Proven Podcast

FBI Cyber Expert Saves Your Business - M.K. Palmore

Duration: 1:03:57 (12,185 words)

Most people think cybersecurity is complicated. MK Palmore disagrees. With 32 years in the federal government, two decades as an FBI special agent, and executive roles at both Google Cloud and Palo Al...

Transcript


Welcome to the Proven Podcast, where we don't care what you think, only what ...

Imagine your data being protected on the same levels as the United States Marine Corps and the FBI.

That's what today's guest brings in. MK tells us all about risk assessments, how to protect

our data in the ever-evolving world and how even with AI you can remain safe. The show starts now. I'm really looking back to the show. MK, I'm really excited to have you here. Excited to be here, appreciate it, Charles. So, for the four or five people on the planet who actually don't know who you are, can you kind of give it a little bit deeper, what you are, what you've done, how you gather.

I'm sure there's more than four or five, but MK Palmore, I'm a consulting leader, a firm called Apigy Global RMS. My career spans a career in government, 32 years in the U.S. federal government. I'm a U.S. Naval Academy graduate, United States Marine Corps officer. I then went on from the Marines to spend 22 years in the Federal Bureau of Investigation as a Special Agent, retired from the FBI as an executive leading the largest cyber security team that the FBI has here

in FBI San Francisco, and then I went on to work for two Fortune 500 companies, Palo Alto Networks and a Fortune 5 company, Google Cloud, as essentially a field chief information security officer. So, great experience working at the enterprise level, and then broke off out on my own in order to support SMBs and the global public sector through Apigy Global. So, there's a lot to unpack there, and as much as I want to dive right into the intense stuff at the end of the enterprise and the SMB,

let's kind of slowly get it out there. We know that data's being hacked every day. We know that we have things that are being built, WhatsApp or signal or own personal stuff that's identity

being stolen across the board. The audience is always gonna ask me, where is the first thing I can

do right now? Okay, I get it and you've done this on the exception. I love looking better with the FBI. What is the basic stuff that most people get wrong every single day when it comes to their data and their protection of what's going on in their world? It's the basic stuff, you know, apps will oftentimes come to you with default settings that make them easy for you to utilize. And that ease of use is what the adversary relies upon in order to gain access to

your digital footprint, your private information. And so, I would ask people to take that extra step. And that extra step is not hard. It just simply means enabling things like multi-factor authentication in the applications that they use or the SaaS applications, the portals through which they gain

access to. It doesn't take that much time. People will deride things like SMS as the second factor

for authentication, but some authentication is better than none at all. And so, I would encourage people to, yes, utilize SMS if that's the only available resource that you have. But there are a number of authenticator apps out there now that use a higher level of encryption and provide codes for you to gain access to your email or applications. And that's probably, at a baseline for consumers, one of the best things that you could be doing is just simply doing the basics. Make it harder

for an adversary to gain access to your information. And then if you want to take a few extra steps,

there are things like monitoring your background, your credit, all of those things. You can actually set it up in Google so that if your personal results happen to show in Google, they will send you an email saying that your personal results like your address are showing up on this particular website and you can go through a process to have that information removed. It's not that hard to do. And again, these are simple things that everyone should be doing in order to

reduce their exposure and decrease the risk of their digital privacy being violated. Are there certain apps that you just wouldn't install? This one's too invasive. We know this is kind of a gatekeeper to things that cause problems. Not for me. So I'm a heavy user of social media, one because I use it to amplify my business brand. And then once you've exposed yourself to social media, you know, very few of

us, me included, have read all of the legal agreements. We seem to agree to them when we download applications

and we allow them to gain access to our digital footprint within our phones. I think we're given

up quite a bit when we do that. And so there's a push and a pull associated; there are pros and cons. You just have to understand that you're giving up some amount of your privacy. And then again, take those minor steps that you can, going into the settings of these applications and then limiting the amount of access that the applications have to the rest of your digital footprint and information. The only other thing I would encourage is that, you know, the likes of Google

through their Play Store, Apple through their store, go through very exhaustive steps to make sure that developers go through a pretty rigorous process. And that is a continuously monitored process. The applications, when they drift or fall outside of the regulations of those platforms,

they essentially are given warnings and then nearly taken down immediately, e...

don't follow the framework for which Apple and Google establish for being able to use applications

or deploy applications on their platform. So I would say for the most part, try as best you can to use those, you know, if you're using an Android device, the Google Play Store is where you want to get your applications. If you're using an iOS device, obviously the Apple Store is where you want to get your applications, trying to avoid downloading applications from sites that you're directed to, because those applications may not necessarily have been that it.

Yeah, and then there are things out there that, you know, they scrubbed in that, they look for something, there's these softwares or this, this extra layer that people do, things like whatever incognito or things of that nature, is that something you would recommend on the consumer level, is that, is that just overkill? Not necessarily, it depends on what kind of footprint you want to have. Some people may need

to go to several extra steps in order to create a different persona for themselves. Maybe you as a business owner want to create a purely business persona of yourself, which means you have to be very diligent about which browser you're going to use that identity with, what information

that you ultimately are going to put into the browser that's going to tie back to your business,

is that going to tie back to a physical location for you? So you have to, you have to be diligent.

