Most businesses rely on some type of software, either for scheduling, payment, banking, customer lists, or something else. It’s important to know where this information is stored and what would happen if that software was hacked or you weren’t able to access it. Today’s guest is Kris Burkhardt. As Accenture’s Chief Information Security Officer, Kris leads a team of over 800 security experts charged with protecting company client and customer data.
“With all of the media we have coming at us these days, we live in this highly connected, super digital society, it’s a lot. You have to have an industrial strength filter that is on all the time.” - Kris Burkhardt
Show Notes:
- [0:49] – Kris describes his role at Accenture and what Accenture is known for in the security industry.
- [2:26] – Part of their program is sending phishing tests and Kris has failed one before as well. It happens, especially when we are in a rush.
- [5:39] – We are so highly connected that when something goes down, it impacts us in ways we never considered.
- [7:10] – Many small businesses rely on software service providers because there is a lot of good about them. But what happens when they go down?
- [9:56] – Defenders have to get it right all the time.
- [11:13] – The last ten years have seen an immense amount of growth in how we store data. We have to stay ahead of change when it comes to security.
- [13:59] – It is hard to understand how much we rely on technology.
- [17:34] – Kris describes a time when the CEO of Accenture was used in a deep fake and the threat actor was very clever.
- [21:17] – Kris believes that advances in technology will make it harder to pretend to be someone else.
- [23:20] – Children are growing up in a technological world and are naturally more skeptical and cautious as a result.
- [25:49] – Safety has always been an afterthought.
- [27:15] – Kris shares what he thinks scams and deep fakes will look like in the near future.
- [30:12] – Pay attention to things that don’t seem consistent.
- [32:57] – People feel like there is a trade off when it comes to efficiency and security.
- [39:37] – Having a plan ahead of time is absolutely beneficial in staying ahead of security problems.
- [44:25] – As deep fakes become more and more of a problem, Kris suggests having code words with family members.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Accenture Website
Transcript:
Kris, thank you so much for coming on the Easy Prey Podcast today.
Hey, Chris. It's my pleasure to be here. Thanks for having me.
You're welcome. Can you give myself and the audience a little bit of background about who you are and what you do?
Sure. So, my name's Kris Burkhardt. I am the Chief Information Security Officer at Accenture. For those of you who don't know Accenture, it's a large global IT strategy digital agency company. We do a lot in that space. We're north of 750,000 employees, coming up on 800,000. It's hard to keep track of the exact number, but we're big. My role, of course, is to try to keep all of those people, our clients, and our clients’ data safe.
That's a big challenge when it's that large of an organization.
Absolutely. Yeah, it really is. A core part of our program is really information security behaviors and ensuring that our people are not paranoid, but that they're ready to spot scams. They do get targeted like everybody gets targeted. We want to make sure that they're able to handle it.
Let's get this question up front and out of the way. You're talking about people being targeted for scams, and whatnot, and phishing attempts. Have you ever clicked on the phishing links? I think we've all been targets. Have you ever gotten down that pathway before you realized it was a scam?
Yeah, absolutely. We run phishing tests like many companies do all the time. I don't know that, to my knowledge, I have been hit with a real one yet, but I have failed our phishing tests before. It's the classic, “I was in a hurry. I was looking at the email on my mobile device.”
I'm a little embarrassed to say that I thought the company was going to buy me a free Fitbit. It turns out they were not. That was the phishing test that my team had devised. They got me on that one, but that's OK.
I think when you fail them, fail is a strong word. When you don't get it right, it's just a good reminder that you need to slow down and pay more attention to what you're actually reading in your email box. It's good to have a healthy sense of skepticism as you look at mails that are not from known correspondents.
Yeah. I want to dig into this for a second, because you said there was a possibility of getting a free Fitbit from the company. I know there are life insurance and health insurance programs, where if you wear a fitness tracker and you get your steps in that you get a discount on your insurance, or it's just to motivate employees to be healthier and more active. Is that what threw your mind on it?
