Cybersecurity: Anyone Can Be Prey

George Jagodzinski (00:00):

Today, we learn about ransomware negotiation and cybersecurity, why it's not just about data, and it's not just for large enterprises. Our guest is the founder and CEO of GroupSense, Kurtis Minder. He's a leader in the cyberspace, and he's been on the front lines of ransomware negotiations, which really sounds cool. Even though he downplays it, I think it sounds super cool. I encourage you to check out his TED Talk in addition to this conversation. Please, welcome Kurtis Minder.

Announcer (00:27):

You're listening to C-Suite Blueprint, the show for C-suite leaders. Here we discuss no-BS approaches to organizational readiness and digital transformation. Let's start the show.

George Jagodzinski (00:40):

Kurtis, thanks so much for being here.

Kurtis Minder (00:42):

George, it's a pleasure. Thanks for having me.

George Jagodzinski (00:45):

Absolutely. In preparing to speak with you, I know that you've been doing this many, many years. Do you still realize that what you do sounds very cool to everyone on the outside? The whole ransomware negotiator, it sounds like you're some hero swooping in at midnight to save everyone. Does it still feel like that? Or have you just gotten used to it at this point?

Kurtis Minder (01:09):

I don't know if it ever felt cool. And I do recognize that it sounds cool. We actually have people who write in to the company and ask, "What requirements are there to become one of these?" And I try to level-set them. This is probably not a good career choice. But yeah, it is a very unusual profession for sure.

George Jagodzinski (01:32):

So, picking on the choice, how did you get into this? How did it all start?

Kurtis Minder (01:37):

Like most of my professional career, accidentally. I mean, so our core company is a digital risk protection and cyber reconnaissance company. I'll just summarize basically what that is. That's looking for data surfacing in places it shouldn't be and helping companies mitigate or clean that up. The reason why you do that is because bad guys use your data against you. Almost every single cyber breach is sort of fed by corporate data, whether that's credentials, or whatever, that is out in the wild that companies aren't aware of. And so, that's our core business. In order to do that really well, you basically have to be really good at cyber espionage. You have to operate where the bad guys operate. You have to be in all those underground markets and chat rooms and all of those things.


And that puts us squarely in the nexus of the ransomware economy. That's where the initial access brokers operate. Those are the people who sell network access to the ransomware operators. That's where the ransomware as a service platform people operate. We end up seeing a lot of conversations and data related to ransomware work. And in the process of seeing that, we ended up getting pulled into our initial case, where they asked us to be the liaison between the victim and the actual ransomware operators. And we were sort of reluctant in the beginning, but we recognized very quickly after talking to the cyber insurance company and the law firms involved that there weren't very many people who were doing this, and we were uniquely suited since we talk to bad guys all day anyway. And so, we ended up doing our first case, and it was very successful, and we had a knack for it, and it sort of snowballed on us.

George Jagodzinski (03:18):

First, talk about the data side of things. I think a lot of people might just think, "Oh, we could just monitor the dark web if stuff pops up there." But it sounds like it's a lot more than that, where you're truly embedding with these folks. And expand on that a little bit. What's that look like?

Kurtis Minder (03:34):

Yeah. It's funny, I'm writing a piece right now that I call If You Shine a Light, the Roaches Will Run. It certainly is useful to monitor the dark web. I think you should do that. But the threat actors are not stupid. They know that's being monitored, and they're increasingly finding other channels in which they can transact their illicit activities, et cetera. And it's very difficult at the tip of the spear to be able to keep up with that, and that's an art form. It's a discipline all its own. And it is very similar to traditional espionage. You're literally creating assets and personas and sock puppets and speaking their language. So, most of them aren't speaking English. You have to speak their language. And making sure you get invited to the new place, and those places could be chat rooms, it could be WhatsApp groups.


We're writing a piece on activity in the metaverse. So, the bad guys are moving around, so it's not just the dark web. And the other thing I'll say is sometimes it's not bad guys at all. Sometimes it's your employees. You might remember the term shadow IT. That's where somebody would want to do a special project at work, and IT would tell them no, and they'd go to Best Buy and buy a server and put it under their desk, and they would do it anyway. And they'd plug it into the corporate network, and then they wouldn't patch that thing correctly, and then it would cause security vulnerabilities, or they would have corporate data on it.


