Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:05):
Welcome to Virginia Focus. I'm Rebecca Hughes of the Virginia
News Network. Cyber breaches have evolved from simple experiments to
malware like trojans and email worms, also to phishing and botnets.
The largest data breaches, often involving billions of records, have
occurred since two thousand and five, coinciding with the digital
transformation of businesses and governments. How do you protect yourself?
(00:29):
Let's talk to coll It to Masiak, director of product
marketing at Spycloud, to find out. Welcome to the show.
I'm glad you could be here with us today. I
know it's important what we're talking about businesses protecting themselves
from cyber attackers, and especially now when so much more
information is online than ever before.
Speaker 2 (00:48):
Thanks for having me, Rebecca, No, I agree. I think
it's really important for us to kind of take back
control of our digital footprint and get a really good
idea of what's out there, just to help protect ourselves, organizations,
business and everyone from bad actors trying to access our
information and taking advantage of it.
Speaker 1 (01:07):
Yeah, most definitely. I know you're with Spycloud. Why don't
you kind of tell the audience what it did you
do for them and what makes you an expert in
this area.
Speaker 2 (01:15):
I've been at Spycloud for two years and I'm the
director of product Marketing and I've been in cybersecurity for
a little over seven years.
Speaker 1 (01:22):
That sounds great to me. Let's talk about one of
the things that, as I understand it is a problem
is digital identity risks and outdated data. Why don't you
talk about what does that mean?
Speaker 2 (01:37):
Yeah, So, when we look at how we operate today
as an individual, as a business, everything is so digitally dependent.
We're online all the time, we expect instant access. We
have our phones, our laptops, work issued, personal we are
(01:57):
always connected to the internet. And with that, our identity
kind of sprawls and where we have access and the
username and the credentials and the data is continuing to
expand across this evolving digital footprint. That gets harder and
harder for us to maintain. But to combat that, I
(02:18):
think a lot of people really sacrifice security for convenience.
And that's true for individuals for businesses, and it's just
again harder and harder to manage. But with that comes
a lot of using the same password or even taking
things from earlier on in your digital journey. Like think
(02:39):
about in high school we had AIM screen names or
AOL email addresses, and it was either a favorite band
or like a favorite pet. That kind of extends into
how we secure digital lives today with things that are
personal and easy to remember. But then that password reuse
is what extends across our digital footprint. So let's say
(03:01):
if I'm a shopper on Amazon and I use the
same password. Let's say on Amazon my bank account, my school,
my work account, but Amazon or another retail company gets breached,
a hacker can then or a bad actor can take
that information and connect my identity across all these other
places that I have an account and I have my
(03:22):
information stolen, and that's what leads to account takeover.
But that's what leads to fraud and other targeted identity
cyber attacks. So it's not even the recency of something.
It's because we have this digital baggage of our past
digital life, our present digital life, and where we're going
in the future. It's securing that that makes it difficult,
(03:42):
but it's easy for bad actors to connect those points
to get access to things today, even if accounts are
stale because our kind of human behavior in what we
do and how we operate online leans towards easy and
easy is often easy to guess or reusable passwords or
(04:03):
things that aren't as unique across our different accounts.
Speaker 1 (04:07):
Right, I agree with that. I think we kind of,
like you said, we sacrifice security for comfort. And one
of the ways I think we do that is we
just assume that cyber criminals are dumb and are going
to get caught whatever. But the reality is a lot
of criminals out there, and especially in the cyber world,
are extremely intelligent, and they are studiers of people and behavior.
(04:32):
And let me ask you this, what role do past
data breaches play in what we're talking about?
Speaker 2 (04:39):
Yeah, so that's the thing. Most people assume that, oh,
it's an old account that I created five years ago,
I don't use it anymore. But in that account, again,
you had a password, probably one that you're reusing in
a variation in other accounts, you have your birth date,
and do you have your email address? All this information
that can still connect you to let's say, Rebecca of today.
