How BlackCloak Protects the 12 Hours Corporate Security Misses | Brian Hill

Russ Fordyce 🏆 (00:01.401) Welcome back to the winner's circle, everybody. I'm here today with Brian Hill from Black Cloak, and they are another big Innovation Award winner. This time on the personal security and executive security front, a very timely conversation with Brian. So Brian, welcome, congratulations, and thanks for joining us. Brian Hill (00:17.612) Yes, thanks, Russ. Thanks for having me on the show. Russ Fordyce 🏆 (00:20.665) Now, for those of us that haven't heard of Black Cloak, give us a little bit of background about the company and kind of your role inside of the company. Brian Hill (00:29.046) Absolutely, thanks Russ. The easiest way to explain it is our mission is to protect the other 12 hours of the family's day. So we bridge the gap between corporate security teams and the personal lives of our executives. So ensuring that their privacy, their homes, and their family don't become the back door to their company that they're in charge of. Russ Fordyce 🏆 (00:58.139) Well, yeah, that's it's super interesting because you never think about that that gap, right? Is we were talking before we started recording a little bit about I've got a little bit of background and exposure to this personal kind of corporate security space. And I actually remember, too, we had a neighbor that was in it was one in the corporation spend lots of money on security, especially for executives who are traveling overseas and everywhere else. But there is there's that they go home and it's like, gloves are off. Brian Hill (00:58.359) So. Russ Fordyce 🏆 (01:28.093) The corporations usually say like, you're not with me. I guess you're on your own. And I remember a house being swept once, which was interesting. that was about it. Brian Hill (01:41.091) Yeah, it really is. They try to have that separation of church and state. Most people don't want their corporate environment into their home. They want to have that separation. When they go home, they want to have the convenience of all the cool technology we have at our fingertips. And they forget about some of those security controls because, let's face it, executives don't just stop when they walk in their door at home. They're still answering emails, they're still answering phone calls, they're still working. It's just the way it is. Russ Fordyce 🏆 (02:14.99) Yeah. Now you've had an interesting career. You're now in this field, CISO role, and you're kind of at this intersection of really personal security and cybersecurity. I you're literally, you're the gate. So tell us about your journey kind of into this role and kind of how you got here. Brian Hill (02:34.934) Yeah, absolutely. know, everyone in cybersecurity kind of has a different, you know, a different role of how they got to where they are. For me, my background was, you know, law enforcement, digital forensics. So I spent my career seeing real world impact of all cyber crimes and the victims out there. Last few years, I was head of security services here at Black Cloak, focused on building that tactical beast. for security operations, know, tiered security operations team, tier one, tier two, escalating to tier three to handling everything from your normal triage tickets to complex threat hunting. Now, the field CSO role allows me to take all those operational lessons learned and actually start going to, you know, bridge that gap of intelligence that's out there on the market. So spending less time in that queue and more time helping peers understand what lies between the professional and the personal risk that we've just been accustomed to. Russ Fordyce 🏆 (03:47.951) Yeah, and so this this new kind of I guess it's kind of a new space. It's got not new but digital executive protection You guys call it DEP You're kind of that barrier between you know the bad guys in that personal space of the executive you're kind of I guess it's almost like concierge security It's kind of almost like what I would think it is. Is that is that kind of the problem that you guys are solving? Brian Hill (04:11.884) Yes, absolutely it is. It's having that concierge service, a lot of our executives, and it could just be high net worth individuals, celebrities, athletes. They're used to having people kind of helping them with everything they need, whether it's in the corporate environment or just in their personal lives. And so we try to help with that. And that DEP that you're talking about, that digital executive protection framework was modeled after NIST just to help organizations bridge that gap. It's easy to look at physical security, right? You have cameras, door locks, bodyguards. Those are easy, tangible things. And everyone kind of forgets about our phones, right? We use them for everything. In law enforcement, I used to call them snitches in our