Dylan Evans shares his journey into corporate security, dispelling myths about glamorous hacking narratives and emphasizing the importance of common sense in preventing cybercrime. He breaks down the threats small and medium businesses face and challenges conventional compliance checklists, which often prioritize defensibility over true security.

Dylan advocates for leadership through simplicity: understanding potential vulnerabilities, anticipating risks, and implementing straightforward processes to safeguard against breaches. Craig and Dylan also discuss the human element of cybercrime, exposing the "supply chain" behind scams and the devastating impact of neglected safeguards. With actionable insights on risk assessment and proactive protection, this episode is a masterclass in leadership’s role in resilience.

Want to learn more about Dylan Evans' work? Check out his website at https://www.simple-salt.com/.

Connect with Dylan Evans on LinkedIn at https://www.linkedin.com/in/dylanevans-makesecuritysimple/.

Key Points with Time Stamps

  • 00:01:17 – Introduction of Dylan Evans, founder of Simple Salt, and his mission to rethink cybersecurity.
  • 00:03:11 – Debunking the glamorization of cybersecurity and its real-world implications.
  • 00:04:44 – The ecosystem of cybercrime: supply chains, affiliates, and their impact on small businesses.
  • 00:07:33 – Why small and medium businesses are the primary targets of cybercrime.
  • 00:09:15 – The misconceptions around cyber scams and the media’s role in shaping narratives.
  • 00:14:15 – Social engineering vs. traditional scams: understanding vulnerabilities.
  • 00:17:05 – How different businesses face unique threats and how leadership can mitigate risks.
  • 00:20:18 – Actionable advice: identifying single points of failure and implementing solutions.
  • 00:23:40 – Where to find more about Dylan Evans and Simple Salt’s mission.

Transcript

00:00:00:00 - 00:00:30:16
Craig Andrews
I was in a coma for six weeks while the doctors told my wife I was going to die. When I woke up, she told me the most fantastic story. My team kept running the business without me. Freelancers reached out to my team and said, we will do whatever it takes. As long as Craig's in the hospital. I consider that the greatest accomplishment of my career.

00:00:30:18 - 00:00:51:07
Craig Andrews
My name is Craig Andrews and this is the Leaders and Legacies podcast where we talk to leaders creating an impact beyond themselves. At the end of today's interview, I'll tell you how you can be the next leader featured on the show.

00:00:51:07 - 00:01:17:06
Craig Andrews
Today I want to welcome Dylan Evans. He is the founder of Simple Salt. Interested in learning the origins of that name? Because he's all about stopping cybercrime. Here's the thing. He said that he believes the compliance checklists are the wrong thing, and that the traditional methods of stopping cybercrime are not designed to stop cybercrime. And so interested in learning more about that.

00:01:17:08 - 00:01:41:08
Craig Andrews
Let me just kind of pause and say, I know a lot of businesses that say, oh, wait a minute, this is something that affects businesses other than mine. This is something that affects the big businesses. That is not true. I've seen the data. I've seen it multiple times from multiple people. Overwhelmingly small and medium sized businesses are the most frequent victims of cybercrime.

00:01:41:10 - 00:01:49:14
Craig Andrews
And so if that's you, you want to listen in and figure out what to do for your own business. Dylan, welcome.

00:01:49:16 - 00:01:51:07
Dylan Evans
I'm excited to be here. Craig.

00:01:51:09 - 00:01:56:20
Craig Andrews
Yeah. Glad you're here. So, let's,

00:01:56:20 - 00:02:03:21
Craig Andrews
How did you get into the whole cybercrime business?

00:02:03:23 - 00:02:15:02
Dylan Evans
I did it because it was hard. I think a lot of us are praised early on in our life for doing hard things. You know, you're a kid, you do the AP, you do the varsity football or whatever.

00:02:15:02 - 00:02:16:17
Dylan Evans
And I just kept doing that.

00:02:16:17 - 00:02:33:04
Dylan Evans
And I finally found something that was hard and, like, kept my attention. But ultimately, also people needed because, like, sitting in a lab all day, it might be hard, but nobody cares.

