In this episode, we are returning to the Security Design Principles series, this time with Work Factor.
Work factor refers to how much work it is going to take an adversary to attack your assets and succeed. The concept comes directly from the world of physical security, where safes and locks are rated by how long a skilled attacker with the right tools needs to defeat them, and it was imported from there into the cybersecurity realm.
What you need to understand is you don’t need perfect security. You don’t have to create an impregnable system (if that even existed) to be able to protect yourself from most dangers. You just need to become a more difficult target than other organizations. And this is where work factor comes in.
While you need to make it difficult for attackers to consider you as a target, you also need to make sure you are not spending too much time and money doing so, to the point where you are building a $1000 fence to protect a $100 horse. Balancing security and business value is a critical aspect when planning out your security posture.
Another important aspect that a lot of people usually ignore is the anticipated resources available to the attacker. Understanding how your adversary works and what kind of resources they might be able to utilize can help you determine how much protection you need to put in.
Kip Boyle:
Hey everyone. Hi, welcome. This is Your Cyber Path. We’re the podcast that helps you get your dream cybersecurity job or if you’re already working in cybersecurity, we are going to help you get that promotion that you want, the increased responsibilities, the better compensation. Maybe you want to change employers, you’re already working in cybersecurity and you just want to go someplace new with bigger and better challenges. Well, we’re going to help you with that as well, so we’re glad you’re here. My name’s Kip Boyle. This is Jason Dion. Hey, Jason.
Jason Dion:
Hey, Kip.
Kip Boyle:
Well, it’s great to be back for a new episode and according to the editorial calendar as folks are listening to this for the first time, it’s September. And if you’re a parent, your kids should already be back in school. And if you want to get a new job, this is peak hiring season for the rest of the year. And so if you do want to change employers, you’d better get busy. If you’re not busy already, you need to get busy. And I’ve got a suggestion for you. If you haven’t started this get-a-new-job task in front of you right now, and maybe even if you’ve just started, I want you to go and sign up for a course that Jason and I made. It’s called Irresistible, and what are we doing in that course? Well, it’s an online course. It’s at Udemy. I’m going to give you a URL in a moment that’s going to give you the best possible price on this course.
So it’s an online video course, and this is what we did. Jason and I took every hiring manager secret that we discovered over the long period of time that we have been hiring people and building teams. We found out as we were doing that, there were certain people who stood out to us as we were reviewing resumes and conducting interviews. And of course, as we hired people, we had to live with the consequences of our decisions, and we learned what makes candidates stand out in the hiring process and what are those qualities that also tell us that this person’s probably going to do a great job once we bring them onto our team. Jason and I put all that we knew together and we put it in this course for you. So if you want to know what it’s like to sit on the other side of the hiring table and you want to get into our head and know what it is we’re looking for, this is the course that’s going to let you do that.
And now the best way for you to get there is I want you to go to yourcyberpath.com/udemy. When you go there, you’re going to see a link to all the courses that Jason and I have done together for our listeners here. You’re going to see the one for irresistible. I want you to click on that, and then that’ll take you over to the purchase page and then you can check out the course. And again, you’re going to get the best possible price. Jason, how does that work getting the best possible price? Why do it this way?
Jason Dion:
Yeah, so if you go to Udemy directly, they’re going to basically use a bunch of different factors to give you a price. And that price is going to be based on where you live in the world. It’s going to be based on if you’re on a Mac versus a Windows machine, an iPhone versus an Android. I’ve noticed that Android users get cheaper prices than iPhone users. I don’t know why, but apparently they do. And there’s all sorts of different factors that Udemy uses, time of day, how well the course is selling on that particular day versus another day, all sorts of different factors. But if you go over to our website at yourcyberpath.com/udemy and you click on those, those have an embedded coupon link already inside them. And usually the coupon link is just the three digits of the month and the year. So if you’re doing this right now as it came out, it’ll be SEP 2023. If you wait until October, use OCT 2023, et cetera.
