Tom Kirkham isn’t a lawyer, but he helps lawyers as well as business owners keep their clients’ private data safe from breaches, ransomware attacks, hacking and other cyberthreats. He is a cyber security and defense systems consultant who’s been in the business for over 30 years, and the founder of IronTech Security. Tom gives an easy-to-understand brief on some of the most common cyberthreats and explains the reasons for most data breaches in companies, as well as why a lot of the enterprise-level antiviruses simply aren’t enough to protect corporate systems from ransomware attacks. In this interview he summarizes a few key principles from his book, The Cyber Pandemic Survival Guide, and shares some tips and useful knowledge for law firms and business owners to implement an effective information security protocol.
The Cyber Pandemic Survival Guide: Protecting Yourself From the Coming Worldwide Cyber War
Tom Kirkham, founder and CEO of IronTech Security, provides cybersecurity defense systems and focuses on educating and encouraging organizations to establish a security-first environment with cybersecurity training programs for all workers to prevent successful attacks. Kirkham brings more than three decades of software design, network administration, computer security, and cybersecurity knowledge to organizations around the country. Tom recently published a book titled "The Cyber Pandemic Survival Guide: Protecting Yourself From the Coming Worldwide Cyber War".
Audiograms & Transcripts: Paul Roberts
We'd love to hear from you. Send me an email at email@example.com
Please subscribe and listen. Then tell us who you want to hear and what areas of interest you’d like us to cover.
Please rate us and review us on Apple Podcasts.
Attorney at Law
Tom Kirkham - Transcript
Louis Goodman 00:03
Welcome to Love Thy Lawyer. I'm Louis Goodman, and today we're going to do something a bit different, but important to all of us. Tom Kirkham, founder and CEO of IronTech Security, provides cyber security defense systems and consulting. Whether your practice involves working for the government, a large law firm, a small law firm, or a solo practice, cybercrime represents a danger and a potentially very expensive problem for all of us. Tom brings more than three decades of computer and network experience to his work. He's recently published a book, The Cyber Pandemic Survival Guide. Tom Kirkham, welcome to Love Thy Lawyer.
Tom Kirkham 00:50
Oh, great. It's nice to be here, Louis.
Louis Goodman 00:53
Thanks so much for joining me. Where are you talking to us from right now?
Tom Kirkham 00:58
I am in Fort Smith, Arkansas.
Louis Goodman 01:02
How long have you been located there for your work?
Tom Kirkham 01:04
Oh, well, I founded the company a little over 20 years ago, and it was right here, and I think I lived here about another 10 years before that and my previous job, I didn't really spend much time here, except on the weekends. I was traveling all over for my job. But you know, once the dot com days, the dot com bust hit, I was laid off for my other tech job.
I was an executive in a software development company and I had really nothing else to do. And Fort Smith, Arkansas is not exactly a hotbed of technology, so I decided just to become, open up an outsourced IT business for small to medium size businesses.
Louis Goodman 01:45
What's the name of your company?
Tom Kirkham 01:47
Louis Goodman 01:49
Where are you from originally?
Tom Kirkham 01:50
Louis Goodman 01:51
Is that where you went to high school and college?
Tom Kirkham 01:54
Well, in high school it was all Arkansas. My dad was a civil engineer, so we moved around a lot when I was younger, but I eventually went to the University of Arkansas three times and then settled here in Fort Smith with the previous software company.
Louis Goodman 02:12
So, even though you came from Louisiana, you became a Razorback?
Tom Kirkham 02:15
Yeah. Yeah. It's funny how you, if you live in a state long enough, you kind of, it kind of gets into your blood.
Louis Goodman 02:21
What was your experience in your education in college that got you interested in the computer and networking world?
Tom Kirkham 02:31
That's a great question. It didn't. I actually attended college for economics. I was a hobbyist in the computers. You know, back in the old dialup internet days, I was on the internet before there was a worldwide web, before there were websites.
Louis Goodman 02:49
So how did that fit into your becoming more interested in the online computer world?
Tom Kirkham 02:57
Well, it started as, you know, I built my own computer, you know, as a hobbyist, and then it was part of the company that I worked for previously. And so the internet wasn't what, no one expected it to be so pervasive throughout our life. And then the worldwide web was created and I got, I started thinking about it strategically and understanding how networking works. And still to this day, I, that's all I do invest in is technology. I look at things from a macroeconomic perspective, but only as it applies to technology. So, if you know anything at all about technology, the pace of change is incredible.