00:02:34:20 - 00:02:45:02
Craig Andrews
Wow. Interesting. And you know, when did you roughly when did you get started in cybercrime.

00:02:45:04 - 00:02:52:07
Dylan Evans
I know you don't mean it this way but, but but to all those listeners I am not a cyber criminal. I have not engaged in cybercrime.

00:02:52:07 - 00:03:11:02
Dylan Evans
At least not that I'm willing to admit on a podcast. I have been working corporate security for probably 15 years in one manner or another. One thing you find is everybody gets in because they have this very glamorous picture of security, of cyber.

00:03:11:02 - 00:03:13:22
Dylan Evans
It's like people in balaclavas,

00:03:13:22 - 00:03:53:16
Dylan Evans
typing on laptops, hackers and cyber techno wizards and it's all Matrix stuff. And what they soon find after about five years is no, no, it's nothing like that. If you're super lucky, you might get some of that. But the daily is far more boring than that. And I think this, I mean, this is true with any career, but a lot of people, when they hit that five year mark, start realizing it's not as glamorous as I thought it would be.

00:03:53:18 - 00:04:01:01
Craig Andrews
You know, well, one thing I've, I've heard in terms of, you know, the

00:04:01:01 - 00:04:19:18
Craig Andrews
the folks out there intending harm, I've heard this specifically about the ransomware attacks. It's run as a business. They actually have a team of developers. It's not some, you know, lone wizard. They have a team of developers and they actually license their ransoms, their software.

00:04:19:21 - 00:04:26:23
Craig Andrews
It's like an affiliate program. Oh, yeah. And, you know, and basically you get an affiliate link and they,

00:04:26:23 - 00:04:31:08
Craig Andrews
they your job is to get computers infected.

00:04:31:08 - 00:04:34:14
Craig Andrews
They go back to the central organization that has the,

00:04:34:14 - 00:04:36:00
Craig Andrews
the key to remove,

00:04:36:00 - 00:04:39:14
Craig Andrews
the infection, and then they just pay you a portion.

00:04:39:14 - 00:04:44:00
Craig Andrews
But it's it's from what I've heard, it's a sophisticated business.

00:04:44:02 - 00:05:12:21
Dylan Evans
It's it's more players than that. It is a full blown industry with a supply chain. You've got. Yeah. Those developers making tools. You've got. And there's like a healthy competition. You got to pick and choose. You've got marketplaces to sell and buy, stolen credentials, stolen information. Other people, maybe they run just a real boring operational call center.

00:05:12:23 - 00:05:23:15
Dylan Evans
Right. And that they they get the leads right in these these stolen credentials or, you know, grandmas who are certified to be maybe, maybe a little bit,

00:05:23:15 - 00:05:38:09
Dylan Evans
slower and susceptible to a scam. And they they have their procedures. They call the people, they do whatever they, they do and turn it into money. But that's not the end of it.

00:05:38:09 - 00:05:54:05
Dylan Evans
Like, I have to get the money out of, like, a regulated banking system and into and they have to get it laundered. So you got money, mules? It's a whole thing. It's a it's a it's an ecosystem. It's a supply chain.

00:05:54:07 - 00:06:07:03
Craig Andrews
Yeah. And you know, and I mentioned in the introduction that by far the people that get hit by it most are the small and medium businesses, you know, not the Walmart. You know, Target, of course, was a big victim.

00:06:07:03 - 00:06:15:03
Craig Andrews
But those are far less frequent victims than the small medium business. Why is that?

00:06:15:05 - 00:06:47:09
Dylan Evans
At least two reasons. The first reason is because of the incentives of the media. They live on eyeballs and clicks because they sell ads. So if they report, you know, another seven plumbers in the greater Atlanta metro area got their life savings stolen. They can't do that story twice a week.

00:06:47:09 - 00:06:51:10
Dylan Evans
Even if they mix it up and say also lawyers also,

00:06:51:10 - 00:06:57:07
Dylan Evans
accountants also I don't know car sales.

00:06:57:09 - 00:07:33:10
Dylan Evans
It doesn't it doesn't work. It gets boring real fast and people just get depressed and they turn off the news. They need to report on the abnormal, the crazy. And so we all have this perception based on the news cycle, that it's mostly these highly sophisticated attacks from Russia and the North Korean military and very fancy people. But it's not it's it's really like I said, you figure out it's boring real fast.