I think the problem that, you know, establishing those kinds of parameters and barriers for yourself isn't hard. The hard part is the consistency of the use of actually doing it every time that you use a particular application or every time that you're doing business for your company, to only use a particular browser and to ward off the temptation to say, well, you know, I'm out and about, and I've got my iPad with me, maybe I'll just use this to access that account

that I normally only access via my safe desktop computer. So you just have to be consistent, diligent about the process and it's, it can be very hard, but there are, there are ways, programs, applications, and things that can help you with that consistency. It just depends on how much you want to layer your own privacy and protection. Yeah, when I growing up, I was a Microsoft certified trainer and we built IT structures. What we did was instead of worrying about

it forward for it on the machine, we put our personal stuff into a trust. So anything I own privately is hidden inside a trust. It's based out of the Cook Islands. It's a good luck part of trying to penetrate that. It's just, it's different for numbers, different addresses. I am the poorest person on the planet if you look at my actual numbers. Whatever's in my wallet is all the

money I have. Everything else is inside trust. It's inside protected environments. That's what

we did because I knew I couldn't compete against what was happening on the computers. Which is obviously this is a very different method where we get into business environments. When we talk about this thing to business, we're about to do. You don't have some of the luxuries of that. And they don't understand how the data breaches can happen. So to talk about that, when we get into the SMB world, when we get into small businesses, I don't think the consumer truly understands

how devastating a breach is. Could you kind of walk us through how absolutely catastrophic it could be when someone does have a data breach? Yeah, let's look at the relative size of organizations. Enterprises that, you know, have thousands of people, thousands of digital resources, are able to issue out devices, to provision those devices. They take very, very deep steps in terms of ensuring that their digital environment is protected. The SMB space may not be as well resourced,

but guess what? They have to operate at exactly the same level as the big folks on the block because from the vantage point of the adversary, they really don't care how big or small you are, what they care about is whether or not there's an exploit available that will allow them to gain access. And if you fall prey to whatever channel or methodology that they choose to use the

avenue of attack or approach, it's a win for them because access to the information is the first

step for success for them. And then once they obtain the information, there are a myriad of things that they can do with the digital information of any one particular individual, much less a large-scale business. And so think about those resources in terms of the requirement to respond.

There are laws on the books. If you suffer a breach, you have to notify all of the individuals

for whom you have digital records. That's the first step. Even just that notification can be troublesome and a challenge for organizations that are prepared for it. Then guess what? You're likely opening yourself up to some level of liability. So hopefully you've gone through the process of doing a risk posture assessment. Hopefully you have cyber insurance and you're actually able to pull in resources that will allow you to both respond from a digital forensic

standpoint. In other words, you respond through your insurance carrier. They likely have on staff or panel organizations that can help you from a digital standpoint, right the ship, so to speak, get your

technical organization back in order.

has to happen. And there are costs associated with that. We have leveled out now somewhere between

three to five million dollars is the on average cost of a digital breach. And that's been

pretty consistent for a number of years. And that number may not sound big, but at the same time, again, for a small to medium sized business, could you re-down or recover from a $3 million hit to your business? The short answer to that, I'm sure for most small businesses, is no. And we have seen historically breaches that have gone as high as $270 to $300 million paid and used to mitigate the effects of a breach or impact on a business organization. And so because of that wide range,

the last thing you want to do is leave yourself open to potential victimization by an adversary. Because the damage that they do, it is so devastating to organizations that sometimes the financial component associated with it makes it unrecoverable from a business standpoint. And we want businesses to thrive. We want you to get out there and get your wares and your products and things out there to the consumer marketplace. My proposition is that nearly every business today is a digital

business. And so taking time to understand what your digital footprint looks like and making sure that you secure your footprint is just a part of business operations today. And that's part of the reason that we're in business. Well, I think one of the things that doesn't get talked about enough,

this is a reputation as well. When you have to reach out to your client base and say, hey,

congratulations, I've had a data breach. This is one of the reasons I left myself on company. They've got, they've been, they were breached. The first time I was like, fine, it's a lot of work; the second time they got breached I left. I was like, we're done. We're leaving. So I think that's that reputation hit. That even if you do find a way to mitigate, hey, I've protected you from this one.

It's kind of like the first time someone ever cheats on you. You're never going to trust them again,

no matter what you do for the rest of your life. There's always going to be that issue. There were things that you went over that most small business owners have never heard of before. They're like, an assessment? Insurance? What are you talking about? They're going to be like, what? I'm just trying to sell my widgets, dude. What are you doing? Let's try and get some of these people up to date on. What are these assessments? What is cyber insurance? There's a lot of things you went over because again,

this is, you come from a world where it was literally life and death. That's your world. You keep people alive. For these people, yes, it might be life and death for your organization, but they've never heard of any of this because most of them are just struggling through day-to-day, because you and I both know to get to the 10 million you could do it by brute force. It just means that you're probably not thinking about all these other things in the back end.

So exactly. What are these assessments and what is this insurance that they're running into?

What does that entail? How long does it take? Let's start at the top of the pyramid. Risk. Risk management is a discipline that essentially came to fruition because businesses realize that not everyone has unlimited resources. In fact, no business will have unlimited resources. It requires you to prioritize how it is that you devote those resources to business operations, sustainability and resilience. Cyber has grown to be part of the risk management profile,

and I would proffer to anyone that's listening that your cybersecurity is in all likelihood a critical

component. By critical, I mean it's a path to failure for your entire business operation if you are not taking steps to reduce the risk or potential exposure by adversarial activities to your enterprise. And so starting at the top of that pyramid, every business should be conducting a risk assessment to determine what their digital exposure is. In other words, have we done the right things in order to mitigate, not completely remove, because that is impossible,

but to mitigate the possibility of a cyber attack having a devastating or critical impact on our business. And notice that I did not say completely exclude the possibility of having an attack happen because part of the challenge in our industry is that we have to get folks over the hump of bad things are going to happen to you from a business standpoint. Maybe even bad things in your digital environment. What we try and do as an organization is help businesses understand

that resilience is the key. We want to help you understand, okay, things are going to happen,

but we're going to take steps to make sure we reduce the possibility of that happening. But the work that we do is about resilience. How quickly can we get you from that point of failure back to full business operations and then help you fully recover so that the impact, the blast radius of that is extremely limited and it's actually manageable and something that you can deal with. And that exercise contains a myriad of things. And the assessment is merely one

of the many things that you should be doing. Cyber insurance is another thing. Businesses, I think,

especially if you're operating, probably if you're doing five to ten million i...

