Holton, 48, spoke with Staff Reporter Lindsay VanHulle about the cybersecurity landscape heading into 2022. Here are edited excerpts.
On cyber threats in 2022:
Ransomware is not going away. Business email compromise is not going away. If anything, these guys are constantly evolving and just trying different techniques. These guys are building out automated platforms. When it does get into an email inbox, it will actually automatically dump all of the contents of the inbox. It'll dump all the contacts. It'll dump all the recent conversations, and then it will start responding to all your recent conversations from different email servers.
On how automated platforms work:
Let's say a controller emails a finance manager about a recent deal. If that controller's email account gets compromised through one of the automated detect platforms, the first thing it does is dump all of those conversations and then replies to the most recent conversation. So the finance manager, whose email was not compromised, gets an email that looks like it came from the controller and looks like a previous conversation they've had [with] the actual subject line and text from a previous conversation. So he instantly clicks on it, assumes it's from the controller because it not only has the controller's fake email address spoofed but actually has legitimate information he previously typed that has an extremely authentic feel to it. So when he opens that, he then clicks on an attachment on it and boom: He's now infected.
It can repeat the process through all of his email contacts, and, simultaneously, it's crawling his network, looking for ways to steal data and encrypt data. And all of this is [through] fully automated platforms managed out of Eastern Europe. It's not the guy in the hoodie who's specifically targeting and attacking. Because they're getting so automated, they can now afford to attack hundreds of thousands of potential targets very quickly, in a matter of a day.
You're going to see a continued, massive uptick as these guys get more and more automated. My No. 1 point for 2022 is: As they become more focused and automated in their techniques, they're also learning what works well. So they're always improving their attacks. Dealers are just going to have to be even more vigilant and more focused.
On state privacy and security legislation:
I expect to see a lot of the states' legislation that's been kind of dangling out there get a little more energy now that the FTC has passed the Safeguards [Rule] update. You're going to see a lot more states coming out with specific mandates for data security that mirror the FTC and mirror the California Consumer Privacy Act.
On following the framework required by the FTC and cyber insurers:
If they're checking off all the boxes in the FTC [rule] and they're checking off all the boxes on their cyber insurance requirement, they're in pretty good shape. They're the 90th-percentile secure. They're going to survive ransomware. Things are not going to be a big deal. If they're not checking off all those boxes, then they need to ask themselves why, because [it's] just basic business practice in today's world. You've got to be aware of cyber and you've got to be paying attention. You've got to be doing it. And if you're not, then you're leaving yourself a pretty big exposure point.