Decoding Digital

Jay Kaplan Decodes the Cybersecurity Maze

By Rebecca Muhlenkort / April 25, 2023


Jay Kaplan is a world-class security expert and entrepreneur who has served in many high-profile cybersecurity roles throughout his career. What makes Jay and his cybersecurity philosophy so unique? He doesn’t underestimate the role human intelligence plays in the fight against even the most sophisticated cyberattacks.

That’s the premise and mission of Synack, the cybersecurity company he co-founded in 2013. The Synack security platform unites human intelligence and technology to fight advanced cybercrime. It leverages a crowdsourced network of highly vetted security researchers and advanced technology to discover security vulnerabilities before they are exploited. Today Synack is backed by top-tier venture capital firms including Microsoft, Google, Intel, and Kleiner Perkins, and the platform protects federal agencies, DoD classified assets, and a growing list of Global 2000 customers.

In this Decoding Digital episode, Jay talks with AppDirect President and Co-founder Dan Saks about the rise of ransomware and crime syndicates, and he offers simple security strategies that organizations and individuals can apply right now.

Hit play to listen to the podcast episode, or read on to learn more cybersecurity best practices.

> Decoding Cybersecurity: Jay Kaplan on how to protect your business from cyberattacks

‘...People are recognizing that they can actually make money by hacking…’

While the cybersecurity landscape is complicated in the size and scope of its threats, the motivations behind cyberattacks are not. Jay asserts that today’s criminals are motivated more by money than by politics. And while cyber gangs range from low-level thugs to elite criminal organizations, most hackers have a singular aim: to exploit security gaps for profit.

“...I think if you asked me five, 10 years ago, what is our greatest threat to businesses and government agencies? I'd probably tell you state-sponsored attacks. So you know, whether that's Russia, China, North Korea, et cetera. Most sophisticated attacks. They have a lot of resources and money dedicated to stealing intelligence, stealing sensitive information from any corporate network to help advance their strategy.

“And I think if you look in the past just two to three years, I think our greatest threat right now is much more tied to crime syndicates. So people are recognizing that they can actually make money by hacking into foreign networks.”

Cybercrime syndicates & wanna-be hackers

Other experts point out that many crime syndicates rely on hacking tools or platforms (offered as a service) from other criminal organizations to carry out their attacks. These platforms are dangerous because they allow less sophisticated criminal groups to carry out cyberattacks. The net effect is that these wanna-be hackers don’t even need to know how to code to steal your sensitive information. Jay explains:

“Ransomware is well on the rise. I'm sure you guys read about it all the time. Reality is this. If you put down a piece of ransomware inside of a network and you say like, the only way you're gonna unlock this machine or this network, or this data is by paying some sum of money.”

Cyber insurance: A double-edged sword?

Cyber insurance is a specialized insurance policy designed to safeguard organizations from the financial repercussions of cyberattacks and data breaches. The debate about whether cyber insurance helps protect organizations from hackers—or attracts them—is longstanding. Some experts say companies with cyber insurance coverage have a target on their backs, while others believe cyber insurers have raised the bar on fighting cybercrime.

“Honestly, most companies are just paying and it's the result of the insurers, cyber liability insurers are just saying it's a lot easier for us to just pay this money rather than try to remediate and claw back from backups. And so what this has done, it's kind of created this new market where crime syndicates are probably the most prevalent attackers. Whereas before there was no real easy way to make money. And obviously with cryptocurrency, that has only made it easier, where you can't track the actual funds that are being sent to these syndicates.”

While Jay has seen cyber liability insurance get a bad reputation at times, he doesn’t buy into that narrative. He believes cyber liability insurance is critical for today’s organizations.

“I think it's really important for every company to have a liability insurance policy for even peace of mind. But most companies today won't even do business with you unless you have one of those policies in place. It's, you know, it's like D&O or E&O. It's become like table stakes for transacting.”

Using an ethical hacking model to identify vulnerabilities

While penetration (or pen) testing is nothing new, Synack applies a novel approach that makes the model far more scalable. Traditionally, companies hire consulting firms like Deloitte or PwC to conduct pen tests, which evaluate the security of an IT infrastructure by safely attempting to exploit vulnerabilities. Pen tests measure an organization’s ability to protect its network, applications, endpoints, and users from external or internal attempts to circumvent security controls. Jay explains how the Synack platform differs.

“...Synack takes a very different approach to neural pen testing problems. So we have a worldwide network of freelance ethical hackers now in over 90 countries, and the goal for us is to create a much higher efficacy version of security assessments that most companies are engaged with… For us, it's ‘Let's deploy a hundred of the top hackers in the world, obviously ethical hackers, to your environment so that we can understand what are they successful at penetrating and what data are they able to expose?’”

3 security basics you shouldn’t ignore

Jay offers simple security strategies organizations and individuals can apply right now to minimize vulnerabilities—focus on your people, endpoints, and sensitive data.

“...When you're a small business, I think you need to think about the people. I think you need to think about your most sensitive data, and I think you need to think about your endpoints. So endpoints can be the machines that your employees are using, and so people, you need to educate them on phishing attacks.”

‘Constant vulnerability assessments’

When securing your most sensitive data, Jay recommends asking yourself these questions:

  1. Where is your data located?

  2. What protections are in place?

  3. And, if you’re using third-party providers, what protections are used?

Don’t assume your data is secured at a level that meets your company’s internal security best practices, he says.

“...Think about the most sensitive data and where that data is housed. So whether that's inside your own networks, inside your own applications that you're building home. Or third party, you know, cloud software solutions. You wanna make sure those solutions are locked down.

“So you should be doing constant, vulnerability assessments on those environments. And you should make sure that you practice kind of least privileged access. So you wanna make sure that people don't have access to the databases and the data unless they absolutely need to.”

Unifying human intelligence + Artificial Intelligence (AI)

While AI's capabilities are tremendous and continue to expand, Jay stresses that we must remember its limitations and focus on using it as a tool rather than seeing it as a magic bullet.

“...From a security standpoint, what we're finding the reality is, is you can’t automate or use AI to solve everything. Like you have to have people as part of this equation. It's how we created the entire business, right? We recognize let's automate as much as we can, and then from a vulnerability identification standpoint, and then let's take kind of the remaining 40, 50 percent of the vulnerabilities you can spot using automation and utilize security researchers who have the talent.”

Listen to the full conversation

To hear more from Jay about AI and security, or about other security best practices, listen to his conversation with Dan on the Decoding Digital podcast.


Check out the Decoding Digital podcast series for more insights from inspirational leaders. You can listen to the podcast on all the major podcasting apps, including Apple Podcasts and Spotify.