I would say even go as low as a million to three million or more. If you're doing a million

plus in revenue, you should have some kind of liability insurance in place to ensure that you can

recover digitally from a potential attack. Again, adversaries don't care how big or small you are. They care about the probability of their exploit landing and the intended victim actually being put in a position where they have to make decisions. I'm sure we can get into a conversation about ransomware, which is one of the most malicious types of attacks that you can be victimized by. Because there's so much out there on the landscape that you have to be cognizant

of taking these steps in a risk management review, a risk assessment review, or prejudicial essentially to business operations. And I would proffer again, if you're in the zone of

a million plus in revenue, and certainly if you're in the neighborhood of ten million plus,

you should annually be doing some kind of assessment to ensure that you've taken the steps, cyber insurance. Your digital environment is orchestrated and constructed in a way that makes it difficult for an adversary to get done what they need to get done. And that doesn't even get you to the compliance and things or the regulatory aspects of adhering to particular vertical compliance, say financial services, healthcare and other industries that have particular

baselines that make it increasingly more difficult to obtain those certifications and be able to operate. But it's all sort of this big, I won't call it a mess, but it's this big

masala of things that you should be thinking about, and our business is to help organizations

think about these things in a way that's constructive and substantive and puts them in a position so that they can reduce risk to the overall enterprise. Most people think that hey I'm going to buy a new router or pop a new VPN on and I'm good to go. That's about the equivalent of throwing a mosquito in front of a semi-truck trying to stop it. It's not going to do a heck of a lot. When you talk about these assessments and when you do it specifically with your clients,

where do you start, you start with the people, you start with the hardware, what does that look like and how long does an assessment take? Yeah, so one of the things that we've done as an industry is that we've gotten pretty good at establishing frameworks that will guide folks through the process of evaluating themselves. These frameworks, some established by NIST, the National Institute of Science and Technology, other frameworks established, say, by the

Center for Internet Security, the critical controls. These frameworks are pretty good. They provide

a great amount of oversight and advice. The difficulty is walking through the frameworks and actually answering the questions and aligning your operations to the guidance that's provided by the frameworks and that is what we do. We select the framework that's appropriate for your level of

business or the vertical that you have to be operating in and we walk through the hundreds of

questions and steps associated with them and an honest exchange, providing both documentation and verbal answers. We essentially walk you through the process to make a determination as to what your digital footprint looks like. And then once you have that in hand with some curated advice that we then pour into it, we help you prioritize the gaps, vulnerabilities and figure out exactly what your current posture is. We help you create a roadmap that essentially will allow you

then to take steps to reduce the overall risk in a systemic way. Instead of just saying, hey, let's go get some name brand firewall or router and implement it into the system and assume that everything is okay. And I can't tell you the number of times I've gone into conversations with even folks in my lane, the technical personnel, and instead of talking strategy, they want to talk about products. And we are product-agnostic, thankfully, and we have a litany of partners

that we partner with in our organization, but we want to be in a position to be able to meet the customer where they are. So our solution base is immense and extensive. And I want to be able to identify exactly which solution is right for that particular customer. And that means that I can't just align myself to a particular product because some are great and do exactly what they're supposed to do, but not all of them. And you may have already made technical investments that prohibit you

from actually getting the benefit of maybe the name brand product that might be part of the solution set. So maybe there's an alternative that gets you part way down the road and gets you to where you need to be. And then we want to be in a position to make that kind of advice. So I like that it's not dictated by the product. So the router that you bought 30 years ago,

the blue and black one that's sitting in the corner is probably not going to sa...

but sitting down and breaking down exactly which one I'm talking about. When you talk about the framework, most people who are doing the suspect the SMBs, they have no idea what an IT framework is. They don't have a protection plan framework. They don't understand and you say,

hey, the framework matters more than the product. I think conceptually they'll get that. But when you

say, hey, there's a framework that we have to do that, you might as well be speaking Sanskrit to them. Walk me through: when you talk about a security posture that's based off of the framework, what does that mean? So the technology industry, through government identification and partnerships with civilian organizations, has created essentially best practices that any organization can follow to ensure that they are taking all of the necessary steps that an organization can take to protect itself.

That is a very, very oversimplified way of saying, are you doing all of the right things that you can do as an organization? That sounds pretty simple, but the challenge is that as organizations grow, scale and expand, every business wants to increase revenue, they want to increase the exposure of their product or their services across the market. And guess what that means in today's language? That means that their digital footprint is likely changing and evolving exponentially.

Especially if you're a global firm and you have services or products that you want to deliver globally.

Guess what? You have third parties that are part of your ecosystem,

part of your channel that are connected to your digital footprint. There are enough historical examples of breaches using third party suppliers that now we understand that not only are you responsible for your digital footprint, you're responsible for everything that you are connected to. And that can get to be really, really challenging. And oftentimes, because your technical staff on hand is just dealing with the day-to-day, the tyranny of the now, it is helpful to bring in

external advisors who can take a step back and give you that outside-in perspective that you desperately need so that you can then action on behalf of your organization, the things that need to be prioritized and get done. And so what it means is not, it's not that these organizations aren't capable of doing these things themselves. They just don't have the time, capacity, or resources to do it. They are concentrating on running the business, getting the business to the point where

it's profitable and doing all the things they need to do to satisfy their customers, and the truth of the matter is that investments in security still to this day are oftentimes deprioritized, and especially in SMB environments. I can't tell you the number of times I come across, quote unquote, the security team of three people for a multimillion dollar business. And the security team is three people and they're expected to do everything. The governance, risk

and compliance, they're expected to be the IT backbone of the organization. They are also expected to be the security of the organization. And while these people may be immensely competent, there is no way that they can operate at both the strategic and tactical level without the appropriate help or resources to do that and oftentimes the security teams are some of the most under-resourced teams within a business. I mean, we're talking about technology is the critical

factor that's going to keep you in business. And the fact that we don't spend more money, more time, more resources on security still to this day amazes me. And again, that's part of the reason why I established Apigy. I want to get in to help organizations scale that problem.

