An expert shares best practices for preventing cybersecurity attacks

Employees sitting at computers monitoring screens in a control room.

There are numerous ways organizations and individuals can protect themselves from cyberattacks. Photo Credit:Shutterstock

Welcome to From Florida, a podcast where you’ll learn how minds are connecting, great ideas are colliding and groundbreaking innovations become a reality because of the University of Florida. 

Charles Carmakal is a UF alumnus and senior vice president and chief technology officer at Mandiant, a cybersecurity firm that works with government entities, corporations and law enforcement agencies around the world. On this episode of From Florida, Carmakal shares what organizations and individuals should do to protect themselves against cyberattacks. Produced by Nicci Brown, Brooke Adams and James L. Sullivan. Original music by Daniel Townsend, a doctoral candidate in music composition in the College of the Arts.

For more episodes of From Florida, click here.

Nicci Brown: Welcome to From Florida, where we share stories about the people, research and innovations taking place at the University of Florida. I'm your host, Nicci Brown.

Cyber, ransomware and hack attacks are, unfortunately, commonplace today, disrupting operations at organizations of all sizes, from school districts, to manufacturers, small businesses, medical centers and government entities. Now, the White House has issued warnings that Russia may be preparing widespread cyberattacks in the U.S., a cause for alarm for all of us.

Our guest today is Charles Carmakal and he's going to help us understand why the president issued that warning and what we, businesses and individuals alike, can do to prepare and protect ourselves.

I'm especially delighted to have Charles with us because he is not only an expert in cybersecurity, but a Gator alum. Charles is the senior vice president and chief technology officer at Mandiant, a cybersecurity firm with headquarters in Reston, Virginia, that works with government entities, corporations and law enforcement agencies around the world.

Welcome, Charles. We are delighted to have you on the show.

Charles Carmakal: It's really nice to be here. Thank you.

Nicci Brown: Charles, before we go more deeply into the issue of cybersecurity, I'd love to hear about your time here at the University of Florida. You are what we call a ‘double Gator.’ What were your fields of study here at the university?

Charles Carmakal: Yeah. Look, first of all, I love the University of Florida. I really enjoyed attending the school, met a lot of people, made a lot of lifelong friends. I studied computer science and business while I was at the University of Florida. The name of the program at the time was called decision and information sciences. It was part of the College of Business. So I did both my bachelor’s and my master’s in the program.

Nicci Brown: What was your career path to cybersecurity? What attracted you to this field?

Charles Carmakal: You know, a hobby of mine was cybersecurity in middle school. And so I had a very unhealthy obsession with cybersecurity all throughout middle school and high school. At the time, I didn't really think there were career opportunities, but when I went to the University of Florida and I sat through a presentation from PricewaterhouseCoopers, they talked about this ethical hacking practice they were looking to build out.

I remember thinking, wow, you could hack into companies and you won't go to jail, and you'll get paid money? That's exactly what I want to do when I grow up. And so while I was at the University of Florida, my aspiration was to work at PWC. And so I did a number of things to enable me to get a job at PWC and ultimately do what I'm doing today.

Nicci Brown: Did that include internships or how did that come about?

Charles Carmakal: Yeah. So while I was in the university, one of the key goals of mine was to get an internship. Ideally, I wanted to get an internship at PWC, but quite frankly, as a student, I wanted to get an internship anywhere. I interviewed and interviewed and interviewed and it was a journey and a process. I ended up getting an offer for an internship with Exxon Mobil and PWC. Exxon's a great company, it would've been a great role, but it wasn't a dedicated cybersecurity internship, whereas PWC offered me an internship on their cybersecurity consulting practice, and that's what I wanted to do, and that's what I ended up taking.

This is a photo of a man who is standing before a screen and speaking.

Charles Carmakal is the senior vice president and chief technology officer at Mandiant, a cybersecurity firm based in Virginia. He received two degrees from the Warrington College of Business. Photo Credit: Mandiant.

Nicci Brown: I imagine this is a growing field. You maintain some strong relationships with the university and often work with our students. How do you help them prepare for this type of career?

Charles Carmakal: I really appreciated PWC coming in and speaking to me when I was a sophomore at the university. I wouldn't have learned about cybersecurity careers if PWC hadn't talked to me about it. And so as an outcome of that, I want to do my part to create awareness around cybersecurity roles. Now granted today it's very different than what it was like back when I was at the university. More people are aware of cybersecurity careers, but I want to do my part to inspire people, but also help people get jobs in cybersecurity. And so one of the things I did while I was at PWC is, I would come back to the University of Florida a day every semester and I would teach a class with a Dr. [Praveen Ashok] Pathak in the DIS program. It's since been renamed to ISOM [Information Systems and Operations Management].

