically recruited over places like Facebook where they say, "Hey, we'll send you a Bitcoin if you take this flash drive and stick it in your company's computer." So how do you protect against that? What do you do? There are policies, there are best practices, there are things you can do to prevent against things like that. But that is one example of things that are beginning to be more prevalent is people are realizing that the external web facing of a company is now getting more and more secure, but the internal side, human side is becoming a bigger threat.
Lindsay McGuire: Well, that is really, really, really scary. So what advice do you have for trying to minimize that risk? Because it's one of those things where you can never fully protect yourself. It just is impossible. But what are some things that people can have in mind to insulate themselves from that risk that you're seeing starting to build?
Forrest Senti: There's a few different things. So one of them is, we really shouldn't be using flash drives in the workplace anymore. We know that's dangerous. We know it's bad. That's a simple one for somebody as an IT manager or executive to go send an email, what do we got to do to disable the ability to use flash drives across all of our computers, period? Or why do we have computers with flash drives ports? And then in terms of other best practices, again, go back to what I said previously, it's the roles and responsibilities.
You should not give everybody access to everything to improve the speed of a business or whatever, and try to find information. You should give them the information that they need for the work they're supposed to be doing. And then if they need additional work, then you give it to them for a set timeframe, for a set reason, with set types of access. And with things in the cloud, you can do things like view only. You don't need to edit that document, you need to view it and see it. It's that kind of stuff, maintaining those roles and responsibilities.
Lindsay McGuire: A few more questions to wrap up our conversation Forrest, and one I want to hit on is legacy technology and the risks of legacy tech and security. We talk a lot up on the show about how legacy tech can impact an organization in really negative ways sometimes, and it can really keep them from reaching digital maturity, from being more successful, being able to adapt to market trends and changes. So what is the risk of maintaining legacy tech as it comes to security?
Forrest Senti: It's two parts. One, having modern security features. Again, to hammer home the whole MFA concept. If you're using a legacy tech platform that's 15 plus years old and no longer in service, updated software, probably doesn't have MFA and it probably has a lot of vulnerabilities that you don't know about. And I think with the vulnerability portion of it, patching, updating software, that kind of stuff, if you're using a legacy software that isn't really being maintained that well, like Windows 7 is no longer being updated, so if you're using Windows 7 because you've got this one computer that does this one thing, that just sits in the corner and it just sits there, runs something and nobody wanted to change it. People are finding vulnerabilities and those vulnerabilities are not being patched and they're able to be exploited, and it's something that can happen. So with legacy software, I think that's the single biggest thing, is that ability to actually keep it up to date and be up to date with modern vulnerabilities.
Lindsay McGuire: Well, two final questions for you. So first off, why should innovative leaders care about security?
Forrest Senti: You have to. It's just the reality of today's world. Cyber attacks are increasing exponentially every single year. When I say the comment on, it's not a matter of if, it's when, that rings true for almost every single company, government period in the world. You will at some point have some form of a data breach. You clicked a link, a flash drive incident, somebody hacked something. It's not a matter of if, it's when. And the more prepared you are, if you have a plan, those kinds of things, that it adds to your reputation as a company, it adds to your reputation as a leader, and it adds to your reputation as an innovator and a forward thinker when you invest in things like security, it's really important because the business costs, all those kinds of things.
You don't invest into it and you just kind of say, it'll be fine. They're not going to worry about us. The reality in the security world, hackers are lazy. They're ultimately thieves. So a thief is lazy. And when I say that, what I mean is there's two houses. This door has a locked door. This door doesn't, which house do they go into? So if your business is investing in security and the company adjacent to you is not, they're going to target that company. And that's how it works. It's literally a waterfall effect. They're going to go for the most vulnerable company and then work their way up. That's how it works.
Lindsay McGuire: One final question for you Forrest, it's been a great conversation, but if you had one piece of innovative advice for leaders on how they can start to digitize in a secure way, what would it be?
Forrest Senti: Don't be afraid. Even if you mess up or you have missteps along the way, you don't manage the cost of it well or the people or the different things associated with it. You're making an improvement to the business by moving in that direction. It's just like security. If you're trying to make an effort in security, it's better than not making an effort at all. So that's the biggest thing is don't be afraid of forward momentum and make mistakes, all those kinds of things, it's not going to be perfect overnight. It's those processes that help to make you better over time.
Lindsay McGuire: I think that perfectly ties into our whole story of our digital maturity report. So I think you put a perfect bow on our conversation today Forrest, thank you so much.
Thank you so much for joining us for this great conversation with Forrest. I'm taking all of my notes from this amazing conversation and applying them to our Practically Genius insider newsletter, which you should definitely sign up for right now. You can do that by clicking the link in the show notes, and as always, rate, review, share on LinkedIn and tell another innovator about the show. You never know, you might just get your next Practically Genius idea right here.