Cyber Defense: Mark B Cooper of PKI Solutions On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack
Train your employees: Teach your employees to spot phishing attempts and set out clear rules for engagement if they suspect an attack. They should know how to verify information and trusted mechanisms to use. For instance, they should also know the CEO will never ask them to go buy xBox gift cards and send the codes over email to a gmail account. This has actually happened to one of our new employees after we posted a picture on social media of their first day on the job.
In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?
In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience, with all of us.
As a part of this series, I had the pleasure of interviewing Mark B. Cooper, President and Founder of PKI Solutions Inc., a leading cybersecurity firm providing Public Key Infrastructure (PKI) products, services, and training. Cooper has been known throughout the industry as “The PKI Guy” since his early days at Microsoft. He and his team at PKI Solutions have deep knowledge and experience in all things PKI, the foundational technology for almost every identity and data encryption solution used throughout the world.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
When I was 10 years old, my family moved from the east coast to Portland, Oregon. My family was of extremely modest means living on government assistance programs while my single mother worked as an artist to provide for us and fulfill her passion in life. All of which meant that our entertainment and activities were limited outside of the house. Over time, I learned how to entertain myself by reading everything I could find about technology and working on computers.
As I headed into high school, my freshman year happened to be the year that the Mac SE debuted and I volunteered to help the school typing teacher (soon to be computer lab teacher) set up the computer room. As it would turn out, we deployed the first network of computers in the Portland Public Schools district. As a reward, I was allowed to take an old 50lb black and white Wyse terminal home for the summer. I lugged that heavy computer for almost 2 miles as I walked home and proceeded to connect the 300 baud acoustic modem to the only phone line in the house.
Most of my high school life centered around computers, and I often joke that I spent more time sneaking into Reed College than attending high school. Reed College had a very open campus and the students never questioned why a high-school-aged kid was hanging out in the lab 24x7. They had far more advanced equipment and communications lines than I could access anywhere else.
After high school, I attended a local college in pursuit of a career as a pilot. Unfortunately, that is a very expensive field to enter and having little financial backing, I soon ran out of money. One day when I was visiting my old high school, I noticed a help wanted sign for an entry level IT person at a downtown law firm. I figured I’d drop out of college, work for a little while and then go back and finish. I never looked back and never got the opportunity to go back to finish college.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
My exposure to cybersecurity is an interesting story, and it probably depends on where the story starts. The long story goes to back to a week spent at a conference in New Orleans and a very lucky week at the Blackjack table — like I said, a long story.
The short story is that almost 20 years ago, I wound up taking a job at Microsoft. At that time, I had been in the IT field for almost 15 years and was looking for something new. I had left a job as a Director of Development for a local firm and was hungry for something more technical and interesting. On almost the first day we were going through technology orientation and a few of Microsoft’s top engineers brought up the subject of Public Key Infrastructure, largely under the guise of “well, here is this encryption technology that nobody really understands and we have a hard time supporting.” After a few hours, I thought to myself that this “stuff” made sense and wondered what all the mystery was about. My love of PKI was born.
It quickly became apparent to me that PKI was a critical infrastructure security element and it’s use was growing. It turns out I was right. What was a relatively burgeoning technology 20 years ago is now common place and provides the foundation for just about every piece of encryption and communication that is in use in enterprises and throughout the internet.
In the end, I left Microsoft after my manager wondered what the heck my job was and why there was only one of me, yet he needed 500 people to work on Microsoft Exchange. He also commented that perhaps I needed to go learn Exchange — which ironically, has now largely been replaced by cloud-based email. Contrast that with the success of PKI technology which is now found everywhere from airplanes, thermostats and everyday banking and internet communications. I think I chose wisely.
Can you share the most interesting story that happened to you since you began this fascinating career?
When I was faced with leaving Microsoft to start PKI Solutions, I was hesitant about making that leap. I had financial responsibilities and was largely the provider for the household. But there is never a perfect time to leave a corporate job and start a new business. After hesitating for months waiting for the “perfect” opportunity, one never materialized. So, I had to decide to make it happen.
After notifying Microsoft I was leaving, I spent the next several weeks laying the foundation for my new business — in hopes of securing customers and projects. I borrowed from my 401K and made myself a commitment that I had to find work but, once the loan was used, I would go back to the corporate life and lick my wounds.
On the official first day of my business, I received calls from some of previous customers I had worked with over the years and they signed up on the spot. Those customers are still with us today. They’ve always supported me and the vision of PKI Solutions. Now that we are moving into the product space with PKI Spotlight, it’s amazing to see that long-time partnership support our future as well.