You nailed it. Yeah, that was exactly it. The other part of the equation is I had just read about a program that we were doing that did just that. If you led a healthier lifestyle, you could get a discount on your insurance or whatnot. I guess my brain and the background must have connected those two things and thought it was OK to click.
In some sense, that's what our brain is designed to do. It's designed to put things together and make logical connections. “Hey, we were talking about having a healthier company, and here's this thing helping us to do that. Why not?”
Yeah, absolutely. With all of the media that we have coming at us these days, we all live in this highly connected super digital society—it’s a lot. You’ve got to have an industrial strength filter that's always on all the time. No mistakes allowed. Hopefully the mistakes you make are small ones like mine.
Yup. We never like to make mistakes, but hopefully when we do, the impact is as limited as possible. Talking about impacts of issues when we're recording this, this is four or five, six days into the CDK platform being down. Can we talk a little bit about while that's not your product and your service, this concept of we're so reliant on all these interconnected services that when something goes down, it impacts us in ways that consumers don't necessarily expect?
Yeah, I think it's a great one. Not to pick on CDK—there’s plenty of victim-blaming that happens in this industry. I don't want to be part of that. They're a good case to look at because of their broad impact. CDK, I read online, they're in 15,000 car dealerships, I think that's what they claim of maybe 20,000 in the US. I'm speaking about the US here. They have a huge market penetration.
Their customers are not necessarily technologically savvy. Car dealers don't want to be experts at writing car financing software, inventory plans, and service scheduling applications. They rely on a company like CDK for all that.
As we were talking about before, Chris, many small businesses rely on these software-as-a-service providers because there's so much good about them. You don't have to maintain your own equipment. You don't have to think so much about backups; they do all of that for you. It's great. It's a really good thing, except when it goes down. The reliance on these companies, I think, is incredible.
The CDK thing, I think as you were saying, consumers just don't understand how integral now software service providers are to our day-to-day lives all the way from the real obvious ones like Gmail, like Microsoft 365 for many businesses. G Suite is the Google version of that.
CDK provides all those dealership software packages. Without those, you're not going to be able to buy a car—at least not easily—and you're not going to be able to schedule service. You're going to have to call the dealership. I'm sure they'd be happy to see you, but it's not as automatic as it once was and hopefully will be again, as they address their issue.
Dealerships don't have disaster recovery plans. They don't think about business continuity. That is really in the realm of the service provider. I think it just underlines, I guess, how important it is to have those kinds of plans and to ensure that your providers have those kinds of plans for you.
This is not even specific to bigger industries like auto dealerships. Restaurants have OpenTable and things to handle their reservations. If that platform goes down, they don't know who's made a reservation anymore. They don't know who's going to show up. They don't know where to seat people. They've got to go back to the old paper and pen methodology. Maybe for restaurants, that might be a little bit easier, but I can't think of an industry where there probably isn't a reliance on software as a service.
That's right. There really isn't. You can name all the little businesses that you're going to interact with every day. There's very few where you walk up to the counter to buy what you're going to buy, talk to the receptionist, or whatever it is that you're doing, and they're not tapping away into a computer. That computer is almost certainly connected to some software package in a cloud.
As a CISO for both your company, your employees, and the companies you work with, what are some of the things that keep you awake at night?
That's one of them. If we think about cloud service providers in general, we have to get everything right all the time. The defenders have to defend well. We take a lot of steps to do what's called defense in depth. You have to assume that a layer is gonna have a failure here and there again.
The analogy that gets used a lot, and I'm sure a lot of your listeners have heard it, is the holes in Swiss cheese. You don't want those to line up, but sometimes they do. The more layers you have, the less likely it is to line up. That keeps me awake. It's just defending against all those attacks against assets in the cloud. Whether it's our employees' mailboxes, SharePoint sites that house our confidential documents, or our finance systems, making sure that those are secure all the time.
