Episode 12

February 24, 2026

00:32:50

Cyber Risk in Construction: What Leaders Miss — and How to Fix It

Hosted by

Kirk Westwood
Talk the TAUC
Show Notes

Why are construction companies considered "low-hanging fruit" for cybercriminals?

Kirk Westwood sits down with Mike Hamilton, founder of PISCES International, a nonprofit providing no-cost cyber monitoring for small governments and public utilities. With decades of experience as former Chief Information Security Officer for the City of Seattle and managing consultant for Verisign Security, Mike brings real-world threat response expertise to construction leaders. The conversation covers why construction companies are increasingly targeted, the three most common attack vectors, and what "good enough" cybersecurity looks like for organizations without massive IT budgets. Mike emphasizes one critical mindset shift: "The Internet is not a nice place. It's here to sell to you, steal from you and manipulate your opinion." Topics include ransomware mechanics, workforce development, and practical resilience strategies.


Mike Hamilton is the founder of PISCES International, a nonprofit providing no-cost cybersecurity monitoring and threat intelligence to small governments, public utilities, and critical infrastructure organizations. A veteran cybersecurity leader, Mike previously served as Chief Information Security Officer for the City of Seattle and as managing consultant for Verisign Security. Through PISCES, he combines live threat response with workforce development, using real-world data to train the next generation of cyber analysts. His work focuses on making cybersecurity accessible, actionable, and resilient for organizations that lack dedicated IT security teams.

Subscribe now so you don’t miss an episode!

Talk the TAUC podcast is brought to you by The Association of Union Constructors (TAUC). Your host, Kirk Westwood, is Director of Marketing for TAUC. In each episode, we’ll explore the latest labor trends, industry insights, and important issues in the world of construction. Our guests are industry leaders, subject matter experts, and innovative visionaries discussing how we are building the ‘world of tomorrow.’ TAUC is made up of more than 1,800 contractor companies that utilize union labor for their projects, as well as local contractor associations and vendors in the industrial maintenance and construction fields. TAUC’s mission is to act as an advocate for union contractors and enhance cooperation between all parties to achieve the successful completion of construction projects. 


Discussion points:

  • (00:00) Mike Hamilton on cybersecurity - What cyber risk actually means: the five business outcomes every leader should know
  • (08:33) The attacks you don't hear about: persistent access versus quick monetization
  • (10:37) When ransomware hits: what it looks like when nothing works
  • (15:26) The three ways hackers get in: social engineering, credential abuse, and vulnerability exploitation
  • (20:22) The single most important thing business leaders misunderstand about cyber risk
  • (27:01) Workforce development crisis: why cyber analysts are the fifth fastest growing job
  • (31:33) One mindset shift construction leaders can make tomorrow
  • Share with someone who would be interested, like, and subscribe now so you don’t miss an episode!

Resources:

PISCES International: https://pisces-intl.org/

Cybersecurity Resources

Government & Research

TAUC Calendar of Events
TAUC Website
Kirk Westwood TAUC
The Construction User Magazine back issues
The Construction User podcast archive


