Christopher Wright, Co-Founder,
Sullivan Wright Technologies
IRONY OF IRONIES: In celebration of Cybersecurity Awareness Month, we sat down with cybersecurity consultant Chris Wright and learned that true cybersecurity awareness is still a bit of an uphill climb for many of our state’s businesses. Apparently, it’s no easy task to install guardrails around human nature.
Before we get to cybersecurity, tell me about yourself and what put you on this particular path. What kind of kid were you?
[Laughs] That’s a good question. I’ve always been into technology. I tell people I started programming in third grade. It doesn’t sound absurd today, because kids are now programming in younger grades. But this was in 1982, ‘83, so it was a little bit unique back when. I was in the gifted and talented program in my school in North Little Rock, and in third grade I walked in there and saw an Apple II computer and just stuck to that, learning and programming more and more. It was always self-directed learning.
In high school, I went through a very basic computer class, but they didn’t offer formal programming courses. At the same time, my neighbor was an engineer at First Electric Cooperative, and I played a lot of computer games with his son. One day he said, “You really like to play around on the computer, don’t you? Would you want to come do some drafting and CAD work for me?” So in high school, in addition to my grocery sacking job, I got what would almost be a college internship doing CAD. In fact, I even worked with them a little while in college.
I started in computer science at Arkansas Tech, but after a while I decided I would join the military, and the Air Force said, “Okay, we’ll give you some money to go to school.” So I transferred to the U of A and graduated with a Computer Engineering degree.
Tell me about your time in the Air Force.
I started out to be a flier because I always tried to work my way out of being a computer nerd, but I always came back to being a nerd. Anyway, I started flight school at Naval Air Station Pensacola. I was going to be a back-seater, like a bomb dropper in a bomber. But I soon realized, I don’t really like this. It was all about a quick regurgitation of memorized processes, which I hated.
Flight school is all volunteer, so you can leave if you want. They just reassign you if they want to keep you in the service. I got reassigned to be a communications officer, which in the Air Force is all about the radios, networks, computers, even the navigational aids that help aircraft take off and land. So I moved into an engineering role in communications at Keesler Air Force Base in Biloxi, Mississippi.
This was probably my favorite job in the Air Force because it was true engineering. I was breaking down things and rebuilding them however we needed them set up. One of the projects I worked on was with a Navy unit called TACAMO. They fly large 707 airframe airplanes over the oceans, and they string out a long three-mile wire that’s an antenna, so they can broadcast signals into the water to submarines. If you’ve ever seen the Denzel Washington/Gene Hackman movie Crimson Tide where the signal breaks up and they only get half of the message, that’s what that system is. My job was to build a ground terminal into their three locations in the United States that allowed them to talk to one of our satellite systems that’s nuclear-survivable. It was Cold War thinking: If the Russians nuked the United States, the president would get on an airplane and fly around and command the American forces from there, and he would use this constellation of satellites that could take a nuke and still keep going. So the president could talk to the satellites, which could talk to the missile silos, which could talk to the bombers so we could go obliterate the other side of the planet.
I went from Keesler to a base in Germany. My last year there, they said, “Hey, you’ve got a top-secret clearance. We’re going to go put you in this information operations job.” So I got my start in cybersecurity working with people who did military deception and psychological operations.
After active duty, I moved to Colorado Springs and worked for The MITRE Corporation, a nonprofit that operates FFRDCs—federally funded research and development centers. My job was to do vulnerability assessments and penetration testing. I was also working for Air Force Space Command as a reservist doing similar stuff for space launch, space surveillance, and satellite systems. I finally left MITRE and went fulltime for the Air Force Space Command, which was a big mistake. I ended up hating the job. In 2013 I came back to Arkansas and went to work for FIS.
What did you do for them?
I worked in vulnerability management, eventually taking care of the overall vulnerability management program for the entire company. Over my tenure at FIS, we built it up from just being a hodgepodge of different systems to one single system that was controlled centrally from our Little Rock office. By the time I left, we were scanning 300,000 internal computers every three weeks , and assessing about 20,000 IP addresses externally over the Internet and finding the vulnerabilities. Once we scanned them all, then we started over again.
We were the system of record for those specific vulnerabilities. They would get pulled out of our database, married up with asset data and risk data, and then that would become the corporate dashboard that everybody in the company came to. That’s what they used to report to the federal government. That’s what they used to hold both the system owners —the vendors—and the executives accountable.
So when did you decide to go into business for yourself? And why?
That was a hard one. I had never been an entrepreneur, but there were some things happening inside FIS. My team had been going at lightspeed to get things done, and I started running into roadblocks and a lot of silly arguments. There was one I remember where we were trying to do our job better, but that would entail identifying more vulnerabilities that we hadn’t identified before.
And we started getting a lot of pushback from some line-of-business executives because they didn’t want their numbers going up. I was like, “Okay, these vulnerabilities are there, but you just don’t want to see them?” “That’s right,” they said, “they make me look bad.” And I said, “Well, they’re there. It’s going to make you look really bad when somebody exploits one and compromises the company.”
