Benjamin Ard00:04 — Welcome back to another episode of Content Amplified. Today I'm joined by Jeffrey. Jeffrey, welcome to the show.
Jeffrey Bernstein00:12 — Thanks, Ben. Thanks for having me here today. Like I said before, congratulations on all of your success. I love the platform and I'm grateful for the opportunity to speak with you and your audience today.
Benjamin Ard00:21 — Thank you. Jeffrey, I'm excited. This is going to be a little bit different of an episode, but I think it's one that marketers need to hear everywhere. Sales enablement, anyone in go to market for that matter. I think this will be great. But Jeffrey, before we dive in, let's get to know your work history, background, all that fun stuff. It's super relevant to today's episode.
Jeffrey Bernstein00:39 — Sure. Pre-2000, I was working at a company called CMGI. CMGI was one of the original internet incubators, and they had a huge market cap. It was larger than General Motors at the top, and they had their brand on Foxborough Stadium, the Patriots stadium up in Massachusetts. It was just a crazy time, and I was a hobbyist of security. That's basically how I got into it. There was a point where I decided I really wanted to go work for a security company, and I found one of the original managed security service firms. Now it's part of Verizon Business, but at the time it was a spin-off from the Catholic University in Belgium, and they gave me a job there. It was mostly sales and business development, but I learned security. I worked on investigations and regulatory compliance and security testing and training, and it was an interesting time. This is just before the year 2000. We had to be evangelists. We had to go out and evangelize the reasons why people should do a security penetration test or a security education program, or have an investigative capability, and the customers would always say to us, well, what about privacy rights and civil liberties? They didn't understand why they needed a trusted security partner like our firm. Fast forward to now, and if you look at a lot of the compromises that are happening, they're still the same types of attacks they had back then. But now, if you're not doing these things, shame on you, because you need to do it to secure your infrastructure, and you need to do it to comply with all the different legal and regulatory guidelines that are out there. So that's how I started in the business. Over the 25-year period, I've been doing almost the same thing the entire time. It's very high-end, high-touch consulting, work at the courts, investigations. I work on a lot of ransomware cases, wire fraud, and business email compromise. If you look at the FBI data, they say that wire fraud and business email compromise is about 50 percent of all the dollars that are stolen by cyber criminals. That's a huge area for us. We also investigate matters including HR matters for companies, when somebody has done something internally, maybe something suspicious, went to a competitor, exfiltrated some type of intellectual property or something else. We do security testing, security training, security investigations, and regulatory compliance. I've been doing those things the entire time I'm in this space. When I was younger, I started a little consulting company and I was providing services under a white-label approach to a very high-profile Washington DC firm that was led by former directors from the ATF, the Bureau of Alcohol, Tobacco, Firearms, and Explosives. They had two former directors from the United States Secret Service, one an assistant director and one a director. One of the guys was also a participant from FEMA and the founding director of the TSA after 9/11, the Transportation Security Administration. The company was led by the equivalent of a director of Shin Bet, the Israeli security agency. There was a point where I was helping them deliver services and they asked me to join full-time. So I went to work for them, and it was a great lesson to work alongside those people. I've always had an entrepreneurial streak in me. There was a point, after a few years working for that firm, where I started a company called Critical Defence. Critical Defence is spelled with a C, D-E-F-E-N-C-E, for a couple of reasons. I had this idea of protecting critical infrastructure globally. The work I do is for businesses, their leaders, and VIPs. When you look at the word defence in Canada, where I had an office, and in London where I had an office through a partnership, they use the C. The other reason I went with defence with a C was because I couldn't afford to get defense with an S. The domain was too expensive, so I went with the C, and it's kind of cool. Over my career, I got to work at a couple of really world-class firms. Even recently, I worked as a managing director of cybersecurity strategy for Marcum, one of our nation's largest public accounting firms. They merged recently, so they're part of another firm, but they're top 10 in size. And recently I worked for a firm called Kaufman Rossin, where I directed cybersecurity and data privacy. This is an amazing firm, a 65-year-old firm with a history of excellence, 700 employees based in Miami, a real heavyweight here in South Florida but also globally, and just wonderful people. These are wonderful companies. I don't have a bad word to say about any of them. Sometimes I feel like I'm living in a dream, like I should be paying these companies because I enjoy it so much. But like I said, I have a bit of an entrepreneurial streak, and I fired Critical Defence back up recently, and I've got a great team. I've got a former US government Computer Crimes Division director who prosecuted with the Department of Justice and worked side by side with me. We've been working together since 2004, believe it or not. In 2004, we were the trusted security partner to John Kerry when he ran for president, and we've been together ever since. The guy's brilliant. If anybody needs help with cybersecurity, data privacy, or even law, he's an attorney also. An amazing man, and I've had him for 25 years. He was like having an AI engine for 25 years. Now I don't need him so much because we have AI. We have other former participants from Secret Service and other law enforcement agencies. We're a boutique, but we do a lot of different things. We work in crypto environments, virtual environments, fixed systems, and mobile environments. If there's something happening with cyber, we're a great source. I don't mean to market here, but I just love it. We live and breathe security, and you can call any time of day and get our help.
