Date: 2021-10-15
MS. SPAULDING: Thank you, Cat. It's great to be here.
MS. ZAKRZEWSKI: Thank you for joining us. And I wanted to dive right in with some of the top news of the week, which is the Facebook whistleblower. Facebook whistleblower Frances Haugen said last week in her Senate testimony that the company's consistent understaffing of its counterespionage unit is a national security issue. What was your reaction to that testimony, and what do you think U.S. lawmakers need to do in response?
MS. SPAULDING: So, I do think that every company needs to understand that they are a potential counterintelligence target. And if the social media platforms like Facebook haven't figured that out yet, we have a real problem. So, I think it is something that Congress needs to pay attention to, and I think it's something that businesses need to--need to really pay attention to. We have seen through a variety of malicious cyber incidents that no company is too big and no company is too small to be targeted, and they need to be beefing up their counterintelligence and cyberdefenses.
MS. ZAKRZEWSKI: And there's been a big focus since the fallout of the 2016 election on how disinformation can undermine public trust in institutions. How do you think that has evolved since the first focus on elections and affected other institutions in the U.S.?
MS. SPAULDING: Yeah, thanks for asking, Cat. I think it's a really important question because there has been so much attention focused on disinformation and its impact on elections, and that's critically important, a vital pillar of our democracy. But really, disinformation is targeting democracy and its institutions more broadly. I've spent the last several years looking at how disinformation targets public trust in our courts, and it is pretty rampant. And we undermine the public's trust in the legitimacy of our courts, like elections, the courts then stop being able to fulfill the role we ask them to play in our society, whether it's for businesses to have certainty and a place to go for independent and objective determinations, or for members of the public who rely on courts' decisions being binding, being viewed as binding. My worry is, for example, that those who attacked the Capitol on January 6th did so in the face of over 60 court decisions that had rejected claims of widescale fraud in the election, and yet these individuals at least did not view those court decisions as legitimate. And I think that's been exacerbated by disinformation, both by foreign nation states and by domestic voices. So, I think it is a very serious concern and one we need to understand as broader than just elections.
MS. ZAKRZEWSKI: So, as a society, what can we do to respond to that threat of lack of trust in our court system? What should the response be?
MS. SPAULDING: So, we need to take a number of responses. We need to do all of the things that people talk about in terms of combatting disinformation through the social media platforms, through improved digital literacy. But I think in order to build public--our most sustainable approach is to build public resilience against the content of that messaging. So, disinformation is designed to convince us that our system is not just flawed and needing, you know, to change but that it is irrevocably broken. So, we need to teach civics education. We need to reinvigorate civics education in this country. It has atrophied. We need to--Americans to relearn our shared values so that disinformation operations aren't able to divide us as easily. We need to use civics education to remind us that we are the agents of change, that the beauty of democracy is not its perfection but its capacity to change, but only if we are informed and educated agents of that change through peaceful, constitutional means. So, I think building that public resilience against a message that is designed to promote despair and anger is really one of the most important things we can do.
MS. ZAKRZEWSKI: And so, given that threat, as well as the cybersecurity threats that I also want to get to in this conversation, are we at a point where the U.S. needs a Cabinet-level official focused on cybersecurity issues?
MS. SPAULDING: So, the good news is that this White House takes cybersecurity very seriously. It was really refreshing and great to see the president, even in the State of the Union Address, make several references to cybersecurity. And clearly, we've seen a number of high-level White House presidential-led meetings on cybersecurity, including one that's going on right now with 30 nations from around the world. So that's a good sign.
And as a reflection of that, the administration has appointed a national cybersecurity director to coordinate from the White House our efforts with the private sector, with other countries and across the federal government to make plans to defend against and respond to significant cyber incidents. We also have a deputy national security advisor for cybersecurity, and of course we've strengthened the role of DHS and other agencies across the federal government, including with additional resources. So, yes, we need that White House coordination, and the good news is that we're moving in that direction.
MS. ZAKRZEWSKI: You mentioned the White House meetings that are occurring this week focused on ransomware, and Russia notably was left out of these discussions. Given the role that Russia plays, the fact that many of the criminals responsible for cyberattacks ostensibly seem to be based in Russia, should they be part of the dialogue?
MS. SPAULDING: So, I think it made perfect sense to not have Russia as part of this particular dialogue in this meeting. This was really about likeminded countries coming together to say, look, we all share a common objective here. How can we help improve each other's capabilities and capacities and work more collaboratively together to--through law enforcement actions, through sanctions, through, you know, development of norms so that we can better defend against and respond to these malicious cyber incidents? So, I think it made perfect sense not to have one of the key perpetrators come into that meeting as we talk about how can we regulate cryptocurrencies and look at ransom payments and use our law enforcement more effectively.