But the idea was to provide practical learnings from what we do on a day-to-day basis in the real world and share that with students in Dr. Pathak's class. When I went to Australia for a few years for work, unfortunately, I couldn't come back to the university because I was so far away. But when I joined Mandiant, I wanted to come back to UF, and I started coming back roughly six years ago. So I come down to UF, or I teach a class, I'd say, maybe two or three days a semester for a few different programs to try to teach people about cybersecurity. I'm teaching folks in a computer science/business program, as well as from a law school program. So I'm teaching cybersecurity from a few different angles.

Nicci Brown: Have you seen a lot of change in the students in that period of time since you started working with the students here and to this point?

Charles Carmakal: Yeah, absolutely. When I first started doing this, roughly 20 years ago, most people didn't know there were cybersecurity opportunities after you graduated from university. Today, people recognized that. There is an acute demand for cybersecurity professionals. We hear about it all the time. We hear about the unfilled jobs that are in the millions. And so there's a lot more awareness. And really, what I'm trying to do is create some more excitement around it and help guide students into figuring out what are the things that they should do in order to get a serious start in cybersecurity?

Nicci Brown: One thing you mentioned, too, is that there is this multifaceted approach. So you're looking at the law, you're looking at the business, you're looking at the computer science, as well.

Charles Carmakal: Yeah, absolutely. There's so many facets of cybersecurity. When you think about it from a legal perspective — today when companies get hacked, there are a lot at different types of profiles of people that get involved in the response. You'll typically have a legal team that manages the overall communication and tries to manage the overall risks and the liability associated with data breaches. You’ve got board members of the organizations that are making decisions on behalf of the company or at least influencing management in their response to the event. You've got communications people that are handling internal communications of the company, as well as external communications. You've got HR people that are figuring out what are the implications associated with an event?

So, something that people don't necessarily think about is, when you deal with a cybersecurity event, it might be a material event to the organization if they're a publicly traded company. And so there are usually people within the organization that are in the know about a cyber event before it becomes public. And so making decisions as to whether or not those employees can no longer trade stock of their company for some period of time, those are all decisions that companies need to think about. What I haven't yet mentioned are all the IT and the security responsibilities. So the point is, there's just a lot of broad responsibilities and expectations around cybersecurity, particularly from a response perspective, but also from an ongoing security perspective.

Nicci Brown: We mentioned in the introduction that you are a senior vice president and chief technology officer at Mandiant, which helps organizations protect themselves against cybersecurity attacks. Can you tell us a little bit about the company and some of the cyberattacks that you've worked on?

Charles Carmakal: Yeah, absolutely. So, the company was founded back in 2004 by Kevin Mandia, and the premise at the time was that breaches are inevitable and we wanted to help companies respond to those security events. At the time, making a statement like “breaches are inevitable” was a very bold and very different statement to make. Most people were very focused on preventative controls and stopping breaches from happening. Nobody wanted to acknowledge that breaches were inevitable. And so it was a very different message by my company. I wasn't at the company at the time. I joined the company in 2011. But one thing that I tried doing differently when I joined the company was there was so much of an emphasis on responding to security events, but not enough emphasis on helping companies become more resilient to attacks.

And one thing that we recognized at Mandiant is we've just got so much experience and understanding of how threat actors operate, how they break into companies, how they escalate privileges, how they steal data from companies, how they disrupt business operations and we recognized that the methodology that the threat actors were following were very similar. If you know what their methodology is, you could build capabilities to prevent, detect and respond to attacks across the attack life cycle. And so one of the things that we wanted to do, in addition to responding to security events, is we wanted to help companies become more resilient to attacks and we did that by taking what we learned from the real world attacks and just helping companies better prevent, respond and detect to events as they popped up.

Nicci Brown: It's interesting that you note this line of thought, that these kinds of attacks are inevitable because I think that sounds like when people are setting things up, it really has to be part of the formula right from the get-go, when you're setting up your systems, so that if there is an attack, it's not as catastrophic as what it could be.