pocket, because that's exactly what they were. And are, really. Russ Fordyce 🏆 (04:56.11) Yeah. Yeah. Yeah. And I think we've seen some, some recent revelations or re-revolutions, revelations, think from Edward Snowden about how easy it is for them to listen in on us on those phones, even when you don't think they are. So, I guess what, what now, why is the home and why is that home environment such an attractive target for, you know, for these criminals? Brian Hill (05:23.266) Yeah, it's the lowest hanging fruit, the easy targets. And that's what threat actors, the bad guys, that's what they go after. They don't want to work for it, so to speak. They're going to go after that soft underbelly target. So if you remember the target data breach in 2014, that kind of really set us off down this road of they didn't go after target. The threat actors aren't going to go after the big corporate giants because they invest Russ Fordyce 🏆 (05:42.489) Yeah. Brian Hill (05:52.803) billions into safeguarding their trade secrets, right? So where does that leave them? Easy targets. You do a Google search on somebody, social media, do a social media search, figure out who's their family, their friends. You start to go after them. You think of, you know, so they're gonna go after the human element, that easy target. Then when it comes to our homes, we just don't, we don't protect our homes like, like we should. I saw this across law enforcement of, think of your own wifi. I'll put you on the spot here Russ. When was the last time you changed your home wifi password? Russ Fordyce 🏆 (06:33.498) Well, it was right when I moved in, which was eight years ago. And it's funny because I do change almost every password in my environment every year. So I haven't changed that one in eight years, though. Brian Hill (06:36.438) eight years ago, see? And think of, think of... Brian Hill (06:49.518) So you think about it, in those eight years, how many times have you given that password to somebody that's come over and said, hey, not getting a very good signal, what's your Wi-Fi password? Russ Fordyce 🏆 (07:00.654) Yeah. Brian Hill (07:02.302) And in those eight years, how well do you trust or know those people you've given that password to, which means if they drive by your street today, they still have access to your to your home Wi-Fi. So it really comes down to how well do you trust your neighbors, your friends, relatives, anyone you've given that password to in the last eight years. And that's why it's become all the devices that are connected into your home. If a threat actor gets into one device. So I get into that that thermostat. Right from there I can move laterally across all the devices within your home to your alarms cameras You name it? It Russ Fordyce 🏆 (07:39.631) Yeah, you know, I've been in internet and technology and networking for a long time and, you know, we've been evaluating this threat for decades, right? The IoT threat at home has been, you know, we knew about it, we let it happen, we let it walk right in the door. And these are devices made in other places without very much oversight. And a lot of the times, the routers and the devices inside of our homes too are made by players that we really shouldn't be buying stuff from. So it's 100 % a problem. think I'm hopefully a little bit better at it than most, but eight years is long time. Brian Hill (08:22.286) It really, unfortunately is. And that's where, you know, everyone wants convenience, right? Soon as we have in that high level of convenience, we have to give something up and that tends to be security. Yeah, we buy all these devices from, from Amazon, from Tmoo, from, know, wherever it is. And we want it just to, we want to plug it in and let it, let it go, let it work, which is great. But what, yeah, to your point, what is happening behind the scenes? We have no idea. These are manufactured. What are they? you know, in other countries, what are they reporting back? Is it simply data diagnostics to help them improve their product or is it something more nefarious going on? Russ Fordyce 🏆 (09:00.984) Yeah. So what are the most kind of prolific attacks that you guys are seeing, you know, hitting that executive home front today? Brian Hill (09:09.624) Yeah, really, today it's data brokers. They're really the, I would call it the fuel for a lot of these tacks because they get your personal data. And so if they want to impersonate you, they're gonna go out and get as much information about you as possible. And then look for your voice, your photos, your family's info. So making sure what information is available about you. That's just the data broker side. That's not including what we could find on the dark web where all your information is bought and sold. And so the family vector is now where threat actors are pivoting towards. So even if you do have a high level