(05:04):
So Rebecca of the past can still be connected to
Rebecca of today. And then all the other things that
you actually do use within your digital life, whether again
it's work or personal. Bad actors can uncover that. No
one is more motivated than a cyber criminal who can
profit off of stolen data. And not only do are
they do they innovate fast, they're super sophisticated. So yeah,
(05:27):
we have this assumption like, oh, hackers, like maybe they're
not too smart or they won't target me. They have
automated systems, the way they're doing things is highly sophisticated.
So that's the thing. Like even something simple as an
old account where we have a reused password could be
a really detrimental impact to either our personal life or
(05:48):
our work work business life.
Speaker 1 (05:51):
Wow, now I do I did see where Spycloud did
a twenty twenty five identity exposure report. Do you have
any of the results of that in front of you?
Could you talk about it?
Speaker 2 (06:03):
Yeah, So every year we do our identity exposure report
just to kind of look at the landscape of what
threats kind of exist and just even in twenty twenty four,
digital identities are continuing to be the top target for
cyber criminals. And again it's as a personal professional kind
(06:24):
of point of convergence for risk for these identities, and
we found that ninety one percent of organizations reported suffering
an identity related incident in the past year. But that's
nearly double the previous year's reported numbers, and nearly eighty
percent of breaches still involve the use of stolen credentials.
So it's back to that thing we were talking about
(06:45):
earlier on whether it's your current password that you're reusing
or a past password, your entire digital footprint, what we
like to call your holistic identity, can have an impact
to your life today, to your business, to the organization
that you work for based off of credentials and you're
evolving digital identity.
Speaker 1 (07:07):
Okay, now, I know this is kind of going to
run more summertime, of course, because this when we're doing
the interview, But would you recommend spring cleaning, you know,
for businesses and how should they go about doing that?
Speaker 2 (07:20):
So it's not just spring, I mean this is a
thing with spring cleaning. It's so ingrained in us as
a society for the longest time. Like spring cleaning, you do,
like the tedious things that you don't do every year.
You clean your windows and not just from the inside,
like you open it in whatever complex way they're designed.
You clean the outside, you power wash your patio, you clean out
(07:41):
the attic, you take things out for donation and things
like that. It's so much easier for humans, I think
in general to habit stack, especially if you want
to be successful. So as a step one is attaching
maybe a digital cleanse to a season where you're already
aware of this notion of cleaning things out. But the
(08:04):
thing is is to even start that. And again it's
any time is a good time for a digital cleanse,
whenever you have the inkling to do so. But to
start that, like let's say, even with spring cleaning, you
have boxes in the attic and you want to make
decisions to donate or throw out. You can't make that
decision until you open the box. And that's the same
(08:24):
thing with how your digital identity audit kind of needs
to happen. Is in order to decide what needs to
be remediated and fixed and changed passwords and edited accounts,
or deleted accounts and things like that, you need to
open your digital box. So my recommendation is like a
good starting point, whether you're a business or consumer, is
(08:45):
going to check your exposure dot com. And that's like
a simple starting point, and it shows you what information
is already out there, so then you can take control
before someone else, like a bad actor does.
Speaker 1 (08:56):
Oh wow, Okay, so I'm probably one of the people
you are most definitely talking to because I still have
my email address from college and that was I hate
saying this out loud, but I'm going to I left
college in nineteen ninety eight. Yeah, it's been a minute.
Speaker 2 (09:13):
Like people don't realize the extent of their digital baggage
and the impact that it has on our personal life today.
But then at the same time, especially for businesses, it's
again that convenience factor plays a role human behavior, so
enterprises can only do so much with you know, controlling
human behavior. So having the right tools, but more importantly,
(09:37):
having the right data on the landscape of exposures within
a person's holistic identity is critical to take action. You
can't act on what you can't see, so really uncovering
that or illuminating is like a good first step.