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
Customer focused: When I started my business, I knew I wanted to offer better customer support than I had seen others do. I created our PKI Support Services program to be completely different than every other tech support contract that customers typically sign. Unfortunately, customers that have a support contract always seem to do the same thing whenever they have an issue or need arises. They ask themselves, “Should I open a ticket? What if it’s a simple issue and I wasted those hours? What If I need those hours next month for a complete failure and I have no more hours?” So, these customers waste time looking for answers on the internet, finding bad details and making silly mistakes or causing a bigger problem. Then at the end of the year, the major disaster never happened and the sales person is in the position to try to sell them a renewal, only to hear “why would I renew? I hardly ever needed the contract.” I was determined to change that. We offer (and still do), our Support Agreement that provides unlimited support. If it’s a simple issue, we talk, and the customer quickly has their info. If it’s a big issue, it’s a good thing they called! In the end, we wind up being our customers’ trusted advisor and they pull us into anything they need in relation to their PKI. As a result, we have never had a Support Services customer not renew their contract.
Adaptable: Almost every innovation, offering, or revenue growth that we’ve had in our company’s history has come from listening to our customers and adapting. Years ago, one of our large, east coast municipal police departments commented that their procurement process and paperwork was a pain to go through every year as they renewed their Support Services contract. Together, we figured out that by offering a three-year term option, that they could reduce the time they spent on paperwork and we had a strong commitment for a longer period. It turns out, most of our other customers also liked that idea and switched over to longer contracts. Another great example is when we kept seeing issues with our customers operating and managing their PKI. We were left wondering why they had these issues. We saw that organizations were facing significant pain points and impacts to their line of business because of these challenges. As a result, we sat down and started looking at the issue. This led us to realize that there was an entire segment of the cybersecurity space that was unaddressed. That is when we created PKI Spotlight to solve these very real problems — all because we adapted based on what we were seeing happening in real-time to our customers.
Pragmatic: It is part of our DNA to approach security solutions from a pragmatic standpoint. Businesses have to operate, to function and they need to do that securely. However, there is risk in business, as in life. So, we have to approach identity and encryption solutions based on PKI from a pragmatic standpoint. That takes deep subject matter expertise as it’s one thing to know something is a best practice or not and to inform a customer of a misconfiguration. Without knowing why it’s a best practice, it’s hard to understand the nuance of the risk and why that best practice was created. If you have that knowledge, you can advise a customer on the risk, best practices and recommendation. In addition, you can advise them on what risk they are accepting or mitigating and how that may or may not align with their security objectives.
Are you working on any exciting new projects now? How do you think that will help people?
We’re very excited to have recently introduced PKI Spotlight, the industry’s first and only solution that provides real-time monitoring and alerting of the availability, configuration, and security of all of an organization’s PKI environments — all consolidated into one easy-to-use dashboard. PKI Spotlight launched on March 14, 2022 and reflects 18 months of concept, design and development work. But its origin spans my last 20 years of working, teaching, presenting and advising in the PKI space. Our professional services team is second to none, but it will never scale to meet all of the PKI needs for all of the enterprises that are reliant on PKIs around the world. PKI is a foundational technology for almost every identity and data encryption solution used throughout the world which means that there are a lot of companies that could use PKI Spotlight’s help.
Through the automation and implementation of PKI Spotlight, we are helping customer see, monitor, and secure their PKI and ensure their identity and data encryption solutions are reliable. Ironically, as foundational as PKI is to every organization, and to the internet, almost every PKI deployed is operated in a reactive, firefighting-only mode to respond to issues when they break. There just isn’t any existing tooling to provide the visibility, alerting and security of their PKI in real-time. In hindsight, it’s amazing this space has gone for so long without someone addressing this issue.
Our challenge is not in solving customer problems, or being able to quickly demonstrate value, but rather it’s the first market mover’s dilemma. We have no real competition other than generic tools and solutions focused on ancillary issues. But that means we have to define, educate and make the market aware of our solution. It’s an incredibly exciting space and one that presents daily surprises, wins and challenges.
For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Cybersecurity?
I’m specifically an authority in Public Key Infrastructure (PKI), which is a subset of the cybersecurity space. PKI is the foundational technology for almost every identity and data encryption solution used throughout the world. Not only have I spent the last 20 years of my career solely focused on this technology, but I have made sure that my company, PKI Solutions is the strongest, most focused, and deeply knowledgeable team on the subject of PKI. Some cybersecurity authorities are generalists and can speak to many topics, while we run very deep in a narrow set of technologies. It just so happens that our area of focus is foundational across the identity and data encryption space that support the cybersecurity space.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks that we need to be cognizant of?
The most frequent type of cyberattacks that we are seeing now is ransomware. It tends to be indiscriminate and targets vulnerable users, networks and computers. As a result, anyone can be the victim of ransomware which encrypts your information so that the victim is not able to access, read or use their files. The attack is driven by a monetary objective and the victim must pay or risk losing their files forever. Social engineering is another common attack that focuses on convincing a victim to provide information so an attacker can impersonate the user, steal money, access a network or otherwise commit a crime while using someone else’s identity. The other common attack we hear about is a malicious activity of denial of service. With the war going on in Ukraine, many organizations and enterprises had a fear of a nation state cyberattack to deny the ability of an organization to provide services, information or operation over the internet. There is little financial profit motive here, as the motivation is generally to disrupt and aggregate a victim.
Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?