executive, they may have their information locked down because their corporate environment maybe has done a really good job of making them less of a target. But now they're gonna go after, because they're hardened, now they're gonna go after that spouse or the children, the teenager, because they know That's the path of least resistance. I get a lot of executives that say, hey, I'm not on social media, so I don't have to worry about that piece when I get to that. And it's, well, I ask them, is your spouse on social media? Is your kids? Well, yeah, they are, but I'm not. Well, guess what? You are too then, because they've taken pictures of you, pictures of stuff in the background, where they go to school, and with enough work, we call it open source intelligence. Russ Fordyce 🏆 (10:23.513) Yeah. Brian Hill (10:36.652) With enough looking into that, I can find where somebody lives, where they go to school, what vehicles they may drive, and makes them now a target, not just in the digital world, but potentially physically as well. Russ Fordyce 🏆 (10:48.632) Yeah, I... I Googled a phone number the other day that came up on, it was actually my uncle's phone number. It was on my T-Mobile bill. And I tried to figure out making sure it was the right number. And it was so easy just to put a number to a name and from there you're off and running. And I know he's not very secure, he's probably one of the least secure. But it is that easy a lot of times. And what you're talking about, it makes it even easier at scale because you can buy of millions or thousands or hundreds of thousands of these. And I imagine that AI is only accelerating all of this. What are you seeing AI do to this threat? And kind of what are you seeing in terms of sophistication out there? How are they leveraging the new AI tools already? Brian Hill (11:39.043) Yeah, absolutely. AI has become, it's a beast, really. It's being able to take all of that data that we know is available. So they've been collecting this data for years. Well, now they can take all that collected data and they can weaponize it. They can put it into easy format where no longer do they have to send the same email to a thousand people. We've all gotten the, I'm a prince over here in another country. you know, send me some money and I'm gonna make you a millionaire. All those emails, Cookie cutter, they were all the same. Whether you got it or I got it or your mom or your dad, doesn't matter. Now they can take those, yeah, very easy to block. Let's put it at spam market. Well now, they can take with the AI, they can take that same email message, but now put it into more personalized to me based on everything. Russ Fordyce 🏆 (12:17.336) Right. Easy to block. Russ Fordyce 🏆 (12:24.633) Right. Brian Hill (12:35.234) the AI engine has been able to collect about me, make it more personal, make it seem more real, because their whole job is to get you to click on that link, get you to do whatever it is they're asking you for. And it could be as simple as a phone call, knowing, hey, I got enough information about this person, I think they're gonna be susceptible because of their age, because of their income, because of their location. Hey, I see, you you live in this county, now when I call you or send you an email, it's going to be your regionally. specific. You're more likely to click on it like, hey, a sex offender just moved into your area of, you know, whatever town you live in. Are you now going to probably read that email? Right. You will. And you might want to click on that link. Or it could be, hey, they're calling you, you have a warrant for your arrest and they name the county that you live in. A little bit more believable versus them just saying, hey, I'm with the county and they don't give a name. It's more generic. They can be more personal in all their attacks with AI. Russ Fordyce 🏆 (13:38.87) And so now you guys are really almost kind of at the, I guess at the base layer of this. It's almost the foundational framework. You guys have actually developed this framework kind of as an industry standard. Tell us a little bit about kind of what those pillars are and why kind of they matter to companies out there trying to, you know, extend that protection. Brian Hill (13:58.521) Yeah, absolutely. lot of the corporate security teams are focused on, they have a great robust physical security presence, whether it's, like I talked about before, cameras, locks, whatever it may be. They haven't taken a look at the digital side of things. It's still very in an infancy stage. And the pillars are really the privacy side, data broker removal, credit theft monitoring, dark web. Corporations like to look for their own information in the dark web, but they don't think about the individual side. So having that privacy kind of locked down. Their personal devices. What do they have? They don't