00:07:33:10 - 00:07:49:14
Dylan Evans
It's just. They're scraping the bottom of the barrel and sometimes, I mean, every week there's a bunch of people at the bottom of the barrel who get absolutely nailed, and there's nothing glamorous or newsworthy about it.

00:07:49:16 - 00:07:50:16
Craig Andrews
Yeah.

00:07:50:18 - 00:07:52:06
Dylan Evans
You know, second thing.

00:07:52:08 - 00:07:55:01
Craig Andrews
Go ahead. Go ahead. No no no please.

00:07:55:03 - 00:08:48:08
Dylan Evans
The second thing is think about Target and think about Walmart, Equifax. They cannot keep secrets. They do not have the capacity to keep secrets. They got tens of thousands of employees. If they lose everybody's credit card numbers there's no way they can keep that out of the papers. But smaller businesses. That is a reasonable expectation. And so many businesses that have lost a lot do not talk about it because they are afraid of the reputational damages from their vendors or their customers who lose faith in them if they learned that they were scammed.

00:08:48:10 - 00:08:58:12
Dylan Evans
And so you might have a business group. You might have some drinking buddies. You might have,

00:08:58:12 - 00:09:10:23
Dylan Evans
any number of business connections, and they've been scammed and they will never tell you. These two factors mean small business.

00:09:10:23 - 00:09:15:03
Dylan Evans
Crime is vastly underreported.

00:09:15:05 - 00:09:17:19
Craig Andrews
Yeah. You know, I,

00:09:17:19 - 00:09:22:13
Craig Andrews
I used to get these emails that said, hey, we,

00:09:22:13 - 00:09:27:15
Craig Andrews
hacked in your webcam, and we saw you doing some naughty things on the internet.

00:09:27:15 - 00:09:28:17
Craig Andrews
If you,

00:09:28:17 - 00:09:33:10
Craig Andrews
if you don't send us this much Bitcoin, we're, you know, we're going to release it. And,

00:09:33:10 - 00:09:35:05
Craig Andrews
my favorite one came,

00:09:35:05 - 00:09:36:07
Craig Andrews
a little over three years ago.

00:09:36:08 - 00:09:40:10
Craig Andrews
I was in a six week coma and they're like, yeah, we, you know, we caught you,

00:09:40:10 - 00:09:45:01
Craig Andrews
you know, on your webcam. I'm like, well, that would have been good because I was in a coma.

00:09:45:01 - 00:10:03:00
Craig Andrews
And yeah, they send these out and, you know, and if and what they're doing is they're preying on fears. If you had ever, you know, been to a questionable website, you know, like, oh, geez, they may have got me and and it's crap.

00:10:03:00 - 00:10:09:02
Craig Andrews
They, they're just making it. They're just, you know, putting it out there.

00:10:09:04 - 00:10:18:16
Dylan Evans
Yeah. This is this is the other major misconception. There's so many misconceptions about this world for almost all of us. Unless you're like a mafioso

00:10:18:16 - 00:10:42:02
Dylan Evans
or a senior government official, nobody knows your name. You are in an entry in a great big spreadsheet. Nobody. Nobody knows. Very few people have these compromising pictures of you. Think about like, what's the click rate on those kinds of,

00:10:42:02 - 00:10:44:08
Dylan Evans
emails?

00:10:44:08 - 00:10:50:07
Dylan Evans
It's it's less than 1%. Most of it gets caught by spam.

00:10:50:09 - 00:11:11:07
Dylan Evans
They're not going to spend a lot of money like and and person hours maintaining the organization of all these compromising videos. And and like talking to the person directly unless this person's loaded. Now, Craig, you might be loaded. I don't know, but,

00:11:11:07 - 00:11:20:15
Dylan Evans
if you're not loaded and you get that kind of email, just just run through the economics from the other side.

00:11:20:17 - 00:11:27:00
Dylan Evans
It's probably not a real thing. And they don't have any idea who you are.