It's, the problem is IT has never been seen as a profit center, even though we are the backbone of it,

we're just not a profit center. So when we come into it, and a lot of issues that we have in this environment is most IT guys don't speak human. And it's a completely different conversation. We speak geek. We're going to sit down and we're going to break things out. We're going to go outside of the bat at the other person. It's kind of like having your accountant talk to marketing. They don't speak the same language. Accounting and the marketing team do not speak the same,

they never have, they never will. So I'm trying in this one, when we talk about framework, because most of the people who are listening to this are small business owners, they're going, what the hell is an assessment framework? What does that even mean? Do I give my blood type, do I give my sperm count? Do I give you the model of my computers? Where am I? Because I'm trying to break it down so they can understand that. So when we talk about framework and an

assessment framework, how long does it take? What does it include? How do we trust the person

coming in? What do they take away with them? Are they there on site? What does that look like?

So starting with the last part of what you're saying. So every engagement has NDAs associated with it, you basically are an extended arm of the company operating on their behalf when you engage in a consulting agreement. The information provided belongs to the company that is providing

it always and it is maintained and retains the property value of the information or access that's

provided.

through a question and interrogation and document collection. What steps you have already taken to

secure your applications, to secure your identity measures within the environment? To ensure that you are patching on a regular basis, the technology patching is a way of identifying and changing vulnerabilities or gaps that may be inherent in the hardware tools that you're using or even the cloud-based tools that you're using. Every digital cycle is dominated by multiple domains within the technology spectrum, for which cybersecurity again has its own domains, and an assessment

will essentially walk you through in a step-by-step process whether or not you have done or adhere to the principles of that particular domain. And it's not just simply a yes or no, you want to give companies credit for the amount of effort that they've put into some areas. It works on a gradient. Maybe you've knocked it out of the park. So yes, that's a complete fulfillment of that particular aspect of, say, identity management. But maybe you've done

a little bit but didn't do quite enough to get a four-star rating on that particular question. You get credit for what you have done. We identify the gap between where you are and what

excellent looks like. And then tell you here are the things that you need to do to get to

excellent in this particular category. So as you're going through all of these and you're working through a team, what are some of the issues that you run into with people who haven't done this? When you've walked in you're like, okay, we did the assessment, you're crushing it over here but good God, this is dangerous over here. What does that look like? What it looks like is again a resource challenge because the teams are under-invested and small. You get a lot of nods, folks saying,

yeah, we're kind of doing that or yes, we've taken steps to do that. And then we need to ask the

natural follow-on question, have you documented that somewhere? You always get either the blank

stare or it's in draft. We were going to get to that, but they haven't prioritized it. So what that looks like in practical terms is what you find is that most businesses are doing some things related to their security posture; they're not doing all of the things that they could be doing. And that again is where an outsider's view coming in and giving you that unvarnished opinion on where you are can be immensely helpful. And it's not that the internal people,

again, don't understand it or are going to give you misinformation. They may just not, they give themselves credit in areas where maybe credit is not quite due by simply saying, hey, we got that covered. And that's probably the worst expression that you can hear. If one of your technologists tells you, if their answer to everything is we've got that covered, you probably should be digging a bit deeper because that simple answer is not enough.

And you touch on something that's super, super important. This language that technologists use

when communicating business concerns, this is the area of risk. And if technologists are not talking in business language, in the language of risk, believe me, the folks, the stakeholders on the other side of that conversation do not understand a word that you're saying. Oftentimes, even if they've come from technology backgrounds themselves, once you are in that operating circle where everything is about risk, risk exposure, risk mitigation, that is what needs to be communicated

to the C-suite and the Board of Directors so that you then enable them to make a decision about where they're going to prioritize the resources of the company. You mentioned that they don't

speak the same way. I've never heard this word "document" before. I've no idea what you're talking

and I see that we don't document any, it's bad. We just don't have the time. We're like, we're trying to just keep things operational and you want me to sit down and document what I did. I'm like, you're out of your mind. Yeah, we just don't have the bandwidth to do it.

So that's, and that's the one I've done IT for longer than I'd like to admit. I can't remember.

I remember the first time I had to sit down and write a white paper out. I was like, what the heck are you talking about? At the time, I was advising, I was working with Microsoft. I'm like, you want me to document all this? I'm like, I've got fires to put out. I'm like, I've got to deal with Susan who hasn't remembered her password for the 19th time today. And you want me to sit in this, we just don't have that. So that is what it is.

When we talk about risks, what is a real risk? Give me a real example of a data breach that caused real problems that you had to come in and you had to save. Let's talk about ransomware, because ransomware to me is not only one of the most malicious types of victimizations and experiences that an organization can have. It's pretty insidious when you think

about it.

And let's take note of that. Still to this day, 2026, email is still the best avenue of attack for an adversary, because it's the highest probability of access by malicious links, other information that then drives users to maybe watering holes, where they go to a malicious website. There aren't enough protections enabled throughout the enterprise on the browser, and say, you know, John from your enterprise is actually able to go to a malicious site, click on some link that says, hey, here's a report that's dealing with your industry, download and read the report. PDF, right? What could be wrong with a PDF? Downloads the report, and the next thing you know, the actor, the threat actor, has access to the environment. Ransomware, and the way that it works, it then does a couple of things. It could sit on a time hack, in other words, sitting and waiting for a particular period of time to be exploited, or it could get to work immediately, basically attempting to find root access or ground access to a system environment, and then slowly begins to encrypt important files that essentially it's been designated to encrypt, that ultimately will cripple the organization. And there have been thousands of victims worldwide of ransomware incidents. And when I say malicious, I think it's malicious to take someone's own information and then make it unusable to them, or not have the ability to access that information. We use the term "encrypted," which means it's garbled in a mathematical fashion that then makes it unreadable or unusable. And the mathematical key that's necessary to unlock the information and return it to you often requires you to pay money, or some sum of money through Bitcoin or some other cryptocurrency, in order to be able to gain access to the stuff that you already own.