With the changing technology, Chris, when you look at where we were 10 years ago, and you think about the cloud was probably largely made up of virtual machines, you can picture a physical server, and we moved it up into the cloud and said, “OK, now we're in the cloud.” It’s great. Now there's all sorts of variations on that. There are containers, there are what's called native cloud services. Storage, I'll call them. You can loosely call them databases, but storage utilities, there's computer utilities.
All those work a little bit differently. They all have their own vulnerabilities and they all require their own protections. Staying ahead of all that does keep me up at night. I have some sympathy for the CDKs of the world when these things happen, because it is hard to keep it all secure all the time.
It's hard to, on such a wide-ranging platform, to have that resiliency of, “If that goes down, how do we spin it back up again without the issue that caused the problem in an overnight or one cycle?”
Yeah, that's right. I think when I look at it and I look at how we manage our stuff, I think, first you’ve got to have a framework and the right toolkit to measure and correct your vulnerabilities and your exposures. That's super important. You have to understand what technologies you're using, and then you have to have the right tooling to ensure that those are configured properly. You're keeping up to date with patches and all that kind of stuff.
You also have to have a good, as you say, business resilience plan. What happens when you do get hit with ransomware? You have to have an immutable backup somewhere. You should know, “What are your critical systems?” “What am I going to restore first?” “How long is an acceptable timeframe to restore those?”
For a company like us where we report financials to the street once a quarter, depending on when that attack occurs, a few, three, four days down for those might be fine. That might be OK. We're still going to be able to do our work.
For a company like Amazon, if their main website gets hit, that's millions in revenue, I don't know, every minute, probably. What does that look like? Having that restore view and restore plan, I think, is super important.
People don't always understand, which I think is ultimately the point here. They don't always understand their exposure to technology, and they don't understand the outsized impact it can have on what feels like a business that's not relying on technology. In fact, as you and I were discussing, all businesses are now relying on technology, they just really are.
I was working with some people that I know with their small business ones. We're just talking through the simple, “Do you have backups? How do the backups work?” It's funny, I think everyone talks about the back stuff up, but almost nobody knows how to actually recover stuff.
Yeah, you’ve got to practice. You have to practice.
That was the question that I had asked them. Have you ever tried to recover the data and restore it? They're like, “No. In fact, we don't even know how to do that. We've lost the manual for the software. Someone would have to go figure out how to actually do this. How long will it take?” “I don't know.”
Again, it's one of those things. It's like, “Well, someone told us we need to back it up and that made sense. But we didn't think about, well, if we ever had to use it, what would that look like?”
Yeah, super important. You’ve got to do it, you got to practice it. The other, Chris, that keeps me up at night, and I was trying to think about how to say this broadly. I think the best way that I can say it is I worry just in general about people's resistance to social engineering. That has a lot of aspects to it. You can look at that from simple things like email phishing, people trying to get you to give up your credentials, send them some money, or what have you, all the way to change your elections, deep fakes of political candidates in compromising or awkward positions.
I worry about our collective ability to really identify those and be resistant to non-facts. I don't want to get political here, but it's too easy, I think, sometimes to manipulate folks. We spend a lot of time on that in our training. We spend a lot of time on how to identify social engineering in all its forms, how to think about it, how to verify through other channels whether an ask is legitimate or an email is legitimate. That one keeps me up at night.
If we've got a little bit of time for a story, we had an interesting one that happened. We had a threat actor attempt to convince one of our senior finance people to make a payment to them. They created it based on some YouTube video that is out there of our CEO. They created a deep fake of our CEO, Julie Sweet. They used that.
They were quite clever about how they did this. They had somebody pretend to be Julie on WhatsApp and sent a simple text message over WhatsApp, and then they sent a fake voice recording of Julie. They use deep fake software for that to make it seem a little bit more real. The threat actor chose a law firm that we do business with, and that law firm had not registered the United Kingdom version of their domain.