Speaker 1 (09:53):
Okay, So what I'm learning, and I hope other people
listening are also figuring out if they didn't already know
this is you know, you hear about data breaches and
you get the emails or you get a message you know,
some form or fashion there was a data breach and
your information was involved. And most of the time, as
long as it didn't leak anything like my social security
number or things that you know, you typically don't want
(10:14):
leaked in real life. You know what I'm saying, Like
I wouldn't want somebody to steal my driver's license or
my social security number. As long as those things don't
get leaked, I don't worry that much about it. But
basically what you're saying is I should be worried about it.
Speaker 2 (10:28):
Well, I don't want anybody to worry. I think we
just want to be aware of how what we do
online has changed over the years and continues to change.
So just being aware and a little bit more
diligent in maintaining and preserving your identity or the security
(10:51):
of your identity online is critical and that just requires
again more awareness and like even a good step is
a password manager. Again, you don't want to reuse passwords
because criminals can correlate that and it can impact multiple
accounts again for your personal accounts or even for work.
(11:11):
But a password manager at least lets you have unique
and diverse passwords across your digital accounts. So that's like
a good bare minimum just to get going.
Speaker 1 (11:22):
Yeah, okay, is this something that as far as businesses
are concerned, is this something that would be solely for
the IT department to handle, like I shouldn't worry about
it as an employee, or is there some way that
I can do that even within my scope of work things.
Speaker 2 (11:41):
I love that you ask this question. So I think
in general, identity has to and has become more of
a team sport across organizations or for enterprises, there's different
teams and departments that manage the security operation, or manage
the identity teams, or manage applications, all these different access
(12:05):
or entry points to an organization's network and systems that
getting access to that can be as easy as again
taking over someone's identity. So a lot of these teams
should work together to understand what that looks like. So
that's like a good step one and maybe potentially reducing
some tool sprawl or data silos or team silos that
(12:28):
happen with an organization to better uncover that. But they
also have to remember that it's that human behavior piece
that they can't control. So again, using the right data,
the right tool, something like Spycloud could help those
teams bridge the gaps to have a more uniform approach
to protecting the identities of their workforce and their employees,
(12:48):
but as humans, whereas as good employees. One thing for
us to kind of remember is again, yes, we expect
that convenience and access, So especially as we're in this
more remote friendly work environment than we were five six
years ago. I would say, again, we use our personal
devices to access work stuff, We use our work issued devices.
(13:11):
We're on vacation, we need to check an email. Maybe
we use our child's laptop or our friend's laptop. Again,
all these other things that we don't have control over
in terms of what could be infected, but also what
IT and security teams don't have control over. So just
again being more mindful of what we're accessing and where,
and then for enterprises to just kind of continue to
(13:34):
do an audit of governance and policies on access, on passwords,
on just overall digital footprint and that holistic identity of
their employees would be helpful.
Speaker 1 (13:46):
Okay, I love that. Are there any things that I
would need to pay attention to, Things that I should
be noticing that would say, hey, some of your older
data is causing problems.
Speaker 2 (13:59):
Now, yeah, so let's say a like a clear sign
that something is stale or stolen is putting security at
risk for a business. For example, is an increase or
a rise in account takeovers, so your users they're getting
locked out or they're reporting suspicious logins from different
locations that maybe they don't reside in. You could also
(14:20):
notice an uptick in strange activity from devices again or
those locations that don't match what is normal, and often
the root cause of that is exposed credentials. So if
you're seeing any kind of anomalous behavior around logins and
access notifications from different applications, from devices, different locations, that's
(14:43):
a good sign that something's not right and you might
want to either reset some passwords, do some step of authentication,
and just make sure that you can remediate that exposure
of that identity.
Speaker 1 (14:56):
Okay, you know, I'm part of the generation that really
kind of was of age, are starting to be of
age when computers really starting to become more commonplace and
to have a password manager or you know, my mother
had a little book that she wrote things down the
passwords that was like Oh my gosh, how lame, you know,
(15:17):
but you're saying that that's something we need to be embracing.
