
Challenges of Cybersecurity: Confronting Digital Threats

Cybersecurity expert Chris Simpson, director of the National University Center for Cybersecurity and former US Navy serviceman, joins me, Kimberly King, for a revealing conversation on the persistent challenges of data protection. We tackle the paradox of why data breaches continue to occur despite heightened awareness and security measures. From the crafty nature of social engineering attacks, phishing, and AI-enhanced phone scams to minor configuration mistakes that lead to major vulnerabilities, we uncover the layers of complexity organizations face today. With sectors like government, healthcare, finance, and retail being prime targets due to their sensitive data, our discussion sheds light on the relentless pursuit by cybercriminals.

On a personal note, I share a story of warding off a scam, underscoring the importance of vigilance, particularly for older adults who may find themselves in the crosshairs of phishers. We outline clear, actionable steps for consumers to safeguard their digital presence, emphasizing the necessity of up-to-date software and cautious communication practices. The critical role of robust cybersecurity training in organizations is another focal point, as we emphasize the threats posed by social engineering and the importance of building security into the foundations of business operations. We also navigate the legal and regulatory landscape, questioning the adequacy of current deterrents against corporate negligence in the face of data breaches.

  • 0:05:05 – Common Cyber Attack Targets (114 Seconds)
  • 0:10:06 – Remote Work Impact on Data Breaches (88 Seconds)
  • 0:14:31 – Cybersecurity Training and Software Vulnerability (126 Seconds)

0:00:01 – Announcer

You are listening to the National University Podcast.

0:00:10 – Kimberly King

Hello, I’m Kimberly King. Welcome to the National University Podcast, where we offer a holistic approach to student support, well-being and success – the whole human education. We put passion into practice by offering accessible, achievable higher education to lifelong learners. Today, we’re talking about cybersecurity and data protection options. According to a recent article in CyberArk magazine, ongoing AI transformation and pervasive cloud computing are increasing the risk of identity-related attacks. Organizations must adopt a new strategy centered on identity security. Stay with us for today’s podcast.

On today’s episode, we’re talking about cybersecurity and data protection strategies. Joining us is the director of the National University Center for Cybersecurity, Chris Simpson. Chris is also the academic program director for the Master of Science in Cybersecurity program at National University. He has developed innovative curriculum and labs in ethical hacking, pen testing and incident response. Chris retired from the US Navy in October 2009 after 27 years of service, and he has extensive experience as an information assurance manager, including a tour as the information assurance manager for the Commander Combined Forces Command, Afghanistan. He holds a Bachelor of Science degree in computer and information science from the University of Maryland and a Master of Science degree in information security and assurance from George Mason University, and he holds other certifications as well. And we welcome Chris to the podcast. How are you?

0:01:55 – Chris Simpson

I’m doing great, Kim. Thanks for having me.

0:01:57 – Kimberly King

Thank you and thank you for your service. Why don’t you fill our audience in a little bit on your mission and your work before we get to today’s show topic?

0:02:05 – Chris Simpson

Yeah, so, at National University, our goal is to help grow the cybersecurity workforce. We help adult learners prepare for careers in cybersecurity. We have both a bachelor’s and master’s program in cybersecurity, and we also have been designated by the National Security Agency as a center of academic excellence in cyber defense education.

0:02:32 – Kimberly King

Well, that’s excellent. Today, we are talking about cybersecurity and data protection strategies: so timely, so relevant. So why do so many organizations still fall victim to data breaches, even with increased awareness and security measures?

0:02:47 – Chris Simpson

Yeah, so it is challenging for organizations to protect themselves. And if you think about the attack surface, so, you know, any system that’s on the internet can be connected to or attacked from any other system around the world. So it is a very broad attack surface. And from an attacker perspective, you know, if they can, let’s say, send out 300 million phishing emails and they only have a 0.1% success rate, that’s still a pretty high success rate of, you know, getting information, stealing information or gaining access to different systems.

0:03:25 – Kimberly King

Unfortunately, right, it’s just really getting crazy today in the amount of these emails that are going out, and other ways. So what are some of the most common vulnerabilities that hackers exploit in organizations today?

0:03:38 – Chris Simpson

Yeah, so there’s a great report that Verizon does. It’s called the DBIR Data Breach Report, and one of the things they notice is social engineering attacks; that’s one of the common methods causing data breaches, especially things like phishing and email, and even now, with some of the new AI tools, phone calls where people imitate other people’s voices, like a CEO’s, or things like that. Another cause for some of these successful attacks is configuration mistakes. So, you know, there are complex systems out there, so a configuration mistake can cause a vulnerability or provide an attacker potential access to a system.