Episode Transcript

[00:00:00] [MUSIC]
[00:00:03] Welcome to Talk the TAUC from the Association of Union Constructors. In this podcast, we explore the latest labor trends, industry insights, and important issues in the world of construction. Join us for conversations with industry leaders, subject matter experts, and innovative visionaries as we discuss how we are building the world of tomorrow. Talk the TAUC, presented by the Association of Union Constructors.
[00:00:24] [MUSIC]
[00:00:27] Kirk: Today we're joined by Mike Hamilton, founder of PISCES International. Mike works at the intersection of cybersecurity, workforce training, and real-world threat response. And his organization provides no-cost cyber monitoring for small governments, public utilities, and similar organizations. [00:00:42] Using live threat data to train the next generation of cyber analysts. We asked Mike to join us because cybersecurity risk is no longer theoretical for construction companies. And many leaders still aren't sure what actually puts them at risk or where to focus. Mike, thanks so much for joining us.
[00:00:59] Mike: Thanks, Kirk, I was happy to be here.
[00:01:01] Kirk: Before we kick off, I always like to try to keep things fun and interesting, get to know you a little bit. I know you work in a music studio as well, but what is the last song you had stuck in your head? Like the last earworm you just couldn't break free from?
[00:01:13] Mike: Okay, all right, I hate to say this, I guess, I don't know. It was Bruce Springsteen's version of Purple Rain.
[00:01:21] Kirk: Interesting, I don't know that I've...
[00:01:24] Mike: He only did it live right after Prince died, and I was watching it last night on YouTube and it was the first thing in my head this morning.
[00:01:28] Kirk: Okay, no, that's fair. That's a good one though, I need to check that out because I don't know that I've heard the Boss do Purple Rain.
[00:01:34] Mike: I don't know if it has anything to do with this, but Prince being from Minneapolis, maybe that's got something to do with that at all.
[00:01:39] Kirk: I don't know, well, let's see. For someone new to this space, cybersecurity training often sounds kind of abstract or theoretical. A lot of people, myself included, don't necessarily understand cyberspace. You work with real attacks as they're happening. Can you walk us through what that actually looks like? You come into work, how do you know you've been attacked? What does an attack look like?
[00:02:00] Mike: Let me back up a little bit, just give you a little bit of the framing of this.
[00:02:04] Kirk: Sure.
[00:02:04] Mike: Everybody's got a company, lots of construction companies, lots of people doing infrastructure work, things like that, okay? And we see everybody's getting cybered. Latest statistic I saw, statistics/survey by some company, was 81% of small and medium businesses have had some kind of event, right? Doesn't necessarily mean ransomware burned them down, but they had some kind of event there. [00:02:26] If you want to manage that risk, there's two parts to risk. The likelihood that a bad thing happens and its impact. And you multiply those together and that's how you get risk, okay? The likelihood of an asteroid destroying all life on Earth is really, really, really tiny, but the impact of that is enormous, game over, right? We can't say that it's zero likelihood.
[00:02:54] Kirk: Right.
[00:02:54] Mike: Same thing when you're worrying about cybersecurity. If you want to buy down risk and you address that likelihood term, you apply preventive controls, you filter your email, you train your users, you manage your vulnerabilities, you do all that stuff. You will never drive risk to zero by trying to reduce the likelihood of one of these things happening. [00:03:13] When I say a bad thing happening, what do I mean?
It's not scary Russian cyber buffer overflow, SQL, forget that, okay? Unauthorized disclosure of records, theft, extortion, disruption, and being used as a third party to attack others. That's five business outcomes, okay? You're trying to reduce the likelihood of one of those things happening.
[00:03:34] Kirk: Real quick, just because that list was fascinating. Can you do those five again for me? What were those five?
[00:03:39] Mike: It's unauthorized disclosure of protected records, right? The records breach, right? You lose personally identifiable information. That could end up in a class action suit.
[00:03:47] Kirk: Sure.
[00:03:47] Mike: In fact, lately it always ends up in a class action suit. Number two is theft, okay? Theft is from business email compromise, account redirection. Third one is extortion. That's what ransomware is. They also use denial of service as an extortion technique. We'll just throw so much stuff at your network that it doesn't work anymore. Phone call comes, hey, you want that to stop? Here's how much it's going to cost, okay? That's extortion. [00:04:12] Disruption, just for the sake of disruption, just knocking you down. And in today's geopolitical context, that's becoming more and more prevalent. And then the last one is being used as a third party to attack your business associates, all right? Those are five business outcomes.
[00:04:26] Kirk: Sure.
[00:04:26] Mike: And there's maybe one or two more you could probably come up with. That fairly describes the outcomes we're trying to avoid from a business perspective, right? We're trying to buy down that risk. We do everything we're supposed to do. Well, cybercrime has been called the third largest economy in the world. I think they're up to about $10 trillion a year in global losses. That's the GDP of a country, okay? [00:04:48] Construction company, are you going to go glove to glove with North Korea and win? No, you're not. Stuff is going to happen.