What prevents the password manager from being hacked?
Speaker 2 (15:24):
That's the thing. Unfortunately it because you have a master password,
so if that gets hacked, there's access to that other
information within there. But again it's cyber criminals are innovating.
We can't keep up as fast as they are innovating.
But this is still a good first layer. The password
(15:45):
manager is a good first layer. Enabling multi factor or
two factor authentication is a good layer to make sure that,
again you're accessing something on a device that's maybe in
a different location than normal, you get a ping on
your phone to confirm that it's you. Those type of
first layers of defense is probably the best thing we
can do to kind of get started.
Speaker 1 (16:06):
Okay, that makes sense, And like you said, we can't
keep up, and to be honest with you, we've never
been able to keep up. From the moment that I've
first encountered the Internet and things, there have always been
risks and trolls and you know, people out there doing
nefarious things. Do you think that society will in some
(16:29):
way kind of regress away from technology for some things,
just because it is so hard to stay ahead of
the game for people trying to steal important stuff.
Speaker 2 (16:41):
I think that's such a tough question to answer. I
think sometimes people might have like technology fatigue and things
like that, But you can't argue how intensely you can
scale with technology in the things you do every day
and the access that you have and how businesses grow.
And it's understanding or at least individuals or enterprises having
(17:05):
threshold as to what they're willing to kind of tolerate
or sacrifice in either direction. So it's tough to say
it comes down to preferences, but there's pros and cons
to both side for sure.
Speaker 1 (17:19):
Yeah, definitely, have you seen or do you think that
AI will in some way play a role in these
cyber attacks and data breaches, and if so, how do
you think that will play out.
Speaker 2 (17:35):
Yeah, that's a great question. It's a little outside of
my expertise. What I can speak to is that I
know a lot of organizations are leveraging AI, a lot
of bad actors are leveraging AI, and we're still a
little bit in earlier stages overall and understanding the scope
and the impact of it. But it is happening, and
I know everyone has their eyes on it.
Speaker 1 (17:57):
Yeah, And the most recent thing I saw was people hackers,
whatever you want to call them, deviants, they're using AI
to create basically ghost students, I think is the term
that was used. And the students are applying to colleges
and they can have conversations and send emails and you
think the college thinks it's a legit student, you know,
(18:18):
and they're getting financial aid and they're sending the checks
back and forth. And then you turned out turn to
find out that the AI was your you know, student,
and there is no person that they can identify at
least behind that, and now the money's gone.
Speaker 2 (18:32):
Yeah, so that's that's a risk for sure, But that's
again verifying these identities also includes understanding it everyone has
some type of exposure. Especially with the NPD breach, the
National Public Data breach, there's always an exposure. So a
person not having exposure is also an indicator of is
(18:53):
this identity actually for real? So again, one way that
enterprises or universities can you know, better understand potential
students or potential employees is kind of again looking at
that exposure check to understand the risks, whether they exist
or whether they don't. It's a good step. What we
see kind of at Spycloud, and it's not directly
(19:13):
related to AI, but we're seeing kind of hiring fraud
coming out from different countries in terms of hiring contractors,
and they're either insider threats or insider risk accounts, and
that's something that businesses should also be kind of aware of.
So again it's it's not only protecting the identity that
(19:34):
we have, but it's also understanding the scale of is
this a real identity? Also is this a legitimate user?
And I think again that's one area where Spycloud plays
a great role in getting businesses the information needed to
make those decisions like is this really an employee, is
this a actual contractor? Is this an actual customer consumer
(19:57):
trying to transact on the website, Just again looking at
your own digital exposure footprint and remediating that. It's verifying
whether this identity is legitimate or if it's a bad actor.
Speaker 1 (20:10):
Yeah, and I think that's going to be more and
more and more important, especially with AI. It probably already
should be, you know, but I don't think we're there yet.