Sorry, if you just go to yourcyberpath.com/udemy, we already have that link in there. You click on it, that tells Udemy you came from us, and we’re able to set the price once a month at the lowest possible price. And we talk about the pricing on Udemy. Generally it’s somewhere between $10 and $20 for the course. This is not a $1,000, $2,000, $3,000 program. We made this specifically on Udemy to be an inexpensive thing because we didn’t want price to be getting in the way of you getting the information that you want. So as I said, on Udemy it’s going to cost you somewhere between 10, 15, 20 bucks at most, and it’s about a six hour course that’s going to teach you everything we know about how to write your resume, where to find jobs, how to do your interviews, how to do your negotiations, how to succeed the first 90 days on the job. All those kinds of things are all bundled into this course. Really, download our brain into yours.
And if you are a longtime listener of this podcast and you’ve listened to all 100 plus episodes, at this point, you’re probably not going to learn anything new to be quite honest. Because we’ve covered almost all of this in this podcast over this time. The big difference here is instead of having to go and listen to 50 hours of podcast, you can listen to five to six hours of tailor-made course that walks you through these steps. And especially in the resume section, we spend three or four videos, almost an hour, hour and a half of content going through how to write your resume. We do examples on the screen of showing you a resume and what kind of bullets you want to write and all that kind of stuff. So it’s really valuable and like I said, very low cost, less than what you probably pay for lunch. It’s 10 to 20 bucks.
Kip Boyle:
Yeah. And it’s a great way to just bring all of our lessons together and it’s going to be super convenient for you. We’re just going to walk you through everything and like Jason said, it’s going to be the cost of a nice lunch.
Jason Dion:
And really the thing is we’re trying to make it easy and make it so it’s not hard work for you, which obviously brings us to the topic of today, which is work factors.
Kip Boyle:
Work factor. Nice segue. Welcome.
Jason Dion:
Hey, there you go. That’s what I’m good for.
Kip Boyle:
There you go.
Jason Dion:
I tried to pull you back in, Kip, but yeah, so today we’re going to be talking about work factors. I think we’ve sold you enough on the course, but yeah, if you want to get that course, you can go over to yourcyberpath.com/udemy. And just as a side plug, as you all know, I’m from Dion Training. We sell all your certification courses. If you need a certification course, you can go to diontraining.com/udemy. Same thing applies. Any course with Jason in it, you’re going to be able to get there at the lowest price by going to slash Udemy on our website, so yourcyberpath.com/udemy or diontrain.com/udemy. You’ll find Irresistible listed on both those sites. All right, so now getting into our topic of the day, work factors, and we’re returning back to our series. We’re on the fifth SDP or secure design principle, and that’s what we’re going to be talking about today. So what is a work factor, Kip? What are we talking about?
Kip Boyle:
So work factor, again, this is straight from the minds of academics in 1975. So it takes a little decoding for us to understand what these things are in the modern day, but trust me, this is absolutely relevant. So what work factor means is how much effort is it going to take for somebody to attack you and succeed? Now, this is something that we have successfully borrowed from our friends in the physical security world. And specifically, let’s say you run a bank branch and you want to store a bunch of gold bullion. Well, you got to figure out, well, what kind of safe should I purchase, because safes come in all shapes and sizes? One of the characteristics you’re going to look for is a rating that’s going to say, how many hours would it take a dedicated criminal with the right tools to compromise this safe and steal the gold bullion that’s contained within it?
So there’s actually a work factor rating on physical security products, and we’ve taken that and we’ve imported here into our digital security world. But the way we talk about it these days is we want to make it too expensive for attackers to actually compromise you. We want to make it so that they have to work too hard. And let’s face it, they don’t want to work too hard. They’re just like you and me, we’re looking for the low hanging fruit. What’s the easiest thing to tip over and scoop up the digital assets and run away? I mean, that’s kind of what’s going on. So I tell my customers all the time, you don’t need perfect security. You don’t need world-class security. You just need to become a more difficult target than the other targets that the bad boys and the bad girls are thinking about going after. If you could just be a little bit more difficult, if you can get that work factor up there for them, they’re probably just going to go on to the next opportunity.