That's why lawyers now call this a foreseeable event. Very specific language in the legal profession. If you fail to take steps to mitigate the risk of something that's foreseeable, you're guilty of negligence. Negligence is starting to pop up more and more in these lawsuits, okay? You've done everything to buy down risk by lowering the likelihood, but you'll never get it to zero. [00:05:16] Once you've exhausted everything you can do, you turn to the impact term and we would like to minimize the impact. The impact can be our help desk cleaned up somebody's workstation. The impact can be the FBI just called and all of our customer records are for sale online. You get to pick which one of those is yours by monitoring your network, investigating aberrational events and quickly dropping into response to put out the grease fire on the stove before the house is engulfed in flames. Did that make sense?
[00:05:48] Kirk: It did actually. You actually put that in a way that I appreciate. That was very clear.
[00:05:53] Mike: I've briefed senators and you have to be very specific.
[00:05:56] Kirk: Yes, you do.
[00:05:58] Mike: All right, what we do is we work with that impact term. You asked me, what's this look like in real life? Okay, so there's various ways that you have what are called detection analytics. You're monitoring the network. You're monitoring what's going on at the endpoints. You're monitoring what's happening in the cloud. And there's all of these different ways that you can use it. But something weird happens and maybe it's something obvious. [00:06:23] We just saw the Emotet Trojan delivered to this workstation. Okay, time to go into response mode. Cut them off from the network, quarantine them. We'll get somebody out there and we'll clean that up. It can be your system that aggregates logs and correlates logs that says, we just saw a system where the antivirus went off three times in a row, which means number four was probably successful.
[00:06:44] Then it was talking to China. Now it's scanning the network. Three strikes, you go to the top of the priority list. That's rules-based detection, okay? Or maybe it's behavioral-based detection. You just did something so weird you've never done before. We got to check you out, right? And that's done with machine learning. We create a baseline of what's average behavior for every object on the network. You do something that's two standard deviations from the mean. It's like, ah, we got to look at you. [00:07:10] So that's how it starts. Something weird will throw off an alert. That alert has to go to an analyst, a person. In tomorrow's world, almost today's world, that alert will be picked up by an AI agent that will do the first-pass investigation and then hand it to an analyst. A whole bunch of the work is already done. But what an analyst has to do is say, okay, what happened five minutes before and five minutes after? What are the IP addresses involved? What protocols are involved? Are they using some kind of weird, you know, like, so DNS, the domain name system? That's how you look up IP addresses, right? [00:07:49] Well, they can be using DNS TXT records as command and control. We got to check out very deeply what's happening at the network level, what your endpoint is telling us, and figure out what's our response here. And that response may be, this is a false positive. That response may be, they got to go into quarantine and we got to clean them up. The response may be, you're getting picked on by a bad actor out here. Nothing worked, but we think you ought to block this bad actor. [00:08:18] If you have that impact minimization all in place, where you have analysts and your AI agents and all of that stuff, investigating all these aberrational things that happen on a network, you put out the little fire before the whole house burns down.
[00:08:33] Kirk: Let's actually talk about that a little bit. We hear about the big ones.
We hear about Colonial Pipeline. We hear about these large extortions, they shut down this company. But I have a feeling that that is probably the minority of these attacks. How many of them are quiet in the background, that go on for long periods of time, that people don't even notice they're leaking information or something else?
[00:08:55] Mike: Those are generally more nation-state types of things when they want persistent access, because the criminals that want to monetize this, I mean, they want to get in, do the business and get out. It's when we're talking about persistent access and somebody surveilling a network for a long period of time. That's generally governments doing that. For example, you know, we have a partial government shutdown right now. For the last government shutdown, they got rid of the contractors and they got rid of all the CISA people that do two fundamental things. [00:09:24] Number one was they were watching the network to see if weird things happen. And number two, they were doing incident response to put out the little fires. And so when those people were not available and a vulnerability is announced for a piece of technology that faces the Internet, all the countries of the world climbed on board, exploited the vulnerable technologies and embedded themselves into the networks. And they're just stealing all kinds of secrets. War plans, economic strategies, all kinds of things. The persistent access is generally for espionage, stealing state secrets, things like that.
[00:10:03] Kirk: Probably not something the small business is going to need because like you said, the criminals want to get in there and get out. Again, I'm a small business owner. I have a team of, you know, six to 60. I'm working on a few different contracts. You gave me those alerts, but what does it look like? [00:10:20] I don't mean on the technical side. I'm not a CISO, I'm not an IT guy. I'm just a business owner.