Louis Goodman 03:43
Can you explain that a little bit? I mean, I know that there's this rule that says that the chips get faster and faster and faster, exponentially and I imagine that has something to do with that pace of change, but can you just explain a little bit about that pace of change for people who use the technology like me, but are not necessarily aware of, you know, what's going on behind the screen?
Tom Kirkham 04:09
Yeah, so basically Moore's Law, and he was one of the founders of Intel, said the average CPU will double in speed every 18 months. Now, that had started slowing down. You know, they were getting into some subatomic principles about, you know, how small can we make this copper where it will still transmit bits and bytes. I mean, just look at how much, how long has the iPhone been out? That's only been out 12 years, maybe? And before that we didn't, we kind of had the internet in our pocket, but now it's, for most people, it's the main interface to the world and their life, really. It's really hard to describe the pace of change. I can't think of another industry that has that incredible pace of change.
Louis Goodman 04:58
Tell me a little bit about IronTech Security and what IronTech Security focuses on.
Tom Kirkham 05:07
Security is job one. It doesn't matter how much more productive and efficient you are, it doesn't matter how IT investment positively affects the P&L each and every day. If you don't secure your firm and secure your client data, secure all the stakeholders to your firm, including yourself, it could all be at risk. And that's one of the, you know, what creates value in a law firm or with an attorney? It's, you know, you're nothing, if not your reputation in many professional service industries. And if you have a data breach and client data is exposed or employee data is exposed, it could put you out of business.
Louis Goodman 05:53
Yeah, it could put you out of business. And for those of us who are attorneys, it could also put us in a great deal of difficulty with our state bar regulators and the courts.
Tom Kirkham 06:04
Now, what we do with IronTech is we provide enterprise grade, Department of Defense level cyber security defenses to the smallest of law firms. Because people have this, they, they don't think they can afford the same thing that the Department of Defense or Ford Motor Company is implementing. They think it's beyond their affordability, but in fact, it, you can't afford not to put it in, but it's not nearly as expensive as the vast majority of people think, and about half the population doesn't know where to get this level of security defense, and that's one of the reasons why I'm on your podcast, is to help educate that this is available and you can afford it.
Louis Goodman 06:54
There have been some pretty high-profile attacks against systems. I'm thinking of Colonial Pipeline. And I know that you've looked at the Colonial Pipeline case certainly more closely than I have. I'm wondering what you can tell us about that and how understanding what happened with Colonial could affect any of us.
Tom Kirkham 07:14
Colonial Pipeline did not have a Chief Information Security Officer. That was the first thing I noticed as I started, I wasn't involved with the case, but I, you know, it's all over the threat intelligence briefings that we see all the time, and that's the very first thing I thought.
Basically, what happened, they were a victim of a targeted attack, right. So, the hackers knew it was a big target until it made the headlines on CNN and Worldwide News. They had no idea they were attacking petroleum distribution that would affect the entire eastern seaboard. They actually apologized for the attack. So, even though it was targeted, they still didn't know who or what it was. They just knew there were a lot of terminals and a lot of IP addresses, and they had a legacy virtual private network connection that was not protected by multifactor authentication. And they cracked the password on it.
No one was using it inside the company, and that is one of the things that a Security Officer will make sure, is they're gonna button up those things that are unused and turn 'em off or lock 'em down. Now by all reports, their Chief Information Officer was very competent and very capable, did a great job. But you've gotta remember that security is a different skillset. It's a different expertise, and within that there's subcategories. But IT is really about increasing productivity and efficiency and just making sure things work.
Security typically is a secondary, now, if there's anybody involved with IT, I probably just offended someone, but it's my observation as well as others in the security business that this is typically what we find. We go into clients that their IT provider said, "You need this internet protection suite." Symantec, Norton, McAfee, whatever, whatever it is they partnered up with. Well, those are not good protection. Those are not enterprise, they're not enterprise-grade malware prevention.
A modern ransomware attack, which is what everyone has to worry about. Everyone. A modern ransomware attack has no virus to detect. So, it, they just blow right past an antivirus program.
Louis Goodman 09:46
Because those products that you just mentioned are antivirus products.
Tom Kirkham 09:50
Right. And that's 40-year-old technology that has a locally updated, frequently updated virus signature file, or a virus definition file. So, everything that's run on the computer, it has to run it through that signature file to see if this is a virus. And what the modern stuff or this enterprise-class endpoint protection, it's called an EDR, that's what the whole class is called. It uses artificial intelligence in a neural net to look at the behavior of both the user and the computer. And because it understands "story lines", which is a technical term inside of InfoSec, the story line of an attack, it can predict a certain sequence of things that will end up being a ransomware or other type of attack and intercede. It doesn't have to have a virus definition file. It doesn't even have to have a virus.