Lawfirm.com was registered, but lawfirm.co.uk was not. The threat actor registered that domain and, as a follow-up, sent a Zoom invite to this senior finance person. They got the senior finance person on the call, got a deep fake video of Julie. Julie introduced the call, set it up, the threat actor pretended to be a lawyer from this law firm. I had a discussion with our person about how they wanted the money sent and all that.
Fortunately, our person was paranoid enough. It didn't quite make sense to them. They asked a few questions and did not ultimately send the payment. Raised it to me and legal, and we handled the situation with them, but the threat actor was convincing. The Julie Sweet deepfake was convincing. It really took, I think, some of the training we gave the person and their innate thoughtfulness about it to prevent that problem.
There were some things that didn't add up. It wasn't a usual course of action for Julie to take. There was some generated urgency there that didn't need to be there and some of the same tricks that we see for social engineering all the time. Between the deepfake and the good email domain, it was well executed.
Kudos to your employee for having the right amount of skepticism.
Yeah, that's right.
We want people to have an appropriate level of skepticism because you don't want to wire money to people you shouldn't be wiring money to. In the back of my mind, I always wonder if we're going to get to some point where unless the boss walks into the room and says, “Do this.” “Oh, I thought it was a deepfake.” I didn't think that was real or that people are just going to push back on absolutely everything, and that is just going to slow business down, slow people's ability. The distrust will become problematic as opposed to a problem preventing.
Yeah. I hear you. I have seen some colleagues get a little bit overly paranoid about stuff. I think I said I grew up doing a lot of technology for the first half of my career. My natural instinct is to go ask for a technological solution to these types of things. I think we'll get there.
I think some of the things that we're seeing Microsoft, Google, Amazon, and others do with identity, identity verification, I think is going to make a difference there. As we roll on into the future through technology, I think we're going to see that it's a lot harder to take on a new identity or pretend to be somebody else online. I think people will get much better using some of those tools at spotting likely deepfakes.
I think people get more comfortable at confirming through alternate means. You send me an email, that's great. I'm going to call you at a number I know you own and confirm it's you. I think we'll see more of that. We're clever. We've been around for millions of years. It's not a mistake. I think we'll figure this stuff out.
I have a little healthy, in my mind, skepticism about a technical solution to what I would refer to as a biological problem. People are using psychology and the way our biology works to bump us into a state where no matter how much logic we have, reason that we have, and processes that we have, when we're in a great state, if someone can bump us out of that state by threatening us, scaring us, triggering greed, urgency, any level of emotion, the rules go out the window.
Yeah, it's a great point. It really is. I forgot to mention in my deepfake story, the initial contact happened to catch this finance leader at an airport in between flights. They were distracted, and they were probably more accepting than they would have been. Your point is completely legitimate.
Also, scams have been going on since the beginning of time. I think this is just a new, easier way, soon-to-be AI-powered, that'll get to all of us. Maybe I'm just more optimistic. I also think our kids, growing up with this, are probably more cautious by nature because they've seen so much of this. They've grown up in a technological world in a much different way than the world that I grew up with TRS-80s and old-school tech.
I do think that we have to, we just simply must, hold some of the larger technology companies accountable for making it better. I think they've given us this wonderful gift of this massive digital society, which is great. I think you can argue if that's healthy or not healthy, but I think they owe us some security to go with it. I think they're trying. They may not get there as fast as you or I want, but over time, I think things will definitely improve.
Yeah. I think the guardrails are things that are, I don't want to call them an afterthought, but guardrails usually come later once you realize the technology and the holes in the process, I'm sure old highways never had guardrails. It was when, “Gee, an awful lot of people have gone around this corner and gone off the edge of the road. Maybe we should put something there to keep that from happening.”