0:04:17 – Kimberly King

Wow, from a consumer perspective, why do we receive so many notifications about our data being compromised? And you do bring up a really good point with AI in there too.

0:04:26 – Chris Simpson

Yeah, so, great question. Actually, in some ways, that’s a good thing, because now consumers are being notified that their information has been compromised. So part of that is just that many countries, states, counties have regulations requiring data breach notification. So that’s having an impact, and there still are, you know, a large number of data breaches out there. So I think that’s why we’re seeing the notifications.

0:04:56 – Kimberly King

So, on that note, are there any particular industries or types of organizations that are more prone to breaches, and why would that be?

0:05:04 – Chris Simpson

Yeah, sure. So if you think about it from an attacker perspective, if they want to steal data or information, they’re going to try to attack the organizations that hold a lot of data and information. So government agencies are a primary target because they have tons of sensitive information: tax records, social security numbers, things like that. So they’re frequently targeted, and that’s at the federal, state, and local level. The health care industry, that’s another industry that has a lot of data, and if you think of the health care industry, not only do they have personal information, but they have financial information and things like that. So they’re another big target.

And then, speaking of finances, right, so the financial industry and the insurance industry. They have that personal data and that financial information, along with the retail industry. So those tend to be some of the common attack methods, but also some of the smaller businesses that might carry information, personal information or financial information, because in some cases it’s harder for a smaller business to protect their data. They may not have the resources available. One of the most recent ones that was announced was a company called National Public Data. They had over, I think, 200 million records compromised, social security numbers, and when I was getting ready for the podcast today, I guess they’re submitting for bankruptcy because of the financial impact of that attack, and they were actually a data broker. So, you know, that’s a target, right. So obviously any organization that handles a lot of information can be a target for these attackers.

0:06:54 – Kimberly King

Isn’t that- That’s so terrible that this is going on, and now they’re folding. What are some of the key indicators that an organization’s security posture is insufficient to protect consumer data?

0:07:08 – Chris Simpson

Yes, so, good question. Sometimes it’s hard to tell as a consumer how well an organization is protecting their data. But there are a couple of things you can look for. You know, have they had prior data breaches? Sometimes an organization will get a lot better if they’ve had one breach, just due to the impact of that breach. In general, you know, does that organization keep their software systems up to date? Are they using new or updated security solutions? Do they have access controls in place?

A good indicator is, if that organization is collecting your personal information, do they do some type of multi-factor authentication? So multi-factor authentication, that’s where, in addition to, like, submitting a password, you have what’s called a second factor, typically a text message or a random number that’s generated via some type of application on your phone. So it’s kind of a two-point method to verify who you are. So, especially if you’re dealing with a financial institution and they don’t have some type of multi-factor authentication, that would definitely be a red flag for that organization. And then you can also, let’s say you’re working on a business partnership or something like that, see what type of external assessments that organization has done. Obviously, they’re not going to share with you the specific results, but have they contracted out, have they been certified that they meet certain levels? It could be for credit card processing, for how they handle information, how their data centers are set up, and things like that.

0:08:44 – Kimberly King

You know, I always think, oh, this is such a pain to have to go through that, but it’s really better for all of us when we have the two-pronged approach there, with that authentication. How do insider threats, whether intentional or accidental, arise?

0:09:00 – Chris Simpson

According to the 2024 Verizon data breach investigation report that I mentioned earlier, internal actors were responsible for 35% of the breaches that they reported on, and that was a significant increase from the prior year. So, if you think about it, right, insider threats, so from the intentional side, people with inside knowledge who, you know, through greed or, you know, unethical activities, they know the inside of that organization, so they know what they can steal or how they can get to that information. And then, you know, also accidental, just unintentional. So phishing attacks are very sophisticated. You know, I’ve seen some really good ones; I’ve received an email and you’re like, oh, that’s pretty good, that looks pretty, you know, pretty real. So it can be a challenge, you know, if you want to kind of put that into the internal threat category.

0:09:57 – Kimberly King

It is. It’s just- again, when you said AI earlier, and just how advanced it is- they’re just getting more and more sly every day. How has the rise of remote work influenced the frequency and severity of these data breaches?