I come in one day and they say, you've been attacked. What does that, is it, you said like denial of service, is it the website went down? Is it the, what are the real functions from the outside perspective?
[00:10:37] Mike: Okay, well, it kind of depends on what we're talking about, right? If you've been attacked by ransomware, you're going to be stored it, nothing works. Your entire network is encrypted. That's how ransomware works. Everything starts the same way. Somebody gets a little piece of unwanted software on a computer. Well, if it is a ransomware operator, what they're going to do is they're going to get interactive access to your network. [00:11:01] They're going to come and go as they please. And they're going to find your backups. They will find your key systems. They will find your records. First, the records go out the door because they know that they can use these as leverage, and I'll come back to that. And then they lay in encryption software and it comes down to one key press. Everything is encrypted, nothing works. No email, no business, no manufacturing, no nothing. And then you get the extortion demand, and the extortion demand will say, we want you to pay for the decryption key. [00:11:29] Here's what it's going to cost. And by the way, if you don't pay us for the encryption key because you did good backups and you can restore all that stuff, if you don't pay us for the encryption key, all these records we stole, we're going to make these public. And as soon as they're public, you're going to have to do a public breach report, and there are attorneys all over the United States waiting for this to happen so that they can go out and seek plaintiffs as a class and sue you. [00:11:57] They've got all this leverage and interestingly, they're getting away lately from ransomware and just stealing the records because they have so much leverage there. And these are laws that we made. We're doing this to ourselves.
The California Consumer Privacy Act has this private right of action. If your record has been disclosed, you can join a class as a plaintiff and sue regardless of whether you've really had any harm from that. And that's just crazy. All we're doing is making lawyers rich. But that's what it looks like when you walk in the door. Nothing works and you have an extortion demand in front of you.
[00:12:32] Kirk: So you actually kind of already covered this, but how does that start? Like you said it starts with these minor things of people coming in back doors and putting in pieces of software?
[00:12:40] Mike: Well, no, they don't come in a back door. They get you to install a back door for them. And there's all these techniques. I'll just describe one technique that's being used right now. It's called ClickFix. All right. You're surfing around the Internet and you go to some site. That site has been injected. Somebody put something bad in there so that you visit that site and you get the bad thing along with the content that you're asking for. Okay, let's set aside what injection is, right? And this thing pops up on your screen. And it says, oh, snap, Mozilla Firefox has had a problem. If you want to fix it, click here.
[00:13:18] Kirk: I see those a lot.
[00:13:18] Mike: Click there and it says, okay, to fix this, here's the command. We want you to run this command from a command window. And basically, you're just installing malware for them. This is very prevalent right now. There's other ways that this is done. For example, there is a domestic group called Scattered Spider. They have a few names, but Scattered Spider. These are Gen Z teens and 20-somethings. They know very well how processes work in the United States, including help desks. [00:13:45] They can find enough information on an employee at a company, call the help desk, impersonate that employee and say, I need a password reset. The help desk resets the password for them, and they just walk in.
They can lay in whatever they want. There's a whole lot of user interaction that results in these things. That's not the only way. The other way is the one I mentioned, when you have a vulnerable piece of technology, right? Cisco says, oh, we have a vulnerability. Here's your patch, okay? [00:14:17] Well, as soon as that comes out, nation states, criminal gangs, they get the patch too. They reverse engineer it, find out what it fixes, and then code up an exploit to break that thing. Simultaneously, they start scanning the internet for vulnerable exposures. They load up the exploit as an automated exploit. And as soon as they find you, you're popped. I worked in government and the private sector as the managing consultant for VeriSign Security. [00:14:47] I've talked to tons and tons and tons of small businesses, small local governments, things like that. They say, we're too small. We have nothing to steal. Why would they come? The scanner doesn't care how small you are. If you have vulnerable technology that you haven't patched before they find you, you're getting popped.
[00:15:04] Kirk: I have a really good friend who's a penetration tester for banks. I won't say which ones because I'm sure he wouldn't appreciate that. And he's always told me, he's like, we've gotten the technology good enough that there are uncrackable systems-ish, but there are not uncrackable people. The social engineering aspects, if I can get one employee to be stupid for one minute, I own you. It's not necessarily about hackers.
[00:15:26] Mike: Three prevalent ways that people will get into your business network, okay? Number one, social engineering, I'll fool you into doing something, okay? [00:15:34] Number two, credential abuse, right? [00:15:37] And that's got a few flavors. [00:15:38] Number one, people pick stupid passwords. [00:15:41] That's one. [00:15:42] A failure to use multi-factor authentication, that's another one. [00:15:45] But now that can be circumvented as well.