Today, both business and private individuals need to be concerned about a cyberattack. Individuals are easier targets as most don’t have strong security controls, processes or monitoring over our every facet. But, it’s often cost prohibitive for an adversary to specifically target an individual and that’s why it would be unlikely to see a denial of service attack against an individual. However, a social engineering attack against someone know to be trading in cryptocurrency would make an attractive target. Businesses have better budgets and tools, but offer a greater attack surface through more computers, networks and people. They also offer bigger paydays, so while they are harder to compromise, the payout is generally much larger. Tools like Ransomware have changed the game as they are indiscriminate tools that attack individuals and business and are largely automated tools to extract a profit.
Who should be called first after one is aware that they are the victim of a cyberattack? The local police? The FBI? A cybersecurity expert?
Each attack and impact can widely differ from one victim to the next, as well as the type of attack. I wish there was a national hotline or helpline like 911 but there isn’t. Some states like Oregon has worked to establish a college-backed and state-recognized helpline to help residents. The first thing I would recommend if you feel your identity has been stolen or credentials may be compromised is to practice some self-hygiene and find a safe computer and change important passwords for banking, financial, other sources of monetary impact as attackers often quick to exploit these sources.
What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?
The most common thread is employees being duped into unknowingly helping an adversary or an employee by accidently allowing their information to be used by an adversary to access a system. In short, humans are the problem! It’s hard to overcome the innate instinct of people to interact and communicate. Sometimes, we let our guard down and unwittingly allow an attacker to affect our systems.
What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?
Ransomware attacks are extremely indiscriminate and can be launched from a variety of tools, locations and methods. That makes defending against them extremely difficult. The best protection is to also ensure your data and systems are isolated, backed up and protected. Assume someone will be compromised and ransomware will enter your network. Think about what you can do to slow it down or stop it and how you will recover from it. If you can’t block all attacks, you can at least prepare now for the attack and devise your protection and recovery.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” and why? (Please share a story or example for each.)
Train your employees: Teach your employees to spot phishing attempts and set out clear rules for engagement if they suspect an attack. They should know how to verify information and trusted mechanisms to use. For instance, they should also know the CEO will never ask them to go buy xBox gift cards and send the codes over email to a gmail account. This has actually happened to one of our new employees after we posted a picture on social media of their first day on the job.
Stay current: Read periodicals, cybersecurity announcements and reports of evolving threats to individuals and organizations. Things change daily and weekly and if your plan is based on activities and threats from last year, you are at risk.
Trust no one: Assume you will be attacked. Plan how you will try to minimize the impact, how you will recover and the impact to the business. You must assume your network can and will be compromised. Many of our customers have only found out about an attack months after they were initiated and are left having to find covert ways to communicate internally to eliminate the threat. That makes using gmail accounts temporarily to communicate a tricky thing when trying to remove an adversary — see recommendation #1
Watch your environment: This is the premise of our PKI Spotlight tool. You must have real-time visibility and alerting of your environment, threats and security. Otherwise, you won’t know about an attack until you feel the impact to the business and then it might be too late. If you can be alerted to activity early on, you might have enough information and time to respond and prevent further damage.
Raise the visibility: Find a way to raise the visibility and significance of a cybersecurity threat and protections that are needed within your organization. Many enterprises are under funding or under staffing their cybersecurity efforts. The ones that are spending the most are the ones most recently affected by an attack and are trying to recover and prevent. It is much harder, and more expensive, to address the issue after the affect. Make sure the topic is top of mind through the entire reporting structure of the business — regardless of where you are in the chain. Report it up, ask about it downwards, in any case, start by reaching out and making sure there is communication and focus consistently within the organization.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)
I think a strong, national, digital identity solution would make a large impact on many types of cyberattacks, financial thefts, fraud and waste. Political and privacy issues aside, our current form of a unique identity for each institution (and employer) means we are constantly trying to identify and distinguish who someone is and isn’t. It also means some identities are going to be stronger than others. Fraud and abuse is commonplace in scenarios where we still rely on paper and signatures. Is it any wonder tax return fraud is rampant when the identity of the filer is hardly vetted?
Providing an identity that we could use to uniformly interact with our state and federal government for services as well as voting and assistance would be a great step in the right direction. Also, enabling employers, clubs, non-profits, banking, real estate and more with a trusted, well verified identity would make identity theft much easier to spot and harder to execute. Additionally, it would save an immense amount of money spent detecting and addressing fraud, theft, impersonation, not to mention potentially life changing financial impacts to theft of funds from individuals. Other countries have been successful in this, and it can be done. It doesn’t have to happen overnight, but you can begin the process and set goals on the scale of decades for phases. But, you have to start the effort somewhere and sometime. I’m not in favor of disenfranchisement by overly aggressive timelines that exclude portions of the population. But, I believe that we could set a vision for a strong, national, digital identity solution and execute on that vision for the future.
How can our readers further follow your work online?
We are active on a few channels. We have our PKI Blog at https://www.pkisolutions.com/thepkiblog/, our YouTube channel at https://www.youtube.com/c/MindingtheKeystore and social media @pkisolutions on twitter and LinkedIn https://www.linkedin.com/company/pki-solutions
This was very inspiring and informative. Thank you so much for the time you spent with this interview!
