Today, our host Ted Ritter is joined by Stacey Shepard, the president of Shepard Global Strategies and advisory board member for building cybersecurity, as well as Mark T. Hofmann, a crime and intelligence analyst and business psychologist. Together, they debunk the media's portrayal of hackers and stress the importance of building awareness and training across all levels of an organization to prevent cyber incidents. Through compelling real life case studies, they delve into effective strategies such as cyber assessments and other proactive measures, underlining the urgent need for readiness and education within facility management to confront the escalating complexity of cyber risks.
Today, our host Ted Ritter is joined by Stacey Shepard, the president of Shepard Global Strategies and advisory board member for building cybersecurity, as well as Mark T. Hofmann, a crime and intelligence analyst and business psychologist. Together, they debunk the media's portrayal of hackers and stress the importance of building awareness and training across all levels of an organization to prevent cyber incidents. Through compelling real life case studies, they delve into effective strategies such as cyber assessments and other proactive measures, underlining the urgent need for readiness and education within facility management to confront the escalating complexity of cyber risks.
Resources Mentioned:
Stacey Shepard: [00:00:00] Many organizations don't have the governance and the policy. Everybody, you know, I can't tell you how many times people have said, Oh, well, my CIO is taking care of that. Well, your CIO is not watching your building automation systems or your access control or any of those aspects of it. And then others say, well, we're going to manage it away.
Well, you need to think about your managed services. How are the contracts written? Who has liability? Should there be a hack? And so a lot of people do not delve into this level of detail to understand.
Host: Welcome to Connected FM, a podcast connecting you to the latest insights, tools, and resources to help you succeed in facility management. This podcast is brought to you by IFMA, the leading professional association for facility managers. If you're ready to grow your network and advance in your career, go to IFMA.
org to get started. Today, our host Ted Ritter is joined by Stacey Shepard, the president of Shepard Global Strategies and advisory board member for building [00:01:00] cybersecurity, as well as Mark T. Hofmann, a crime and intelligence analyst and business psychologist. Together, they debunk the media's portrayal of hackers and stress the importance of building awareness and training across all levels of an organization to prevent cyber incidents.
Through compelling real life case studies, they delve into effective strategies such as cyber assessments and other proactive measures, underlining the urgent need for readiness and education within facility management to confront the escalating complexity of cyber Now, let's get into it.
Ted Ritter: My name is Ted Ritter. I'm associated with the technology community of IFMA and I'm thrilled to be talking about cyber safety and security with two renowned experts.
Stacey Shepard: This is Stacey Shepard. I'm president of Shepard Global Strategies and also an advisory board member for building cyber security. [00:02:00] We're a strategic partner with IFMA and really thrilled to be here today to be able to talk about this very pivotal topic.
Mark T. Hofmann: Absolutely. And I'm Mark T. Hofmann. I'm a crime and intelligence analyst and business psychologist.
So to put it in a nutshell, I'm focused on the psychological aspects of cybercrime.
Ted Ritter: Outstanding. So we got to chat a little bit before the podcast just to get to know each other. And you kind of had me at the dark web because you know, you say dark web and people perk up and go, what'd you find? So I think we'd love to hear a little bit about how you go through your process and really look at the human elements of how cybercrime happens.
Mark T. Hofmann: Absolutely. So it's important to understand that many people think that cybercrime is a technical topic because it sounds like a technical topic, but it's not on the side of the perpetrators and also on the side of the victims. It's psychology. So it's actually not computers against computers. It's people against people.
And even if we talk about technical hacks on the side of the perpetrators, there are still people behind it. [00:03:00] Which have motives. And it's also a big question. Like, where do they learn their skills? There's nothing like a bachelor of science and ransomware. So the question is where do these skills come from and what age do they start radicalizing themselves?
By the way, pretty often it starts on YouTube and gaming is also an accelerator. No, not everyone who plays online games will become a hacker, but it can be an accelerator. You can get in touch with people and start ending up on the dark side. Yeah.
Ted Ritter: So what's your approach? You said it really starts with people.
What kind of people do this? What kind of people send us an email saying, click here to see if you want a million dollars. And of course, if you do it, you're in trouble.
Mark T. Hofmann: Right. So my approach is like going to the dark net signal, telegram, Wicca. Or dark or shady parts of the internet because I try to get in touch directly with hackers or threat actors, how we like to call them and learn directly firsthand.
Who are they? Why do they do what they do? There is not something like an average hacker profile because they can be [00:04:00] pretty, pretty different. But to make one thing clear on media and on television, hackers are always presented as 15 year old teenagers with black hoodies sitting in front of a laptop with green texts on the screen.