So pretty malicious. And there are certain business verticals that still are falling prey to this. Health care jumps to mind as a particularly vulnerable vertical that's still, especially small regional health care entities that haven't taken the steps to identify where their gaps and vulnerabilities are, relying very heavily on technology. Folks are paying attention to the health care space; it relies as much on technology today as any vertical, which means they should be investing in security and technology. The thing about ransomware is that there are a couple of different types of ransomware adversaries out there. There are individuals who may have bought an exploit or ransomware kit off of the dark web and are just going to town on their own using it, setting up their digital wallets and collecting money for ransom, but there are also ransomware gangs in the organized crime realm. You could find yourself the victim of a ransomware attack, and they might just provide you an international phone number to call so that you can get help with your ransomware incident, and they will walk you through the process of providing them money so that they can potentially provide you the decryption key for your own information. And I say potentially, because there is something nowadays called the double impact of ransomware: they're now threatening to release your data or information. So there's double payments associated

with it, and there are known instances where the ransom has been paid and they still never provided the decryption keys, which means you have to start from zero if you haven't taken the steps, from a resilience fashion, to make sure that you have backups that are immutable and protected and can't be hit by potential adversarial activity. So there's a lot involved just in that short conversation. I barely touched on some of the areas that you could go very, very deep on, but the assessments that we provide would have essentially determined whether or not you had taken the steps necessary to buttress against a potential attack like that, or, as I like to say again, limited the blast area so that you could rebound and recover from a potential attack like that. And you won't know that unless you have actually gone through the steps of a risk assessment and made those determinations. Please do not just take the nod from the IT guy who says, "We're good to go. We can recover from that." That's not a good answer for the Board of Directors for

our company.

I think there are so many important things you just said, where we talk about that there's a time delay. Now for those of you who are playing at home who don't know IT, the time delay matters, because our default reaction as IT guys is, "Oh, we'll just restore the backup." But like, I'll give you, we got breached five days ago. It's five days of

Data loss.

that are six months old. The problem is, let's say your breach happened five months ago. And again, we'd have backups that date back a year. Congratulations. You just lost a year of data. Can you survive that? And they're like, "Wait, what?" So that's why we have time delays in this situation. And people are like, "Oh my god, I'm not ready for that. What do I, well, how long should my backups be?" It's not a question of how long your backup should be in that environment. I think it's more of a question of how have you done the assessment, how have you done the things to protect yourself? Because one of the tests we, and again, this is 20 years ago, we would send emails to people. Like, "Hey, here's a PDF." We would spoof the email, in other words, make it seem like it's coming from your internal department, to you: click this link for this meeting we have coming up later today. And then just see how many people click the link. And the majority of the people click the link. And my favorite was when the C-level, when the C-suite, they would click the link. And, oh my god, I can't believe Susie from HR did that, she's stupid. Really, sir, CTO? You clicked on it too. And they're like, "Oh my god, you're an idiot as well." So the problem is that it's universal. It's just, in the process of our day, we're just so used to clicking and firing. And this is why, again, to your point, your three or four guys that are elite, unbelievable individuals who are running your IT organization, you can't, this isn't 300. You can't expect 300 guys to stop the entire army that's coming at you. You gotta get them resources. You gotta get them help. Now, I want to talk about the introduction of AI. Now AI, we already know it doesn't mean artificial intelligence.

We already know it means always incorrect. We're still using it. And we're still uploading vast amounts of information into it, which is an absolute nightmare from a security perspective. It's a nightmare. What do you tell the organizations you're working with? They're like, "Hey, yeah, I know you want to work with OpenClaw, or you want to work with Claude, or you want to put in Codex, or you want to put in madness?" And they're like, "Hey, why don't you just walk outside and make it?" What do you tell the people in that environment to protect them, who are? Because we're becoming an AI-first world. We were in that first world. Now we're an AI-first world. How do you protect them in that environment?

There's a couple of different things that we do. One, I've assembled a partner network that has a variety of solutions that meet customers' needs as it relates to the adoption and implementation of artificial intelligence in the business environment. And I've aligned myself with these potential technology providers because I love their technology, and it does what it is that they claim it's able to do. That's part of the challenge. We, from a standpoint of making sure that there's a knowledge transfer, or that we acquaint our client with the challenges they may be facing in using AI, have built an internal process that will allow them to take the steps in a diligent fashion and make sure that they aren't just simply opening the gates and allowing their employees essentially to give up the company's goods through the use of these tools. It requires a lot of diligence. It requires companies to take steps like creating a change committee or an artificial intelligence committee, for which they do an evaluation of the potential impact of these solutions on business operations. In other words, each business leader might have to contribute what kinds of information they intend to put into the system, and then what their expectations are for what kind of access the bots, agents and other aspects of AI will have throughout the enterprise. All of that needs to be governed in a governance, risk and compliance fashion, and it requires you to stand up committees and, yes, take very, very diligent steps that will allow you to assess whether or not a particular solution can be helpful, but then implementing it in a fashion that is safe and secure and then ultimately helpful to business operations. And so it requires you to think about it. It's not just a matter of going to the site, signing up, and just assuming that that technology provider is going to provide you all of the security measures and default settings that you need in order to protect your enterprise. You have to take extra steps, and thinking through those extra steps is what we do as an organization. We help organizations identify how they think through those steps. We bring experts to the table who can explain the risk associated with any one particular solution and give them a general approach that will allow them to reduce the opportunity of any particular adversary to exploit their system and/or just make bad use of AI. There are gaps in the use of artificial intelligence. I have heard some interesting stories recently about AI or large language models that have been given widespread access to enterprise information, and in doing that, because they only understand language prompts, have gone out into areas and retrieved information and presented it to users, and that user didn't have access to that particular information from

their role-based access within the company, but the bot had access to it and ...

information. These are all challenges that are fixable, but they're only fixable if you are taking the preemptive steps necessary to make sure that you're protecting your digital information wherever it may reside.