0:10:12 – Chris Simpson

Yeah, so it definitely has made it more challenging. There was an IBM and Ponemon Institute report. They noted that there was an increase in remote work and that caused an increased cost for specific data breaches. And if you think about it, let’s say you’re a defender of an organization. If you’ve got everybody in the same building, it’s a little easier to protect everything in your organization. You’ve got kind of a funnel point. You can monitor inbound and outbound traffic, you can monitor employees, you have the physical security around those information systems. But in this remote work environment, people are at their houses, they may have family members there, they may have renters or people staying at their house, so you lose a lot of that physical protection. It’s a lot more challenging to monitor these systems in these external, remote environments, and so I think that really adds to the challenges for a lot of organizations. Although some organizations, you know, if they’re using cloud-based services, things like that, can enhance their security in some ways.

0:11:21 – Kimberly King

You know, it is so interesting, the whole thing with being remote and just not being able to see what’s going on over there, you know. But yeah, certainly this is such an interesting and relevant topic right now with the cybersecurity breaching. What can consumers do to protect themselves, even if they cannot control how organizations handle their data?

0:11:43 – Chris Simpson

Yeah. So that’s another great question. So, you know, from a personal protection standpoint you want to take some of the same measures that an organization might take. So, you know, you want to run the latest software on your computer systems. You know, patch your software. You know, automatic updates might be a good thing to do here for the personal consumer.

Be suspicious, right, don’t trust anything that you haven’t initiated. You’re not going to get an email saying you’ve won 300 million dollars, or, I saw a comic today. It was something to the effect of, you know, the CEO doesn’t want to be paid in gift cards. So, you know, gift cards, anything, if it seems kind of odd, you know, don’t do it. And if you’re still unsure, don’t respond. Let’s say somebody says they’re from your credit card company, and, you know, you need to update this data. Well, if you’re suspicious, you know, go to your recent bank card statement, call their 1-800 number. You can validate and verify. And then the other big thing is, like I mentioned earlier, definitely, you know, for sensitive information, make sure that organization is doing that multi-factor authentication. That’s a great way to reduce your risk.

0:12:55 – Kimberly King

And you know, that’s really good advice. I know I had a cousin that was recently scammed, almost. But my husband jumped in and really said, why don’t you call the bank directly, don’t be on the phone with whoever just called you, and fortunately there was another person in the house that had another phone, so she did call and they thwarted that scammer. But you hear it all the time. Sometimes you get a text from UPS. Is that something that’s happening right now too? That seems like such a scam.

0:13:27 – Chris Simpson

Yeah, yeah, so in some cases they’ll take advantage. They know people are busy, and, you know, many people typically get a package every day or a couple of packages a week, so it’s easy. They know people are busy, so they may think, oh, yeah, it’s okay, I’m expecting that package, and they’ll click on the link and, you know, maybe give away some personal information. Also, you know, I’m an older person myself. A lot of older people are susceptible to a lot of the phone calling scams.

0:13:54 – Kimberly King

Oh, sad yeah.

0:13:56 – Chris Simpson

And these are very sophisticated operations. I mean, there are some really good YouTube videos about scamming the scammers and how certain groups will kind of fight back against these scammers. But it’s really scary, and, you know, one of the scams is, you know, this is your granddaughter and, you know, she’s been arrested, she needs bail money, or something like that. Always be careful. They’re just really playing on people’s emotions when they do those types of attacks.

0:14:23 – Kimberly King

That is heartbreaking. I really hate to see that, but I like that we can look at scamming the scammers, so that would be great. How does a lack of investment in cybersecurity training and awareness affect an organization’s vulnerability to breaches?

0:14:41 – Chris Simpson

Sure. So, you know, one of the primary attack factors against organizations is social engineering. So it’s important to invest in cybersecurity training for your organization, and it’s got to go beyond kind of just the, you know, click-through-the-training-and-you’re-done type of training. Our CISO here at National University, he does these brown bag lunches, makes it really interesting for the faculty and staff at National University to learn about cybersecurity, how to protect themselves. He does a nice little award program for them too if you report phishing emails and things like that. So it’s more than just the PowerPoint presentations; it’s really making your employees and your teams understand how they’re the primary attack target of some of these cyber attacks and that they can really help protect your organization.

0:15:35 – Kimberly King

Good point. What role does outdated or unpatched software play in enabling data breaches?

0:15:44 – Chris Simpson

Yes, so that certainly is an attack vector against organizations. So it’s important that organizations patch their software and also, especially for organizations that develop applications and things like that, make sure they’re using the latest libraries for the applications they’re developing. There are tools and systems out there that can help organizations do that, but that’s another way that attackers try to get in. They’ll find maybe some flaw in some library that an organization is using for one of their applications. And libraries, what they do is, it’s software that supports how an application works.