Now, if you’re being targeted for espionage, that’s a different story, but most organizations aren’t. Most organizations are just going to become the victim of an opportunistic attacker, and this is where work factor is going to help you. And so how did I learn this? So way back in the early days of my career, no, I didn’t start working in 1975, get that out of your mind right now. But when I did work, I had a mentor and he said, “Don’t spend $1,000 to build a fence to protect a $100 horse.” And that was incredibly visual. I could see this broken-down $100 horse behind this high tech $1,000 fence with razor wire across the top of it, and it just made the whole thing snap into place for me.
So it’s not just about making it hard for people, but it’s also about business value. Don’t make it so hard that you’ve actually spent more money than the thing’s worth. So we’re talking about balance here, but you definitely do want the horse thief to look at that and say, “Screw it, I’m going to steal somebody else’s horse. That’s just too much effort.” But when we were doing show prep, Jason, you were telling me about something a lot more relevant and recent and you absolutely need to share this.
Jason Dion:
So yeah, this is one of those cases where I think when you think about the ROI and the business return of putting in some kind of a security aspect, where it can make sense or it cannot make sense, and sometimes there’s just some stupid business decisions that are made out there based on risk that make no sense to me. And this is one that actually hit me about two weeks ago. My mom owns a Kia Soul, and for those who don’t know, here in 2023, Kia and Hyundai, who are both the same manufacturer, essentially had a big issue where they were not installing proper anti-theft devices in their cars.
Kip Boyle:
Wait, is the Kia Soul that boxy-looking thing that the hamsters are driving around?
Jason Dion:
Yes, that is the Kia Soul. Yes. My mom’s on her third one. She loves that stupid car.
Kip Boyle:
Oh my goodness.
Jason Dion:
She’s had three of them now over the last 15 years or so.
Kip Boyle:
Hamsters for the win.
Jason Dion:
Yes, the hamster marketing apparently won with her, and I think it works because she’s really short. So it’s like an SUV for short people. They designed it for teenagers and then all the older folks seem to buy them. It’s really weird.
Kip Boyle:
I didn’t know that. Sorry. Keep going.
Jason Dion:
Yeah, my mom lives in an area called the Villages, and I swear the Kia Soul is like the official car of the Villages. They’re everywhere over there.
Kip Boyle:
Oh my goodness.
Jason Dion:
But anyway, I digress. So the issue is that Kia and Hyundai, they make really nice cars, and one of the things they’ve always prided themselves on is putting in features that customers want, but similarly, they will cut out features that customers don’t care about. So for instance, if I’m going to sell you a house kit, you care what the carpet looks like and the tile looks like and what kind of kitchen it has, right?
Kip Boyle:
Yeah.
Jason Dion:
But whether I gave you a closet that has a brushed nickel hinge on it with black screws or silver screws probably doesn’t matter, because you’re not going to look at that kind of detail. And so Kia and Hyundai are known for taking some shortcuts in places that people don’t see, and one of those was this anti-theft lock device. Most modern cars, if you don’t have the right key with the chip and all these things, you can’t actually hotwire the car and steal it. Well, it became known that Kia and Hyundai didn’t put those things in their cars. And so there was a TikTok trend, go TikTok again, that was, hey, let’s go steal cars and go for joy rides. And people started doing that. And so it became such a problem that the insurance industry started dropping customers and saying, “We are no longer going to insure your vehicle because you have a Kia and it has not gotten retrofitted with some kind of anti-theft device.”