00:11:27:02 - 00:11:47:03
Craig Andrews
Yeah, yeah, yeah, it's. And it's just it's the thing that's struck me is over the last year or two, I've noticed that the scams are getting better and better. You know, when it shows up as an email, they're really good. They're very, very persuasive.

00:11:47:03 - 00:12:04:03
Craig Andrews
My wife and I have a friend that just lost $3,000, and there was somebody called up and they again preyed on a fear, got her to give them access to their her bank account, and boom, they just sucked $3,000 out of her bank account straight away.

00:12:04:05 - 00:12:28:05
Dylan Evans
Yeah, I could tell the same story. Except instead of three, it's quarter of a million. Yeah, right. Getting in the middle between, like, sending your best customer invoices and with different deposit information. That is a depressingly boring and damaging threat for a lot of businesses.

00:12:28:07 - 00:12:37:11
Craig Andrews
Well, I would guess in that one that was probably what I've heard is called social engineering, where they they they hired you.

00:12:37:13 - 00:12:40:09
Dylan Evans
You got me on my favorite rant, Craig.

00:12:40:11 - 00:12:41:06
Craig Andrews
Yeah.

00:12:41:08 - 00:13:05:05
Dylan Evans
Social engineering isn't real. Okay. Social engineering is a term because of this vast misconception that most security fixes and problems are technical. They're not. It's just people tricking other people sometimes.

00:13:05:07 - 00:13:26:21
Craig Andrews
But that was my understanding of social engineering, was somebody got some information and they got a real person on the phone and said, hey, there's this invoice that's about to be paid. Yes you should. That's my understand. When social engineering was being explained to me, that's how it was explained, was that it's getting a little bit of information.

00:13:26:21 - 00:13:53:02
Craig Andrews
You know, there's a transaction that's about to take place and you intercept that transaction and say, hey, you know, Joe, your boss just called me and said, it doesn't go to this account. It goes over to this other account. And all of a sudden, that quarter million that you're talking about just went into some bank account somewhere in some dark place in the world.

00:13:53:04 - 00:14:15:19
Dylan Evans
Sure, you're right. And I exaggerate. Those techniques exist, but ultimately, if you are worried about crime, about not getting nailed, that is exactly the sort of situation you should be thinking about.

00:14:15:20 - 00:14:43:15
Dylan Evans
The security industry has a separate term for that because they don't do that as much. That's like very fancy for them because they have this strong lineage, the strong DNA in tech and what that industry mostly provides is not crime prevention. It's defensibility, to be able to say, oh, I did my job, I did, I did everything reasonable.

00:14:43:15 - 00:14:45:20
Dylan Evans
Please don't fire me.

00:14:45:20 - 00:15:14:12
Dylan Evans
Or defend against the lawsuit. That's what the security industry offers. And it works great for Fortune 500s. But if you're a small business, all that technobabble, the checklists that provide defensibility, all the fanciest network gear and laughs and bullhorns don't do much against actual threats that are going to end your business.

00:15:14:14 - 00:15:29:19
Dylan Evans
That's what you say. The social engineering piece. Really, it's just the same scams that we've been doing for the last 5000 years, except, hey, we all use computers now. So I guess it's cyber.

00:15:29:21 - 00:15:50:09
Craig Andrews
Yeah. So what are what are some of the common methods of cybercrime that you see. And then kind of let's pair that with how do you recommend if it's not the checklist. How do you recommend that we prevent against.

00:15:50:11 - 00:15:54:11
Dylan Evans
Yeah.

00:15:54:13 - 00:16:30:21
Dylan Evans
I talked to too many lawyers. Lawyers' favorite phrase usually is "it depends." And I sometimes say the same in jest. But there is. Everybody wants a top three things, top ten signs or something, right. Like the internet is full of these for every industry. And security is no different. But what is going to be most effective for your business depends on what your business does.

00:16:30:23 - 00:17:05:05
Dylan Evans
If you run a second hand toy store, right consignment store for toddler toys, you're the threats that are going to put you out of business are very different than someone who's reselling construction equipment. At half a million a transaction. And so the things that are going to put the the construction equipment reseller out of business are very different than the toy store company.