Well, nowadays, the new corporate IT is basically SaaS collaborative tools and things like that. And so, you've got employees who are spinning up a Trello instance and then putting corporate data and not locking it down properly, and IT doesn't, and security doesn't even know that exists. So, you need a company that is looking for that and helping you clean that up.

George Jagodzinski (05:18):

Yeah. There's just so many ways that you need to have that contingency plan, the backup. On the ransomware side of things, we talk to a lot of executives, and they're always trying to balance cybersecurity investments with the things that they really want to do. Most CEOs don't want to say, "Hey, we're the best at cybersecurity." Right? They want to grow. They want to diversify. They want to super optimize. And cybersecurity, I've been kind of thinking about it. It's kind of like flossing. They're like, "Yeah, could I floss after a meal, after every meal? I could. But maybe once a day is fine, or maybe once every other day is fine." And then, every time they go to the dentist, the dentist asks. And like, "Well, I could be doing better," and they're not. Right?


And I think what it comes down to is a lot of them are still just viewing this as a data problem. There's been many data leaks, there'll continue to be data leaks. I can't be perfect in my cybersecurity. So, what does it really even matter? I'll just do the best I possibly can. But from your stories, it's really a lot more than just data, and I'd love you to expand on that.

Kurtis Minder (06:21):

Well, first, I'll tell you having been sort of first boots on the ground to a lot of these cases, both small and large, I've learned a lot about what works in sort of corporate security policy and also sort of incident response and business continuity and what doesn't. And one of the things I observed pretty early on is that the ICP plans or the incident response plans and the business continuity plans were kind of written for cyber incidents from five to 10 years ago because five to 10 years ago, a cyber incident was really annoying. It's just annoying. Right? Somebody took something, it was embarrassing. Probably had to notify somebody, maybe you paid a fine. You might've fired one of your staff for not locking something down. So, you sort of allocated budget to not be annoyed. That's not what this is.

George Jagodzinski (07:15):

This was like a whoops-a-daisy at that point.

Kurtis Minder (07:17):

Exactly. That's not what this is. This is complete business interruption, operational interruption. In a lot of cases, the companies are in a position where if they don't solve this quickly, they go out of business. There's serious financial material harm that occurs. And so, just for the listeners, one of the things that I would suggest is to try to look at it through this new lens of: What other things do you prioritize because if they happen, your business dies? Right? You need to start looking at security operationally as a fundamental part of the business because if you don't, the bad guys are going to teach you a lesson, and it's not a very cheap lesson. As far as impact, I always use the term “the ransomware blast radius.”


So, the initial ... By the way, your metaphor of flossing, I'm also going to steal. That was great. But the blast radius, the initial impact, is what I just discussed. That is sort of operational in nature. It's easy to understand. We can't place orders. Customers can't contact us. Maybe you can't make payroll, that sort of thing. There's sort of rings of impact around that that people don't think about. And sometimes those are actually longer-lasting and more expensive than the initial impact. For example, some of these are obvious, the impact of customer confidence when they try to place orders and the system's down, and they don't know why. Moving further out to the employee rings, so what happens to employee morale when you can't make payroll for three weeks? And what's the attrition rate? And what does it cost for you to rehire and retrain staff?


So, all these things have to be considered as part of the equation both on the prevention side but also on the backend to decide if we're going to pay some threat actor a ransom at all. We need to understand quantitatively to the best of our ability what is the impact, and it's broad. It goes as far as intellectual property, where I think it was last year, I think was actually one of the Christmas attacks that we were talking about before we got on, and we started recording - that after that incident, I try to do sort of a post mortem with the leadership, and the CSO said that this was extremely harmful to our business.


But my biggest concern is that we're a manufacturer, we've been doing this particular product for over 100 years. We have intellectual property and trade secrets that we think were taken as part of this attack, and I don't know what happened to that data. And if that shows up in one of my competitors, in five years, it's going to be a real problem for us. And so, those are things that people don't think about related to these kinds of attacks.