0:16:21 – Kimberly King

I do. I feel bad for the older generation that didn’t necessarily grow up with computers, and, like, figuring out how to patch that or just how to, I don’t know. It would be really good for everybody to make sure they have somebody younger around that can really help them thwart these breaches. How can organizations prioritize security without sacrificing operational efficiency?

0:16:45 – Chris Simpson

That can be a challenge for an organization. Probably one of the biggest things for an organization is not to see security as a bolt-on, right. So build security in as they’re developing their applications. Make that part of anything they do in their organization; they embed security into that process, especially organizations that develop software applications. That’s really critical. But if you just make it part of the normal workflow, that keeps you efficient while protecting your information, and also having a robust risk management program, right. So really understand what your most important assets are and what’s critical to your organization. Develop tools and techniques and things to mitigate that risk, to reduce the impact of some type of outage or attack, and it’s not just attacks, maybe environmental factors and other things like that.

0:17:42 – Kimberly King

Yeah, there are a lot of factors that go into that. What are the legal and regulatory consequences for organizations that experience data breaches, and are they enough to deter negligence?

0:17:53 – Chris Simpson

Yes, that’s a great question. That can be a bit challenging. So there are a lot of regulatory fines and sanctions against organizations; the National Public Data one that we talked about, that’s, I think, their primary reason for going bankrupt, and I haven’t verified this, but the article mentioned that their cyber insurance company was not going to cover their costs. So probably they didn’t meet the cyber insurance requirements, so there can be some significant financial consequences.

It’s hard to say whether it’s kind of negligence or lack of awareness. You know, especially for the smaller organizations, it can be challenging for a smaller organization to protect their systems. And that’s where cyber insurance comes in. One of the nice things about cyber insurance: you know, in order to get the insurance, you typically have to do things right. It’s kind of like when you want to get life insurance, you might have to get a checkup, right. They’ll check your blood pressure and all those kinds of things. So with cyber insurance, they’re going to give you a set of things you have to do, and that’ll probably get you to a decent baseline.

0:18:55 – Kimberly King

You know, I never even really thought about that, having cyber insurance, so I think that’s probably a good way to go in the future. Can you discuss the long-term effects of a breach on an organization’s reputation and financial health?

0:19:11 – Chris Simpson

Yeah, so it can have a long-term effect on an organization if it’s significant enough. Regulatory agencies like the FTC, they might have continuing reporting requirements on the security measures that they’ve taken. The cost of cyber insurance could go up for those organizations if they’re breached, and then the potential loss of customers to their business. There was one extreme attack: there was a college in Ohio, they suffered a ransomware attack and they couldn’t process payments, and they ended up going bankrupt. They went out of business because they couldn’t take in money. That’s how bad the impact was to that organization.

0:19:51 – Kimberly King

That’s terrible. What are some emerging trends in cybersecurity that could help reduce the number of breaches in the future?

0:20:00 – Chris Simpson

Yeah, sure. So, like we talked about earlier, awareness is a big one. A lot more organizations are aware of that requirement. A great thing here in the San Diego area: National University, we’re part of a Google cybersecurity grant. We’re in partnership with the San Diego Cyber Center of Excellence, San Diego State University, and Cal State San Marcos. And as part of this grant, our students are going to be able to go out and do projects for businesses here in the area, and for our online students, nationwide. Go out and actually do security assessments, help organizations develop policies and things like that, so that could help them reduce their risk for the future, or at least let them know kind of where they’re at. At National University, we’ve been doing this for about five years now, doing external projects, helping some of these smaller businesses that might not otherwise be able to afford some of these cybersecurity services.

0:20:54 – Kimberly King

That’s good to know. That’s great that you have a grant there. So how do you foresee the relationship between organizations and consumers evolving when it comes to data privacy and protection?

0:21:07 – Chris Simpson

Yeah, so I think consumers are becoming more sophisticated about potential data breaches. I don’t know if I’ve met anybody in the last, what, three to five years that hasn’t had at least one data breach notification. So there’s definitely more consumer awareness, and then that’s driving legislation, right, for some of the fines and regulatory requirements for these organizations, and I guess in some ways for the cybersecurity teams of these organizations, it’s helping them work with their leadership to get the resources they need to better secure their systems.

0:21:44 – Kimberly King

Wow, so interesting, and again such a relevant topic these days. So thank you for what you’re doing. What a great podcast today. We appreciate you joining us, and if you want more information, you can visit National University’s website, nu.edu. And thanks again so much for your time today.

0:22:02 – Chris Simpson

Thanks for having me.

0:22:06 – Kimberly King

You’ve been listening to the National University Podcast. For updates on future or past guests, visit us at nu.edu. You can also follow us on social media. Thanks for listening. Thank you.