00:17:05:10 - 00:17:27:20
Dylan Evans
Toy store probably has low margins. Rent is probably their biggest pain. And after that maybe employees. So they're going to be really susceptible to does the check get to the landlord without getting stolen. And do my employees,

00:17:27:20 - 00:17:31:16
Dylan Evans
stay safe? Like, do they get,

00:17:31:16 - 00:17:43:05
Dylan Evans
defrauded? Because because of my I have information about them, about their personal identities, their socials, their tax filings.

00:17:43:07 - 00:18:07:22
Dylan Evans
Whereas the large construction reseller, any one of those payments, they're making one 4% margin per resale. If their bank account gets emptied in the wrong week of the month, they might be really hosed, right? They might be emptied for 3 or 4 million between when the checks drop and hit.

00:18:08:00 - 00:18:09:08
Craig Andrews
Yeah.

00:18:09:10 - 00:18:40:02
Dylan Evans
So the easiest thing, I think, and this is what we coach people through, is what would really end you if someone bad got control over some person in your firm's job, like took over their email. Took over their what, our phone or something for a week. What would happen? What's the worst that could happen and what would you do about it?

00:18:40:04 - 00:18:49:04
Dylan Evans
You can do this with your business coach. You can do this with like anybody with with a lick of sense.

00:18:49:04 - 00:18:59:16
Dylan Evans
We have practice, but this is not hard to do. That goes a long way. And the security, the cyber industry calls this,

00:18:59:16 - 00:19:12:09
Dylan Evans
risk and threat analysis. And and usually you need, like, someone 120 150 K to to coordinate these with you.

00:19:12:11 - 00:19:16:01
Dylan Evans
But you can do it much easier than that.

00:19:16:03 - 00:19:19:01
Craig Andrews
Then how would somebody go about doing that?

00:19:19:03 - 00:19:53:05
Dylan Evans
Let's find a friend who's smart and start thinking. All right. Deb, the office manager. Her email was was taken over for a week. What would happen? Could someone run off with all our money? What would happen to us? Could someone. Make changes to the website? What would happen to us? What if it was? We've closed down. Please go to our nearest competitor.

00:19:53:07 - 00:20:18:09
Dylan Evans
Maybe a bunch of Nazi stuff. I don't know, like what would happen to you if this person. This. We call it a single point of failure. One thing in your system, the system that is your business breaks is taken over by a criminal. What happens? Take you two hours, tops for, like a 20 person company,

00:20:18:11 - 00:20:19:00
Craig Andrews
That's at least.

00:20:19:00 - 00:20:20:05
Dylan Evans
For the first pass.

00:20:20:07 - 00:20:25:19
Craig Andrews
Yeah. Well, and there's, like, common sense in that there's a

00:20:25:19 - 00:20:42:21
Craig Andrews
lot of common sense, and it's just identifying the things that would, you know, the, you know, the biggest points of failure and just saying, how would this play out. And then and then presumably next, once you had that, what do you do to protect against it?

00:20:42:23 - 00:21:09:04
Dylan Evans
Exactly right. And often the fixes immediately suggest themselves. We get a lot of mileage out of simple process changes. How do you pay invoices? How do you send invoices? Do they all come from the same thing, or do just whoever wants grabs the template off the drive and send it as a PDF and then mail it off to whoever they want?

00:21:09:07 - 00:21:14:08
Dylan Evans
Like a depressing number of businesses, that is exactly how they send invoices.

00:21:14:10 - 00:21:15:07
Craig Andrews
Yeah.

00:21:15:09 - 00:21:21:08
Dylan Evans
It does it. Like it's not even more expensive to have a central invoicing system.

00:21:21:08 - 00:21:23:01
Dylan Evans
And, and your accountant will,

00:21:23:01 - 00:21:35:22
Dylan Evans
will really like that, that that will make their day. And I mean, think of the high trust professions if, like I. So,

00:21:35:22 - 00:21:41:04
Dylan Evans
Craig, how many, how many letters have you gotten in the last year saying,

00:21:41:04 - 00:21:41:16
Dylan Evans
sorry.

00:21:41:16 - 00:21:46:12
Dylan Evans
We care a lot about security, but we lost your personal information, right?