Charles Carmakal: Yeah. A absolutely. The earlier that an organization or that a team thinks about cybersecurity and bakes it into the application development life cycle or systems development life cycle, the more protected they'll become. One of the challenges, though, that we have, you know, as an example, when you think about, let's just say, the internet of things, the development of a lot of different devices that are out there that are connected to the internet. A lot of times some of these companies that build new tools or applications that are exposed to the internet, they're just rushing to get a product to market that people like. You got to think about a lot of different scenarios, but some of these companies are startup companies and they're looking to get to revenue as quickly as possible. And so cybersecurity, sure, it's important, but for some companies, they think about where does it actually fit into their journey of becoming a viable company?

And so a lot of organizations end up releasing software and products very quickly without baking in cybersecurity, and that's a very prevalent concern when you think about the internet of things and just all these devices and appliances that now have internet connectivity. You think about your home today, a lot of people have smart switches, they have smart light bulbs, they have refrigerators that connect out to the internet, and washers and dryers that connect out. They've got security cameras and baby monitors and a lot of things. Unfortunately, what we find is the security for most of these devices that are internet-exposed today are very insecure right now. They will get more and more secure over time, but a lot of these organizations are just rushing to get new capabilities developed without being able to spend the right amount of time and effort on cybersecurity.

Nicci Brown: So speaking of that ubiquity and the way that really our daily lives are affected, President Biden has said repeatedly in recent weeks that Russia may attempt to carry out cyberattacks against the United States and he's urged the private sector to harden its cyber defenses, making sure they're up-to-date and in place. How do you view the risk right now?

Charles Carmakal: Yeah. So I think the threat is very real. Let me talk about the threat prior to the invasion of Ukraine. So prior to the invasion of Ukraine, we saw a lot of attacks against government entities in the Western world. Those government entities had data that was of strategic interest to the Russian government. And so, we saw them going after ministries of foreign affairs for a lot of different countries. We also saw intrusion activity at commercial entities that supported governments in some capacity. So, they either had data of the government or they had access to the networks of the governments that were of interest to the Russian government.

So, we saw a number of intrusions prior to the invasion in Ukraine. Those intrusions typically resulted in espionage activity, so the theft of information, again, that's strategically important to Russia. Actually, prior to and then during the time of the invasion of Ukraine, we saw a significant amount of disruptive and destructive attacks against Ukrainian organizations, both government sector organizations and commercial organizations. The idea was to create as much disruption, from a cyber perspective, to help facilitate a physical intrusion of the country.

We saw a lot of what is in the capability of the Russian government. And by the way, the one thing I'll also say is most governments have cyber offense capabilities and they use it for a variety of means. When you think about countries like United States, the UK, Australia and India and Pakistan, China, Russia, North Korea, Iran, everybody's got offensive capabilities, and they choose to use it for certain reasons. There's military reasons why it to use, there's national defense reasons, there's economic reasons, but Russia chose to use their cyber capability in concert with a physical intrusion into the country.

What we are now preparing for and bracing for is the inevitability of offensive attacks against Western organizations by the Russian government, likely in retaliation for heavy sanctions. And so there's a number of sectors that will likely be targeted. So when we think about the financial sectors or perhaps energy sectors in the U.S., there's a lot of organizations that could potentially be in the crosshairs of either intelligence officers operating in Russia or commercial entities that are directed by the Russian government to cause some kind of cyber retaliation against the U.S. in response to sanctions.

Nicci Brown: Can you give us a little more detail about what likely targets might be? So are we talking public utility infrastructures? Are we talking our financial system?

Charles Carmakal: Yeah. I think the expectation is that the financial system and the energy system, and then probably the critical infrastructure, to some extent, may be targeted. I don't know how far will the attacks go, how to disruptive will they be, will it lead to a kinetic consequence? So if you think back to last year, and you think back to the attack of Colonial Pipeline and the impact that had, from our perspective that was a criminally orchestrated intrusion operation that had an unintended consequence of disrupting the gas flow to the East Coast of the United States. I think the threat actors behind that — although there is definitely some connectivity back to Russia, we don't believe that Putin himself directed the intrusion against Colonial Pipeline.

We saw attacks that were very similar to this across a lot of different organizations for a lot of different reasons. But when you think about what happened at Colonial Pipeline, the organization themselves decided to shut down the pipeline as a preventative measure to ensure that there was no harm to human lives or to environmental safety. There was a lot of unknown around what was going on at the time, so they shut off the pipeline and they were able to turn it back online and things were able to get back to normal, sort of. But the normal became a new normal, where we're all thinking about, what is the potential impact of another Colonial Pipeline-like attack, but something that's actually directed by a foreign leader for a purpose of causing chaos or disruption in other parts of the world?