necessarily want to monitor their executives personal devices, spouses, kids, but what kind of protections are in place? Are they just getting off the shelf kind of protection? That's a big part. The home networks. Most companies will do a penetration test. on their work environment once, maybe twice a year, but nobody ever does a penetration test on their home network. You you talked about not changing your password for eight years. I guarantee you've never done a full on penetration test to see what vulnerabilities do you have in your home network? What is open? What's closed? Nobody does that, but yet. Russ Fordyce 🏆 (15:03.46) Right. Dope. Russ Fordyce 🏆 (15:14.234) It is amazing that this gap exists. It really is because the amount of money that I know is spent by corporations to do this type of work is astounding. And you're right. The home is the big fat white underbelly of the whole beast. And the way we work now, I mean, I've been working at home for a decade. I didn't have a lot of proprietary data on my computer or anything, but I certainly had access through my computer to systems that were pretty proprietary. This is really a very interesting space. And now you guys have seen a lot of growth and kind of partnerships with some of the bigger consulting firms and technology providers out there. Tell us a little bit about those wins and kind of those new partnerships. Brian Hill (16:04.43) Yeah, getting a partnership with, you know, the worldwide technology group, right? WWT, um, to really, you know, branch out and get into areas that maybe we weren't a focus. Um, I know when I, when I first started here three and a half years ago, we'd go to a conference and people would walk up. What is black look? Tell me about it. Now it's when people walk up, Hey, I heard of you through a partner. Talk to me, tell me more. What's going on. So these partnerships are just a testament to what, you know, Black Cloak has built over the last going on eight years now. Russ Fordyce 🏆 (16:41.112) And what's, know, WWT's great, I think, in the enterprise, and kind of, you know, kind of mid-market, large-market companies. What's driving their adoption now? Brian Hill (16:55.766) Market share, think is kind of the, they're seeing a need as they, know, when we developed the digital executive protection framework, that DEP framework, they're seeing a huge gap in that protection because they're very good, like you're talking about, it's easy to sell products to the corporate side to bolster their corporate security because we're hearing about data breaches all the time on the corporate environment. And nobody now they're starting to see hey, no the executives are under attack at home And it is the soft underbelly. We need to get in on that so I think it's just about getting into new markets and this is Granted like said, we've been around for eight years, but really picked up traction in the last three to four Russ Fordyce 🏆 (17:39.866) When somebody comes on board as a new customer and you do your work, after six months, what's that change look like in their life and what's their kind of reaction? Brian Hill (17:53.657) think, yeah, from day one, their eyes get opened. That initial call we have with them and we kind of show them the exposure of what they have out there. And then six months later, they get more hungry for the knowledge, right? They've learned a lot, whether it's password management, their home network, when they get a new device, immediately it's, I gotta call Black Cloak and get this device set up to make sure that I'm doing things properly. We become that. the bat phone, so to speak, for them to call us when something happens or before something happens, like I said, when they get a new device or, hey, I want to purchase this device, but what do you guys think? Just having that partner, that extra second of, you know. Knowledge so, you know, it could be as simple as they get an email. Hey black look I got this email before I click on this link. What do you guys think? It's sometimes just that extra second Russ Fordyce 🏆 (18:54.318) Yeah, it is, a lot of it is training. I've been through a lot of them and failed a lot them. I got caught in the honey pot once in a corporate honey pot. Luckily it was a good internal, but I had to go do some more training. I'm sure you see all sorts of stuff. I mean, you know, I was talking to somebody the other day about a book I read. was a small book. think was called Stories of a New York City locksmith or something about that. Brian Hill (19:08.418) Well, that's... Russ Fordyce 🏆 (19:22.87) And it was a locksmith who had been around for 30 years and he just kind of walked you through like how people got locked out and all the fun that, you know, he uncovered. I imagine you guys see some interesting things too. Tell us kind of maybe the most surprising pattern that you've seen