So Kia and Hyundai have gotten a lot of flack for this. They’ve now dedicated, I think, almost half a billion dollars towards fixing this problem and having customers bring back their cars. But the problem is some of these cars cannot be physically upgraded because they never had a part for it. It wasn’t like it was a feature that broke, it was a feature that did not exist. And so my mom has this older Kia Soul and she brought it in for the recall, and the solution that Kia had was, here is a club, and they installed the club. And her insurance company said, “Okay, we will give you coverage, but we need the dealer to install this anti-theft device.” So the dealer literally installed the club, which, for those who don’t know, was really big in the late ’80s, early ’90s.
It’s basically a big red or big yellow bar that goes across your steering wheel and locks into place so that, could you turn on the car? Yes. But could you drive it really easily? No, because you’ve got this big stick across it that gets in the way. So that’s the whole idea of the club. Anyway, it’s not a permanent solution. It’s something you have to put on and take off. Every time you’re going to park the car, you put it on; every time you’re going to drive the car, you take it off. And literally her insurance company made her go to Kia, which was 20 minutes away from her house, have the guy install it, take a picture and email it in to the insurance company going, “Kia installed the club.” And then as soon as they did that, they took it off and put it in the passenger seat next to her, and that was considered good enough and the insurance company gave her her insurance.
So what does that have to do with all of this? This is talking about what they should have done, which was an actual recall, and they should have modified the cars with a new part that actually had the anti-theft device that would stay in the car at all times. Instead, they went for the cheap solution, the $100 solution for the $100 horse, which was, let’s give every customer a $50 club and go, yep, we’re done. And to be fair, Kia and Hyundai did not have any legal obligation to do anything about this problem. It was not a manufacturer defect, it was a design choice they made. There’s nothing by the NTSB. There’s nothing by federal regulations that say, well, it’s a must have. There’s things that say you must have seat belts, you must have airbags. There’s nothing that says you must have anti-theft devices, but it now became a problem for all their customers because you can’t get insurance on these things because of that. And so there was-
Kip Boyle:
Let alone know that it’s going to be in your driveway when you go out to actually use it.
Jason Dion:
Exactly, right?
Kip Boyle:
Yeah. And so the principle behind this I think is a great story because what was going on here, well, what was driving the entire debacle here is the insurance companies were saying it’s too easy to steal this car, make it harder, increase the work factor. I mean, that’s what the insurance companies were looking for.
Jason Dion:
And when we’re talking about this, this wasn’t a one year problem. This is something I’m looking back at the dates and pretty much every model since 2011, so we’re talking 12 years of models.
Kip Boyle:
Yeah, it’s a long time.
Jason Dion:
2011 through 2020s, 2021s, 2022s even on some of these cars. Pretty much every make and model owned by Kia and Hyundai are affected by this. And so this is a massive issue. And so if the federal government stepped in and said, Kia and Hyundai, you need to go and replace everybody’s ignition starter with this new anti-theft system, it’s going to cost you $2,000 per car. They might go, well, why would I spend $2,000 to upgrade an old 2011 Kia Forte that might only be worth $2,000? So they said, “Hey, the club makes sense.” And so you’re going for a $100 fence for a $100 horse in this case, but you’re right, it is trying to increase this work factor.
Kip Boyle:
Right. And I also think it’s illustrative of the frustration that I sometimes feel like, let’s say I work for the insurance company and I’m saying to myself, we need to increase the work factor here, otherwise it’s not going to be profitable for us to write these policies. And so we issue a bulletin, we tell the Kia dealers like, this is what you need to do in order for this to be insurable. And then these yahoos take a photo of this club on the steering wheel and then throw it in the backseat. And has anything really been accomplished? No.
Jason Dion:
Right. Because that is an active defense, which means I as the customer have to literally put it on every day.
Kip Boyle:
Yeah, every single day.
Jason Dion:
It’s the same thing at my house. I get an insurance discount because we have fire sprinklers installed in the house when they built it. We have certain wind ratings because I’m in Florida, and if your roof is put on a certain way, you get a wind mitigation discount and all those kinds of things. Those things are great because they exist in the house whether I do something or not. There is no discount for me having a lock on my front door, but I’m expected to have a lock on my front door and to lock it, but if I don’t lock it, somebody can just walk in the front door. And that’s work effort versus me having an alarm system that goes off with bells and whistles and all that kind of stuff. And so these are the kind of things you have to think about when you’re building your system: what kind of systems you’re going to put in place and what kind of protections and what kind of data are you trying to protect.