I think the big fear that we all have is this at what point in time does a cyber event become an escalation that warrants a kinetic response, a response where missiles are shot at each other or perhaps a different kind of cyberattack gets launched at another country, which might have a kinetic consequence? And so there's a lot of unknowns and we're seeing it all play out right now for the first time ever at this scale.

Nicci Brown: I've got to a imagine that those are the kinds of things that you and your colleagues are talking a lot about right now.

Charles Carmakal: We talk about it every single day. We've been preparing for the Russian invasion for the last several months. At the second half of 2021, we all knew that this was inevitable. We all knew that there was going to be a cyber element here. From my company's perspective, we are front and center of all things cyber. We're helping organizations in Ukraine right now, we've got people on the ground, we've got people remotely supporting them. We're trying to help organizations that have been disrupted, figure out what happened, help them get their networks back online. But in the process, we're learning a lot about the intrusion activity. I think the assumption, not that I think, the assumption is there are a few hotbeds or hot zones in the world. Ukraine is a testbed for all things evil that come out of Russia from a cyber intrusion perspective. The Kingdom of Saudi Arabia is the hot zone for all things evil from a cyber offensive perspective coming out of the middle east.

And so those are two countries that we keep a very close eye on because the things that happen there will inevitably happen in the rest of the world. And so we want to get as advanced knowledge and learning about countries' capabilities by monitoring what's going on there so we could help not only defend the companies and the entities there, but really defend the rest of the world.

Nicci Brown: What about these ransomware attacks? Are you seeing more and more of those as well? We talked a little bit about them before, but can you go into that a little more for us?

Charles Carmakal: So ransomware and multifaceted extortion, it is the No. 1 cybersecurity threat out there. It's something that impacts all organizations, irrespective of their size, irrespective of their sector. The reason for that is because within a very short operation, criminals can make a lot of money. Gone are the days where criminals break into companies and they just steal credit card data. Think back to the big breaches at the Home Depot and Target and you name it, whatever retailer had a big credit card acceptance process, they likely had some extent of a security incident where credit cards were stolen. But if you think about that process, the time that it takes to steal enough credit card data to make millions of dollars or tens of millions of dollars, we're talking about months and months of data collection.

You've also got to go through the effort of selling the data on markets. Just . . . it’s very hard to do. Now, nowadays, most criminals, they choose to monetize their intrusions by disrupting business operations, by threatening to publish sensitive data that was stolen and extort the organizations that these operations are conducted against. What we find is these criminals, they're easily able to make six figures, very easily, but they often make seven figures, so between say $1 million and $9 million or so. But we also see victim organizations paying $10 million to 40 million. Sometimes these intrusion operations are 24 hours in duration from the point in which the company gets hacked to the point in which data stolen and the business is disrupted. It could go on for longer than 24 hours. Sometimes it's a few days, sometimes it's a few weeks.

But the number of organizations that choose to pay — it’s probably surprising to people, but about half of the clients that my company work with choose to pay. Nobody wants to pay, but they feel like they have no better option. When you think about the problem today, it's much more than just ransomware. It's what we call multifaceted extortion. So these threat actors apply so much pressure to victim organizations. They try to embarrass them, they try to disrupt current business operations, they end up impacting future business operations. They ask for a lot of money and, quite frankly, they get paid very often.

Nicci Brown: How easy is it to catch them? We've seen some cases.

Charles Carmakal: It can be difficult. Most of these folks operate in countries that are outside of North America. So a lot of times, many of these individuals are operating in Eastern European countries, sometimes it's Russia, sometimes it's Ukraine, but it's . . . sometimes it's the Latvias, the Estonias, the Romanias, lots of other countries. Some of these countries don't have extradition laws with the United States, some of them don't want to take action on these criminals. And so, in a way, these criminals feel like they're operating without any real risks or repercussions.

Now, with that said, there have been a number of wins from a law enforcement perspective. We've seen Ukraine arrest a number of people, we've seen the Russian government arrest a number of people in recent time. And so it's pretty interesting to see some of the outcomes and some of the law enforcement wins. These intrusion operations will continue, but what is good is each time a criminal gets arrested and each time law enforcement does things like seizes computer infrastructure, takes over websites and says that it's been seized by the government or reclaims/steals money from threat actors, it creates more fear and uncertainty with threat actors.