I think assuming that whoever you're working with, whatever software it is that's trying to protect you, it's not doing that. It's evolving too fast, and the best example I can give of this is, for those of you playing at home, I created it. I had a box that had none of my personal information, and I created a VM. I created a little virtual machine inside my box. I then loaded a version of that inside of it called OpenClaw, and I wanted to see. I'm like, all right, I'm going to do the resources, none of my personal information, and I watched it. OpenClaw figured out that it was inside of a VM, inside of a virtual machine, and then it was like, huh, I need more resources. It then penetrated out of the sandbox to try and get more resources from my parent OS, and I was like, okay, no, we're done, I'm blowing the whole OS out. I was like, we're done. I've never seen anybody do that before, and I'm like, I don't want to play anymore, goodbye. But I've never seen, and it wasn't doing it at the time maliciously, but I've never seen a piece of software break out of a VM and then go at the parent OS. I was like, what? That's all of that.

I'm starting to hear more stories like that, because it's interesting. You know, computers and technology do what we tell them to do, and if you tell it to do a task, it then assumes that it has to complete that task, yes, and it has all of the variable things available to it, to include what might be considered malicious behavior, to achieve the task that you've given it. And so these are important elements that we need to be thinking about. I heard a very similar story in the context of, you know, RSA, that occurred this week in San Francisco, about an AI agent essentially executing an exploitation in order to gain access to information to satisfy the original task, right, that it was given, which is crazy to me, but guess what, it makes sense. You told it to do that, and it thinks that it has all of these things available to it. You didn't tell it that there were boundaries, and these are things that we're going to have to learn as humans, that oftentimes not only do we have to give it a task, but maybe we have to give it the limitations for which it can execute that task, right.

I tell people all the time, AI is a toddler at this point. If you're like, hey, I need you to build a kitchen, and it needs wood, it will tear down the rest of the house to get the wood for the rest of that kitchen. It's because it doesn't understand, oh, you need the rest of the house, you just want to build a kitchen. There, I knew there was wood somewhere, I went and found wood. I could stop. The next problem you're running into, and I don't think people understand this, really, on the tech level, as much as we picked on tech guys, the opposite occurs as well, when we IT guys show up and you don't understand what we're talking about, and we're really dorky. The culture has to change in your org. Like, these are your vulnerabilities, we did the assessment, these are the problems, there's only so much we can do, here you go, this is

going to happen, and then your C-suite or your SMB or whatever it is, it's like, dude, I got to get these widgets out the door. You have to have a culture change when you run into that. For your clients, how do you pivot the entire culture to get them to understand?

This is part of the reason that we operate across multiple variables of the risk spectrum. So we are an enterprise risk company in terms of our advisory work. I believe in my heart that no single solution like a digital widget is going to solve the problem that you're actually needing to solve, and so when I think about people, process and technology, which is sort of the consulting mantra, we do all three. We come in, and we may help you identify the digital solution that's helpful to you, and then you may come back to us and say, well, I'm still short on people. Well, guess what, we have interim resources we can add to the solution, so that you can have a period of having folks that have the expertise available to ride along with you, to help the company continue to grow, and then you can take the time to plan how you're going to hire a permanent person to do the job that this interim person is doing, and they're doing it in an excellent manner. And maybe the solution is, for some limited period of time, to have it be that adjunct person, or fractional, as we like to call it in our industry, be the person that's going to ride along with you for that phase of your growth and development. You will get to a point where, yeah, you want to hire someone permanently, and that's where we also come in with, okay, now that we've provided the fractional technology talent to help you grow and scale to a new phase of your company's operations, now we're going to go out in the field, through our broad network, and actually help you identify who's the right person to do a longer-term engagement here, multi-year, maybe even become part of your FTE workforce, and give you that person. And guess what, we've been part of the journey

with you up to that point, so we now understand the company culture, what what'...

not just from a skill set standpoint, but who's going to be a good fit for your organization for the next phase that you're moving into. And so we want to be supportive across that entire people, process and technology cycle.

So I want to dissect this model a little bit more. So when I was doing this, again, a long time ago, we were what was known as an MSP, which is a managed service provider. We would come in and we would provide small to medium companies' IT departments, and it was really simple. It's like, you can pay this guy 120K a year, or you can pay me two grand a month, which is like twenty-four thousand dollars, and we're going to do ninety percent of what you need. You don't need that full-time person at a hundred eighty thousand, two hundred thousand dollars a year, because most of the time in IT we're going to just be surfing the internet and goofing off, because they don't wait every thirty-seven seconds, let's just be honest. So you don't need someone full-time. I think what you need is that elite level of support, that elite level of experience that comes in and says, okay, I'm going to do what's going to take somebody else, who has no idea, I'm going to do it in about an hour. I got this. Here it is. This is what you need to do. Now

you got to figure your culture out, you have to do all that, we're going to advise you. But I think most small businesses are like, you know, they hear MK, that, Jesus Christ, is going to cost me half a million dollars. I'm not going to be like, oh my god. They forget, like, whoa, this is fractional. The model's important, to come in and say, listen, here's an expert, we're going to sit with you. But I don't think, and correct me if I'm wrong, my experience with this is it's not a problem of us doing the assessment and us giving you the expertise. It's you now sitting down and pivoting your culture, and this is where someone who's got the experience can say, okay, we just found out we're exceptionally vulnerable. Now you're not going to give it to your C-level CEO who's never logged into anything other than their Gmail, or you're going to have to have someone hold their hand, but it doesn't have to be the most cost-prohibitive thing in the world. Is that kind of the same model you guys are still using, or have I just outdated myself at this point?

