Brian Wagner

Brian Wagner: “Rule Number One… Don’t Pay Ransomware Hackers”

In this exciting interview, Mark Matthews sat down with Brian Wagner to hear his advice for protecting your business against cyber attacks. As Chief Technology Officer and the former Head of Compliance at Amazon Web Services, Brian reveals the leading cause of data breaches, his finest career accomplishment, and the factors that make companies susceptible to cyber-attacks.

Q: What is your top tip for businesses wanting to protect themselves against cyber-attacks?

Mark: “Businesses in all sectors find themselves exposed to cyber-attacks, so what is the best way to safeguard against those attacks?”

Brian: “The absolute top tip is easy to implement and realistic: use a password manager.

“I think a lot of the breaches that we see now are commonly used passwords or passwords that are leaked on the internet. That’s probably the absolute number one easiest way to prevent a breach.

“Another one is to be vigilant about emails. So phishing, if you’re not familiar with the term, is a way to get people to send information, either their username, password or bank details. We’re talking about businesses, so when someone gets phished, it’s typically for their credentials, and then someone uses those credentials to log in. So, there’s not one individual action, but just be sceptical of phishing emails.

“I think one more useful tip for businesses is, everybody is using third-party services these days. Everything is a subscription, you pay monthly for just about every software we have, and there are logins everywhere.

“If you enable multi-factor authentication and you do lose your password to somebody, if they don’t have that second factor of authentication, then that password is effectively useless.”

Q: What is the leading cause of data breaches in business?

Mark: “Many actions, negligible to the untrained eye, could cause data breaches. But what is the leading cause of data breaches in business?”

Brian: “Sadly, it’s human beings. Humans are trusting by nature, something that is just ingrained into our being.

“With phishing, people are the weakness. Before email was a big thing, the exploit would be something more physical. For example, you walk into a front office and say, ‘I’m late for a job interview, can you please print my CV?’, and then they hand over a USB stick and that’s the thing that breaches it.

“I think to answer your question, people are unfortunately the weakest link in any organization when it comes to data security.”

Q: What has made businesses more vulnerable?

Mark: “Corporations and entrepreneurs are now more exposed than ever. What factors have increased the vulnerability of businesses?”

Brian: “The difference between working in an office and working from home is that in the office, you are using a known network in a known space. It varies from business to business, but I guess, it’s at least predictable. It’s expected. You know where the perimeter is.

“When you work from home, the perimeter is dissolved. Think of it like a Castle or fortress, you protect the walls. When you’re in the walls, theoretically, the people inside the walls already have some level of trust because they wouldn’t be there if they weren’t trusted.

“Same goes with an office. It’s like, ‘well, if you’re here, you’ve passed some level of trust’. Without that perimeter, the attack surface is exponentially larger and there are more opportunities for attack.

“If someone wants to attack a business, I’m generalising here, you have to breach the perimeter. But now, when you want to attack a business, every individual person who is no longer within that perimeter and working remotely is now a target. So, you go from one to many targets, which makes everybody more vulnerable.”

Q: What did your role entail as the Head of Compliance in Financial Services for Amazon Web Services?

Mark: “As the head of compliance for Amazon Web Services’ financial services, what did the job entail and what were your responsibilities?”

Brian: “The financial services industry is regulated all over the world. Every financial institution in the world is regulated by multiple bodies. The point of that role was to create pathways for those financial services to use [Amazon Web Services].

“They needed to figure out how they could leverage AWS cloud services to benefit their business and their customers without compromising their safety and security.

“So, my job was twofold. One was to show them that path because usually, financial institutions are a few years behind technology. If you’re a bank, if you’re an insurance company, you don’t want to be using cutting-edge technology because it’s not embedded. You don’t know how safe that is and you have to protect the assets of your customers.

“When you move to the cloud, it’s a very different experience. There’s a lot more control, but with control comes more areas to fail. So, it can be a very risky pursuit for these companies. As I said, my role is twofold. One was to show them what they could be doing differently in order to maintain or increase their level of security, the other side was in-house.

“If we had an institution that had requirements we could not fulfil, we would look at their requirements, look at what we offer, and find out how we can if we don’t match. We would ask, ‘is this going to be a sensible change for us to make or a sensible addition to our services’, and ‘who else would benefit from them?’.”

Q: What is your proudest professional achievement?

Mark: “Reflecting on your career… What has been your proudest professional achievement so far?”