across kind of executives that we should, you know, kind of alert them to. Brian Hill (19:41.635) Yeah, the biggest one is password reuse. I always joke with the password fluffybunny1234, like, I found this password on the dark web. But when I've told executives, hey, I found this password out on the dark web, and it could be as simple as fluffybunny1234. And they'll always look at me like, well, I don't use that password anymore, but I use that password with an exclamation point at the end. Or. The response I get is, it bad I'm using that password in my corporate domain? And that's where we really become a good sounding board, because I look at it like I have two teenage daughters. I've done this, I've been in law enforcement, military, cyber for 26 years. To them, I don't know anything about it. They're not gonna listen to me, but if I tell the neighbor, hey, John, go. you know, tell my daughter that this is what she needs to do. All of a sudden, she'll come home and be like, Dad, did you know we should be managing our passwords this way? Yeah, I've said that for years. Well, why all of sudden now? Well, because so and so told me so. And that's where we become the corporate partner or hey, whether it's social media training for kids, what the do's and don'ts. Parents will tell their kids until they're blue in the face. They're not going to listen. But Blacklow comes in and says, hey, this is really what you should be doing and not doing. And they're going to listen to it. just, again, that that resonating voice. Russ Fordyce 🏆 (21:13.242) Yeah, now, you know, it is a team effort at home, because if you have, again, if you have a weak spot, they're gonna find it, right? I imagine, you you guys find stuff, you know, through iPads and iPhones and iPods and everything else. What does it take to build a product like this inside a black cloak? Tell us a little bit about your team. Brian Hill (21:35.245) Yeah, absolutely. It's, you know, with this, our, our secret sauce, so to speak, is, team and culture, right? Technology is great. but security is ultimately a human problem. So our philosophy has always been building the team that grows, you know, not having a flat support structure, but more of that tiered model of. I want people to grow within their career in cybersecurity. You're not good. We're not just a, you know, a help desk where you call somebody and they're going to run through a script. No, it's about mentorship, building internal learning systems so that team members can have a clear career path. And we've been able to mentor folks, bring them in, entry level. You'll see across the cyber environment landscape, it's hard to get in the door. Every entry level position says one to two to three years experience. It's just so we've taken, we've taken that approach of, let's, let's bring in these entry level folks and build them up. so they have that career path. What certifications do they want to get? Let's help them achieve that. And rather than maybe going elsewhere, let's, you know, I've built a lot of, you know, internal training. So whether it's, Hey, I send someone to, you know, a training class, come back and now teach it to everybody else. I think it drives a lot more. Russ Fordyce 🏆 (22:31.716) Yeah. Brian Hill (23:01.536) Value when not only can you learn something but if you can come back and actually teach it because Russ Fordyce 🏆 (23:06.169) Right. That's when you know you've won, right? It's sunk in. Well, that's great. mean, as somebody with a few 20-year-olds, it's good to hear that people are trusting the younger kids because the younger people, all you need is a chance. And given an opportunity, people succeed. So I'm glad you guys are doing that. Brian Hill (23:12.865) Exactly. Brian Hill (23:33.295) Yeah, absolutely. It's, you know, I come, you know, I also teach cybersecurity at a local university here in Minnesota. And so it's kind of everywhere I've gone, I've, you know, I've embraced that part of it and I've brought that into the, into the cyber world that I think is really lacking in our industry. Unfortunately, we're seeing it. We're seeing it come around. Um, but it's definitely, it all translates to that customer experience in the end too, where if they feel like they're valued, where they're working, that's gonna present itself to our clients, especially in those high touch, white glove, concierge service that we offer. Russ Fordyce 🏆 (24:07.674) Yeah. As you look at the kind of trends heading out in the next 12 months, what concerns you the most on our kind of home front? Brian Hill (24:17.218) Yeah, the biggest one would be the deep fake threat. We're entering that era of faked to perfection, so to speak. The FBI has issued warnings around campaigns about impersonating officials. There's a phenom report that we helped put together that shows over 40 % of executives have