You got to think about how the operation occurred. A lot of these people that are threat actors, to them, this feels like a 9 to 5 job for them. So they've got families, they've got kids. When the risk to them of potentially getting arrested and potentially getting taken away from their families becomes more and more realized, you'll start to have — we are already seeing it — some of these threat actors no longer want to do what they maybe had done for a long time because they felt that it was safe. They're getting scared.

Now, there's always going to be the brazen threat actors out there that don't care, will be very brazen, and will speak out against governments and law enforcement and antagonize law enforcement. But over time, many of these folks will be caught. By the way, we know who a lot of these folks are — you just can't touch them because they're in countries that won't do anything to them. But when you can't touch them, one thing you can do is you can indict them. That means that you can get their name and their photo out there. You can sanction them, so that it makes it harder for them to acquire money and to do anything with the money that they have.

I'll tell you, it is incredibly frustrating to be a 28-year-old with $50 million or access to $50 million, but you can't do anything with that $50 million. And so the indictments and the sanctions help.

Nicci Brown: In the meantime, what can companies do and organizations? What are the measure they can adopt to protect their operations?

Charles Carmakal: There's a lot of things that companies can do and should be doing. Most companies have cybersecurity programs. I'll tell you, there's a few things that I think companies can probably do a better job of. Number one, it's always good to get the good folks out there to do ethical hacking and what's known as red teaming, which is basically you pay the good folks to do an authorized test to try to hack into the company. The idea is to try to figure out, are there vulnerabilities that exist that could be exploited that allow the testers to get in? Because if it allows the testers to get in, it's probably going to allow the bad actors to get in. So let's try to do that, so that you're doing it in a controlled way. You can identify things that need to be fixed and you can fix them in a short period of time. That's incredibly important.

The second thing that I encourage people to do is conduct incident response tabletop exercises. So pretend that the company was hacked today. Figure out how would you actually respond to it? And what's useful about that is you start to engage in conversations that you may not have otherwise. A lot of people today think that a security incident is the responsibility of the IT or the security leadership team, but they forget all the other people that are actually involved in a response. The CEO is probably involved in a response.

For example, the CEO of Colonial Pipeline had to testify before Congress multiple times about the security incident. There are people from the legal team, HR, communications. Again, a variety of people that tend to have some level of responsibility in a security event. And so it's good to exercise that and try to think about what would a company do? How would they coordinate in the event of a security event? There's usually a lot of learnings that come out of that process.

And then the third thing I'd recommend people do is try to learn from the organizations that have had security events because there is a lot of things that those organizations probably were doing before the event, but maybe they weren't doing it so well or maybe there were things that they just . . . maybe they knew they needed to do, but didn't do it or maybe they thought they were doing it well, but didn't do it well enough.

Those learnings are so invaluable, not only to the victims to get better, but for everybody else. There's a lot of different organizations that share information about security events and those are great things for companies to read and to study and to implement learnings from just to become a little bit harder for attackers to break into them.

Nicci Brown: What about members of the general public? What can we do?

Charles Carmakal: Yeah. There's a few things that I think average, everyday people should be doing. Number one, we should all be using a password manager and storing that password manager in a safe location and using a different password for every website that we use. When I say every website, I literally mean every single website you use. There's no way that you can memorize every single password for every single website that you connect to. But if you use a password manager, it becomes a lot easier. Google has a password manager that's built into Chrome, there's LastPass, there's 1Password. There's a lot out there, but just use one of them and try that their security will be better than any individual's security.

The reason why using a password manager and a unique password everywhere is so important is because when websites get hacked, threat actors will download the encrypted passwords from those websites and they'll try to crack them, and they'll try to figure out what the actual password is. And then they will attempt to use that username and that password across a thousand other websites, and there's a very good chance that that same username and password is used across a lot of different websites. Most people use the same password across all the websites they use. Threat actors know that and that's actually one of the most prevalent ways in which threat actors get access to company networks, but also get access to everyday people's social media accounts, communication accounts, bank accounts, things like that.

Number two, leverage multifactor authentication everywhere that it's available. By the way, any kind of multifactor authentication is better than no multifactor authentication. So if you could do SMS-based multifactor authentication, that's great.

Nicci Brown: What does that mean, Charles?

Charles Carmakal: Yeah. So multifactor authentication basically mean when you log into a website, you provide your username, your password and then something else, and that something else is what's known as multifactor authentication. That's something else is sometimes a code that gets emailed to you or sometimes it's a code that gets sent to you over SMS or sometimes it's a random number that is shown on your phone when you click like on an application, like an authenticator application. What it does is it just makes it very hard for somebody that might have stolen your username and password to be able to log into the application as you.