I do think it makes sense at some point to have those conversations with Russia and with China. When I was at DHS I was involved in lots of conversations with China around cybersecurity. But this particular meeting I can understand why they were not invited.
MS. ZAKRZEWSKI: A major focus of the Biden administration has been rebuilding America's relationship with allies after years of an America first national security policy. How do you think that has affected the U.S.'s ability to work with other countries to respond to cyberattacks?
MS. SPAULDING: Well, we do need to work with other countries, and we need to have their trust in order to do so. And so, I think the steps the administration has taken are really important. Again, this meeting that's happening now, the executive orders that have focused on not just improving our own capabilities and within our own defenses but on using our resources and capabilities to assist others and to get insights from other countries. So, I'm hopeful that we will continue to strengthen that--our role on the international stage on cybersecurity.
And one of the things, I'm a member of the Cyberspace Solarium Commission. One of our recommendations was to elevate a senior position, create a senior position within the State Department for cybersecurity to ensure that we are giving it the kind of priority in our international discussions, in our representation and standards bodies, et cetera, that it requires.
MS. ZAKRZEWSKI: And I wanted to ask you more about that position with the Cyberspace Solarium. You've said in the past that cybersecurity is not a partisan issue. So, what should be--lawmakers and Congress, what should be their top priority as they're trying to respond to these threats?
MS. SPAULDING: So, yeah, the Cyberspace Solarium Commission was a wonderfully bipartisan group led by a bipartisan team from Congress, Angus King, who is an independent who caucuses with the Democrats; and Congressman Mike Gallagher, a Republican. And we had Jim Langevin from Rhode Island and Ben Sasse from the Senate as well. And it has had remarkable success as a result I think of having reached a bipartisan consensus around the recommendations. And nearly 25 of our recommendations have already been enacted on a bipartisan basis by Congress, but there are a number of provisions that have not yet been acted upon.
One of the ones that I think is particularly important is this Bureau of Cyber Statistics. So, we really--there's a lot of talk about getting information from the private sector, and there's legislation pending on mandatory reporting, which we can talk about. But I think as we get information from across the government and the private sector, then it's incumbent upon us in the government--and I'm no longer in the government but I--my heart is still there--it's incumbent upon the government to take that information and give it some context, analyze it, add value to that information, and then get it back out to the private sector and across the government and to other governments where it can be used to help us defend our networks. Too often I think the private sector feels that that information goes into a black box so that they never see it again. So, I think that's very important.
I do think that the Cyber Diplomacy Act, creating this position in the State Department, is very important. And I think understanding where we have key systemic risks--so there's legislation around identifying systemically important critical infrastructure that I think ought to be prioritized by Congress.
MS. ZAKRZEWSKI: And we have a reader question from you. James from Maryland asks what is the role of government in this beyond protecting the government itself? Or is this primarily a private sector issue?
MS. SPAULDING: Yeah, James, great question. It is a key issue for both government and the private sector, and they have to come together and collaborate and work together.
The government has an important responsibility to protect its own networks to make sure that the government is able to deliver the goods and services and functions that the American public relies upon it to deliver. But the government also has an important role in trying to deter activity by these bad actors--incredibly hard to do in cyber, but I think it is a role for the government to both impose consequences and deny benefits to our adversaries. It does have this important role on the--on the international stage, working with our multilateral partners, an important role in law enforcement. Law enforcement has been playing an increasingly important role in going after criminals in cyberspace and in taking down infrastructure and networks. Our intelligence community obviously has a really important role to play both in helping us understand and again in potentially taking action against adversaries. So very important roles that the government can play, and making sure that information that it gets and insights are shared with the private sector, with state and local and territorial and tribal governments, that everyone is getting the benefit of the things that we learn.
But the private sector has a really critical role to play, both in terms of innovation, which you'll hear about, I'm sure, from your next guest from Palo Alto. But they need to continue to innovate technologies and ways in which we can better defend our networks; but also, the private sector is the primary owner of critical infrastructure, those things that provide us with electricity and transportation and water and financial services and health services. And so they've got to be--they're doing the things that they can do to defend their networks. Just as we ask businesses to put locks on their doors--right?--they lock their valuables in safes, they put up sensors and surveillance cameras, they've got to make sure that they're doing everything they can to make it harder for these malicious cyber actors.