This is something that really hits home with me because I worked for many years in classified spaces for the government, and we would spend billions and billions of dollars building these secure facilities where you could not have any wireless signals coming in or out of the buildings. There were no windows in these buildings for that reason. We’re working out of basements and we have all this top secret information we have access to. And then I would get an email from somebody like Kip and go, “Hey, you want to meet for lunch at 1:30?” And I’d look and it would be classified top secret, because people classify things all the time on a top secret network, like, oh, by default it’s top secret. I’m like, it’s not top secret, Kip. You want to meet me for lunch? That’s not a top secret thing. That’s just regular lunch. Let’s just go get lunch.
But if you classify that as top secret, now we have to protect that for the next 40 years, and that’s storage costs, that’s encryption costs, all those things add up. And we had this huge excess of costs because of over-classification. And so something that, if you’re working in the government sector, you’re always trained on: classify it to the lowest level possible that still gives you the protections you need. And not everything is top secret. Not everything is secret. Not everything is confidential. A lot of things are just unclassified. Like, is Jason going to the doctor this afternoon? That’s not a top secret appointment. It’s just an appointment.
Kip Boyle:
Yeah. Right. So yeah, this work factor principle is pretty interesting, and I hope that the examples that we’ve given so far have helped you understand why it is that we need to make it difficult for attackers, but not so difficult that we’re actually spending too much money to protect something. You see what I mean? We’re looking for balance here. We want it to be hard enough, but we don’t want it to be too expensive. And that’s really what work factor is. And I think that was a great example you gave. I can give so many examples. In fact, in my book Fire Doesn’t Innovate, I talk in there in part two about the never ending struggle to demonstrate that dollars spent on cybersecurity can create good business value. And it doesn’t just slow people down and kill productivity and make people think that they’re standing in a long sweaty line at the airport trying to get to their flight, which is what a lot of senior decision makers think about when I bring up the subject of, hey, we need to install this new control.
So the business value of cybersecurity is such an important aspect of this whole thing about work factor. Now, one of the things that we’ve been encouraging you to do is to bring these security architecture and design principles to work with you and to use them on the job so that you can better understand new technologies that may come at you on the job or new architectures going from on-premises to cloud. Whatever the change is, whatever the new thing is, you can use the security design principles to understand it better, faster and to know how to secure it. So if there’s a new product that comes along and you’re asking yourself, what should we do to secure this thing? You can think about work factor and you can start to think about, okay, what’s the value of the asset in this? Is this just a content management system that contains marketing materials?
Well, that’s a completely different situation than a content management system that contains personal information of citizens of the European Union, which is like radioactive waste. You can get in big trouble if you don’t protect that stuff really, really, really well. So you want the work factor to be really high on the content management system that has the PII, and you don’t need it to be that high on the content management system that has the marketing material. So I hope that helps you understand how you can bring work factor on the job. Jason, did you have any other thoughts about how they could use work factor to do good work?
Jason Dion:
Yeah. So one of the things I just realized is, as we went through this, we went right into the examples and we never actually gave the definition from the paper. So I’m going to go back and do that real quick. The actual definition we talk about for work factor is to “compare the cost of circumventing the mechanism with the resources of a potential attacker,” and the two things to weigh are A, the value of the asset being protected, and B, the anticipated resources available to the attacker.
Kip Boyle:
I think that’s consistent with everything we’ve said so far.
Jason Dion:
100%.
Kip Boyle:
I still think we’re okay.