No, no, it's the model we're using, but maybe I'm taking even an extra step to explain it. Let's just use some notional figures and a notional scenario. Say you determine as an organization that you're ready, we need to hire a security executive to champion our security expertise and the things that we need to be doing from a security standpoint. Guess what, security persons with deep experience and knowledge like myself come at a high price as permanent personnel. I did pretty well, I did pretty well working for a couple of Fortune 500 companies here in Silicon Valley, and so even at the SMB level you want that level of expertise, but you're not ready to pay the same amount that, you know, the likes of Google or Palo Alto Networks is going to pay. So why not hire a fractional person that you can get at essentially a fourth of the price and still get the expertise and level of engagement that you need, and you get to go through a period of evaluation, quite frankly, to determine if they can do the job, because oftentimes what happens is that they make these high-dollar-value hires and the person doesn't even work out, and so they've essentially wasted time. Here, here's

the other component I'll tell you that I think is fascinating. You hire a CISO, and let's just use the CISO because that's sort of the go-to persona, if you will, for technical expertise at the C-suite level. You hire a CISO, they are immediately going to want to build a team. So you aren't just hiring one executive, you're hiring an executive who then is going to build a road map to building a team that's capable of executing, because, I don't care, even the most technically minded CISO doesn't want to be the person actually developing and shipping security within the enterprise. They want to be spending time on the strategic measures, so they're going to go out and hire that great security engineer that they worked with at company X. They're going to go out and identify that person in GRC that they worked with a few years back who was just excellent at documenting process and state and making sure that the team stayed on point in terms of policies, procedures, and keeping all of that stuff updated. And before you know it, your one-person hire has ballooned into a 50-60-person team that costs an immense amount of money for talent. Again, for a fourth of that you can have an expert team come in, operate in a fractional capacity, and then help you, in a slow, mature fashion, identify the long-term resources that you're going to need, or, quite frankly, maybe you're determining that the fractional model, which is becoming super relevant today, I can't say the number of technologists I know that are on the bench by choice because they'd rather operate fractionally rather than do long-term projects. They want to take their expertise and go from project to project, because they don't want to work for a large-

scale enterprise as a permanent person, because they like the freedom associate...

expertise, and like you said, what might take you 10 hours to do, because I have the expertise I can come in and do it in an hour and a half, and it's done in an enterprise-level fashion. And then, guess what, I have the rest of that time available to me to go do other projects or do something else that I intend to do. In my case, I get to go run the other aspects of a business, which means that the fractional experience and engagement that I need in order to get that customer to where they need to be, I can parse that out and give that to 10 companies at one time as opposed to one company at a time.

I agree a thousand percent, and I've said this, again, 20 years ago: you do not need a full-time IT department, period, full stop. You do not need a full-time CISO. You don't. This should be outsourced. You should be hiring, I would rather you spend for the expertise than the time, because the expertise is going to save you that time, and having somebody that's sitting there for half a million dollars a year, sitting there, who's going to build out an entire team, is just going to drain your revenue streams. Having someone who's got the experience that comes in and says, hey, these are the next five things you need to do, we're going to do this, let's sit down and talk about it, you will now be more protected, but you will also have saved some amount of money. The reason I say that you're more protected is because he's not experiencing it just at one client anymore. He's now experiencing a hundred clients at a time, so the experience of one breach that's happening at client Q is now helping out client A. And I just don't think small business owners understand that. There's this ego that, like, no, they have to be mine, they have to do that. You're not getting the best opportunities, and you're wasting a ton of time and money in order to do it. So just, just don't do that. For those of you guys who are playing at home who are small business owners, and are like, listen, this is Sanskrit to me, I don't understand any of this, look at a fractional environment, be it MK or anybody else, but on any level your IT stuff, and I'm sure I'm going to get some nasty grams from your IT guys, you don't need to be full-time. Be honest, we're all just browsing YouTube way too much anyway. So, yeah, get off of that, and then it's just, it doesn't

necessarily have it. So, having that, so if the people are watching from home, and I have two questions I want to ask you. One is, what are the things, if they never run into you, if you get hit by a purple dragon today, you disappear, or you win the lottery, make a hundred billion dollars and you put your phone in a blender, what are the five or six things that they could do right now, where they're like, okay, I need to do this, there's this online tool or there's this thing that I could do, or what are the things that I could do right now to protect myself on a personal level, and then the things that I could do for my business environment?

We provide a risk assessment that folks can take freely at our website. That risk assessment will walk you through some basics to give you a high-level understanding of where it is that you may have not made the proper investments in the reduction of risk to the enterprise, and we cover multiple domains. Again, we're a people, process and technology advisory firm. So I would say at the very least, take some time to assess where you are as a company, and you can do that with us, you can do it with others. We think we bring not just an immense amount of experience but a special expertise based on my experience and those of my executive team and the others that we have engaged, but do some evaluation of where you are as an organization, and bring in folks who have experience, broad-based expertise, and will give you an unvarnished opinion as to where you stand as an organization. Take the time to make the investment in that effort, and it doesn't happen overnight. You know, a typical risk assessment is likely a six to eight week engagement if done correctly, just aligning time schedules, going through the process of asking all of the, there's, you know, probably 180 to 200 plus questions that get asked during the course of the assessment. You do those in chunks, you don't want to do those all at one time. There's a gathering of data and information in terms of documentation, or the absence of the documentation that needs to be noted. So the process takes a while, so get it started. From a personal standpoint, there are several things that you can do that just sort of evaluate where you are. Just google your name, for starters. Go into an incognito browser and google your name and see what information comes up in a Google search, and then google how do you get Google to remove your name and personal information from searches, and it will tell you the steps that you need to take in order to essentially give Google the information that it needs to be looking for, and it will come back and tell you. I do it myself. I get probably an email every three weeks or so: hey, your personal information is found on this site, would you like it to be reviewed for removal? I click yes, and 99% of the time you get an email back that says it was removed. Every once in a while there's some, you know, site, and because of the way that the information was collected they're unable to have it removed.

That one percent of time, again, it's about limiting your footprint, limiting yo...

It's not about eliminating it. If you want to completely eliminate digital risk, don't use digital products. Correct. That's it, that's the only way to do it. That's the only way to do it. But if you're like the 99.9% of the rest of the world who has a phone and wants access to this digital information, there are basic things that you can do to protect yourself. Do the basics, and that at least gets you on the right path, because most folks aren't even doing the basics, and that's what the adversary is channeling.