[Video plays]
MS. UMOH: Tech's ubiquitous and ever-evolving nature has led to a proliferation of cybersecurity attacks, both in the public and private sectors.
Today, I'll be speaking with Shena Seneca Tharnish, Vice President of Cybersecurity Products at Comcast Business about the need for cybersecurity amid ongoing data breaches.
Welcome, Shena.
MS. THARNISH: Thank you, Ruth.
MS. UMOH: Thank you. Let's jump right into the topic at hand. The ongoing pandemic has altered virtually every aspect of our lives, and that's especially true when it comes to how businesses and consumers leverage technology.
In what ways has it changed how we think about network security, in particular?
MS. THARNISH: From a security perspective, the pandemic has expanded businesses' networks. Prior to COVID, businesses could contain all of their data and security within their brick-and-mortar infrastructure, but that's not how we're operating anymore. Even though workers are remote, they need to be able to securely access the same data they could previously when they were in an office building. So, to be able to protect this data is a different model for businesses altogether. Some businesses were ahead of the curve and able to respond quickly to the pandemic without much impact to their security posture, but most had their--had employees that would work remotely only on occasion. So, scale and capacity was a big deal for those businesses, and adding additional security on top of that.
MS. UMOH: To your points, businesses are now expanding their data and security beyond brick-and-mortar locations, as employees have pivoted to the virtual realm. Many organizations are now implementing a zero-trust model, which is essentially a security framework requiring all users be continuously validated before receiving access to applications and data. Still, we are repeatedly hearing about new security breaches. Is zero-trust realistic and, perhaps more importantly, does it work?
MS. THARNISH: Zero trust is absolutely realistic, and it works, but achieving it can be a monumental task. It's important that businesses first prioritize the most impactful risks and then continue to build out from there, because there are many layers to it. Only setting up privileges for the things you must connect to requires a lot of administration and planning and organizational alignment, which is why it can take a long time for businesses to fully implement it.
You often hear defense in depth, which is crucial, because there are so many different ways for hackers to come in. And by now, most would agree that zero trust is the future and ultimately the best defense, but it can be daunting for those that don't have a good handle on all of their assets. If that part feels challenging, then everything else likely seems insurmountable. It is a very transformative task for a company.
MS. UMOH: You noted that there are various entry points for hackers, which is really what makes cybersecurity so challenging and complex in many ways. How can we then fix the gaps being targeted by hackers in order to have more resilient systems? In other words, how do we get ahead of those breaks in the system?
MS. THARNISH: Defense in depth is critical, and having a comprehensive security program for your business and understanding the different threat vectors that your business may face is very critical. And you want to prioritize how you're doing risk assessments and vulnerability management and patch management, all of these things that it takes a constant effort to be searching for potential openings for bad actors and closing them quickly.
So, if there is a new vulnerability that is out, it's important to have a program in place to quickly see if you have this vulnerability and then act quickly to close it. The faster you can do this, the better the outcome.
MS. UMOH: It seems as though speed and agility are really key to getting ahead of security threats.
For some context, data breaches in the first half of 2021 exposed some 18.8 billion records, inflicting serious damage on victim organizations. Let's--and by looking ahead, as we look to the future, what are cybersecurity trends that are on the horizon, and what should organizations look out for?
MS. THARNISH: Yeah, it's important to be able to detect and respond. A lot of security up to this point is detection and then telling the customer they need to do something about it. But leveraging automation and intelligence to not only detect but respond on the customers' behalf will be the future. You know, technologies like machine learning and A.I. will allow businesses to quickly respond in an automated fashion. It goes back to speed. We know that acting quickly is important in preventing breaches and infiltration. More data correlation will be key to monitoring logs from everything. And then, using machine learning, businesses will be able to quickly assess the situation and determine risks and automatically close the issue.
MS. UMOH: Absolutely. Very well said. Well, when it comes to cybersecurity, it's quite evident that your best offense is a good defense, especially as attackers seek out new ways to take advantage of the ever-changing tech sector.
So, thank you very much for this informative discussion, Shena. Such a pleasure chatting with you. And now, back to The Washington Post.
[Video plays]
MS. ZAKRZEWSKI: Hi and welcome back. For those of you just tuning in [audio distortion] Cat Zakrzewski, a tech policy reporter here at The Post. My next guest is CEO of Palo Alto Networks--one of the largest cybersecurity companies. Nikesh Arora, welcome to Washington Post Live.