That's like the media stereotype. That's not wrong. Yes, there are some script kiddies and 15 year olds. But on an average, and for most companies and also buildings, I would say crime as a service is a much bigger threat. What does that mean? Well, many of these hacker groups, they do not just operate like businesses, they operate more professionally than most businesses do.
They have customer support, they have quality management, you can negotiate with them. And when you end up in a ransomware case, you, in many cases, you can really call them somehow encrypted or anonymously, but you can call them and say like, well, it's my first time being attacked with ransomware. How do I buy Bitcoin?
And yes, the technical support will help you. So it's important to understand. The damage through cybercrime will go up to 10. 5 trillion by [00:05:00] 2025. So this is not a 15 year old teenager. This is a trillion us dollar industry, and they are very professional. So if you think of hackers, you should think of professional business, not 15 year old teenagers in hoodies.
Ted Ritter: Interesting. So this is big business. This is really big business. So, not the anonymous profile, not the 16 year old gamer that just said, oh, I gotta go hack something. How can you help team members? I mean, if you're part of an NFM department, or if you're part of an organization, how can we help our team members?
How do we build, I think you put it earlier, a human firewall?
Mark T. Hofmann: Yeah, absolutely. So the first and most important thing to understand is, in 80 or sometimes even 90 percent of all cases, cybercrime starts with some kind of human error. People clicking on links, people opening attachments, people ordering 1000 USB flash drives on Amazon for 9.
You should think about it. How can this be a good [00:06:00] deal? So pretty often it starts with some kind of human error. So it's very important to include in this awareness process, any, every single person in the company, because if I call you and manipulate you on the phone to give me the password or access.
There's nothing your IT department can do about it. You can have a two million dollar firewall. If I call you and ask you for the login credentials and manipulate you, there's nothing you can do about it. Let me give you a physical metaphor. You can have the best fancy high security door in your building.
The door can be wonderful. But if I manipulate you to give me the key, Your security door is useless. So people are always the weakest link. And that's basically the main angle of factor, which we need to address.
Stacey Shepard: And I think the biggest thing also is having every facility management individual understand that they play a role in this.
And so it doesn't matter whether it's the C suite from the CEO to the [00:07:00] CFO to the CISO, all the way down to facility management. Everybody plays a role in this and there needs to be an appreciation as we're getting into a more connected environment, there needs to be an association of being connected and protected.
And so by doing that, and by being deliberate and getting that education and awareness, that is going to help with advancing. The protections and the ability to optimize technologically enhanced environment.
Ted Ritter: You summed it up really well, Stacey, that Mark's kind of talking about the who and the why and the psychology and the human factors, but what aspect your organization brings to the table is, What do we do about it?
How do we inspire the people to protect, and then, if it does happen to us, how do we recover from it? But, how? You know, what are some best practices in terms of protection and remediation?
Stacey Shepard: Yeah, a hundred percent. And this actually began about a year ago.
Where building cyber security started this relationship with IFMA [00:08:00] and appreciation that with digital transformation, you know, this is only going to grow exponentially, right? And so to be able to do that, how do you a increase awareness, but be provide the tools and resources. And the training to be able to get that foundational baseline and understand those rules and responsibilities.
Many organizations don't have the governance and the policy. Everybody, you know, I can't tell you how many times people have said, Oh, well, my CIO is taking care of that. Well, your CIO is not watching your building automation systems or your access control or any of those aspects of it. And then others say, well, we're going to manage it away.
Well, you need to think about your managed services. How are the contracts written? Who has liability? Should there be a hack? And so a lot of people do not delve into this level of detail to understand. And so even within cybersecurity insurance, it really, because a lot of this is on operational capacities for the facilities [00:09:00] themselves.
So it goes into property and casualty. So, have you looked at your property and casualty insurance to see if you're protected for operational technology cyber hacks? So, it, there's a lot of things to think about, but by taking it in a very methodical way BCS has created a successful, 16 step framework to be able to share and a checklist to start walking through.
So it's not as daunting, but there needs to be a realization of the threat that's out there.
Ted Ritter: FMS are pretty used to having disaster recovery plans, emergency preparedness plans. I don't think they really include cyber right now. I think it's like, what happens if the power goes out? How do we evacuate our people?
What happens if we have a leak on the fifth floor, you know, that impacts the vertical stack underneath it? They probably have that figured out. But, you talked about the 16 step guidelines that's available, I hope we can put that, you know, on the video or share that somehow, but, you know, how do you think, as a team from the human [00:10:00] side and from the technical side, we can enable FM To take those right steps and build good cyber processes into their SOPs.