George Jagodzinski (10:06):

There's many parts that jump out to me in there. I mean, being able to shut down someone's business for gosh knows how long is a huge impact to the bottom and the top line and the brand. But what really jumps out to me is the human impact. If you can't make payroll, or even just people are invested in what they do. They're really invested in what they're building at their company and what that can do to a human and their psyche and their emotions as they're going through that could be so difficult. I think the other part that I always feel for whenever I see one of these issues pop up is whoever that person was that maybe through a little bit of sloppiness, or maybe even no fault of their own, they were the ones that allowed that into the organization. And now they're just carrying the burden of all of that. That's a lot for one person to carry. Right? And it's really up to the organization to have those plans in place, I would think.

Kurtis Minder (11:01):

It is. In order to sort of litigate those things, it really has to be policy-driven on the corporate side. I mean, they need to proactively have sort of the dos and don'ts. And they need to show good diligence on their part that the business is behind those policies both financially and from a reinforcement perspective so that it's not subjective when it happens. It's either your fault and an offense, or it's not. Right? And that also seems to be missing a lot of times in these scenarios. It becomes very subjective, and that's bad.

George Jagodzinski (11:36):

Over the past few decades, I've seen this progress from these types of threats, we really looked at a sovereign nation level, and then enterprise organizations started to face the same threats as a sovereign nation. But now it feels like this is coming all the way down to just mom-and-pop stores. And I'm curious if you have some stories from the trenches or just anecdotes around this isn't just a big company problem, this is really at every level.

Kurtis Minder (12:03):

Right, yeah. I mentioned when we started doing this, it was sort of an accident. After that first case, which was a very large, multinational company, the law firm and the cyber insurance companies contacted us and said, "Hey, you guys are weirdly good at this, and we kind of need some help. There's more of these." And it wasn't our core business, but we decided we'd go ahead and do it. But what we did not do initially is we did not advertise that we did it because we didn't need to. The cyber insurance companies and the law firms would just call us up whenever there was a case.


At one point, one of the cyber breach law firms involved was bringing us a new victim, and they said, "Hey, they went on your website, and it doesn't say you do this anywhere. And they don't have confidence. You've got to put it on your website." And I was like, "Well, fine." So, we put it on the website, and like that, just basically everybody else started showing up. And to your point, we quickly learned that for every one that we hear about on television, there are literally hundreds if not thousands of small businesses that are being hit across the country that aren't reporting it, that are not making the news, and we couldn't handle the volume of that. And frankly, our fees aren't structured in a way that are conducive to helping a local print shop with this problem. Right?


So, initially, I was doing a lot of pro bono work, as many as I could, much to my family's chagrin. But it is different, you were talking about the human part. I'm a human. You're a human. When you're in the large-

George Jagodzinski (13:19):

Last I checked.

Kurtis Minder (13:36):

Last you checked, right. When you're in the large cases, you've got a board room. There's a committee. There's the C-level folks, the CSO, the deputy CSO. You've got internal and external counsel, the CFO, et cetera. And yes, it is very emotional, and yes, those people are very upset. But I've got to tell you, it is night and day difference when you're talking to Mary, who's going to lose the business she's been building for 25 years, the small accounting firm or something in middle America. She's going to have to lay off her 13 employees, who are like her family, if this isn't solved by Wednesday. And it really had an impact on me. And so, part of what I'm doing is I did launch a nonprofit to try to help the scale of that problem.


And part of it, my theory behind the nonprofit is at this point - I'd love to get your feedback on this - at this point, I think it is unreasonable to expect the average small business owner to understand and mitigate the risks associated with their necessary technology adoption. It's changing so fast that ... I've been in tech for 20-plus years, I do not know how my iPhone works. I have no idea. Right?

George Jagodzinski (14:41):


Kurtis Minder (14:43):

To expect the print shop owner to understand and mitigate it is unreasonable, and so we've got to find another way to protect them.

George Jagodzinski (14:51):

Yeah. It's impossible, and it's also unfair. At some point, I think this starts to become, not to be alarmist, but it starts to become a little bit of a matter of national security. Right? Because these small mom-and-pop businesses are the ones that run all of our communities, and they impact the communities the most. And they're very vulnerable, and once you start really disrupting these communities, it can have a real impact to our country. Right? And there's a lot of resources that are out there - because when you were talking about this earlier, all I kept thinking in my head is, "Well, that sounds expensive. That sounds burdensome." How could anyone on the smaller size be able to keep up with any of this? And it's just not fair, it would seem, that we'd be able to have a little bit of a collective defense and also contingency plans on these types of things. So, what's the name of that nonprofit? I want to make sure we get that out there because that's really important.