Yeah, I think so. I just spent some time with it. There was a very public report from the US government agency, CISA. Their cyber safety review board, in Congress, I think they had a go at Microsoft over one of their recent breaches. They've had some very specific asks for Microsoft and other cloud service providers about identity, about resilience, and about transparency and reporting. I think those guardrails are coming.
Unfortunately, a lot of the cloud service providers—in fact, not just them, any vendor—their incentive to get good products out fast and safely for a long, long time has probably always been an afterthought, but we didn't get seatbelts for a long time. We didn't get airbags until even later. I think the same will probably be true here, so I'm looking forward to my airbags.
You and I probably grew up with lawn darts.
Yes.
Anyone younger than us says, what's a lawn dart? You'll have to google that. It'll be very clear as to why they're no longer available.
I too had a set of darts as a child.
Any product has the capability of making it to the market, but not all products can stay on the market.
Right. Very fair.
Do you see deepfakes becoming more prominent over the next few years with just the massive increase in computability coming on?
I do. We haven't talked too much about AI. I'm not sure we're allowed to have a conversation without mentioning AI anymore, so let's talk a little bit about that. First of all, I think there's a lot of things that AI is going to power in a security sense. The initial balance of power is going to be towards the bad guys. I think AI-generated phishing emails that are individually tailored for each of 10,000 recipients versus the generic Viagra ads we all got 10 years ago is going to be pretty powerful.
I think that the AI-generated deepfakes are only going to get better too. I worry about individual tailored AI deepfakes. I've heard a terrible story about a deepfake phone call that a threat actor created allegedly from this couple's child asking for help. He was in trouble, they needed money. I think we'll see more of that.
I also worry about AI power. We were talking about attack surface management earlier and making sure that your cloud stuff is safe all the time. I worry about AI-powered attacks against that. What happens when you give an AI a whole bunch of vulnerabilities to go try against a particular company's set of cloud infrastructure? It can probably pull that off and chain those attacks together in ways that it used to take a human to do it, and now AI can do it.
Coming back to your deepfake question, I think those only get better. I know of several companies who do deepfake detection. A good use case there I heard is a call center for high net worth individuals that a bank has. They're trying out some deepfake detection software with some success. That will turn into a bit of an arms race. How do I outsmart the deepfake detector with a better deepfake?
I think people are really going to have to go back to some social engineering fundamentals and just really think about, “Hey, is this normal behavior for this person who's calling me? How am I going to verify that? If it's a business, I need to follow my normal payment processes. I'm not just going to take a caller's word for it, where I'm going to get my colleague involved.” I think it's going to be tricky for a while. I think it's going to take a while for people to develop their own guardrails and become a little bit more immune to this stuff.
I think you hit on it there when you're talking about the banking industry. As humans, we need to develop a better sense of, “Is this normal?” If something starts to fall outside of normal, even if it doesn't seem scary or concerning, the hairs on the back of our neck start to go off when, “OK, this is not consistent with what I know of this person, or this is not consistent with the way I see a bank operating.” That should help us in most cases to limit, to some extent, the interaction that could happen and the damage that could be caused.
Yeah. I agree. Just to come back to my stronger digital identity or stronger technology stuff, digital identities, I think, are going to be important. I mean that in lots of senses. At Accenture, we recently went passwordless, so most of our employees do not use a password. What they do use is they either use their face, their thumb, or a PIN code that's unique to their device that in turn unlocks. You can call it a digital certificate or a digital secret, that allows them to access Accenture applications.
We're going to see that kind of technology more broadly. Microsoft, Google, Apple, I think, have all released passkeys now. We may see more of that as other countries are in government interactions. We may see more of that in banking and commerce transactions, so different ways to really prove who you are in a trusted digital manner versus, “What's your pet's name? What street did you grow up on?” Those secrets are hard to keep, but the digital secrets are pretty straightforward to keep.