been targeted by deep fakes. so AI tools are only going to become cheaper. and more accessible and the amount of data that's already out there, this podcast for example, right, my voice, my picture, your voice, your picture, which means we're going to be susceptible, our family members to getting a fake phone call from us if we become on that target list. So it's that education piece of trust but verify. So almost like everyone calls zero trust, that's great, but trust but verify. Right, let me take that extra second to verify nothing is that important or that crucial that I have to act upon it right now because they're gonna play on that. All threat actors are gonna play on that perceived threat and hey, I want you to do something and I want you to do it quickly to get you under that stress or duress, to get you really ramped up. Russ Fordyce 🏆 (25:42.37) And if you were to give us three tips that everybody takes home and implements tomorrow, other than go change your router password and all your other passwords, what would you recommend? Brian Hill (25:55.597) Yeah, take number one, take a look at what your digital footprint is. What information is there about you? Simple Google search. What information can you take down? What information can you do about it? Number two, password management. Password hygiene is huge. So whether you use a password manager, that is great. Whether you use, if you use the internal iOS, so Apple's key chain, or if you use Google's, great, but use a third party one. is always gonna be better. Broaden your attack surface is going to be key as well. So one data broker, two passwords. And in addition to passwords, I would say dual authentication. Don't rely on text messaging for your dual factor authentication. Use a third party authenticator like Google Authenticator, Microsoft Authenticator, Authy Authenticator, something other than your phone number. Let's get away from phone numbers because I could go into a whole, we could have another whole chat just about SIMS, exactly, spoof, SIM swap attacks, you name it. And the third area would be, I had it and now I lost it. for, yeah, that would, you well, yeah, so the third one would be harden your accounts. When was the last time we get new devices every year? Russ Fordyce 🏆 (26:57.28) They're easy to spoof. Russ Fordyce 🏆 (27:11.864) I think you gave us a third. Brian Hill (27:22.284) you're logging into your Gmail, your bank accounts, when was the last time you took a look at what devices are still logged into those accounts? If you went into your Google and went into your security settings and looked at all your devices, you probably have iPhones that are logged in there from years ago. Probably not gonna cause a problem, but potentially a malicious device could get lost in that noise. So go in there and log out all your devices. Worst case scenario, you have to log back in from your iPad if you accidentally log it up. Russ Fordyce 🏆 (27:56.921) Yeah, well great advice, great tips. I will be going around and changing some passwords this afternoon. So I appreciate that. Now that you've pointed out the whole flaw in my security system, I appreciate it. But super interesting. We really are going to keep an eye on you guys. Very interesting technology, great program. I love the concierge angle to it. And you're only going to have more consumers. So great product market fit. So congratulations. Brian Hill (28:05.134) you Brian Hill (28:23.616) Absolutely, really appreciate it and yeah, I'm looking forward to just continuing to be the pioneer in this market and continuing to lead the way. Russ Fordyce 🏆 (28:30.958) Yeah. Thanks, Brian, and have a great afternoon. Brian Hill (28:33.826) Thanks, you too. Appreciate it Russ. Russ Fordyce 🏆 (28:41.302) side. I'm going to end it for all of us. I will send you a link shortly with all the information. It'll come to you. You can forward it to your folks and then they get it from there. Does it say that it's uploaded on your side or anything? Brian Hill (28:57.998) It says 99 % uploading. It's outside of my end. Russ Fordyce 🏆 (29:00.684) Okay, okay, so if you let that go to a hundred that would be good My VPN kicked on right as we were in the middle of it and that screws it up. So I can't stop it But I will Brian Hill (29:10.846) Okay, yeah, just as when the recording is done you may need to stick around a little to upload your high quality recording Russ Fordyce 🏆 (29:18.2) Yeah, this one's pretty interesting. in the background, records everything. And so we're having like a zoom and it's doing all the work in the background to record. And so it then uploads it. yeah. All right, I will end it and I appreciate the time and we'll send you guys an email. Have a good one. Thanks, Brian. Brian Hill (29:33.089) Okay. Brian Hill (29:39.234) Sounds good, I appreciate it. Thanks again, Russ. You too, bye.