Jason Dion:
Yeah, we are. I just wanted to get it out there of what the official definition is. And I think these are the two things that are always things that we need to consider. It’s what is the thing you’re protecting and how much is that really worth to you? And the other piece that’s really important is the resources available to the attacker. And that is a piece that a lot of people don’t consider. So for example, let’s say I have a little cabin in the middle of nowhere. I’m in the middle of the forest, I’m 50 miles from the closest neighbor, whatever. I could probably leave my door unlocked and no one’s going to go there because A, they have to know where my little cabin in the woods is, and B, they have to get there. That’s just a lot of work. And there’s no roads and you’ve got to hike 50 miles or whatever. It could be really a challenge.
So that would be, hey, the value of the asset, probably pretty small. It’s just an empty cabin. The anticipated resources available to the attacker: a lot of work for them to get there. Consider that versus where I live now. There’s a million people within probably 20 miles of my house. There’s a lot of threats out there that could get to my house, and there’s all my stuff. I’ve got my checkbooks and my papers and my computers and my electronics and all that stuff. So this house, I lock the door, I have security cameras. I’m in a gated community, so you have to have a code to get into the community and all those kinds of things, because there’s more value that I’m trying to protect, my family included. I don’t want people coming in here and holding my family hostage, for instance. And the resources available to the attacker: I’m trying to stop the majority of people.
I’m not going to stop everybody. And if there’s a determined threat, they can climb the fence, they can piggyback on somebody else’s cars as they’re driving in the neighborhood. They can break a window and jump into my house, whatever it is, there’s ways that they can do it, but it all comes down to how much effort are they going to have to put into it, and is it easier to do that than it is just to go to the neighborhood across the street that doesn’t have a fence and doesn’t have a gate and they didn’t lock their doors and there’s no lights on and all those other things. So these are the things we want to think about. And I think you made a great point in your book when you talk about don’t go for perfect, your whole job here is to optimize your security to deal with a cyber attacker and really just to be a harder target than the guy next to you.
It’s like the old joke, if a bear is chasing you and your buddy in the woods, what do you have to think about? Can I at least run faster than my buddy? Not the bear. I just got to run faster than my buddy so I can get away and Kip’s going to get eaten by the bear. That’s really what we’re talking about here: the attackers are going to attack. And even a couple episodes ago we were talking about, I was going through my logs and we saw these different attacks, and really it was just opportunistic attacks. People were throwing Windows exploits at my Linux server. They had no research, they had no idea what was going on, but because the resources available to do that, which are bots in a cloud-based environment, cost them almost nothing, they can just throw attacks all day long and hopefully they’ll hit something. And that’s what they’re trying to do. And we are trying to do the opposite by making it harder, by putting in firewalls, by putting in IPS, by putting in AI and ML based detection systems and all that.
Kip Boyle:
Without overspending and without making people’s lives awful, and they can’t get their job done because that goes back to psychological acceptability. So all these security design principles, they’re related to each other. They touch on each other. And so we absolutely need to be considering really all of these things together because we push too hard on one, it’s going to mess up another one. There’s kind of an equilibrium we’re looking for.
Jason Dion:
Exactly. And I think one of the biggest things that you have to keep in mind is that second part of the definition, the anticipated resources available to the attacker. So I think you mentioned this at the top of the episode, if there’s an APT coming after you, an advanced persistent threat, they’re going to get in. If they want to, they can spend unlimited… For instance, if the US government wanted to hack my computer or the Russian government or the Chinese government, they’ve got way more resources than any of our companies do. They are eventually going to get in.
Kip Boyle:
That’s right.
Jason Dion:
How much time are they going to spend?
Kip Boyle:
They probably have a license for Pegasus or something like Pegasus, which can completely compromise your mobile device silently and with 100% or near 100% certainty. And it’ll operate in a way that you’ll have no idea that it’s actually happening there. And so yeah, that is an attacker who for all practical purposes has unlimited resources. How do you protect against that? Well, you can put on your tinfoil hat. You can live in a Faraday cage.