[00:15:47] There are password dumps out there. [00:15:49] You know, Yahoo lost a billion passwords. [00:15:51] And if you were in that Yahoo dump and you use that same password elsewhere, they're going to find you. [00:15:56] And then the third one is vulnerability exploit, like I explained. [00:15:59] So it's social engineering, credential abuse, and vulnerability exploit. [00:16:03] Those are the three prevalent ways that your network is compromised.
[00:16:07] Kirk: That was actually my next question. What are the best ways? I appreciate that.
[00:16:11] Mike: Well, I told you, I have briefed senators. It's the threes and fives.
[00:16:14] Want to get your company message in front of the top leaders in union construction? Place an ad on Talk the TAUC. Our listeners are owners, contractors, and labor leaders who shape the future of our industry. It's a direct way to reach a powerful, engaged audience and show your support for union construction. Learn more about advertising opportunities at talk.org.
[00:16:36] Kirk: How is IT security different than risk management?
[00:16:40] Mike: Well, IT security is the process of going through and deploying all of those preventive controls. Active Directory has to get screwed down. Operating systems have to be hardened. Vulnerabilities have to be managed, things like that. Risk is where you use a framework, like the NIST Cybersecurity Framework is a really good one to use because it's an outcome-based framework. It doesn't say, have this specific control in place. It says, make this thing happen. Remote access is managed. Well, your construction company is going to do that different than Lockheed.
[00:17:13] Kirk: Sure.
[00:17:14] Mike: But you can still meet the requirements. Risk is going through and evaluating what's the likelihood because this control is not in place. We go through this framework. Do we do this? Do we do this? We don't do that.
Well, your failure to do that, what's the likelihood that you get records disclosure, theft, extortion, disruption, or being used as a third party? [00:17:38] If that happened, what would that impact be? That's risk. We're talking about consequence and likelihood, okay? IT security is, hey, man, you've got to harden that operating system. You take the instructions given that are informed by the risk assessment, and you put those in place. That's what IT security is doing.
[00:17:59] Kirk: Is there any particular reason that construction and infrastructure seem to be more of a target of these kinds of attacks?
[00:18:10] Mike: Yeah, well, they're essentially low-hanging fruit. Because typically, because they're not defense industrial base or anything like that, they haven't had a lot of regulatory requirements to force them to do things, right? There's the voluntary framework, the NIST Cybersecurity Framework. But they're not going to get audited for controls. You're in business. You want to spend some money on something that doesn't make money for you? The answer is probably no. [00:18:37] So like I said, you're low-hanging fruit. But because you are part of the supply chain for a lot of really important things. For example, because of the CHIPS and Science Act from the previous administration, there are lots of semiconductor fabrication plants being constructed right now. If you're a part of that supply chain and you can be used, right, being used as a third party to attack your business associates, or backdoor in some way that facility that you're building, or use construction materials that are of dubious or whatever. That is why construction is in the sights, right? [00:19:17] Because they're part of the supply chain. Like I said, those five things, being used as that third party, that's very prevalent right now. Being hammered from third-party access is very common. It started with, what was the first one? There was a company called Blackbaud.
Blackbaud was a payment processor for hospitals, for philanthropic organizations, nonprofits, things like that. [00:19:43] When Blackbaud got popped, they had data from all of these other organizations. And each one individually had to go file a breach report and suffer the financial consequences of that, right? But it was all done by that one third party. Their security wasn't hit. It was their supply chain, right? Their business associate. So because construction is the business associate, the supply chain for all kinds of other things, that's why they're popular.
[00:20:10] Kirk: What would you say is the single most important thing for the business leaders, not the IT team? But for the business leaders, the owners of these companies, what is it that they misunderstand or what is the thing they need to understand the most about these risks?
[00:20:22] Mike: That's a great question. Thanks, Kirk.
[00:20:24] Kirk: You're welcome.
[00:20:25] Mike: The internet is not a nice place, okay? It's not. It's here to sell to you, steal from you, and manipulate your opinion. And as we get closer to this election, we're going to be waist deep in disinfo, all right? But set that aside, the internet is not a nice place. And remember, I said I like to simplify things way down. The one thing that you can do, I'll tell you how I can prove this in a minute, institute a policy of all personal use on a personal device. [00:20:56] Everybody's got a phone. If you don't have a phone, somebody give them a phone. Probably got a Wi-Fi network that your phone will attach to when you come in. Facebook lives here. Gmail lives here. Not on your work computer, all right? The reason I say that is because I used to be the chief information security officer for the city of Seattle. And as such, we made lots and lots of measurements. [00:21:16] And I could prove at the time.