Louis Goodman 10:51
Another kind of high-profile attack was made on the city of Atlanta. Wondering if you could talk about that a little bit?
Tom Kirkham 10:59
The biggest problem we have is humans. Over 90% of successful breaches required an insider. And by an insider, I'm almost always referring to a non-malicious insider. It's just someone trying to do their job.
Louis Goodman 11:17
So, you're talking about someone in an organization who has a computer that they use routinely in their work for the agency or the firm that they work for, and they're using that computer, but they're not being particularly careful about cyber security on that computer?
Tom Kirkham 11:39
Right. So if you look once again, going back to the storyline of a ransomware attack, if this in the typical way to deliver that ransomware attack into inside the network is via email. So, these hackers, the ones that specialize in ransomware attacks have one really, really good skill, and that is their ability to psychologically manipulate, social engineer. Back in the old days, we called it a con job or a scam. That's all it is, but instead of it being a one-to-one street scam, it's a one-to-many. It's done with automated software, and they will, for example, craft an email, send it to all the email addresses they have in a law firm, and it looks like it's from a vendor. Maybe it's a vendor that provides important research or research, you know, website or whatever it may be. It looks like it's from them and it says something to the effect of, "Hey, this is super urgent. These are the outstanding invoices that are unpaid. We're gonna shut your service off immediately."
Well, bookkeeper gets that, he or she's gonna think, Wait a minute, we're all paid up. It's an automatic deal on my credit card. Let me open this file attachment up and see what they're saying. And typically that may be an Excel spreadsheet, it could be something else. But Excel will call a macro built into spreadsheets, right. The macro calls the Windows disk encryption service and that unleashes the virus. It begins encrypting files, every file it can find on that computer in the entire network.
Nowhere in that storyline is a virus. In fact, it's all built into Microsoft Office and Microsoft Windows. But those steps a good EDR or artificial intelligence can see that that is a very typical storyline and stop it before it begins encrypting files.
Louis Goodman 13:39
How do you foresee the cyber threat landscape changing or evolving over the coming years?
Tom Kirkham 13:46
Well, we've already seen a big change in that these nation-state level offensive cyber warfare, viruses, trojans, whatever you want to call 'em, are available for free on the dark web for use by criminals in other nation states.
The best example I can give of that, for those of you that remember the Stuxnet virus that the US and Israel used to attack Iran's nuclear enrichment facility. The NSA created it and some others. And they deployed it and they knew that it was so dangerous that they carefully made sure it would only execute in that environment. Well, the NSA was breached about five, four or five years ago, and their offensive cyber weapons along with Stuxnet are available to be downloaded by anybody on the dark web, including the source code.
So, that very source code of the original Stuxnet is being used against us each and every single day. So, that's a game changer. You know, you take offensive cyber weapons that Russia has, United States has, Israel, Germany, many, many other players out there, and most of those, they've been hacked, they've been breached. And they're available to be used against us for whatever purpose necessary. So that changed the game a lot.
Louis Goodman 15:19
One of the things that I really took away from reading your book is that it's not a matter of just putting in a technological fix into one system. It involves really being continually vigilant and having the people around you being continually vigilant about things that don't look right, don't sound right, and that feel like there's something sketchy going on.
Tom Kirkham 15:48
Yeah. If you see something, say something. Almost every day one of our clients will send us an email before they open the file attachment and say, "Check this out. Make sure it's clean." That happens to us every day, and we gladly do it. That's why we're there, that's why they've got a security team. You know, on call.
Louis Goodman 16:06
You've written this book, The Cyber Pandemic Survival Guide. Wonder if you could just kind of take us through how you came up with the notion of writing that book and the way in which you put it together. Because it has a very interesting sort of over story that then takes the reader through the process of being hacked, having problems, and then seeing what could have been better done from a security point of view.
Tom Kirkham 16:40
I knew that I didn't want to do just a dry cybersecurity book, and I knew the audience was not people like me. I can't have all this technical jargon in there.
Louis Goodman 16:50
No, the audience is people like me.
Tom Kirkham 16:53
Exactly, exactly. So, I'm looking at that typical small law firm, that typical small business that's, you know, owner of accounting or managing partner of an accounting firm, whatever it may be, and I've got to communicate this is the right thing to do and this is what could happen. So the fictional components of that is what I use to build out that whole thing.