Benjamin Ard07:09 — I love it, and that's incredible. What's so cool is you can hear the passion. Your whole career, like you said, it's almost like you've been gifted this opportunity to learn all this stuff that you love. I love the passion that comes from that. Jeffrey, I'm excited, because I think this is a discussion that everyone needs to hear. I think this is going to be valuable information, especially now that we're entering this day and age of artificial intelligence. There's so many things you can do with it, including building your own tool sets and doing all sorts of stuff. Marketers are now creating these powerful internal tools that they've never had before. But I do think there's an opportunity for us to talk about the security side. Even though you can build everything and do all this cool stuff, there are probably some things we should keep an eye out for. Jeffrey, to kick it off, what are some of the top security concerns a business should be focused on nowadays, especially with AI? And maybe a few steps to protect themselves as we're entering this day and age where anyone can be a builder.
Jeffrey Bernstein08:12 — Yeah, for sure. Let's frame this out first by saying that, in my mind, the internet is the ultimate attack platform. You have an endless amount of targets for the attackers. You can hit banks, whatever you want, consumers. There's an endless list of targets. The internet provides the attackers with anonymity. It's very hard to fingerprint somebody that's behind an attack. And even when you can fingerprint that person or that source, it's hard to know who's in the seat of the computer or the device that's delivering the attack. And even if you can do that, there are international components, and it's very hard to get any legal recourse out of any kind of response. So it's very difficult. The other thing is you don't have to be sophisticated to be a criminal online. There's ransomware as a service, there are tools that are plug and play. Any person with any level of internet savvy can be a successful criminal online. It's really crazy. The tools out there are easily accessible, there are tutorials everywhere, so it makes it really easy. In my opinion, most crime has moved online. When I was a kid, it was smash-and-grab robberies. You have someone come in, steal jewelry, or come into a bank under the camera, with the security guard, with people watching you. To rob a bank, you'd have to go in and expose yourself terribly, and they'd know who you are, you'd get caught. Now you don't need that. It's a click of a mouse. For that reason, I feel like almost all crime has moved online. So what can we do to protect ourselves? I talked about some of the things we investigate. One of the first things I said was that the most dominant type of attack where money goes missing is business email compromise or wire fraud, and we see it over and over. It's sick, because these attackers prey on the elderly, they prey on kids, everybody in between, businesses, anybody with any kind of wealth that's connected. Those business email compromises and wire fraud, over and over when we investigate them, we see one commonality, which is that there's no multi-factor authentication enabled. So if you can enable multi-factor authentication anywhere you have it, it's a little bit of a burden, but on any account, any app, any system, you're going to avoid a lot of this stuff. It's not going to be perfect, but you're going to avoid probably 99 percent of it. So multi-factor authentication is huge. The other thing is everything's connected now and running over internet protocol, they call it IP. Limit your attack surface. If you have apps on your phone you're not using, delete them. If you have systems at home you're not using, shut them off. Put encryption on everything. Give your devices and your systems time-outs. These are very basic practices that could be adopted, and they're going to make a big difference. If you do have any kind of infrastructure, update your software. The software updates are important. They usually include security components, so if you're not updating the software on your systems, you're leaving yourself terribly exposed. The biggest thing I could say is just exercise common sense. Don't be promiscuous with your device. Be skeptical of everything. Treat your communications, especially your email, like you would treat your home. You wouldn't leave your home's front door open if you went away for the weekend. You wouldn't leave the windows open when you go to sleep. If someone knocked on your door at 4 a.m., you wouldn't just open it, you'd want to verify who it is. So be skeptical of everything when you're online, but mostly your communications, because these attacks are more often than not targeting email, text messaging, and your communications channels. I started this over 25 years ago. It was that way then, it's that way now, and they're getting much more sophisticated with deepfakes and some of these sophisticated AI attacks, but they're still coming at communication. So just exercise common sense, be skeptical. There are a bunch of other things. If anybody's interested, please reach out. We've got great reference points. We're not looking to monetize this, but if we can help any of your audience, let us know.
Benjamin Ard12:38 — Yeah, I love that. So how is this all changing with artificial intelligence? As we communicate more now with agents than with people, what are some of the trends you're seeing that maybe we should keep our eyes out for as we move forward into this crazy, adventurous new future that we're all looking at and wondering what's going to happen?