Now, there's a lot of ways in which threat actors will socially engineer, convince somebody to give up that code and then allow the attacker to log into that person's account, but it just makes it harder and harder when you enable multifactor authentication. Again, it's also called multi-step verification on certain websites. So it's really important to do that on your banking sites, which by the way, it's more or less default nowadays. But for social media sites, for your email accounts, it's really important to do that.

And then I would say other good practices for people are to apply security patches on your devices, whether it's your laptop or your desktop or your phone. For the most part, most software nowadays will automatically update. Sometimes it'll prompt you, do you want to install the update? I know a lot of times we click on, let's wait for another day or so. Let's just try to get into a good habit of applying the patches. By the way, the one thing that could be tricky is, sometimes hackers will change websites so that it makes it look like you need a security patch and trick you into installing a patch, when it's not actually a real one. I know it's hard to be mindful and to be aware of what the fake sites look like, but to the extent possible, try to become comfortable with what the authentic patching prompts are so that you can spot the ones that are fake.

Nicci Brown: Do you have any clues for us about what are some of the things that the fake ones tend to use as opposed to the real ones?

Charles Carmakal: Yeah. So a pretty common fake update prompt is if you go to a website, you'll see a page that says your Adobe Acrobat or your Adobe Flash is out of date and it'll give you a prompt to install an updated version of the software. But if you look at the URL bar, it doesn't say adobe.com, it might say some random company name .com, or just some random website. So you want to be, keep a look at for what's giving you the prompt. If you see something that looks like an operating system prompt, perhaps on the bottom righthand side of the Windows operating system, where you normally get the pop up saying, you've got a patch, your computer wants to restart, just try to figure out the difference between what is real, maybe ask somebody for help, versus what's not real.

Nicci Brown: Speaking of banks, should we all be making sure that we've got more cash on hand right now? You hear all these dramatic kind of things that people are doing.

Charles Carmakal: Look, our banking system, from a cyber perspective, is very resilient. When I think about the sectors that are actually the most secure out there, they're the defense contractors and the banks. The defense contractors are very secure because they've been hacked over and over and over again by foreign governments.

But every time they get hacked, they learn, they get better and better and better and they do everything they can to defend themselves from the next advanced attack. But I look at banks, they also spend a lot of time and money on cybersecurity because they're regulated very heavily by a variety of standards. And so they tend to spend a lot of money on cybersecurity. They've got good talent, they have good processes, they've got a lot of security technology. So, I believe they're pretty resilient from a cyberattack perspective. But they may not be as resilient around as . . . just think about 2008, that, potentially, could happen.

So, certainly, that is a real risk. There's an inflation risk right now. I wouldn't encourage people to necessarily go to the bank and take all your money out because they can protect your money better than you probably could protect your money by leaving it under your mattress. That's, obviously, a very real physical risk of the money being stolen if you do something like that. I have a decent amount of cash on hand if I need it, but I have a lot of faith in our banking system. I'm not too concerned about a crash.

Nicci Brown: Any other words that you can share with us that might give us a bit more reassurance with regard to cybersecurity in the situation that we're in now?

Charles Carmakal: Look, the most important thing is for folks that are listening to this to try to do your part to better protect yourself. There is a downstream and an upstream impact that you protecting yourself has on companies and organizations that you may be affiliated with. And so when you think about the three things that I mentioned, use a different password on every website, use multifactor, multi-step authentication and then patch your systems, that'll actually get you pretty far. It's those first two things that really impact a lot of people. By doing that, you'll help yourself and you'll help a lot of organizations. But there is definitely risks of foreign governments hacking into organizations in the Western world.

The Western world heavily leverages this internet infrastructure and connectivity and so that increases the exposure to ourselves. But there is a decent amount of resiliency in place and there also is a certain amount of fear in causing an attack against the Western world that might lead to a kinetic consequence. Nobody wants to start World War III. And so people are very mindful of what kind of attacks may result in an escalation, which may inevitably result in a physical retaliation?

Nicci Brown: Charles, thank you so much for joining us today. It is very good to know that there are people like you who are out there and guarding our best interests.

Charles Carmakal: Absolutely. Thanks for your time.

Nicci Brown: Listeners, thank you for joining us for another episode From Florida. Our executive producer is Brooke Adams and our technical producer is James Sullivan. I'm your host, Nicci Brown. I hope you'll tune in next week.