But that didn’t seem to work. And it started to get more and more confrontational. Okay, I thought, it’s probably time for me to do something else.
You were obviously doing too good a job.
I guess so. But I’ve seen a lot of people say they want security, but they only want it so long as it’s not going to inconvenience them. When it starts to inconvenience them, it becomes the villain instead of the attackers, so they’ll start to fight against that. We got to that point at FIS.
So I started looking around. At MITRE, we worked with a lot of government contractors, and some of them were brilliant programmers but they didn’t know jack squat about system administration or cybersecurity. That stuck in my head. Was there a niche for me to offer services and help educate owners of small businesses in Arkansas who don’t know any better? My first thought was to start by just freelancing and building my own little business up from there.
Then a couple years after that, I met my current business partner, Michael Sullivan, who does IT, and I was like, “Hey, these kind of go together. Let’s try to build something where it’s integrated.” So that’s what we’ve done the last two years.
Your story about once the numbers get so big, then you’re the bad guy instead of the hacker—do you still run into that?
Oh, yeah. A lot of times people are like, “Do the security for me and make me secure.” And I tell them, “I can do only so much in the background, but a good portion of this security work is going to take your involvement. It’s not just IT, it’s also processes. It’s physical security. It’s mindset. It’s even how you run your business. If you’re a business owner and you’re badmouthing security all day long, do you think your employees are going to take any kind of security seriously? So you have to come in and you have to put that face on. You have to tell your employees, ‘This is important. When you’re going through your email, I want you to think before you click on things or send sensitive information.’ If you do that, then your employees are going to be a lot more amenable to doing those things that you ask. But if you’re coming in and just lambasting everything and making fun of it, they’re probably going to do the same.”
Cybersecurity has this kind of James Bond/CIA aura. Does that sometimes make people in small business say, “You know, that’s big stuff that’s not going to happen to me.”
Absolutely. You hit the nail on the head there. It’s the idea that, yes, this is something bad, but it’s not my problem. It’s the problem of Bank of America. It’s the problem of the federal government. It’s the problem of Microsoft or Google, but it’s not the problem of XYZ cardiologist or some specialty clinic in the middle of nowhere in Arkansas. But we’re seeing it trickle down. In reality, it is the problem of these small clients.
In every report I send out, I include a section on why we do what we do, and I throw in numbers related to small business. The last number I had was something like $250 per record for a breach—so if you lost one record, it would cost your organization $250. But how many breaches do you see where only one record is stolen? Also, you can have a ransomware breach and there’s no records stolen. But hey, you could go out of business because you can’t afford to get everything back. We see those quite often. Fortunately, we’ve only had one client that had to deal with ransomware. He was one of our cheapskate clients who didn’t want to spring for a whole lot of security. He just wanted to do bare-bones stuff.
Most of our clients are here in central Arkansas. We have a heavy focus in healthcare just because of HIPAA [the Health Insurance Portability and Accountability Act, the 1996 federal law that restricts access to individuals’ private medical information]. So our healthcare clients have had a long time to understand that they do need to do certain things, and yet it seems they’re slow to realize that the federal government can come and basically just take tons of money away from them because they’ve done a sloppy job of protecting healthcare records. And not just that they can; they will.
We also work with financial clients, which is a little better because there’s not such a rigid set of things that they have to do, so we can give them more leeway to design a program that fits within their business.
What kinds of attacks do you run into with your small business clients?
One of the biggest ones that we run into is phishing. If we’ve got the company in our full ecosystem, we can monitor for different activities and usually pinpoint things fairly early and go clean up before any damage is really done. But in cases where we’re not in there, it could be months, and we really can’t find out what happened because the logs aren’t maintained for that long.
We see a lot of attempts at fraudulent attacks. A real estate company that wasn’t previously a client was put in touch with us, and they’d been duped into changing some banking information for one of their business partners. Turns out their business partner had been compromised, and that attacker was sitting in that email box watching the conversations come and go and finally had enough information to craft a note saying, “Hey, we changed our banking account information. Can you send that $100,000 payment to this new bank instead because we had some trouble at the last bank?” And the real estate company fell for it. After they figured out what had happened, we got a call: “Can you do something?”
Fortunately, Michael and I both have contacts in federal law enforcement, and we can call those people in. But we told the real estate company, “Don’t hold your breath, though—there’s very little chance you’ll get anything back.” As it turned out, the federal law enforcement folks were able to get them their money back. So it’s great in the short term—it’s winning the battle. But I think they’re still losing the war because they didn’t change any of their ways.
Why don’t these business owners get it? Is it all about money? Or their time and effort?
The biggest reason they don’t get it is that the companies they see in the news are the large, large companies. They don’t see that their neighbors are getting hit. They don’t see that businesses their size and in their industry are getting hit, because these small businesses don’t have a legal requirement to disclose it. They’re not publicly traded businesses. They don’t have to report to the SEC or anything like that.