Kurtis Minder (15:40):

So, my day job is GroupSense, and the nonprofit is GoodSense, and it's under And we're just getting off the ground, but we've got some good donors and tech partners. We're partnering with some universities to have students do the assessments for these businesses in their local communities and then put in the preventative measures. And one of the things we've learned is most of these attacks are preventative, and it doesn't cost... You don't have to buy the latest tech software to do it necessarily. So, we're at least trying to put in the minimum protections for as many of the small businesses, community by community as we can. And then, the rest of it is the response part. Okay, what do we do if it happens anyway? And putting those resources in place.

George Jagodzinski (16:25):

Yeah. I've even seen where people buy the latest and greatest software, and it does more harm than good because they don't really know what they're doing with it. It's like buying the new golf club rather than working on your swing. It's not going to really help anything. It's going to distract you from the fundamentals that you need.

Kurtis Minder (16:41):

Actually, one of the concerns there is the way that tech companies are sort of subsidized or capitalized. They're building most of these software solutions - well, I should say tools, they're building software tools, marketing them as solutions. But the problem is they're tools, and they need operators. There's a shortage of cybersecurity talent and just supply and demand. The cybersecurity talent is going to the top of the market. They're getting paid a lot of money to work for the larger companies. That leaves nothing for everyone else. And so, that's another problem, is even to your point, just buying the latest software tool isn't going to solve it. You need to be able to operate that tool, and basically daily, effectively. And the number of businesses that can actually do that is actually quite small.

George Jagodzinski (17:24):

Interesting. We've talked a little bit about this abstractly. I'd like to bring it down a little bit to: What does this actually look like when you get called in to do it? My assumption is as much as we all want it to be, it's not get you out of bed in the middle of the night, go to some smoke-filled room, get on the phone and talk very aggressively to someone on the other side, like olden hostage negotiators in movies. What's it look like? Is it in your pajamas on a Slack channel? What's the day actually look like?

Kurtis Minder (17:54):

We have a whole team that works on it now. But just from a one-person perspective, just one person, I can tell you. So first, the victim's perspective is they come into the office, and nothing works, basically nothing. They will find a ransom note somewhere. Either it will get emailed to them in one of the general email boxes, or typically it's showing up on a couple of the machines' desktops, unencrypted, of course. And that ransom note is usually just a text file. The ransom note will say, "All of your files are locked. You've been hit by... " And they usually tell who they are. The bad guys have these brands. The media often calls them gangs. So, you'd be like, "You've been hit by Ragnar Locker." And then they'll tell you some dos and don'ts. They tell you not to shut off your machines or reboot, which is actually a good... That's good advice. The software that they're using, if it's still in the encryption process, if you reboot, you're never getting that machine back, so just let it go.


Unfortunately, we've taught all of our desktop users that the first thing they should do before calling the help desk when something doesn't work is to reboot. That has caused some issues. But the next thing they tell us is sort of a list of dos. If I was going to summarize them, there's usually four or five, but these are very templatized. There's usually four or five bullets. And the dos are... If I could summarize, they are just saying, "Contact us." It's almost like when you find a car you want to buy on the internet, and all they want you to do is come into the dealership to talk to them. I want to buy it on the internet, I don't want to talk to you.

George Jagodzinski (19:26):

Just tell me the price. They're like, "You have to come in."

Kurtis Minder (19:31):

Exactly. So, to that point, the one thing that the ransom notes do not contain, as far as I know ever, is the amount. They'll have a very well-written tutorial on how to get on the dark web onto TOR. It's actually quite good. I can teach my mom how to do it off of one of these. And then, they'll have a TOR website that you need to go to. And so, usually, when I get called, I'm looking at the ransom note. Hopefully, the client or the victim has not gone to that site yet, and I'll tell you why in a second. We will have a discussion about one of the early questions we get asked almost universally is: Should we pay? And the answer is I don't know. That's a business decision. And so, let me just walk you through that really quick.