00:21:46:12 - 00:21:53:18
Craig Andrews
Yeah. Of course. Yeah. Well, and I think that just, go ahead.

00:21:53:20 - 00:22:21:10
Dylan Evans
How many do you recall? You probably just chuck them in the trash, right? Yeah. Yeah, and I do too, because it doesn't matter. But, man, if my divorce lawyer loses my file and someone mails me and says, I'm going to post that thing to Facebook, and unless I get, as you say, Bitcoin or 50,000 or however much they can milk me for, this is me at my worst moment.

00:22:21:12 - 00:22:28:02
Dylan Evans
I'm going to stab that guy. This is my life. It's different for every every company.

00:22:28:04 - 00:22:55:09
Craig Andrews
Yeah. Well, I, I think what you said a couple minutes ago, I can't think of a better place to kind of wrap with that is the common sense approach. This is what I really love about what you presented was. It's it's really a common sense approach of looking at points of failure and saying, what if? And that when you go through that exercise,

00:22:55:09 - 00:22:58:08
Craig Andrews
all of a sudden the answers start becoming apparent.

00:22:58:10 - 00:23:04:03
Craig Andrews
And so you help people walk through this and, and do this, how,

00:23:04:03 - 00:23:07:21
Craig Andrews
how should people reach out and contact you?

00:23:07:23 - 00:23:09:07
Dylan Evans
I'm going to be straight with you, Craig.

00:23:09:07 - 00:23:13:05
Dylan Evans
I chose our name because I'm kind of a salty guy.

00:23:13:05 - 00:23:15:18
Dylan Evans
But if. But it makes the

00:23:15:18 - 00:23:26:06
Dylan Evans
SEO very hard because, like, the first three pages on Google, if you, if you search for simple salt, are like people companies selling actual wholesale salt, like in bags.

00:23:26:06 - 00:23:29:15
Dylan Evans
So we're a lot easier to find on social,

00:23:29:15 - 00:23:34:01
Dylan Evans
LinkedIn, Instagram, not so much Twitter.

00:23:34:03 - 00:23:35:04
Dylan Evans
But but,

00:23:35:04 - 00:23:40:13
Dylan Evans
places like that, we do. We even have a TikTok. I'm so proud.

00:23:40:13 - 00:23:55:11
Dylan Evans
So search for simple salt on those platforms. You might find us. You might find some of our other content. We are big believers in lots of free content. More all the time. More how tos. We got a blog and we're here to answer the questions.

00:23:55:11 - 00:24:01:00
Dylan Evans
We're here to make it easy. It's easier than you probably think it is.

00:24:01:02 - 00:24:02:12
Craig Andrews
Well. Excellent. Well,

00:24:02:12 - 00:24:05:02
Craig Andrews
Dylan, I hope people do reach out to you. And thank you for

00:24:05:02 - 00:24:07:16
Craig Andrews
sharing all this on leaders and legacies.

00:24:07:17 - 00:24:12:15
Dylan Evans
Awesome. It's been fun. Craig.

00:24:12:15 - 00:24:39:10
Craig Andrews
This is Craig Andrews. I want to thank you for listening to the Leaders and Legacies podcast. We're looking for leaders to share how they're making the impact beyond themselves. If that's you, please go to Alize for me.com/guest and sign up there. If you got something out of this interview, we would love you to share this

00:24:39:10 - 00:24:41:05
Craig Andrews
episode on social media.

00:24:41:07 - 00:25:04:15
Craig Andrews
Just do a quick screenshot with your phone and text it to a friend, or post it on the socials. If you know someone who would be a great guest, tag them on social media and let them know about the show, including the hashtag leaders and legacies. I love seeing your posts and suggestions. We are regularly putting out new episodes and content to make sure you don't miss anything.

00:25:04:17 - 00:25:12:21
Craig Andrews
Please go ahead and subscribe. Your thumbs up, ratings and reviews go a long way to help promote the show. It means a lot to me.

00:25:12:21 - 00:27:14:22
Craig Andrews
It means a lot to my team. If you want to know more, please go to Alize for me.com or follow me on LinkedIn. Thanks for listening. We'll see you next time.