MR. ARORA: Thank you very much for having me, Cat.
MS. ZAKRZEWSKI: Thanks so much for being here. And as you might have heard last discussion, there is a heavy focus right now on ransomwares, and I know that your in-house consulting team has been doing some [audio distortion] on how these trends have evolved over the past year. So in 2021, as we've seen this scourge of ransomware attacks, how has your company found that they're changing?
MR. ARORA: Well, what's been interesting, Cat, you know, I often say that cyberattacks have gone from being a hobby to a profession, and there's no better example I've seen, as we see in ransomware. You know, last year we saw a few big cyberattacks. They were typically caused by supply chain events. So it is an attack on a particular company, but they attacked an infrastructure provider that provided infrastructure to lots of companies and government agencies out there. And when they were able to get into that stream of technology, they were then--the door opened for tens of thousands of enterprises or government agencies to be compromised. And what the bad actors did was in the case of SolarWinds or in the case of the Exchange server attack, they used--they used that vulnerability to then establish themselves in the infrastructure of companies' enterprises. Actually, you know, part of it was they were offering ransomware as a service, believe it or not, where they said we have this enterprise. If you go, take that access, make something out of it, you're gonna share. So, if they're--on account of their own ransomware as a service on the app store. And what we saw out of a lot of various actors around the world went about getting the structure of companies, of agencies, encrypting their data, extracting the data, locking their systems down, and putting ransomware asks on the table. And the average ransomware ask go to $5.3 million in the last year. This number was smaller a year ago, but you're seeing the proliferation of both ransomware as, you know, I'd say professional ransomware actors come into the game.
MS. ZAKRZEWSKI: And so what are the consequences of businesses of these professional ransomwares entering the game? Should they be thinking about communicating with their employees to secure themselves from attack?
MR. ARORA: Well, you know, you have to do both, not just communicate with their employees. Employees are definitely one of the weaker links in this--in this story, because you can compromise employees a lot easier than you can compromise systems. But you also have to look at the entire [audio distortion] make sure, are you ransomware ready. Are you ready that if you got breached, do you have the protections in place? And ideally, you don't want to get breached so you want to have protection in place protecting your infrastructure. But in the case, God forbid, you actually get breached and you have--you have somebody who is holding you hostage to ransom, you've got [audio distortion] processes in place. You have to make sure that you have an escalation capability in place. You have to make sure you can get your systems back up and start operating if you decide to take the bad actors on and choose not to [audio distortion]. So a lot of work needs to be done by every company. And as you know, a White House summit is going on as we speak which is actually tackling a lot of these issues in terms of what can the government do to help to try and create less incentive for--and actually to penalties and punishment for people who engage in ransomware.
MS. ZAKRZEWSKI: [Audio distortion] talk to you a little bit about the relationship right now between the government and the private sector when responding to cyberattacks. At a recent summit President Biden said the sector has the quote "responsibility to raise the bar when it comes to cybersecurity." Do you agree?
MR. ARORA: Well, we've been constantly raising the bar better than most governments around the world use protection from [audio distortion]. So private sector has been innovating and creating the capabilities that allow us to protect enterprises, protect agencies, protect the government.
I suspect that what President Biden means about us having to raise the bar, I think we need to get better at collaborating with the government and having a public private partnership where we can share and see out in the public domain with the government, they can share threat actions back with us and actually try and reduce this mean time to remediating some of these issues.
And a lot of good work happened with the new administration in place, where we've seen a few executive orders where incentives have been for all of us to participate and for all of us to sort of coordinate our activities to make sure we [audio distortion] actors at bay.
MS. ZAKRZEWSKI: What do you think that the Biden administration can learn from the private sector when it comes to responding to these threats?
MR. ARORA: Well, you know, Cat, the problem with cybersecurity is not something that got created [audio distortion] last year or the year before. This is something that has happened in technology over the last 20 years. Think about it, 20 years ago when I started Google, if you searched for a company, you'd be happy if you found information about them. Today, pretty much every company, tech or not, we actually engage with our customers online. We are able to provide [audio distortion] to them, wherever they are. So pretty much you've opened up the sockets to every thing [audio distortion] technology infrastructure in our business. You know, we can pay our bills online. We can go and regulate our temperature of our home online.