Jason Dion:
You can get so paranoid that you can’t get your operations done. But honestly, I run a couple of companies, you run a couple of companies as well, and we’re not going to put that level of effort into protecting our stuff because we’re not holding nuclear secrets and launch codes. We are holding corporate proprietary data. And so there is a level that we need to protect, and we want to be good stewards of the information we hold of our customers and all that kind of stuff. But we’re also not going to spend a million dollars to protect a $10 asset. Instead, we are thinking about the anticipated resources of the attackers who are going to go after companies our size.
And generally it’s going to be what a basic penetration tester is going to use. Is there an open source exploit out there? Will it be exploitable by something like Metasploit? And when I look at the CVSS and the reports that we see for a particular vulnerability, it will tell you there is a publicly known exploit for this. Yes. Well then I’m worried about it. If there’s not, I’m not as worried because now we’re talking zero days and those things are worth a lot of money and people aren’t usually going to waste a zero day on somebody my size.
Kip Boyle:
They’re not going to burn a zero day on us. It’s not worth it because for them, that’s like launching a million dollar missile to kill a fly.
Jason Dion:
And so these are the things you have to think about. The value of the asset and what is available to the person who’s most likely going to attack you. And yes, you are taking some risk, but if we can get to the 90% or 95% solution and spend $10,000 a year, but to get to a 100% would cost me $100,000 or a million dollars a year, I’m probably going to do the $10,000 solution as long as that meets my legal and compliance requirements to make sure I’m protected.
Kip Boyle:
Yeah. And that actually goes over to a concept which I’m not going to unpack fully here because I’ve done it actually several times in my other podcast. But reasonable cybersecurity is what the Federal Trade Commission in the United States says we are all obligated to practice. And their definition of reasonable comes back down to what is reasonable for an organization like yours, considering the type and amount of data that you’re collecting and your size and your sophistication. So if I’m running a pizza joint and if I’m taking credit cards so people can buy their slice, I’m not going to be compared to a bank. I’m not going to be expected to have bank level security for my pizza joint. I’m going to be compared to other pizza places, and if I’m wildly out of step with other pizza places, if people are giving me their credit card and I’m taking a photograph of it and storing it in iCloud, okay, well, I’m clearly out. I’m not in step with everybody else, so I’m being unreasonable. So anyway.
Jason Dion:
And I think I mentioned this in the podcast before, but for those who are interested in what Kip just talked about, this actually goes back to a 1932 court case. They went all the way to the Supreme Court. I love pulling out random things, but it's actually called the TJ Hooper case. And I'm pretty sure I talked about this on the podcast, but essentially there was a boat that was carrying cargo going up the Mississippi River. They didn't have a radio on board. Storm came out of nowhere. The ship went to the bottom of the Mississippi, they lost a million dollars in cargo, which is a ton of money in those days in 1932. That'd be like a couple hundred million probably today. So it's a huge amount of money. The person whose cargo it was went to the shipping company and said, "Hey, your ship sank. You owe me the money for my cargo, give me my million dollars." And they go, "No, no, no, not our fault. Act of God. We can't control the weather."
And they went all the way to the Supreme Court with this. And what the ruling was was, hey, most ships at this point, like 80% of the industry, had radios. If you had a radio, you would've known that storm was coming. You would've gone back to port. You wouldn't have been at the bottom of the Mississippi. The cargo would've been safe. So therefore, since you didn't practice reasonable industry care, which is what you're talking about, if you're a pizza joint, you need to do what other pizza joints are doing. If you're a bank, you got to do what other banks are doing, having that reasonable level of expectation and protection. If you don't, you can be held liable for that.
So as a pizza joint, if you have a wifi network, it should be password protected. It shouldn't be open if your cash register's on it. If you have a small network that has your point of sale terminals, you want to make sure there's a firewall protecting you from the outside. Basic things like that, that cost very little money, you're expected to do, but you're not expected to have government grade encryption and top secret vaults and Faraday cages and all that because you're a pizza joint, you don't need it. And so those are the kinds of things you have to think about there anyway.