It's since been borne out in other research: 40%, 40% of the compromised assets on the network were due to the use of personal email, okay? You make one policy change, and you drive 40% of the problem off a cliff. Hey, that makes economic sense. That makes security sense. People are going to howl for a little while, but you know what? TS, get used to it.
[00:21:44] Kirk: That's a big one. And I agree. I will say I am... so I'm in the military. I'm in the Army Reserve, and I have a computer that they've given me. To that end, I can't do anything on that thing. It's almost worthless. I could do all my Army work on it. But if I try to do anything that is not very directly DOD, it gets real mad at me real fast. Because they certainly understand that. One of my cyber guys in the military, there were people bemoaning this. [00:22:11] And they said, listen, it comes down to this one thing. I love this adage. It's that if it's convenient, it's not secure. If it's convenient, if it's super easy, one phone to rule them all. We've heard about the email breaches. We're like, well, they didn't like carrying two phones or what have you. If it's convenient, it's not secure. And that wraps it up really nicely for me. But I take your point. I'm guilty of that one, but I get it. [00:22:37] And you talked about this at the beginning, but I want to hit it again a little bit more. What are the early warning signs that we need to pay better attention to and not ignore before incidents escalate?
[00:22:47] Mike: Let's come back to that in a second, because I got one more piece I want to say, right? Construction companies and why are they. The other reason is they have no access to qualified cyber practitioners.
[00:23:00] Kirk: Interesting.
[00:23:01] Mike: They cost a lot of money. They're reluctant to spend that money because they're not regulated. In general, they don't have the people that know at a deep level, hey, this thing is going on and we really need to get in front of this.
They're not monitoring their networks properly. That's got everything to do with why I work at the nonprofit that I started, which is basically focused on workforce development. [00:23:23] We're trying to flood the bench with so many people to be analysts that the price per goes way down and everybody gets somebody that knows what they're doing on the network. Okay, so I want to make sure I got that in there.
[00:23:36] Kirk: No, we're actually going to touch on workforce. That's one of my questions here in a second. But just going back to that one, what is the thing, we talked about what do they need to understand? [00:23:44] The internet is not a happy place. You need to have the people that are qualified to be monitoring it in lieu of that. And I don't want to say in lieu of that because those are things that just need to be fixed. But change happens slowly while they're getting those things into place and while they're instituting those policies. What are the big red flags they need to be paying closer attention to?
[00:24:03] Mike: Well, how much internet access their users are typically using, what is their cadence in being able to patch vulnerabilities that are announced? Because remember, it's a race now. You're racing against China. When Cisco has a vulnerability and you have that Cisco product, China is coming for you. Hurry up. [00:24:21] The third one is credential abuse. Make sure your users are using good passwords. We'll come back to that in a second. But very importantly, use multi-factor authentication. When I say pick a good password, the National Institute of Standards and Technology, NIST, has come out with guidance that says, all that stuff about uppercase, lowercase, numbers, special characters, that's out the window. Changing it once a quarter, that's out the window. [00:24:47] Here's what we want you to do now. Use multi-factor authentication. But use a passphrase.
Not 11 characters of garbage that's going to be really hard to remember. And it's only 11 characters. Pick the first line of a book that you like. Punctuate it properly, and that's your passphrase. All right, it lasts forever. There are so many bits of entropy in there that it would take longer than the universe will exist for you to randomly guess what that is by just trying random characters in succession until you find it, monkeys with a typewriter until you get it. [00:25:22] Now, multi-factor authentication. We'll clear this up because a lot of people really don't understand what this is. If you go to a credit union site in the Midwest and you log into your portal, what's your password? Okay, what's the color of your first car? That is not multi-factor authentication. Now, there's two things you know. Multi-factor authentication is defined as the following. [00:25:42] Two or more of something you know, something you have, something you are, that's it. Something you know is a password, your passphrase. Something you have is your authentication token, which is usually a phone. Give the code that came over the phone. You now prove you're holding the phone, something you have. And the last one, something you are. Your iris scan, your palm print, your fingerprint, your DNA. Hey, let's not go there, but.
[00:26:10] Kirk: Sure.
[00:26:11] Mike: You combine these things, right? You've addressed social engineering. You're not letting your computers just have willy-nilly access to the internet. You've addressed credential abuse. Make your users pick good passphrases and combine that with multi-factor authentication. [00:26:28] You've addressed vulnerability exploit. Hey man, when the patch comes out, drop what you're doing. This is an incident, get after it. That's really what you need. If you're going to make this as basic as you can, those are the things.
[00:26:41] Kirk: I like it, because we have a lot of people that have kind of asked us about, you know, because as you said, I can't spend the money on things that aren't directly making money. What does good enough look like? Good enough look like is MFA.

