Cyber Defense: Kurt Markley of Apricorn On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack

In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?

In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience, with all of us. As a part of this series, I had the pleasure of interviewing Kurt Markley.

Kurt Markley is the Managing Director, Americas at Apricorn. He is a 25-year technology veteran with a specialized focus in storage and cybersecurity. He can be reached at [email protected]

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

My dad was a Captain in the Navy so we moved around a bit. I went to high school and college in North Carolina, where I graduated from Eastern Carolina University with a degree in Anthropology. It turns out the world did not need another Indiana Jones, so I entered the technology industry about 25 years ago.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I’ve been with my current company, Apricorn, for 22 years this week. We make encrypted hardware storage devices that help organizations — whether they are enterprises, institutions or government agencies — secure their most valuable asset: their data.

My career in cybersecurity has an opportunistic beginning. Apricorn is, at its core, a storage and backup company. Originally, our hardware storage devices were not centered on security and had no data protection features at all. But, because we could see the value of data very early on, we also could see the risk associated with not protecting it. We pivoted our focus to adding heavy encryption to our devices even before customers realized the need for it. We further innovated by removing software from our devices, making them entirely hardware-based, eliminating that particular attack vector.

Much like Volvo improved car safety by pioneering the seat belt, Apricorn led the way in creating encrypted hardware storage devices that protected data and were easy to use.

Can you share the most interesting story that happened to you since you began this fascinating career?

One that stands out to me, and that highlights Apricorn’s commitment to protecting data, was years ago at a tradeshow. Two huge, hulking guys were standing in line, waiting to talk to us about our products. We could tell right away that they were not average customers, both standing 6’5” and cutting pretty imposing figures.

I can’t go into detail, but they worked for a federal government agency that was investigating criminal activity in which evidence had been saved to an Apricorn drive. Because our products do not have any software and are hardware encrypted, without the correct key code, they were not able to access the data on the drive. They wanted our help to find a way into the device, which we were not able to provide.

It was a bit intimidating telling these federal law enforcement professionals that we were not able to help, but it did drive home the fact that Apricorn takes security seriously. If you don’t have the passcode, you aren’t getting into an Apricorn drive — no matter who you work for!

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

I’m too self-deprecating to call myself a successful leader, but I have had good success with my team over the years.

In general, I try to approach our work without ego and foster a supportive environment. We have really smart, sophisticated experts that know much more about encryption, security, hardware, firmware and storage than I do. I try to listen more than I talk and continue to learn along the way. This folds into my management style because I trust my team to do their work and like to see them use their own expertise and skills rather than trying to inject mine.

Most importantly, I like to have an open door policy, to encourage collaboration and to always look at problems through the eyes of our customer.

Are you working on any exciting new projects now? How do you think that will help people?

Always! Apricorn has always been very customer-centric; we exist to make our customers’ lives easier and more secure. So, we have a number of really interesting projects in the pipeline that are ahead of the security curve and will have an impact on how our customers protect their data. I’m just not in a position to talk about them just yet.

What I can share is that we continue to innovate and to pursue certifications that matter to our customers. We’re in the process of updating everything to FIPS 140-3, which will put us further ahead of the pack and provide added reassurance to our customers of our commitment to safeguard their data.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Cybersecurity?

The short answer is that I’m not a cybersecurity expert. I don’t know that anyone can be an expert across all of the categories that make up such a complex and fast-changing field.

But, I’ve been in technology for 25 years and have focused on how to securely store data for more than 15 years. I’ve worked with government agencies and Fortune 500 companies across finance, healthcare, law and other industries and am extremely well versed in how they view their data and what’s needed to protect it. For many of our customers, their needs are very niche. A law firm that needs to protect data during the discovery phase. Finance organizations that have to protect specific information in a specific way.

I like to focus on the customer and think about what they are worried about today and five years down the road so we can fix that problem now — before they are even aware of what they will need.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks that we need to be cognizant of?

Unfortunately, cyber attacks are a “when” not “if” situation. Organizations are going to be attacked eventually and have to put plans in place now for how to deal with that reality. Our work at Apricorn will not prevent a cyber attack, but we are very good at helping organizations recover from one.

Organizations need to be aware of and have action plans in place to prepare for everything from Distributed Denial of Service (DDoS) attacks to highly sophisticated phishing attacks to ransomware attacks. This last one — ransomware — is what I’m most concerned about. Interestingly, ransomware attacks are often delivered via phishing emails that are increasingly advanced and are using AI to make them even more believable.

Ransomware attacks, where an attacker injects malware on an organization’s network that holds data hostage until a ransom is paid, are happening with such regularity now. One of the problems is that organizations with sensitive data like hospitals or health systems may be tempted to pay the ransom. In their case, it would be for a noble cause, to ensure the health and physical safety of their patients, but paying the ransom is the equivalent of giving a schoolyard bully your lunch money. You think it’s going to make the problem go away, but it really emboldens them to keep coming back and taking more or to not give the data back. We saw this with Change Healthcare, which paid a $22 million ransom and still ran the risk of losing valuable patient data in a data leak.

Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?

Everyone loses, except the criminal.