Kip Boyle:
Absolutely. And I’ve seen a lot of cybersecurity people get themselves in twists because they’re working for a non-bank and they get mad because the non-bank won’t go up to bank level security. And I’m just like, dude.
Jason Dion:
Well, I have this problem a lot as well, coming from a military background, sometimes I have to go, hold on dummy, this isn't the government anymore. You don't need that level of protection because that's going to cost way too much for what you're doing. And even I see this a lot with a lot of veterans that we bring in, or a lot of IT, or cybersecurity folks we take in from the military. And I have several on my staff, including my CTO, who is a former veteran as well. And I have to sometimes remind them like, "Look, we're a training company. We're not the NSA. We don't need that level of protection."
Kip Boyle:
But they’ve been trained to be twitchy when they don’t have a certain amount of protection.
Jason Dion:
Which is fine when you have Uncle Sam’s checkbook, but I don’t have Uncle Sam’s checkbook.
Kip Boyle:
That’s right. That’s right. This is Uncle Jason. He’s got different economics.
Jason Dion:
Yes. My economics or skill are a little different than the US military.
Kip Boyle:
Well, this has been a great conversation about this security design principle, work factor. I don't have anything else to add to this. I think we've done a pretty good job. I'm going to give Jason the final word on this, but if you think we've missed anything on work factor or if you have a question, if there's something that you expected us to mention and we didn't mention it, we want to hear from you. You could just shoot us an email. You can go over to our website, yourcyberpath.com. There's an ask button that you can click right there, and it'll come straight to us. So don't hesitate. We love to hear from you. But any final words, Jason?
Jason Dion:
Yeah. So you mentioned twice in the podcast, "Hey, I mentioned this on my other podcast," but you didn't tell them what your podcast was. So for those who are interested, Kip, pitch your other podcast.
Kip Boyle:
Okay. Okay. Okay. So I have a podcast with another Jason. Actually he goes by Jake. His name's Jake Bernstein. He's a cybersecurity and privacy attorney. He works at a pretty big law firm called K&L Gates, and it's called the Cyber Risk Management Podcast. What do you know? We've been doing it for about five years. And when I first went out to sort of claim my little podcast space for that, nobody had grabbed all those keywords. And so I was like, okay, I'm going to do it. So anyway, it's called the Cyber Risk Management Podcast. You can find it anywhere you can find Your Cyber Path. So just open up your podcast app where you're listening to us right now, and just do a search for the Cyber Risk Management Podcast. And I invite you to check out an episode in there and see what you think.
Because what we’re doing over in that podcast is a little different. What we’re doing is we’re talking about cybersecurity issues that a CISO and an attorney talk about on a regular basis. And we’re talking about big decisions that need to be made, such as what does it mean to practice reasonable cybersecurity? And so this will help you do a better job of understanding why your boss comes and asks you these weird questions like what’s going on in your boss’s head as they’re trying to do good work and serve their organization and you’re on their team. And if you want to understand their headspace, go listen to my other podcast.
Jason Dion:
Awesome. Thank you so much. And the last thing I wanted to say is thank you all for listening to another episode of Your Cyber Path. If you just can’t get enough and you want to check out all the old episodes, we have them all at yourcyberpath.com. Any episode we ever mention, like episode 61 with John Strand, you can just go to yourcyberpath.com/61. Or go to yourcyberpath.com, in the top right corner there is a search bar and you can type in anything you want to learn about resumes, interviews, negotiations, certifications, whatever. And all the episodes will come up that relate to that so you can listen to those. Lots of great content out there and we look forward to having you again on the next episode. Until then-
Kip Boyle:
And by the way, the reason why you can do that is because every episode has a full transcript on the website. So if you don’t have time to listen and you just want to skim, you can do that too.
Jason Dion:
And yeah, other than that, I just want to thank you again for listening to us at Your Cyber Path, and we will see you next time at Your Cyber Path on the next episode.
Kip Boyle:
Bye, everybody.
YOUR HOST:
Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!
YOUR CO-HOST:
Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.