Are there any overlooked areas when we're going through our
past digital history and we're you know, doing what you're
talking about. We're cleaning out, we're unsubscribing, we're closing accounts.
(20:30):
So is there anything that we might overlook that we
need to be sure to pay attention to?
Speaker 2 (20:35):
So I think the overlooked thing is just even being
aware that you have this digital baggage. That's like a
step one, it's what do I have in these boxes?
in the attic? And it's the same thing for your digital footprint,
just even like the step one is again check your
exposure dot com and just understanding what outdate you probably
(20:58):
have accounts that you forgot about again like yes, you
have college accounts or like your first internship, what about
those like embarrassing AIM screen names and AOL accounts that
we all had or were Hotmail or whatever it was,
Understanding how that could impact our lives today and just
looking at what do we really need to clean up, organize,
(21:18):
diversify our passwords with, eliminate or decrease some reuse. But
Step one comes from understanding our footprint and what's actually
been exposed, and that's where check your exposure dot com
can kind of help. It's a free tool shows you
kind of the landscape, the scale of the exposures that
are out there, and it's just a good first step.
Speaker 1 (21:38):
Okay, that sounds awesome. I'll be checking that out when
we're done here. Let me ask you this. I'm really curious,
and you are the expert. Is there anything the audience
needs to know that I just haven't thought to ask
you about?
Speaker 2 (21:52):
Again, I think it's really the notion of a holistic
identity and how our past and present lives will continue
to impact and shape our future lives. And that's personal
and professional and they're so intertwined and connected and they
will continue to do so and be so because again,
(22:14):
we sacrifice security for convenience. We have expectations of instant access,
and I think with how quick everything has become on
the Internet, we've lost our patience a little bit. It's
not the same as waiting for that dial tone to
log into AOL and that was just the norm.
(22:35):
Everything's so fast, and it's the norm now that it's
easy for us to forget to potentially take a few
extra steps to ensure our digital identities are secure so
we can prevent exposures or just checking in on our
digital identity and that holistic identity to see what needs
to be remediated. So that's where the whole spring cleaning
(22:57):
thing comes in. But it's again not just it's whenever
you have the notion to do like a nice organization
or the rearranging of things, whether it's furniture or whatever
your preference is, just ask everyone to think of your
digital life in that same lens of what can I
do to like reorganize my photos, reorganize my passwords, reorganize
(23:20):
my playlist, like in that same vein is that digital
cleanup needs to be a regular part of our kind
of annual checkpoints.
Speaker 1 (23:29):
Okay, now what do you recommend? I assume the same site,
but are there any additional recommendations for those of us
who may be needing to do this for our parents,
our elderly parents, or even for our children.
Speaker 2 (23:43):
I love that you said this. I don't know. I
hate that I'm referencing this. But like, like in the
last few years on TikTok, there was this whole thing
about the are you the password child? Are you familiar
with this? Rebecca?
Speaker 1 (23:55):
I think so? Yeah, go ahead and explain it though,
just in case I'm.
Speaker 2 (23:58):
Wrong, have multiple. If you're an adult and you have siblings,
the parents usually pick a child to be the password child,
and that the notion was that that was the most
responsible child to be tasked with the password child. So
now picture this, you're the password child. So you're managing
your digital footprint and all your passwords. Then you've got
(24:19):
to remember mom and dads or your grandparents' passwords and
their digital kind of security situation. Maybe you have teenage
children and they're starting to dabble with online things, so
you're managing not only your personal passwords, your grandparents or
parents' passwords, your children and family's passwords, your work passwords,
and all these things. That's a lot. So again it's
(24:42):
then it's not only your identity that is potentially at risk.
And I don't want to like make this scary or
anything like that. It's just again that awareness, but it's
your identity that could be at risk. But then there's
that correlation and connection to your family members and your parents,
your children, whatever it is, because there could be that
potential of crossover. I don't want to call it cross contamination,
(25:05):
but essentially in the passwords, yes, so even a
great while for businesses for sure, check your exposure dot com.