I mean, we're, you know, as a profession, very process driven, which is, we haven't had this in our playbook.
Stacey Shepard: Absolutely. I'll start just by saying, like, look, you have to develop safe plans of action anyways, right? And so whether it's a natural disaster, God forbid, a You know, an active shooter or something like that.
These are things that need to be in, you know, draw inherent awareness. And so I think by having those mechanisms in place there was one company that got hacked and when they were going into the response and recovery, their way of letting everybody know was by email. Well, the email was what was hacked, so they had no ability, no backup, no contingency aspects of it.
So it's thinking through ways that you can be impacted negatively and finding other ways and [00:11:00] discovering ways and partnering with others to be able to counter and to be able to anticipate to be able to deal with those types of situations.
Ted Ritter: Really good point. How can we help from a human factors perspective?
How can we help engage the FM's? You know to go through those processes take advantage of some of the resources Stacey was just talking about What do you think is it? Persuasion is it? This could happen to you, you know, is it, what do you think, Mark?
Mark T. Hofmann: My recommendation would be train cyber attacks like a fire drill.
So, the number one risk for most businesses nowadays, small and also very big companies, is ransomware. So basically there is a red screen and it says, We encrypted all your data. You can't access your bank account. You can't send an email. You can't call someone, or sometimes you cannot even access the building and production stands still for many companies.
It costs like a few hundred thousand a minute or even a second, whatever the size of the company is. So this can be quite a huge. Damage also reputational damage. The point is [00:12:00] when this happens, when you see this red screen and pretty often it says your data has been encrypted, sometimes more rude, you are fucked.
When this happens, the time is running and tick tocking away. They say we encrypted all your data. And if you want to. Get your data back, you need to pay a ransom, and the amount of the ransom is adapted to the company's size. So you need to have an action plan in place before that.
Prevention is good. And also in my keynote today, I will talk about prevention. Like, what can we do, how can we build a human firewall to prevent? But it would be naive not to prepare for the worst case scenario. So what do you do in this case? Many people say, yeah, first I would inform top management. We would call the CEO.
When, well, when do cybercrime typically happen? Well, Friday, 10 p. m. Or Christmas or holiday season. What if you don't reach the CEO? Do you wait until Monday? So these are very practical questions and you should have an action plan what you do. Like, who has the right to do a controlled shutdown, to shut down the production to prevent further damage?
Who [00:13:00] has? The license to pull the plug and shut down everything. So questions like this should be trained, not just in theory, but really like a fire drill, you should train. I mean, most facility managers don't like to hear that but I would say, like, in a fire drill kind of scenario, what's there to train?
If there was a fire, what's there to train? Leave the building. Don't use the elevator. There's not much to train once a year from my perspective, but in they have no idea what they do in case of a cyber attack,
Stacey Shepard: and I'll add on. So you look at a case study. So last year bad actors attacked the casino.
Industry. And so specifically, it was Caesar's Palace and MGM Graham took two different methods of replying. So Caesar took the 30 million ransomware, negotiated it down to 10 and it quote unquote went away. MGM said, Forget you. We're not paying this. We don't negotiate with bad actors. Well, it shut down all of their systems, all their access controls, so [00:14:00] in a world where you don't have actual slot machines, but you have access control cards, which is how people do their bedding.
It's also how they got into their hotel rooms. All of that was shut down. It was costing them, I believe, somewhere along the lines of a million and a half to 1. 8 million dollars a day, hemorrhaging until they could get things back online. So the key is. You know, in terms of looking at that response and recovery, you need a lot of contingencies and make sure that you know what you're doing when you make a decision on how you're going to be dealing with the situation for operational continuity.
I mean, we were talking earlier about hospitals, right? Hospitals have become a huge target and how do they get through? Not necessarily just through, through emails or other phishing type things, it'll actually be through imaging equipment. Because there's a wifi capacity, so they're able to access that through the equipment through the cyber physical equipment itself, not just through the operational technology [00:15:00] and then to be able to hold them ransom.
I mean, think about how do you evacuate? And then what if it's down for 90 plus days and then how do you think about not only revenue loss but impact to life and other situations?
Host: Are you ready to elevate your career to new heights? Join us this October at IFMA's World Workplace Conference and Expo in San Antonio, Texas. Enjoy three action packed days of inspiring keynotes, educational sessions, and networking with leading industry experts. Discover cutting edge technologies and innovative strategies that will revolutionize your organization's productivity.