There's a few gates. One is: Is it against your ethics or values? I know that sounds soft, but it might be a thing, so let's talk about that. Two is: Is it illegal? Is it illegal? So, the Treasury Department, Office of Foreign Assets Control, has a list of entities that thou shalt not transact with. And so, we need to make sure that whoever we're about to talk to is not on that list. And the third question is really more about that blast radius that I talked about. What is the impact from a quantitative perspective to the business? Because we don't want to go into a negotiation not knowing what our number is. We have to have a rough idea of what we're willing to pay if we're going to pay. And so, we help them with that process before we ever engage the bad guys, and we try to do that as quickly as possible.


So, let's say we decide we've got a number. We're going to pay. So, then we go to this dark website. And that URL or that website that they give you is custom to you as a victim. So, when you go there, their little log tells them that you visited the site. They know it's you. You're the only one that has that address.

George Jagodzinski (21:21):

They have better personalization than most major brands that are out there.

Kurtis Minder (21:26):

It looks very professional, too. I mean, the sites look very well done. And when you go there, a lot of the sites will have this clock that starts. And it usually has a threat attached to it, and depending on which group you're talking to, the threats are different. So, sometimes it is: If you do not reach a settlement with us by the time this clock reaches zero, we're doubling the price - or: If you do not reach a settlement with us, we're going to dump 25 percent of the data. By the way, they take a copy of as much of your data as they can for extortion. So now they're threatening to leak that data if you don't pay. Right?


So, they're going to say, "We're going to dump 25 percent of that data publicly if you don't pay by the time this clock -" So, this clock starts, so it's reason number one not to visit the site until you've talked to a responder. Right? You better have a plan because... By the way, the clock is totally negotiable. I've reset that clock dozens of times. But you've got to have a plan before you show up. And then, on the site, they'll have a tab, usually on the browser. And you can go into this tab, and it's literally an embedded chat room. And that's where you will talk to the bad guys, so you don't see their eyes. You can't hear their voice. That is also very templatized. They tend to have scripts that they paste in there.


We know the game plan for most of these guys at this point on what they expect. And then, all of the sort of back and forth and negotiation and all that stuff happens inside that little chat room on the dark web.

George Jagodzinski (22:51):

Interesting. Man, that moment when you essentially need to balance... You need to figure out what the equation is between your business impact and your values. What a vulnerable moment that must be. After having done this for so many years and been in these moments when people are at their most vulnerable - I know this is a big question, but have you learned much about vulnerability in that? What has it taught you about people?

Kurtis Minder (23:19):

I guess so. I mean, it's definitely different when you're talking to the boardroom and when you're talking to ... I won't overgeneralize, but I would say that if there are attorneys in the room, the values question doesn't really resonate. They just look at the attorneys and go... Most of the time.

George Jagodzinski (23:19):

Aren't you sitting in a law building right now? You've got to be careful what you say.

Kurtis Minder (23:42):

I am, I am. But when you're talking to individuals, some of these people are true patriots, and they say, "Hey, look. Where's this person at?" Well, they're in Russia, and they've got this unofficial amnesty from their government to attack us, and we're never going to get the money back. And they're going to never be arrested. Right? I don't want to use superlatives. It's highly unlikely that there are going to be any negative consequences for this bad guy. And we've had people say, "You know what, we're not going to do it." They'll talk themselves out of it, and that's their choice. And they'll pay a financial consequence and-or go out of business, but some of them choose to take it on the chin, and I respect that.

George Jagodzinski (24:21):

I bet that's inspiring with some of those folks. It must be some of the folks that you're working with. So, through all these years, I always like to connect what I do at work to things I'm passionate about in life. I always compare digital transformation to maybe smoking a good brisket over 14 to 15 hours, or the game of golf. I'm curious. Have you brought this into your life at all? I know you ride motorcycles. Is there a connection between motorcycles and negotiating? Always curious - those human connections.

Kurtis Minder (24:57):

That's fascinating. Yeah. So, I wouldn't say there's a connection between the two other than that motorcycles are a good place to game this out while you're in your helmet. You're hyper-focused when you're on a motorcycle. It is a bit meditative, and so it's good for that. I would also say that I've been doing some version of cybersecurity before there was a career associated with it, 20-plus years. And when I got sort of dropped into this negotiation sort of liaison role, I learned how much of a discipline that was in itself, and it was a good intellectual exercise for me because maybe I'm a little cynical on the cyber thing now. I've been doing it for a long time. Nothing seems new to me.