I start to think about, and I've had a couple of these conversations in the past, we've worked so hard as a culture, technology, or businesses on reducing friction in transactions of any type, whether I'm handing you something, I'm paying you for something. To me, it's almost time to start adding friction back into experiences. Not to make life difficult, but to intentionally slow things down, where processes become more enforced as opposed to, it's all about how do we get this transaction time from 10 seconds down to eight seconds? Rather than the need for speed, the need for reliability, so to speak.
I think that's a great point. Rightly or wrongly, people feel that there's a trade-off between efficiency and security. I don't know that that has to be there, but I think recognizing that there's a place for security in transactions, and that we shouldn't view that in a negative light just because it might be a little bit more frictional from time to time or might slow it down a little bit. I think that's a great point.
I think about that commercial that was on US TV not too long ago where there's some boppy music going on in the background, everybody's paying with their credit card, and they're just tapping on. There's a record scratch as somebody pulls out cash to slow everything down. I think it's reasonable to slow things down for identity and security if we need to.
I think in human interactions, it's a little bit harder to do. When I think about whether it's an interaction with a professional worker, like a doctor or an interaction with my bank over the phone, I am always happy to take a moment to properly verify, say who I am, and do all that. But if we can do that better with digital identities, and people are willing to accept digital identities—that’s another challenge—many people rightfully have some paranoia about too much government oversight: “They're going to know where I am,” and all that. In the US, we're maybe a little bit behind some other countries on data privacy protections. But if we can get through that, I think we can see the other side and really protect everybody better than we do today.
Yeah. It's going to be an interesting next few years in that space. So many companies with so many different ways of trying to manage that digital identity.
Yeah, it's fascinating. It's a fascinating area. As you say, there are many different ideas, many of them very good. Some of them compatible even; not all of them. I'm sure as consumers and citizens, we're going to experience lots of them.
I'm looking forward to passkeys. Like many people today, I use a password vault. I generate unique passwords for every site that I care about that I visit, and I'm looking forward to using more of a passkey system to have those one step safer. That's great because once you get rid of a password and you have built in two-factor auth, all of that nervousness can go away and maybe, to your point, even reduce some friction.
Yeah, hopefully it will in a good way. Hopefully, we won't get to the point where we have to prick our thumb and spill blood to open our front doors and things like that just to prove who we are.
What was that movie? Gattaca, I think, was that movie.
Yes.
Yeah. That'd be interesting.
I don't think we're going there. I don't think anybody wants that. We're not going to sequence DNA to open our front doors and get in our cars.
I sure hope not.
Let's take a step back here, and I'll ask an open-ended question. If we as businesses and consumers have to get it right a hundred percent of the time, you and I before recording, we're talking about the 99.99 sounds great, but that still means if it's 99.9% of planes land OK, no one wants to be on that 0.1% of a plane that's not landing safely. What are some of the things that we could do to build in, OK, if someone does get through the front door, if someone does get into a system, we do send someone money, or we do let someone do a bank account, what things can we do to mitigate the damage that can be done?
When we talk about security in a corporate sense—and I think this translates well across the board—there’s prevent, there's detect, and there's respond. Prevent, you can do a lot of defense. You want to have a lot of layers. You don't want the holes in the Swiss cheese to line up. But once you get through there, you really need to be able to detect quickly. That's important.
If you're talking about a company, a lot of companies have very tight monitoring, whether that's agents running on computers or log monitoring. They keep an eye on that, and they have automated alerts set up and maybe even automated responses set up when things happen.
Personally, I think it's important that, as consumers, we regularly monitor the critical accounts we use, whether that's an email account, a bank account, or credit card account. Things that you want to know if something's going wrong, you want to know sooner rather than later. I think that concept of regular monitoring and just keeping an eye on things, I think, is an important one.
Having a response set up and having a rational response set up like, OK, when I see a problem with my bank account, the rational response is, “Oh, I'm going to call the bank or a credit card account; I'm going to call that.” For businesses, I think you need to have that response set up. We were talking about that before. You need to know what you're going to do when you do have a ransomware event so you can ideally respond, mitigate the spread, and recover quickly. Having that plan ahead of time and doing practices of that plan.
