‘If you have access to the internet, then you are a target’

By Mike Lewis
David Nathans is the founder of SOCSoter, a cybersecurity firm based in downtown Hagerstown, Md. He enjoys most any beverage on a coffee break, except tea, “and especially bourbon in the late, late afternoon.”

David Nathans, founder of SOCSoter, a cybersecurity firm based in Hagerstown

By Mike Lewis

Coffee Break

David Nathans cracked a big smile, then said his company delivers “champagne-tasting cybersecurity on a beer budget.”

The company he founded, SOCSoter, is a managed security services provider. The company recently moved into revamped quarters in downtown Hagerstown, Md.

“Good cybersecurity does not have to be expensive,” he said.

Basically, Nathans said, the firm takes lessons learned from some of the largest computer breaches at large companies and boils that down to cost-effective cybersecurity protection for smaller companies.

Nathans is more than familiar with the subject. He’s worked around the world as a cyber-operations officer for the U.S. Air Force, has spoken at numerous conferences and has written — and continues to write — books and articles about cybersecurity. SOCSoter’s offices include what he calls a “lab,” where new malware is constantly tested to see how it works, what it attacks and how it can be stopped.

“The No. 1 mistake people make is not thinking they’re a target for cybercrime. … No one is indemnified from this,” he said.

It’s bad enough that a ransomware or malware attack could cost your company money and customers, he said.

But it might be worse than you think.

A hacker might target your company because he wants access to your customers’ personal information. And that hacker might want your customers’ information to get access to still other people and more information.

Consider some of the people who are listed as contacts on your cellphone, and who might want access to their info. Then think about who those people might have as contacts on their phones.

Then think about six degrees of separation.

“An ounce of prevention is worth more than a pound of cure,” Nathans said.

He said businesses typically hire experts, from attorneys to accountants to mechanics, to help them succeed. These days, it’s no different with cybersecurity and IT.

“Take care of your IT network, no matter how small. Because it will take care of you,” he said.

On a break, do you reach for coffee, tea, soda, water …?

All but tea, and especially bourbon in the late, late afternoon.

We’ve had to learn terms like “ransomware” and “malware” and “breaches.” How do you bring business leaders up to speed with the dangers they might be facing online?

There are enough stories in the news on a daily basis to educate business leaders to the dangers out there. The hard task is getting people to believe they are a target and that they have real risk. Everyone has something hackers want. There is no indemnification for being a small business, non-profit, school, town or county government. You can no longer feel like you don’t have something others want. If you have access to the internet, then you are a target. If nothing else, you could be a gateway to something or someone bigger.

Knowing that this is an ever-changing field, what do you advise business owners and managers about the future of cybersecurity?

Cybersecurity is not a problem you solve. It is an ongoing issue that needs to be managed. Embrace the concept of defense in depth. A castle has more than a moat and stone walls. You need as many security controls as possible. Organizations have the responsibility to protect their customers, their business and their employees. If a business relies on technology for any aspect of its operations, then it needs to monitor that technology for malicious or suspicious activity and also invest in good cyber hygiene, such as patches, updates, technology refreshes and leverage advancements in security controls when available.

For business leaders, cybersecurity can be a multi-faceted challenge that involves training, software, hardware and, often, working with a vendor. What’s your best advice for business leaders looking at these facets?

If you are not in IT or cybersecurity, then don’t go it alone. And keep in mind that IT and cybersecurity are not the same, although they focus on the same or similar technology. If you have an IT company or dedicated IT employee, ask about your cyber risks. And if they tell you that you are good, then get a second opinion. You can and should always work to do better. At the same time, realize that often the most beneficial cybersecurity controls are free, but that paying for an ounce of prevention is cheaper than a pound of cure.

Outside of work, what are your ambitions and aspirations?

None. When I am not working I am tearing apart malware to learn how to stop them, learning about new cybercrimes, and listening to and learning from other security experts.