Cyber Defense: Heather Stratford of Drip7 On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack

Authority Magazine
Published Aug 30, 2022


In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?

In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience, with all of us.

As a part of this series, I had the pleasure of interviewing Heather Stratford of Drip7.

Heather calls Spokane home and is a national thought-leader in the IT Training and Cybersecurity field. She is the founder and CEO of Stronger International and more recently Drip7 — a microlearning platform for cybersecurity education. She has helped a wide range of clients with cyber and compliance education from General Motors, Stanford, SABIC, MultiCare and Deloitte. Heather has written and been quoted in notable publications such as Forbes, Washington Examiner, WUSA — CBS Affiliate, and Security Technology Executive. She has a passion for including more diversity and women in cybersecurity and entrepreneurial start-ups. Heather is a National Tory Burch fellow, graduate of the Goldman Sachs 10,000 Small Businesses Program, received the Women in Business Leadership Award and is an adjunct professor for Whitworth University’s MBA program.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I was born and raised in upstate New York. My mother and father were both educated and I was the youngest of a blended family of 6. My summers were on a lake in the Adirondacks surrounded by nature. My schooling was consistent and full of extracurriculars and sports. I excelled and enjoyed competing in sports.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

At the end of college I chose to serve a full time mission for the Church of Jesus Christ of Latter-day Saints. In this capacity I was called as a service missionary and helped set up literacy programs and infrastructure in Central America. I saw the social divide and what a lack of education and having access to technology can do. This inspired me to want to help solve some of the world’s problems through technology. One of those problems is that everyone needs access to cyber education and technology. Technology can improve and connect our world — but must be balanced with cybersecurity, so that it is both accessible but safe for all users. There are nefarious people in every society and culture that will lie and defraud. We must protect the most vulnerable in our society from these bad actors, while providing access to the world through technology.

Can you share the most interesting story that happened to you since you began this fascinating career?

I have been asked to bid on and consult with large metropolitan governments to harden and fortify their defenses against attack. I won't share the details, but being involved with the security of train lines, buses, terminals, subways and so on helps you realize there really are good guys and bad guys out there. I have more resolve to give resources to the defense of our businesses and governments.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

Hard Work. When you choose to start something from the beginning it requires a dedicated work ethic. Not just when you feel like it, but all of the time. Olympic athletes don’t get to that level without consistent hard work. I can remember coming into my office and thinking — “How do I eat an elephant?” And the answer is always one bite at a time. It is a saying I live by.

Decision Making. Sometimes your day is full of making decisions. As the founder of a company — the last decision often lies with you. Sometimes you will make the ‘wrong’ decision, but the point is to be fearless and look at all the data and information presented. Then, make a decision and stick to it. When you encourage your team members and leaders to make decisions, they will be empowered and feel more valued.

Positive Attitude. No matter the circumstance, your attitude will influence the outcome. It influences the customer, vendors, employees and most importantly, yourself. I have had major accounts fall apart. Legal issues when a customer backs out of a signed agreement. Payment issues with Vendors when they expect payment for a service that was not fully implemented. Each issue was a learning experience and attitude was part of what helped us weather through the storm and put the issues in the past.

Are you working on any exciting new projects now? How do you think that will help people?

Drip7 is the culmination of years of learning about the entire tech industry. We finally built a platform designed for empowering employees and employers. Gamifying the cybersecurity world is a huge improvement to many of the resources out there. In addition, our ability to allow companies to include their own custom content, easily and quickly, is what organizations need and want. We have testimonials from both the players of our platform and the administrators. We are helping to Train, Secure and Engage employees everywhere.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Cybersecurity?

I have been in technology for years, seeing how to improve processes and outcomes through adopting new technologies. I run 2 global cybersecurity firms. Cybersecurity is one of the most important and critical areas for small and large businesses in our lifetime. I have worked with companies from major Utilities, State governments, Oil and Gas, Manufacturing, Higher Education, Health and Financial industries. I continue to learn and lead the right minds together to help secure and train in cybersecurity. I also speak nationally on the subject and encourage other women to join or stay in the industry.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks that we need to be cognizant of?

There are many different types of cyber attacks. But all of them have common threads that we can learn about and defend against. Malware is the main word used to describe many types of attacks. It means an infection or attack. One of the most prevalent types of malware attacks currently is called ransomware. This type of attack is when a personal computer or company computer is held for ransom for a certain amount of money. The computer is encrypted and the attackers promise a decoding key if you pay the sum of money. There are cases where the decryption key is given to the victim, but not always. The ransom is normally requested in the form of cryptocurrency. The average person might not have or know how to use cryptocurrency. The attackers are aware of this, and some larger cyber criminal groups have 1-800 numbers routed to outsourced countries to walk people through how to pay the ransom. This is one type of attack in a sea of malware and attack methods. The prevention of attacks is more uniform. Be aware of all emails and attachments. Are you expecting this and does it seem right? Don't fall for urgent pleas and requests for information about yourself. This is called 'Social Engineering' and it works. Those in authority or leadership at a company are often 'Spear-Phished', which is more targeted, because they hold access to passwords and credentials that can lead to deeper attacks and more information for the criminals. Update and patch your computer regularly. Have backups of your data. Don't fill out surveys on social media sites asking about your high school name, marriage date and other personal information. Don't use the same passwords; make unique passwords for your accounts. And if you are in leadership at an organization, promote and encourage consistent training and education of your workforce.

Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?

Everyone should be aware of and concerned about cybersecurity. The premise is the same for both a company or an individual. Do you have money or resources that someone could steal or hold you ransom for? The answer is yes. With businesses, the amount of money is often much higher. The largest ransom I was personally aware of was a 7-digit figure ransomed to a large oil and gas company, and yes, they paid it. It is not if you will be attacked as a business, but when. All individuals are at risk, but individuals with large amounts of financial wealth are at increased risk for being targeted.

Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?

A business should have a 72-hour incident response plan to know what to do in the case of an incident or breach. The first thing to do is stop the intrusion and breach. Call in IT and cyber experts to help contain and control the damage. Once the active breach is contained, appropriate authorities can be alerted. For a hospital, this might include reporting the HIPAA violation; for each industry the requirements of reporting will be different. A business will also immediately contact their cyber insurance provider. The insurance company will have resources and protocols for helping walk through the steps of a breach, including notifications and legal requirements. The FBI and other federal government agencies have reporting areas to track and manage breach trends and can provide additional resources.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

The number one mistake is to assume that it won’t happen to them. Denial that it is a serious threat is the number one problem we see. And once they are breached they increase their risk of subsequent breaches and attacks. The other most common mistake is to not train employees. Ninety percent of cyber crime can be traced back to human error. Training is essential to combat the ever changing threat. Training an employee once a year to meet a low level of compliance is not going to secure an organization. Consistent and engaging training will help secure an organization and lower the risk of a breach.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

Give resources to education and training. Simplify and coordinate the standards. The CMMC standard is a good step in the right direction for companies that interface with the Federal government. The standard has been modified and changed multiple times and is confusing to the average business. Establish a national privacy standard. We are lagging behind the rest of the world in establishing a federal privacy standard.

Ok, thank you. Here is the main question of our interview. What are the “Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” and why? (Please share a story or example for each.)

The rate of change in technology has continued to increase and sculpt our world in incredible ways. Every 18 months the processing power of the modern computer is doubling. (1) The increased capacity of the computer enables more uses for technology. We now see computers in refrigerators, cars, coffee makers and doorbells. The average car has over 50 computers in it and a high end automobile can have 100 to 200 computers in it. All facets of modern life revolve around an interconnected and monitored life. Businesses that can adapt and pivot to new processes and technologies grow quickly and can capitalize on the modernization of all parts of daily life. But many of these companies are more concerned about cybersecurity and the problems that complete technology advancements can bring. In the last 3 years, cyber attacks have increased and record numbers of industries and businesses have been impacted or closed their doors.

The World Has Changed — and Cyber is more important than ever.

In the year 1997, an employee would often drive to work, use an in-office computer and phone, and then leave work and drive home. That computer and office could be protected both from physical and virtual attacks and was often isolated in its own network. Just 25 years later — a modern employee has multiple devices, multiple offices and even sometimes multiple jobs. The Cloud has enabled huge shifts in how we work and where we work. As of 2021, 94 percent of the internet workload is being processed in the Cloud. (2)

With so much information being held online, all businesses have become more vulnerable to breaches and attacks. Cybercrime has continued to rise through the Pandemic and the recovery, because it is a crime with low barriers to entry. Larger organizations have more staff and resources to "harden" or secure their core business processes. Small to medium-sized businesses are often scrambling to find the right external help or hire the right internal staff to successfully combat the onslaught of attacks that continually try to access financial and network data. There is no company or organization that is immune to cyber risks. Small businesses need to focus on 5 areas to reduce the risk of a crippling cyber attack.

5 Basic Standards for Cybersecurity in a Small Business:

  1. Train Employees
  2. Data Backups
  3. Password and Access Management
  4. Antivirus Software
  5. Email Security

Training your employees is the first and highest priority for any business. Ninety percent of data breaches occur because of human error. (3) Training staff is the biggest area of impact and often takes the least amount of capital resources. Training should include phishing identification, password creation, wifi security, working from home, and physical security. Training in core areas of cybersecurity and compliance needs to happen on a weekly basis. Yes — Weekly. Staff work on computers and in sensitive areas on a daily basis — so training needs to be consistent and top of mind to be effective. Many employees now work from home or away from a traditional office and training needs to be accessible from anywhere, on demand. Microlearning is the new way to give a 1 or 2 minute education reinforcement each day or multiple times a week. Training needs to be a continual process, emphasized, monitored, rewarded and focused on. If you feel that your employees are not valuable enough to train, then you should rethink having them as employees.

Data backups are a critical antidote to a ransomware attack. Ransomware, which was named the top cyber threat type in 2021 (4), encrypts a computer or network and prevents the business or users from accessing the very documents and information that are used to run the business. When a ransomware attack occurs there are 2 main solutions. A business can pay the ransom and hope that the encryption key will be given to them upon payment, and/or they can rely on their backups that were set up ahead of the attack. Preparation in this case is key and gives the business the ability to not be forced into paying a ransom for survival. Backups of a business' essential data should be stored and isolated away from the main regular network. Backups need to be updated regularly and checked to ensure that they are running and storing properly. If the business' main network is cloud-based, and the backup network is also cloud-based, then make sure they are completely isolated from each other. Backups only work if they are separated.
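The paragraph above says backups must be checked to ensure they are running and storing properly, and that they only help if ransomware cannot reach them. The script below is an added example (not code from the interview or from Drip7) of what that check looks like in practice: a backup set carries a manifest of SHA-256 hashes and a timestamp; the verifier flags a stale backup, missing files, and files whose hash no longer matches (the fingerprint of a backup that was encrypted along with the live data); and a restore drill copies the set into a clean directory and re-checks every hash. All paths, file contents and the "ransomware" overwrite are constructed inline for the example.

```python
"""Backup verification: freshness, integrity, and a restore drill.

Added example, not from the interview. A backup set is a directory plus a
manifest of SHA-256 hashes and a creation timestamp. verify_backup() reports
problems (stale, missing, or altered files); restore_drill() restores into an
empty directory and confirms the hashes. All data here is constructed.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_backup(src: Path, dest: Path) -> dict:
    """Copy src into dest and record a hash manifest with a timestamp."""
    dest.mkdir(parents=True, exist_ok=True)
    entries = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            entries[rel] = sha256_file(target)
    manifest = {"created": time.time(), "files": entries}
    (dest / MANIFEST).write_text(json.dumps(manifest))
    return manifest


def verify_backup(dest: Path, max_age_seconds: float) -> list:
    """Return a list of problems; an empty list means the backup is usable."""
    problems = []
    mpath = dest / MANIFEST
    if not mpath.exists():
        return ["manifest missing"]
    manifest = json.loads(mpath.read_text())
    age = time.time() - manifest["created"]
    if age > max_age_seconds:
        problems.append(f"backup is stale: {age:.0f}s old")
    for rel, digest in manifest["files"].items():
        p = dest / rel
        if not p.exists():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"hash mismatch (corrupted or encrypted?): {rel}")
    return problems


def restore_drill(dest: Path, restore_to: Path) -> bool:
    """Restore into an empty directory and confirm every hash matches the manifest."""
    manifest = json.loads((dest / MANIFEST).read_text())
    for rel, digest in manifest["files"].items():
        target = restore_to / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dest / rel, target)
        if sha256_file(target) != digest:
            return False
    return True


def demo() -> dict:
    """Constructed scenario: a clean backup, a restore drill, then one backup
    file overwritten to mimic ransomware reaching a backup that was not isolated."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, dest, restore_to = root / "live", root / "backup", root / "restore"
        src.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (src / "notes").mkdir()
        (src / "notes" / "q3.txt").write_text("quarterly notes")
        write_backup(src, dest)
        clean = verify_backup(dest, max_age_seconds=3600)
        restored = restore_drill(dest, restore_to)
        (dest / "ledger.csv").write_bytes(b"\x00ENCRYPTED\x00")  # simulated ransomware
        tampered = verify_backup(dest, max_age_seconds=3600)
        return {"clean": clean, "restored": restored, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash mismatch is only detectable because the manifest was written when the backup was made and the check runs from somewhere the attacker cannot also rewrite; in a real deployment the manifest (or the whole backup) belongs on storage the production network cannot write to, which is the isolation the interview calls for.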

Password and access management is another core area of security for any small business. Passwords are literally the keys to unlock data within the business. Unfortunately, 57 percent of people who have been subjected to a phishing attack still use the same compromised password across other websites. (5) Training employees on how to create secure passwords and not reuse passwords is essential. Many organizations still have admin and password as default credentials to make logging in by different users easy and streamlined. It also allows criminals easy access, because it is giving them the keys. If passwords are the keys, then two-factor authentication (2FA), where a code or second form of identification is required, would be comparable to a deadbolt. If the information and data is financial in nature or critical to the very core of your business, then setting up two-factor authentication would be a clear way to reduce risk. (6) Only give passwords and access to the people who need the data. Not everyone needs to access everything. Limit access, and when people move positions and responsibilities, carefully monitor old access. When employees leave a company or are let go, access needs to be revoked immediately to ensure data is not maliciously tampered with or taken to new employment.

Email security cannot be overlooked. Phishing is a thriving and growing industry and a way that criminals attack all types of businesses. In fact, $43 billion has been stolen through business email compromise alone within the 5 years. (7) Since the majority of businesses have some type of access to the internet, emails, and social media, these are the common vectors for criminals to try to gain access to the company.
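Business email compromise, as the paragraph above notes, is the costliest form of phishing, and most BEC lures share a handful of header-level tells. The following is an added example (not from the interview) of a triage check a mail gateway or SOC script can run over a raw message: it reads the SPF/DKIM/DMARC verdicts from the `Authentication-Results` header, flags a `Reply-To` domain that differs from the `From` domain, detects a look-alike of the company's own domain, and catches an external address wearing an executive's display name. The company domain, the executive roster and the two sample messages are all constructed for the example.

```python
"""Header-level BEC triage for a raw RFC 5322 message.

Added example, not from the interview. OUR_DOMAIN, EXECUTIVES and the two
sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example-corp.com"                          # assumed company domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}   # constructed roster


def auth_results(msg) -> dict:
    """Extract spf/dkim/dmarc verdicts from Authentication-Results, if present."""
    header = msg.get("Authentication-Results", "")
    found = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, flags=re.I)
    return {k.lower(): v.lower() for k, v in found}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def within_one_edit(a: str, b: str) -> bool:
    """True if b is a single substitution, insertion or deletion away from a."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i:] == b[i + 1:]


def looks_alike(candidate: str, target: str) -> bool:
    """Look-alike test: digit/letter swaps (0/o, 1/l), dropped punctuation, or one edit."""
    if candidate == target:
        return False
    norm = lambda s: re.sub(r"[-.]", "", s.replace("0", "o").replace("1", "l"))
    return norm(candidate) == norm(target) or within_one_edit(candidate, target)


def bec_signals(raw: str) -> list:
    """Return the list of BEC indicators found in the message headers."""
    msg = message_from_string(raw)
    signals = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    res = auth_results(msg)
    for check in ("spf", "dkim", "dmarc"):
        if res.get(check) != "pass":
            signals.append(f"{check}={res.get(check, 'missing')}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        signals.append(f"reply-to domain differs: {domain_of(reply)}")
    if looks_alike(from_dom, OUR_DOMAIN):
        signals.append(f"look-alike domain: {from_dom}")
    canonical = EXECUTIVES.get(name.strip().lower())
    if canonical and addr.lower() != canonical:
        signals.append(f"display name '{name}' but address {addr}")
    if re.search(r"\b(urgent|wire|gift card|immediately)\b", msg.get("Subject", ""), re.I):
        signals.append("pressure language in subject")
    return signals


# Constructed sample messages (not real mail).
LEGIT_MESSAGE = "\n".join([
    "From: Jane Doe <jane.doe@example-corp.com>",
    "To: ap@example-corp.com",
    "Subject: Q3 numbers",
    "Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com;"
    " dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com",
    "",
    "Attached as discussed.",
])

LURE_MESSAGE = "\n".join([
    "From: Jane Doe <jane.doe@examp1e-corp.com>",
    "Reply-To: ceo.desk@mail-relay.invalid",
    "To: ap@example-corp.com",
    "Subject: URGENT wire before noon",
    "Authentication-Results: mx.example-corp.com; spf=softfail smtp.mailfrom=examp1e-corp.com;"
    " dkim=none; dmarc=fail header.from=examp1e-corp.com",
    "",
    "Please process the wire now, I am in a meeting.",
])

if __name__ == "__main__":
    print("legit:", bec_signals(LEGIT_MESSAGE))
    print("lure: ", bec_signals(LURE_MESSAGE))
```

The legitimate message produces no signals; the lure produces seven. None of these checks is conclusive alone (a legitimate partner can fail DKIM after a mailing-list rewrite), which is why the function returns the list of indicators for a human or a scoring rule rather than a verdict, and why the authentication verdicts should only be trusted from a gateway you control, since an attacker can add their own `Authentication-Results` header.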

Antivirus software is the basic blocking mechanism that can screen and eliminate many threats that attempt to enter your employees device. This is an important tool that should be on every computer. Patching and updating the security is essential so that it will run properly and be the most effective. If you don’t have an internal IT team to manage regular monitoring and patching with updates, then hiring a third-party to automatically do this for your small business is well worth the money. It is important to be consistent. If your business is detail oriented and can be consistent — add this to someone’s regular tasks.

Many businesses fought to stay alive and in business during the Pandemic. Now that we have gone into a longer recovery phase it is time for businesses to focus on other areas that became more prevalent over the past few years. Those include increased cyber attacks on small businesses. There are 5 areas that are critical for any small or medium sized business to prepare for and defend against unwanted intruders and people and organizations that would steal money, destroy data and take over areas while holding the company ransom for monetary payments. Just like businesses install fire alarms and smoke detectors as a form of prevention, these 5 basic cybersecurity areas can help ensure a lower risk profile and better chance of avoiding a breach or incident impact on the business.

Our journey through the pandemic has been challenging and life-altering. Technology has permanently affected how we adapt to new circumstances. Training is seeing new innovations, specifically in cybersecurity — changes that are both desperately needed and innovative. The way to safety will include doing things differently — and that means improving training, being aware of backups, passwords and antivirus software. No matter where you’re starting, the point is to start now — and prepare.

  1. Is Technology Evolving Faster Than Our Ability to Adapt? (linkedin.com)
  2. 94 workload to be processed by cloud in 21 — Businesses move from On-Prem to Cloud — SG Analytics
  3. 7 Data Breach Case Studies Caused by Human Error | Venafi
  4. 73 Ransomware Statistics Vital for Security in 2022 — Panda Security Mediacenter
  5. 59+ Password Statistics in 2022 That Are Important To Know (webhostingprof.com)
  6. What Is Two-factor Authentication (2FA)? | Fortinet
  7. $43 billion stolen through Business Email Compromise since 2016 (tripwire.com)

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

Support a woman to get involved with technology. Whether it’s a relative or a friend, support women of all ages to get more involved in learning about business and technology. Our whole world is dependent on technology, and women need to be involved in the creation of new solutions that will help solve our world’s problems. Ask a young woman about a career in technology.

How can our readers further follow your work online?

Your readers can find me at HeatherStratford.com and on LinkedIn ( https://www.linkedin.com/in/strongerceo/ ). Or if they prefer me coming to them, they can sign up for Stronger’s newsletter — there’s a box at the bottom of the homepage at Stronger.tech.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