Even if it's just a tabletop exercise, like you don't have to necessarily plan out and practice how you're going to restore every single system. You're going to want to restore some to know your technology works, but practicing with the people in your company or your third-party providers, your partners. A lot of these things happen these days. Since we're so interconnected, they happen across firms. They don't happen to a single firm.
Do you know the people at the third-party provider you're going to work with in case of an event? Have you maybe had lunch with them or had a conference call with them and talked through this stuff? I think planning ahead for those scenarios is super important because you're not going to stop everything.
We had a very public event at Accenture about three years ago. While the actual damage to us was really nil, and our customers were also practically nil, talking with everybody and communicating that was challenged, because there were so many people we had to talk to. We learned from that experience. Now we have the guardrail since we went over the cliff once, and we have a really strong communications plan, for example. I think thinking through those scenarios for people is really important.
Yeah, it was a part of an organization that they were working for through a disaster recovery plan. We were thinking of like, “OK, if there's a major earthquake and stuff's down from Southern California, if there are internet problems, you have to have a hard copy of how to get ahold of employees. Someone needs to have a paper copy of these things and valuable customers and partners. We need paper contact information in order to be able to call them and say, ‘Hey, we're down. We’re not going to be doing X, Y, or Z,’ or customers being able to communicate with them.” It was really interesting to have to think through some of the analog aspects of the communication of it like, “OK, so if that doesn't work, how do we communicate?”
Yeah, right. The basic things, you have to think about. I think generally speaking, in my experience at least with us and with our clients, it's rare that all your systems get ransomed at the same time and you lose everything, but it's important, I think, to think about what you're going to do in the case of your critical systems. You may have different answers depending on different systems, and that's OK, but figuring that out, I'm thinking ahead.
To your point, “Hey, we’ve got to go get analog again.” You better have a phone tree. You better have your key contacts either already in your phone or on a piece of paper somewhere. You can print; printing is easy. All that kind of stuff.
I think the other thing, though—and it's funny you said it—I think the general view of disaster recovery and discontinuity plans, while we still think about weather events, earthquakes, and fires, I think many of my peers, at least, have really shifted their thinking. The primary event is now a ransomware event, because that's the one that we actually see all the time. Fortunately, not each individual company sees it all the time, but it's an industry. We see them enough. It was probably three or four years ago when people started to really mentally make that switch like, “OK, we’ve got to get ready for this because it's going to happen, and here's what it's going to look like.”
Technology is an incident or an event now, not just a hurricane, an earthquake, or things like that. As we wrap up here, any parting words of advice for either businesses or the general public?
I'll say a couple of things that I think are important. We hit on business resilience and all that. I'm just going to say two pieces of advice that I've heard that I'll share with the audience. As deepfakes become more popular, I have heard families using a code word strategy. I think that seems like a pretty good idea to me. I would suggest—don’t choose a pet's name. Choose something people are not going to guess, and choose a code where you can say that, “Yeah, it's really me. I'm not stuck in Thailand with no money.” Your loved ones know that.
I think the other thing I'd suggest as I'm living through this personally, make sure that you're talking to your parents, especially if they're elderly, about scams, deepfakes, and how real things can be. Help them understand and take control of their critical accounts, make sure that they're thinking about it the right way, and support them however they need to be supported. Trust is, I'm sure you've discussed on your show, is a difficult thing for older people. There was a lot more trust they feel, like 50 years ago, than there is today. There's not that natural skepticism that we have now.
Yes, absolutely. If people want to connect with you, how can they find you?
I'm on LinkedIn. My email address is kristianburkhardt@accenture.com. If you google that, you'll find me.
Awesome. Thank you so much for coming on the podcast today.
All right. Super. Thanks for having me, Chris.
You're welcome.