[00:26:51] Mike: MFA, good passwords, manage those vulnerabilities. Manage those vulnerabilities. Really get a battle rhythm going there. And then the social engineering, make your users use their phones for their personal stuff.

[00:27:01] Kirk: Sure. You actually mentioned workforce development a minute ago. I want to talk about that. In the, especially in union construction, we talk about the worker shortage. We're building this mega site that needs hundreds of this type of craftsperson, but there aren't that many craftspeople in that area of that specialty. How is the cybersecurity pipeline? Are there enough of these analysts out there right now?

[00:27:27] Mike: No. That is evidenced by the fact that two years ago, according to Bureau of Labor Statistics, cyber analyst, okay, the person that watches the logs and the events going on on the network and investigates things was the 10th fastest growing job. Now it is the fifth fastest growing job. By outside the BLS, I've heard it's the third fastest growing job. These are the people we meet, right? If those are the butts that you need in seats. This is why we do what we do, which is we monitor small networks, mostly for cities, counties, public utilities, rural healthcare, school districts, and we do it for free. [00:28:07] And the reason we do it for free is because we collect metadata from those networks, right? And so it's not like what email you read, what webpage you went through, it's what IP address you talked to, right, the metadata. And alerts that come off the network, IDS alerts, intrusion detection sensor. We put a thing on the network that's got this IDS built into it.
It pulls the headers off the packets and it sends the packet headers and sends the alerts over to a big monitoring stack. [00:28:33] Fifteen universities across the country are teaching people to be cyber analysts, with the same curriculum that we developed in cooperation with Pacific Northwest National Lab. They're using live fire to do it. That way they get the operational experience of working with real time events in critical infrastructure. We're providing infrastructure protection for what is critical infrastructure, because local governments in particular make your toilet flush, make your water drinkable, fire department to your house before you're dead. IT holds all that up. We do that for free for them so that we can use the data to train the fifth fastest growing job in the country.