We have two components on there that can look at
your enterprise domain risk, but then also your personal risks.
So that's where you can check your information, your grandparents,
your parents, your friends and neighbors. Just check your exposure
(25:27):
dot com is a great first step again just to
see what's out there, and then you can make a
plan on how you can remediate those exposures and those risks,
but then have a better idea of how to better
enable protection of your identity going forward.
Speaker 1 (25:43):
Right, And I know for my children they've gotten older
of course through the years, but you know, when they're
younger and they're just journeying into online access, you often
put your email as the recovery or the you know,
secondary or whatever.
Speaker 2 (25:59):
And wells can relate that.
Speaker 1 (26:00):
Right. That's what I was about to say, is should
we not be doing that or we just need to
keep a close eye on it.
Speaker 2 (26:07):
I don't have a good answer for that. It's not
my particular area of expertise, but in my opinion, keep
an eye out on it. But I'm sure there's other
more informed opinions on that topic around that security.
Speaker 1 (26:23):
Yeah, Yeah, for sure, are there other things that we
may be finding ourselves attached to in this same way
of what we're already talking about that we don't might
not think about right off top of our.
Speaker 2 (26:37):
Head, attached to in terms of what are.
Speaker 1 (26:42):
Our online identity?
Speaker 2 (26:44):
Yeah, so in terms of our online identity, I think again,
people still might feel that there's a clear delineation between
work and personal. And again, you you have your work
devices and things like that, but it's so easy to
forget that it gets blended, especially again on your on
(27:07):
your how how many people are checking their work slack
or teams or work email or sometimes joining from a
meeting or accessing information on their mobile or they have
other devices or we have you know, it's it's easy
for people to forget that those are two separate things.
But then it's easy for enterprises to sometimes not I
(27:30):
don't want to say look away, but like have oversight
or have lack of oversight in terms of how their
employees' personal digital footprint can impact the enterprise and put
it at risk a little bit. Again, because it's that
human behavior and the passwords that we choose and how
we behave a little bit. So it's just having people
(27:52):
be more aware that digit that personal and professional does
blend more than we think, and trying to really separate
the two as individuals is a great start to keep
both at risk separately. But again, also for enterprises in general,
is understanding that holistic identity of your employees that correlates
(28:16):
that past and present professional and personal. That's going to
help you as an enterprise, as an organization, make better
decisions on how to protect your employee identities and secure
access to your corporate environments and systems.
Speaker 1 (28:32):
Okay, all right, that makes a whole lot of sense
to me. I've learned so much today. I cannot tell
you how much I appreciate that. Will you give us
a few online resources that we can learn more.
Speaker 2 (28:44):
Yeah. One of my favorite, and I'm biased, but it
is check your Exposure dot com. It is a free tool.
It's a great starting point that allows people to see
what personal and professional information might already be out there
as a result of past breaches. But if you want
more information on what constitutes a holistic identity and what
(29:05):
Spycloud does when it comes to holistic identity
threat protection, then just checking out spycloud dot com is
there a great resource for more information on how we can
help businesses protect their employee identities as well as your
consumer identities.
Speaker 1 (29:21):
Awesome. Well, I know we're at the end of our time.
I just want to make sure to say thank you,
thank you, thank you. This was so informative and I
hope that we've helped some of the listeners. I know
it's helped me a lot.
Speaker 2 (29:32):
Well, thank you for having me, Rebecca.
Speaker 1 (29:35):
I hope you've enjoyed today's show. Thanks for tuning in
to the show on your favorite local radio station. You
can now listen to this show or past shows through
the iHeart app or on iHeart dot com. Just search for
Virginia Focus under podcasts. I'm Rebecca Hughes with the Virginia
News Network, and I'll be here next week on Virginia Focus.