Brian: “I think it was my very early career as a software engineer. I grew up in the Midwest, which is an automotive area, and I was a contractor at Ford Motor Company. I think I was 20 years old, and the problem they were trying to solve was the Ford Focus car.

“If you look at the actual list of all the parts that go into a Ford Focus, it is around 300 parts. If you look at all those parts, you’re seeing the same car on three different continents or countries – they did it by continent.

“So, three cars, three different continents, the bill of materials only had 20% similarity. How are you building them completely differently, and trying to reduce the differences?

“I was tasked with facilitating that problem. So, I created a piece of software that allowed engineers for these different car platforms from different regions to basically collaborate and say, ‘Right, here’s my bill of materials.’ It would ingest all of those, check the master database and say, ‘This is the part that’s needed here, match these up’.

“That created about 80% similarity on these vehicles across three different continents, which I thought was pretty cool.”

Q: What do you believe will be the next big style of cyber-attack?

Mark: “Let’s look to the future, how do you think the next style of cyber-attack will present itself?”

Brian: “We’re making strides in terms of quantum computing, and as our competitors get more and more powerful, there’ll be a time when our current encryption mechanisms will be rendered useless.

“I don’t know if it’s going to be the very next one, but if we look at how encryption is done today and how data is protected digitally, there’s a time in the not-so-distant future where that’s going to be– I wouldn’t say obsolete, but it will be broken into within a reasonable amount of time by things like quantum computing or just generally more powerful computers.”

Q: Ransomware is an increasingly worrying issue, what should businesses do if financially extorted by hackers?

Mark: “Most businesses are not as technology versed as needed to safeguard against ransomware. What should a business do if they find they have been financially extorted?”

Brian: “First of all, do not pay them. That is the absolute number one thing, do not pay them. If it didn’t make people money, no one would do it. That is number one.

“I think number two would be to figure out what the impact is. Ideally, if you’ve already been backing up and archiving data, then it would be an inconvenience at worst. You wouldn’t theoretically lose data. Let’s say your data never becomes unencrypted, you would ideally have a backup.

“Now, the inconvenience there from the business side is that it will take time to restore that data. So that’s an outage for some period, which again is an inconvenience at worst. Now the other side of it depends on what data is being stolen or ransomed because if your attacker decides they want to exploit the data, ask yourself, is that personal information, is that information about your customers or is it internal information?

“Not to say internal information is any more or less bad, my point is if they have logins and passwords and data, then you as a business have an obligation to notify those people. Not just under GDPR, but just as a respectable business. You should absolutely reach out and say, ‘Look, this is what’s happened, here’s what we think.’

“But like I said, rule number one, don’t pay them.”

Q: Since the introduction of GDPR, how has it transformed how businesses manage people’s data?

Mark: “Since the introduction of the General Data Protection Regulation, how do businesses manage people’s data differently?”

Brian: “It’s really put a lot of responsibility on the business – I mean, that was the whole point. It put a lot of responsibility on how data is handled.

“I think before GDPR was a thing globally, data was treated very casually. GDPR makes you really think about how that data is being used and shared. It’s inconvenienced a lot of companies who weren’t really looking after their data because they’ve had to restructure the way they store and share that data.

“Asking for consent from every individual is not something a lot of companies were used to doing. But what it’s really done is it’s brought a lot of responsibility and consideration into how you build infrastructure, how you protect data, which is good for everybody. It’s beneficial for the whole world, businesses and individuals alike.”

Q: If you could give your younger self one piece of advice, what would it be?

Mark: “To better prepare yourself for the future, what advice would you offer your younger self if you could go back in time?”

Brian: “Don’t be afraid to fail. Just try stuff, especially in early careers of any kind, not just my own. I think there’s this tendency for perfection. You’re like, ‘I have to be the best’ or ‘I have to do XYZ’.

“The other thing is, stick with your strengths. I’ll use an example, if someone says, ‘Oh hey you’re good with computers, can you fix the printer?’, you say ‘no, actually I’m here to do my job’.

“I think people have a tendency to say, ‘yeah, of course, I’ll help you do this or help you do that’. But if you stay on track, you command authority over your domain, which I think is also very important.”

Hire Brian Wagner for Your Cyber Security Conference or Event

To hire a cyber security speaker like Brian Wagner, get in touch with a booking agent by calling 0203 0070 318 or by completing our online contact form.