[00:29:12] Kirk: That makes a lot of sense. And you've talked about it so much. I hate to ask questions like you've kind of touched on it, but more just directly, industries like construction, like you said, they're not IT, they're low hanging fruit. Their work isn't computers. There's lots of devices and internet of things going on, but how should these industries like construction and infrastructure think about cyber resilience beyond just what I hired a vendor? How should we be considering cybersecurity?

[00:29:35] Mike: So resilience, right? What does that mean? To me, that means, if I was going to explain it to a senator, you gotta be able to take a punch and get up off the mat before the 10 count. If you get hit with ransomware and you have good backups and you have three copies of your backups on two different kinds of media, and one of those copies is offsite, that's called the 3-2-1 rule, you can probably rebuild from backup faster than if you've got a decryption key and tried to decrypt everything because it's very time consuming. [00:30:05] You need to be thinking about this is going to happen. What is our plan for this? Have a plan, an incident response plan.
Practice the plan with a tabletop exercise, right? When you're going to, tabletop exercise will really draw out where your limitations are, right? Bob, the one guy that knows all the IT is on vacation with his phone off. What do we do? [00:30:31] Think about resilience as exactly that. The ability to take that punch and get back to work, right? Impact management. I would say too, because there is this dearth, this lack of qualified practitioners, especially cyber analysts, there are managed services that can be used, right? You contract a managed service, they will watch your network for you 24/7, 365. They're the ones that have all the analysts and you have processes that you build with them. If this thing happens, then you can take this action, right? [00:31:02] So for example, quarantine an asset remotely, if it's 3 a.m. on a Saturday and it looks like your network is getting hacked, you can put out that little fire. I would say lean into this whole philosophy of resilience and there are things that you do for that and backups are especially critical, but so is your plan and practicing the plan, but also think about a managed service. I mean, Pisces, right? Our little nonprofit, it is a managed service, but it's free and it's not 24, it's a happy meal.

[00:31:33] Kirk: Yeah. Well, just kind of my last question then is, if you could leave the construction leaders that are listening with just one mindset shift, one thing they need to change that they can do tomorrow, when it comes to cybersecurity, what would it be?

[00:31:45] Mike: That's your users off from the internet. All personal use will now be on a personal device, full stop. Let me just be clear, that's not an easy policy to enforce, because if you were going to enforce that, you'd have to have DOD level filtering in place and making sure that you know what's authorized, what's not blah, blah, blah, but I'll give you a famous line from a movie, nothing focuses the mind like a public hanging, right?
[00:32:13] I mean, somebody is using Facebook and they decide to click on some cruft and that starts something bad, then something bad has to happen and you need to make an example of that to let everybody know we're serious about this policy.

[00:32:25] Kirk: Nothing focuses the mind like a public hanging, what movie is that?

[00:32:29] Mike: I can't remember.

[00:32:30] Kirk: I've definitely seen it, I just can't, I can't.

[00:32:33] Mike: I'm going to Google it as soon as we're done.

[00:32:34] Kirk: Me too, me too. Mike, this has been incredibly helpful, practical, grounded and very clarifying. Thank you for joining us and for the work you're doing through Pisces. And thanks to everyone listening, we'll be back soon after another conversation focused on the real issues shaping union construction today.