Scott McCrady's path to becoming CEO of SolCyber started in the server rooms of the early 2000s. Back then, he was installing Nokia security appliances and building some of the first security operations centers for major corporations. McCrady spent years at companies like Symantec and FireEye, where he learned that keeping businesses safe requires more than just technical know-how. He built Symantec's security services across Asia Pacific, managing teams in multiple countries and learning how different businesses approach security challenges. Later at FireEye, he helped launch their partner strategy during the rise of nation-state attacks. Today, he runs SolCyber with a simple mission: help companies protect themselves from identity-based attacks that bypass traditional security tools.

McCrady explained something that might surprise you: hackers don't break into networks the way they used to. Twenty years ago, they looked for open ports and vulnerable servers. Ten years ago, they targeted employee laptops and phones. Today? They steal usernames and passwords, especially administrative accounts. Insurance companies tell McCrady that nine out of ten breaches happen because someone's login credentials got compromised. The problem gets worse because IT teams often give employees more system access than they need. Why? Because it's easier than figuring out the exact permissions each person requires. McCrady shared a real example: a company with 500 employees had over 70 administrative accounts. Some hadn't been used in nine months, then suddenly started browsing the internet—a clear sign that hackers had taken control.

McCrady works with organizations that can't answer simple questions like "Where are all our security logs stored?" or "Who can access our customer data?" These aren't startups or small businesses—these are established companies with IT departments and security budgets. They have data scattered across different systems, some going to one security vendor, some to another, and some not being monitored at all. While vendors push artificial intelligence and machine learning solutions, most businesses just need help organizing what they already have. As McCrady put it, they need to get their house in order before worrying about advanced threats.

So what actually works? McCrady keeps it simple with five must-haves. First, turn on multi-factor authentication everywhere, even though software companies charge extra for it. Second, add email security beyond what Microsoft or Google provides because business email compromise is how most attacks start. Third, install endpoint detection software that catches modern malware. Fourth, run security awareness training so employees recognize phishing emails (and to keep your cyber insurance valid). Fifth, buy cyber insurance now while it's affordable. McCrady's company, SolCyber, packages these essentials into what they call "foundational coverage"—basically, outsourced security for businesses that need protection but can't afford a full security team. For larger companies, they handle the complex stuff like managing security logs from dozens of systems and responding to attacks in real-time.

LinkedIn Profile: https://www.linkedin.com/in/scottmccrady/

SolCyber Website: https://solcyber.com/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

This Kitecast episode features Chris Pogue, Director of Digital Forensics at CyberCX, a cybersecurity veteran with 25 years of experience. Chris brings unique insights from his extensive background spanning penetration testing, executive leadership, and military instruction. As an adjunct professor at Oklahoma State University, he teaches both international business and digital forensics, emphasizing the critical importance of communication between technical and non-technical stakeholders.

Chris introduces CyberCX as "the biggest cybersecurity company you've never heard of"—a pure-play security firm with 1,500 professionals globally. Founded in Australia through the acquisition of 24 boutique security firms, CyberCX stands apart by focusing exclusively on cybersecurity expertise without the distractions of hardware sales or software development. With specialized teams including 200 penetration testers and 40 incident responders, they offer comprehensive security solutions tailored to each client's unique risk profile.

The conversation reveals alarming trends in the threat landscape, including the surprising resurgence of SQL injection attacks targeting forgotten systems and unpatched vulnerabilities. Chris explains that once an exploit is announced, threat actors typically begin targeting it within 24 to 48 hours, yet organizations often take 60 to 90 days to implement patches. The podcast also explores how ransomware tactics are evolving from simple data encryption to targeting operational technology and critical infrastructure, creating more leverage by disrupting business continuity rather than just threatening data exposure.

Third-party risk management emerges as a critical concern, with Chris noting that the traditional "castle and moat" security model has become obsolete in today's interconnected business environment. He describes how Business Email Compromise attacks frequently move laterally across supply chains, with compromised trusted partners becoming vectors for invoice fraud and malware distribution. The conversation also touches on the emerging role of AI in creating more convincing phishing campaigns and voice synthesis attacks.

Drawing on decades of experience, Chris offers this compelling perspective on security investment: "In my career, I have yet to find an organization who under-invested in cybersecurity and was thankful that they did later." With data breach costs averaging $4.5 million globally and $9 million in the United States, the economic argument for proactive security becomes increasingly clear. Don't miss this eye-opening discussion on the frontlines of cybersecurity defense.

LinkedIn Profile: https://www.linkedin.com/in/christopher-pogue-msis-6148441/

CyberCX: https://cybercx.com/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

In this insightful episode, cybersecurity experts Mike Crandall and Arun DeSouza join host Patrick Spencer to analyze Kiteworks' Top 11 Data Breaches in 2024 Report. Rather than just focusing on the number of records breached, the report introduces a sophisticated algorithm with seven key factors to score breaches on a scale of 1-10. This method provides a more comprehensive understanding of breach severity by evaluating financial impact, data sensitivity, regulatory compliance implications, ransomware involvement, supply chain impact, and attack vector sophistication. National Public Data topped the list with a score of 8.93, followed by Change Healthcare and Ticketmaster, both scoring 8.7.

A significant finding discussed by the experts is the shift in industry targeting patterns, with financial services overtaking healthcare as the most breached sector. The conversation emphasizes how credential theft continues to plague organizations despite sophisticated controls. Five of the top 11 breaches resulted from credential compromises, including attacks that bypassed multifactor authentication. Arun highlights that despite years of security awareness training, approximately 25% of incidents remain attributable to human error. He warns of the growing sophistication of social engineering with AI-generated phishing that will soon include voice modulation and deepfakes, making attacks increasingly difficult to detect. Mike recommends leveraging AI defensively to detect anomalous behaviors that humans might miss.

Both experts stress the critical importance of data protection and classification. Arun advocates for AI-powered data characterization and governance platforms that can proactively identify sensitive information requiring protection. Mike emphasizes the need for proper data classification, noting that organizations often struggle to differentiate between critical and non-critical data. He recommends data minimization strategies including cold storage for inactive data to reduce the potential attack surface. The experts agree that building enterprise-wide risk awareness requires collaboration across departments rather than treating security as an isolated IT function.

The panel concludes that organizations must prioritize zero-trust architecture implementation, adopt data minimization strategies, and enhance incident response capabilities. Arun frames this as a comprehensive coalition of "people, process, and technology safeguards all working together." Mike adds a sobering perspective for businesses that might not see themselves as targets: "These weren't the 11 hacks of 2024. These were the top hacks... there are literally hundreds of thousands, if not millions more. And that's you."

Top 11 Data Breaches in 2024 Report: https://www.kiteworks.com/top-data-breaches-report

Arun DeSouza LinkedIn: https://www.linkedin.com/in/arundesouza/

Mike Crandall LinkedIn: https://www.linkedin.com/in/crandallmike/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.