We talk about something in the military all the time about everyday carry: what are the things you carry every day, be it from operational, from military, for duty, sidearms, whatever that is. When it comes to this, what is your everyday carry for the stuff in your world that you use on the tech side? Are you like, okay, I use Android, or I'm going to be a Google guy, or I'm going to always have a flash drive on me, or whatever it is? Because I keep a flash drive in my wallet that I use very specifically, that can breach me into any machine. I've had it on me for 20 years. It's just, I'm like, oh, I get in anybody's, seen that, I ever get like that, it's just a habit, I always have it inside my wallet. What are the things that you have in your world, like, these are my everyday carry, so I'm going to have this on me, or this is what I use all the time? Because through your immense experience with the FBI and the Marine Corps and the Navy, and thank you again for your service, what are the things, like, you know what, this is the case I'm going to use, this is because, those are the things that people are like, what does he use? He's got this experience. What was he taught? They want to know those things. So what is your kind of your everyday carry?

Let me answer it this way. So part of what I bring to the table is a level of communication that can be helpful at the strategic and

executive level. So I'm a communicator by trade, that's what I get paid to do in most instances, is what I get paid for in an enterprise, and it's a skill set that I've developed over time. In terms of my tactical carry today, because I had such a wonderful experience at one of the biggest technology companies on the planet, I'm a Google Workspace user through and through. I love the products, I love the ecosystem, I know the story behind the preferential use of zero trust in terms of the principles that were used to build out the environment, and so, guess what, I'm a Chromebook user. I like telling folks the story that, you know, I love Macs just like everybody else. The look, feel and presence of a Mac is unmatched, but if I'm traveling for business, guess what, I got my Chromebook with me. It's probably a safer platform to use. There has never been an instance of a Chromebook being violated via ransomware; the probability of it happening is actually zero. I use a Pixel phone because it's tied uniquely to the Google ecosystem. Do I have Mac products? Absolutely. I will tell folks, day in and day out I'm an iPad user, because I don't think that there is, I have yet to see, in tablet form, something that is as useful from a utility fashion as the iPad. You attach a keyboard to an iPad, there's almost nothing that's restricted to you to be able to do. I mean, it is part of my go-to carry, and yes, I have a tech bag or whatever you want to call it that I carry with me for business travel and when I'm out and about meeting with customers and clients. But from a tactical fashion, I'd say my everyday carry is that when I walk away from my home office, I'm going to have my Chromebook, I'm going to have my iPad, I'm going to have my Pixel phone, and a tech bag that's going to essentially allow me to get in front of folks and carry on whatever kind of conversation I need in order to either develop business or, quite frankly, just to help them understand what I'm seeing and the challenges in the environment landscape.

I'm going to have to start looking at Google Workspace again, because I'm a Microsoft guy and I learned it, so I'm going to have to transition. What are some of the tools? I'm just going to have to pivot, because I'm such a Microsoft guy, and it just, it's worked. And I, hey, what is it, Sheets, and I'm like, can I just put it in Excel? They're like, no.

There is such parity and operability between the Microsoft Office capabilities and Google Workspace today that it's almost 100% seamless, so you'd be surprised. The transition may not be as hard as you might think that it is.

Oh god, that's okay. Oh, we're gonna, I promise, I'll work on it. The next: what are certain things that you're like, dude, that's just the way, someone, like, they have these little stickers that you put on cell phones that reduce EMI or EMF and they don't mess with you, right? What are some of the things you're like, please stop doing this, what are you people doing? Like, is there anything out there that you could think of that's like, no?

No, I don't want to disparage the use

of any kind of technical product, you know, I do think that, you know, things lik...

have to worry about, you know, RFID readers, the common consumer, but I noticed that, you know, there's even a stretch of folks out there that are selling, like, Faraday bags to people who now need to keep their technology in a Faraday cage, and I'm just, you can go too far, I think, with some of this stuff. And that's, I'm not that guy. I'm not the person who's going to tell you that, you know, every time you, you know, don't use public Wi-Fi. You know, be careful when using public Wi-Fi. You know, there's still validity to the use of VPNs. Most phones have VPN systems built into them. Turn on your VPN when you're out at the corner Starbucks using Starbucks Wi-Fi, or when you're traveling and you're going to a hotel. You know, if you don't want to use the hotel Wi-Fi, buy your own Wi-Fi puck and use that when you travel, so that you can be safe. You can make it, like, you know, there's, so you're saying how much you want to inflict on yourself.

So you mean the shoebox that I have in my house that's wrapped with aluminum foil is not a good idea? Is that what you're saying? I shouldn't, you just, all right, with that said, okay, there's a bunch of people out there who are going, like, I need to talk to someone, it needs to be in a fractional environment. How do people track you down? How do they get access to you? How do they ask questions to kind of lead themselves and protect themselves in a world that's getting more and more risky?

Yeah, a couple of different things. One, I would tell them to visit our website at apigyglobalrms.io. You can see the full suite of services that we offer as a company, there's some stuff about our background, and there's some information from a thought leadership standpoint in terms of our approach to security and enterprise risk and all of the things that came up in conversation. I think that's a great starting point. From an individual perspective, we have both a company presence and my personal presence on LinkedIn. I'm a heavy, I'm a heavy LinkedIn user, so we can give a nod to Microsoft in that way if you like, you know, they own LinkedIn. So I'm a big believer in LinkedIn. I think it's a great professional social network. I keep in touch with lots of people on LinkedIn. I'm there as mkpalmore. If you look me up, I'm pretty sure I'm the only mkpalmore on LinkedIn. I'm open to outreach. I can't tell you the number of folks who reach out to me sort of blindly that I've had the opportunity to actually connect with and have conversations with. So you can see a lot about what we're doing as a company and what I do individually for my own personal brand, which amplifies the company brand, either at our website or on LinkedIn.

Perfect, and if not we'll put your direct phone number, your social security number, your bank

to town and your home address in the show note I'm tattooed through shit to come on I really do thank you for sharing all the information that you did with us security isn't about having the fanciest tools it's about doing the basics every single time mf a on permissions locked down stay consistent that's it mk made it clear today the adversary is counting on your laziness

don't give it to them as always thanks for tuning in stay safe out there digitally and otherwise

See you next time!