But when I learned that this was in itself a very serious discipline, and there's a science behind it, and - now, the first few cases, I was drinking from the fire hose, but since then, we've collaborated with universities and had some of the greatest negotiators in the world contact us and offer to help. And we built frameworks, and I've just learned a ton about how this works. I always joke, though, it only works on bad guys on the internet. I paid too much for my pickup truck.

George Jagodzinski (26:19):

Yeah, those car dealers, you'll never win with them. So, that makes sense, though, I mean, because even what you said to people, step number one is you need to stop and think and get a plan together. That's you on your motorcycle. That's me, probably, on a hike. You need to stop and think, come up with a plan. And I also remember there is science beneath all of this, and everything probably will be okay if you kind of plan it out and leverage the right resources to move through it because in that moment, that human fight or flight, I would imagine, comes into play, and you're freaking out. And you think that everything's just going to implode on you, especially for those smaller people, smaller organizations.

Kurtis Minder (26:56):

Yeah, that part of it I guess is-

George Jagodzinski (26:56):

So, I definitely see the connection.

Kurtis Minder (26:57):

Yeah, that part of it, I guess, is also what's interesting to me, too, because as difficult as it is to deal with the bad guys, a lot of times we're playing a bit of a sort of therapist role, or advisor role to the victim. Again, on the larger side, it tends to be a little bit of a committee. But as we get into the medium to smaller businesses, it's really a human-to-human conversation, and you have to talk people off the ledge, figuratively, off the ledge a bit and get them to focus on what's important. And that's hard to do because of what you said, the fight or flight's taking a hold of them, and they need someone. So, one of the things I say is, "Look, don't try to do this on your own."


So, we brought into play recovery for a number of cases where people tried to do this on their own. They say, "Hey, look, I read Getting to Yes, the great negotiation book. And I can do this as good as anybody." These bad guys know what they're doing, and they are quite good. And it's important to understand the psychology of the bad guys, which most people don't, and what motivates them. And so, you need someone who understands that, but you also need an objective party so that you can have somebody that is looking at this through a third lens that doesn't involve them going out of business, and so the desperation part. And so, there's value there, and it's also sort of cathartic to help people through that.

George Jagodzinski (28:21):

Yet another argument for why therapy's good for everyone. You need to bring in an expert to solve all your problems.

Kurtis Minder (28:26):

It's just healthcare. It's just healthcare. Yeah.

George Jagodzinski (28:30):

Well, Kurtis, this has been great. I love to always... First of all, thanks for everything you're doing because it's not just your day job, but what you're doing in the nonprofit world, really helping those small and mid-sized businesses get to a point where they can fight fair a little bit here, get to the same point that these enterprises are at I think is a really noble cause, so thanks for your time, and thanks for everything you're doing there. I always like to finish these, though, with: What's the best advice that you've ever received?

Kurtis Minder (28:56):

I can't put it into words concisely, but I do think that I've been lucky to have some older mentors back from when I was very, very young. And they impressed on me very early the importance of self-awareness and self-reflection. Some people would say I do it to a fault today. When you get in these positions of influence where I'm talking to audiences in these big talks that I do, or if I'm in one of these incidents and I'm actually impacting the outcome of a business, sometimes it's easy for you to become sort of God in your own mind, or like I'm the expert. But you also have to check yourself in the moment because you're going to make mistakes, too. And these mistakes impact a lot of people. I think it keeps you grounded, and it makes you realize you're just a person like everybody else. You might have a little bit more information, but that doesn't make you infallible. And I think that is some form of advice I got when I was really young, building internet companies.

George Jagodzinski (30:04):

That's fantastic advice. I think the world needs more of it. And maybe I'm showing my age, but I believe a great poet once said, "You need to check yourself before you wreck yourself."

Kurtis Minder (30:12):

I love it. Yeah, I love it.

George Jagodzinski (30:18):

Kurtis, thanks so much again. I really appreciate it.

Kurtis Minder (30:21):

Thank you for your time.

Announcer (30:22):

You've been listening to C-Suite Blueprint. If you like what you've heard, be sure to hit subscribe wherever you get your podcasts to make sure you never miss a new episode. And while you're there, we'd love it if you could leave a rating. Just give us however many stars you think we deserve. Until next time.