Also, people think it’s this evil person in a basement eating pizza and drinking Mountain Dew with the lights off trying to hack them, and it’s not. Generally, it’s very opportunistic. The attackers will cast a wide net and see who they catch in that net, and then they’ll start targeting them. They throw the wide net, they pull it in a little bit, they see who’s in there, and then they start spear phishing those individual ones. That’s the terminology we’ve adopted in cybersecurity. There’s the phishing, and then there’s the spear phishing.
Business owners don’t see a lot of this stuff because they’re not in that world. But it’s stuff that my peers and I keep up with on a regular basis. We know how it works, and I take every opportunity I can to go speak to groups and tell them, “Hey, it’s not what you think it is. It’s not that the attackers are just going after these large people and companies, and it’s not some guy working for months trying to get in to some particular system. This is some ragtag group of people in Albania somewhere, and all they need to do is get a little bit of money. They could live on $100 a week, whereas you can’t live on $2,000 a week. If they can get a little bit of money out of you and some more out of the next guy and some more out of the next guy, they’re living like kings back there.”
And whenever something is very successful, the costs go up and up. Take ransomware, which went from being a couple hundred bucks to get your files unlocked, to hundreds of thousands of dollars, and then to millions. The ransomware attackers are targeting very specific industries, but they’re not going after the big fishes. You don’t see the banks being targeted, you see municipalities. You see utilities. You see school districts. You see small financial management companies and Little Rock-sized towns. You see things like that getting hit because these folks know, “Hey, if I can get ten of these small to midsize guys, that’s just as good as getting a large, nationally accredited bank.”
What about employees? Do you recommend training for them?
In larger businesses, we have a lot more flexibility, a lot more money to install systems, so the manager can say to the employees, “Look, you’re not going to do this. You can’t go to your Gmail page from your work computer. It’s just blocked. I’m sorry. We are a big company, and if you don’t like that, there’s the door.”
In smaller companies, they’re a lot less inclined to do that. I’m working with another client, a law firm, and they work with lots of banks doing a certain kind of law. And the banks are telling them, “Hey, we want you to do all of this compliance stuff, and you need to answer back and give us evidence you’re doing this.” One of the things the banks want is for the law firm to block Gmail and Yahoo Mail and all that kind of stuff. And the principals at the law firm said, “Well, we don’t want to block that for the attorneys. We can block it for everybody else.”
And I’m like, “That’s the kind of poor attitude that gets you in trouble. Your attorneys are not any smarter than your legal assistants and your paralegals, and frankly, lots of times they’re dumber. Because they’ve been propped up on a pedestal for so long because they’re attorneys that they think they know everything.” Some people, attorneys and doctors especially, are so full of themselves. We had the same thing in the Air Force with fighter pilots. You put fighter pilots in a cockpit, and they’re awesome up there. You take them out of the cockpit and they are completely out of their element.
That’s a very negative thing when we’re trying to explain the intricacies of what these attackers are doing, and what it looks like, and how they’re going about it. I do a lot of small-group training with my clients. We talk about things like, what’s the psychology behind this? When you’re looking at an email, if someone is trying to rush you into judgment, if it’s trying to feign some sort of authority there, or it gives you some sort of horrid consequences if you don’t do something now, those are three huge indicators that this is some kind of social engineering message. You might be a little nervous because they said they’re the IRS, but stop and think a minute. The IRS never sends you an email or a text message. It’s a certified letter. So you have to start thinking about that instead of what the attacker is saying to throw you off balance. Don’t let that fear overcome you.
We do a lot of training with employees, and there’s a crucial difference between large and small businesses when it comes to their employees. In a large business, you’re a cog in a machine. You’re a number, and you can be kicked out and replaced any day. In the Air Force, I had a moniker. I was a 33S3A. That was my job description. That just meant that my butt could fill that seat, or somebody else’s butt could fill that seat, too.
But in small businesses, one of the things we find is that even though the employees don’t have any ownership stake, the company is still their lifeblood. They’re associated with that small business because they’ve been there for a decade, two decades, or since it started. When I go talk to some of my small businesses, it’s very much a family kind of feeling that you don’t get in a large business. And as long as they have the buy-in from the ownership or the leadership, then they’re not going to blow cybersecurity off as something stupid and a waste of their time.
When I go in person to teach these folks, I tell the business owner that it’s going to be about an hour. But I could be there for two hours or more because the employees want to go, “How do you solve this?” What do you think about this?” Or “Hey, I had that similar situation before. Let me tell you that story.” And I just let them talk, because not only does it help them understand what’s going on, it also brings credence to what I’m saying in the minds of everybody else in the room.
So while small businesses may get a lot of attacks, and while they generally have fewer built-in protections, on the flip side of that are employees who’re that much more motivated and dedicated to doing what’s right in the company. Because that company is part of them.