But if you notice, it just hammered it home that the biggest failure in that fictional scenario was failure of management and leadership. The mayor of the town's first knee-jerk reaction was to blame the IT guy. And that's not, that wasn't the problem. The problem is the, is the people making the decisions are not recognizing and acknowledging and addressing their risk and taking care of it. That's good management, and good leadership is represented by making a strategic decision to protect the very viability of the firm and everyone that works there in the event of a cyber-attack.
I wanted to illustrate the human component and what better way to do it than to show the failures in management and leadership, as is often the case in modern warfare or well, all warfare for that matter.
Louis Goodman 18:21
What do you like about doing this kind of work?
Tom Kirkham 18:24
Oh, it's just, it's exciting. I love thinking about, you know, I love investigating anomalies.
Louis Goodman 18:32
What keeps you up at night?
Tom Kirkham 18:33
I've got clients and if we have a breach, all of our clients potentially have a breach.
Louis Goodman 18:41
Let's say you came into some real money, a few billion dollars. What, if anything, would you do differently in your life?
Tom Kirkham 18:49
You know, that's always the question you're sitting around with your buddies at the bar and the lottery is up to whatever it was recently, 1.5 billion or whatever it was. And then, but then you start reflecting on, oh, I would buy everybody here a brand new Ferrari or whatever. And then you start reflecting on that and you start imagining what would you really do? And I have, I have yet to come to a conclusion on that. I remember reading a biography or a book about Bill Gates and Warren Buffett telling him, this was in the earlier days of Microsoft, he could already afford a jet. But one word of advice, Warren Buffett said, "Wait until you're 50 to buy a private jet." Well, that was ridiculous. Gates needed it when he was 30 and he did buy it early. But the other one is, you know, the other one is you know, when you've got this level of money, you can't eat any better. You know, cars are just gonna get you from point A to point B. You gotta keep it all in perspective.
I would do the same thing I'm doing now just in different places around the world, you know. Because, you know, our Chief Information Officer lives in Egypt. Our Chief Marketing Officer lives in Honolulu, and I frequently do things like this from, you know, all over the place because I travel, and for various reasons. And I, Yeah, I think I would continue to do the very same thing, maybe a little less.
Louis Goodman 20:22
Tom, if someone listening to this wants to contact you about their own cybersecurity needs, what's the best way to do that?
Tom Kirkham 20:31
IronTechsecurity.com. My personal website is tomkirkham.com. There are contact forms that'll all get to me no matter what. Buy the book, it's available on Amazon, on Kindle, and a hardback copy or soft cover. Those will all get to me one way or the other. And if you've got any questions, anyone in our companies would be happy to talk to you. We understand who our audience is, and our job is to, you know, it's not your job as a CEO or a business owner to understand it at this depth.
And so the number one thing is to go to a security specialist, not IT, it's not in their wheelhouse.
Louis Goodman 21:16
So, it's really important to understand that IT is one thing, but internet security is something very different?
Tom Kirkham 21:24
Right. And security needs to be job one. That trumps everything.
Louis Goodman 21:28
Yeah. I wanna just mention one more time your book, which is The Cyber Pandemic Survival Guide, and it's written by you, Tom Kirkham. And Tom, is there anything that you wanted to talk about, to mention that we haven't gotten to?
Tom Kirkham 21:46
Well, yeah, the, the name of the book comes from a phrase that Klaus Schwab talked about. What we witnessed with COVID is it took weeks and months to go around the globe. A cyber pandemic can travel around the planet in minutes or hours, and his objective with that talk is to imagine what would happen if we don't have ourselves properly protected, because we already saw what happened when we didn't have ourselves protected against COVID, and it could be much, much worse. In fact, he says it will be compared to COVID, COVID will look like a speed bump compared to a global cyber pandemic. And yeah, that's what the name is based on. And hopefully it never happens, but it's certainly possible right now.
Louis Goodman 22:37
Tom Kirkham, thank you so much for joining me on the Love Thy Lawyer podcast.
I've certainly learned some things this afternoon and I've learned some things from reading your book, so thank you so much for being so generous with your time and so informative.
Tom Kirkham 22:51
No, it's been my pleasure. Thank you very much for having me on.
Louis Goodman 22:55
That's it for today's episode of Love Thy Lawyer. If you enjoyed listening, please share it with a friend and follow the podcast. If you have comments or suggestions, send me an email. Take a look at our website at lovethylawyer.com, where you can find all of our episodes, transcripts, photographs and information.
Thanks to my guests and to Joel Katz for music, Bryan Matheson for technical support, Paul Roberts for social media and Tracy Harvey. I'm Louis Goodman.
Tom Kirkham 23:33
A lot of people don't realize it, but the internet was invented in the United States. The worldwide web was actually invented in Geneva, Switzerland.