Don't miss this opportunity to transform your career and shape the future of Register today at worldworkplace. ifma. org
Mark T. Hofmann: And these are questions you can think about it beforehand, like also this ethical [00:16:00] question. Do you generally say we will never ever Pay a ransom to criminals.
That's a strong perspective, but you better have a damn good backup and you better prepare for some additional threats. Because pretty often, they try to increase pressure. They have like different levels of threats at the same time. First, they say, if you don't pay, you don't get your data back. If you have a backup, you might say, I don't care.
I have a backup, we just restart. One week after this, we are back to business. But the second threat is if you don't pay, we publish your data on the darknet. Well, for some industries, if your customer's data ends up on the darknet, this can be another threat where, I mean, your backup doesn't help against that.
Pretty often they additionally threatened that they will shut down your website with the DDoS attack for something like a city management. If the city's website is down, nothing works anymore. People can register their cars and nothing works anymore. And sometimes that's ridiculous, but sometimes.
Sometimes they even make a complaint against the victims by informing police [00:17:00] or the regulative authorities. So there was a case in November 2033, last year, where hackers actually made a complaint like we hacked this victim and they were supposed to report that they have been hacked, but they didn't do it.
This was against the law. Please name one other group of criminals in the world that would be brazen enough to make a complaint or inform police that the victims did not follow the rules. That's ridiculous. But that's where we are.
Stacey Shepard: So on a positive note, though, because we don't want everybody to be just intransigent because they're thinking, Oh my gosh, what the heck do I do?
You know, there, there are things that can be taken. We talked about, and by the way, you can get the 16 steps if you just go to www dot building cybersecurity. org. But within that, it's like, okay. Right. You can do cyber assessments. So you understand what your vulnerabilities are. You can do cyber commissioning for new construction as well as for renovations.
You can get expertise to [00:18:00] create verbiage for your managed services plans or to be working with your insurance providers where that's been another area where we tried to incentivize positive behavior. Right. So one of the founding members of BCS is Aon. And saying, okay, how do you get people to proactively take steps so that then it actually reduces your premium.
So it creates a win and then they are undergoing the right steps and the right initiatives to make them more cyber safe, cyber secure.
Ted Ritter: You know, I think that's great. We're just about out of time. I'm glad you ended with a positive because there's so much negative news out there. But, you know, what I'm hearing is if you take proactive steps and Think about the human side of this, the psychology of who's doing this.
And I think you just gave us a great portal of wisdom, Mark, which is this is a business. This is a crime business. I was thinking about one instance we were talking about earlier, which affected a whole country and some of the physical infrastructure [00:19:00] and the banking infrastructure there's resources that are readily available to help the profession.
So,
Stacey Shepard: I want to pile onto that because we worked with BCS and IFMA partnered together to do our first ever. Cyber security training. It's like a cyber one on one starting with just the vernacular, starting at the baseline and starting to understand some of the challenges and things to be thinking about.
And then we're going to be doing micro sessions, like 15 minutes that align to these 16 steps. And then additional training as people get more aware and are looking for more advanced knowledge. There's other certifications and things that are coming along. So, so there's a positive way for.
facility managers to, to take action and to be proactive because this also helps them in their professional development as they grow in their career.
Ted Ritter: That's great. Mark, anything to add? If we have
Mark T. Hofmann: one last minute, let me also share one positive thing. That's a funny joke. Like there were two people, bar feet in a forest and a big [00:20:00] bear shows up.
They both start slowly walking backwards and one starts slowly putting shoes on. And one man says to the other one, like, even if you put your shoes on, you will never be faster than the bear. And he said, well, I do not need to be faster than the bear. I just need to be faster than you. So that's a little bit hard, but as a matter of fact, you don't need to be unhackable, but you should belong to the 10 percent of hardest to be hacked target, so to say, and then you're definitely safe because hackers pretty often go for the easy targets.
And I also, I started a free podcast, which is on Spotify and Apple, which is called the psychology of cybercrime. And what I try to do is I try to get hacker. To speak on the podcast quite openly. And one of them is a founding member of anonymous, Mike Jones, the FBI got him. He made a deal with the FBI. So like you work for us and then you avoid prison.
And he talked quite openly about the psychology behind it, how he got involved. And if people are interested to deep dive a little bit more into the [00:21:00] psychological aspects, also the podcast is free.
Ted Ritter: Thank you both so much. Looking forward to your closing keynote.
Looking forward to your session tomorrow. This has been a great conversation.
Stacey Shepard: Thank you.
Host: Thank you so much for listening. I hope you really enjoyed this episode. And as always, please don't forget to rate, review, and subscribe to the podcast for more incredible content.