Organizations risk their brand reputation if they are breached and it’s made public, and also stand to lose significant money if they pay the ransom. They could also risk having to pay compliance fines, too.

In the healthcare example above, consumers have to be concerned that they may not get the critical care they need at the time they need it.

Speaking just about data, though, consumers are impacted when their personally identifiable information (PII) is stolen and sold or released on the dark web. Honestly, at this point there have been so many data breaches across health, credit, and banking that it’s very probable a criminal could put together a robust personal profile on any of us by aggregating that data.

Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?

Beyond notifying internal resources to start identifying what happened and stop the attack, the first call should be to the FBI. Many of the criminal gangs responsible for data breaches and ransomware attacks are global entities that have attacked before. Federal authorities will have the greatest knowledge about how to proceed, what has been successful and what hasn’t, and the rules of engagement for these types of criminals. They need to be tracking these groups to try to shut them down.

There are also specialized groups that can help organizations negotiate to retrieve their data. The FBI does not recommend paying a ransom, but if an organization decides to do so, these consultants can help them through the process.

Also, one thing to think about here is who to call before an attack like this happens. Your team needs to be thinking about data resiliency before you’re attacked. If someone steals your data, do you have robust, clean and complete backups that you can use to recover it?

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

Unfortunately, being on the receiving end of a cyber attack is an inevitability. But, worrying about having access to your data doesn’t have to be. At this point, it’s irresponsible for organizations to not have a holistic cyber resilience program in place. You simply must have multiple copies of your data backed up very frequently in order to ensure you always have access to it.

A lot of businesses think that doing regular backups to the cloud is enough, but it’s not. OVHcloud, a French cloud provider, knows this all too well. In March 2023, the company had to pay two customers more than $270,000 because a fire at its SBG2 data center destroyed not only the servers storing data for hundreds of organizations, but the backup servers which were housed in the same facility.

We strongly advise organizations to follow the 3-2-1 rule, which counts on three core principles:

  • Keep at least 3 copies of your data,
  • In 2 different storage media,
  • With 1 copy stored offsite.

By following the 3-2-1 Rule, and making sure that you’re backing up your data very regularly, you ensure that you always have clean copies of it. So, if someone steals your data from one of the two different storage media, you can rely on the other one to access and restore it.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

I don’t think there’s much we can do about the frequency of attacks. They are going to keep happening and I think we are going to see more of them.

Since we can’t stop them or lessen the number of them, we can prepare. Not only should organizations put cyber resilience programs — like those defined above — in place, but they should invest in training their users on how to avoid cyber threats.

Again and again, it’s proven to us that employees are an organization’s weakest security link. Research from Tessian and Stanford University shows that 88% of data breaches are caused by employee mistakes. Our own research from earlier this year cites that 63% of surveyed UK and U.S. IT security decision makers expect their mobile/remote workers to expose their organization to the risk of a data breach.

We must limit the amount of risk our employees expose our organizations to. IT departments have to create or enforce a training policy and stick to it, while working to build cybersecurity into the culture of the organization. It’s important that employees feel like part of the solution, not just part of the problem.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” and why? (Please share a story or example for each.)

  1. Plan for a cyber attack — we have to anticipate being attacked and put defenses in place to identify when it happens. Security and IT teams need to work together to put tools in place that work offensively to detect and prevent an attack, while also defensively planning for what to do if an attack becomes a successful breach. There should be no asking, “what do we do next?” Now is the time to sort that out.
  2. Create a strong cyber resilience plan — we recommend the 3-2-1 Rule that we outlined above. Simply stated, you cannot NOT have a cyber resilience program implemented.
  3. Train your people on how to identify a cyber threat and how to avoid it. There are very good security awareness training platforms that exist to not only train your people, but to test their knowledge.
  4. Commit to backup programs that are right for your business. Decide now how often you are going to back up your data, what data will be backed up, where will you back up to, and who can access what files. Having backups of your data means that a threat actor cannot leave you without it.
  5. Implement a USB whitelist. Encrypted hardware storage is an extremely effective way to keep offline copies of your data. By putting a whitelist program in place, your organization can control vetting hardware that can be whitelisted down to the serial number or product ID. This lets you not only control which pieces of hardware are being used, but also give specific permissions on specific machines for specific people/roles.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂

I would never say I’m a person of influence, but I would like to be someone that is helpful and held in high regard. I actually have two thoughts on this question to share:

1) I notice that we live in a world where “disagreement” seems to mean “argument” and I would like to see that change. I think we should be able to disagree respectfully, listen to one another openly and have the freedom to change our minds. And,

2) For me, the best way to make sure that I’m in the mindset for openness is to get outside. If I can climb up a rock, walk in the grass or surf a wave, I’m immediately put into a better headspace. So, I’d advise people to get outside, put their toes in the grass and enjoy some nature so they can be more grounded for the differing opinions they are bound to hear.

How can our readers further follow your work online?

They can email me at [email protected] or find me on LinkedIn.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!


Cyber Defense: Kurt Markley of Apricorn On The 5 Things Every American Business Leader Should Do To… was originally published in Authority Magazine on Medium, where people are continuing the conversation by highlighting and responding to this story.