Jeffrey Bernstein13:00 — It's crazy, Ben. I almost feel like I'm being set up here, because I don't know when this happened. It feels like it happened almost overnight. All of a sudden you turn on the news and we're talking about extraterrestrial and UFO disclosure. At any time I'm expecting to see robots in construction, and you're seeing autonomous vehicles, and the stuff that's happening with AI is ridiculous. Only a few years ago I was fascinated by robotic process automation. I thought that was a big thing. In the snap of a finger, the world's going to change, and there are entire industries that are exposed. I have a relative who was a printer, by the way. In 2000, when the internet was really coming on the scene, it changed entire industries. Printing, everything's digital now. If you needed a plane ticket, you had to go into a travel agency back then, you couldn't buy it online. If you wanted to do a stock trade, you had to call your broker. Everything's quick and online now. There was a drastic change in society 25, 26 years ago, and I think it's happening again. This, to me, seems much more profound. So I'm using the AI tools to enhance the experience. But to me, trust moves faster than technology. Companies and people, they're not afraid of adopting technology sometimes, they're afraid of the people offering the technology. So trust is always going to be important. It's part of why I started this business up again. I felt terribly exposed as a consultant. You have 100 hours of consulting time, and you get a request from a customer, a five-page list of questions, and that 100 hours is now a few hours because you have AI, you can output the information. You need to verify it, of course, re-verify it, take it and make it your own, reformat it, but it's really scary. So I think the world's going to change really quickly. The reason I bring up trust is there's a lot happening with AI now, and everybody's an AI expert, too. Overnight, everybody's an AI expert. But to me, the companies in that space that are going to be the most successful are going to be the ones that earn trust. Right now there's a lot of sketchy activity and people out there in that space, so you want to be careful. You asked about some of the ways you can protect yourself. Third-party exposures are also very important. About 10 years ago, NIST, the National Institute of Standards and Technology, started to include third-party vendor governance in their security framework that everybody uses, the NIST cybersecurity framework. This has been going on for 10 years, but the idea behind it is you're only as secure as your weakest partner that has access to your data. We've seen terrible breaches. When you look at the news, you see big brands being compromised. They could have all the security controls in the world, but if they're using a partner that has access to their systems or their data, and that partner is not going through the same diligence with their security controls, they're just as exposed as if they didn't have those controls in place. So you have to know who you're doing business with and vet those partners. AI really introduces a lot of new components. It's usually not just one firm. There are a lot of different components and a lot of different businesses and producers that come into any kind of AI feed or AI platform. So third-party exposures, knowing who you're doing business with, and performing security assessments and privacy assessments keeps data really safe. A lot of the security questions around AI remain unresolved. We have an AI assessment that we deliver, but we're learning every day, and there are a lot of new findings every day. It's scary. It's a little bit like the wild west. And if you lose consumer data, it used to be that healthcare or finance and banking were these very highly regulated industries. You have the SEC, you have HIPAA for healthcare, you've got a lot of different regulators. New York has DFS. It used to be that the highly regulated industries were really the ones that needed to protect the data. But now you have all these consumer privacy laws coming on. There are over a dozen states, you have GDPR in Europe. If you lose consumer data now, everybody's regulated. It's any business of any size in any sector. If you're connected to the internet, if you're taking private data, you're terribly exposed. So we joke around sometimes that you can hire us now, proactively, to secure yourself and understand what the threats are, and you can protect your reputation, your productivity, your dollars, your staff, and your customers, or you can pass, and after the breach occurs, it's debilitating. You've lost your brand and your reputation, and the damage list goes on and on. So if you do a little bit to improve your security posture, it goes a long way. If you look at a lot of the exposures, by the way, they involve human error. These attackers prey on people. They get you to give up your username and password, they phish you, they deliver something with a payload, you download it. Over and over, for instance here in South Florida, there's an older community. I get so many calls from people where somebody, like my father, gets phished and something goes on his computer, but then he gets a call from Microsoft or Google. They say, hey, we see there's a problem with your computer, we want to help you. He says, oh, that's great, I'm getting help from Microsoft. They're talking to him, and they put remote access software onto his computer, and they're helping him. He thinks he's getting help, and then that night he goes to sleep and a million dollars in his Marcus by Goldman Sachs account goes missing. It wasn't Microsoft. It was the attacker pretending to be Microsoft. They put remote access software on the computer, they steal the money. That didn't happen with my father, by the way, but we get those calls all the time. The other one is that they prey on children and younger people with these sextortion schemes, and it's just scary. So again, you have to be very skeptical of everything, and not just in business, but at home. Let's teach the kids the importance of being skeptical and not being promiscuous with their devices and their computers, and the elderly too, obviously.
Benjamin Ard20:09 — No, that was great, I love it. Well, Jeffrey, we are out of time. This was such a cool reminder about how to keep ourselves protected, how to use the internet properly as we're building all these kinds of things. The great advice of two-factor authentication, using trust, making sure that as we're working with third-party vendors that they're vetted, that they have the security that we need, or else it compromises our own systems. Jeffrey, this is so cool. For anyone who wants to reach out and continue the conversation online, how and where can they find you?
Jeffrey Bernstein20:42 — Well, you can find Critical Defence online, and you can connect with me on LinkedIn. Just do a search and you'll find us everywhere. I do a lot of writing, I've written for Gannett, and I've got a real estate publication. Just do a search, you'll find us. And let me finish on this note. Number one, Ben, thank you so much. You're amazing, and I can't wait to see what you do moving forward. You're already a wild success, and I feel so grateful to be a part of this platform and this show today. If I leave everybody with one thought, it's that it doesn't take much to secure yourself. Do some of those basic things, enable MFA, have good backups, have a good trusted advisor like our firm, and just remember that the fastest network in the world is still slower than human doubt. So be skeptical of everything when you're online. And thank you, Ben.
Benjamin Ard21:55 — I love it. Jeffrey, again, thank you for the time. I really do appreciate it today.