Now every one of those connections is a potential attack vector. If you're not careful how you protect that connection, how you protect that service, how you protect that application, you [audio distortion] new attack vector. So what has happened is there's been an explosion of attack vectors. We're relying on a technology infrastructure where half of it was not to be open to the internet. So the ability to protect it is very bad. So in that case, I think what the Biden administration can do actually create an incentive to upgrade and improve our infrastructure as fast as possible. That's one part [audio distortion] which will take a while to solve, but setting us down that path, making sure we are all focused on infrastructure.
Then, on the other hand, we can make sure that we are ready to respond to any of these issues that come upon us, and which is what you're seeing today, the ability of likeminded actors to get together and talk about how to mitigate these things, how to [audio distortion] how to create punishment because today there's not even clear rules of engagement that if you're sitting in a third-party country, how are you going to engage with local governments and get them to stop? This is kind of the new wild west, if you will.
MS. ZAKRZEWSKI: It's a really good point. And I think you make a good point that these attacks aren't new, but it does seem in the past year [audio distortion] has woken up to the new stakes of these attacks with events like the Colonial attack. How do you think that event has changed the dialogue between company owners and Washington?
MR. ARORA: Well, you know, Cat, I don't want to be an alarmist, but if you think about it, if--it is easy for the [audio distortion] sitting in a different country to be able to bring our critical infrastructure down and create chaos. Mild chaos in this case [audio distortion] people lining up at gas pumps and having to pay more for gas. But just extrapolate that and think of all the critical infrastructure we rely on--water, electricity, you know, oil pipelines--a whole bunch of critical infrastructure we rely on. And if it is so easily brought down remotely, I think the next--the next frontier in warfare is going to be through cyber. Most nation states are prepared for offense. They're not as well prepared for defense. We have--we have a real responsibility on our end to make sure we upgrade the infrastructure.
This just doesn't apply to critical infrastructure. It applies to federal systems; it applies to state and local systems who particularly don't get a lot of investment. And most your data and my data is lying in some state database, whether it's your driving license data or your medical data. There's a whole--a whole bunch of data out there [audio distortion] well protected.
MS. ZAKRZEWSKI: So given those stakes and the changing nature, how should executives be thinking about this when they might be facing threats from state actors as you just mentioned?
MR. ARORA: That's a great question, Cat. And I think just like we do in our personal life, you have to--you know, security comes at a cost. Every time you and I go through the airport, we have to take off our belt and put our laptops. So it comes at a cost. Whether the cost is inconvenience or the cost is real money, there's a cost. So we all have to figure out what is the right balance of how much cost are we paying or how much money are we willing to invest in protecting ourselves. And on the other hand, you know, how secure do we need to be to be able to withstand these. All I would say is that on a scale of 1 to 10, we're probably at a 3, and I think 6 to 7 [audio distortion] be. And I'm saying that generically across federal agencies, across state-level agencies, across enterprises. And we have climbed from 3 to 7. But you know, with the current administration, some of the recent unfortunate attacks, we're seeing awareness across enterprises, across governments where at least is causing people [audio distortion] and try and take action.
MS. ZAKRZEWSKI: And given that, do you think that the government needs to mandate specific parameters around private sector cybersecurity networks?
MR. ARORA: Well, that's an interesting question. Look, I think cybersecurity could benefit with some consistency and some higher [audio distortion] in terms of what we all need to aspire to. Yesterday President Biden said that the private sector needs [audio distortion] the bar higher. We all have to have a bar to aspire to. And depending on the category you're responsible for, if it's critical infrastructure, if it's essential services, I think the bar needs to be higher because essential services and critical infrastructure, them being down as we've caused chaos and can cause a whole amount of disruption in any nation state [audio distortion] perspective, I think the bar needs to be higher. The government needs to have very clear guidelines as to what their expectations are from people who are entrusted with providing us essential services. Every corporation, every enterprise needs to also be held accountable. You know, today we have SEC that holds us financially accountable, and they do a good job of monitoring and scrutinizing us so that we all play [audio distortion]. And I'm pretty sure there is a version of that we can think of in the cybersecurity realm which would [audio distortion] all of us. Today we're talking about ESG. I think similarly, there should be a concept of having guidelines for cybersecurity.
MS. ZAKRZEWSKI: And so just to clarify, you think there should be [audio distortion] new government agency tasked with overseeing the cybersecurity sector?
MR. ARORA: Well, I think there is already enough agencies. We don't need more agencies to govern the private sector. But I think having some sort of guidelines and rules which, to some degree having them out there for all of us to understand--look, the good news is enterprises are very [audio distortion]. They understand the commercial cost of a cyberattack. They understand the business [audio distortion] which will be caused by cyberattacks. So, you know, we serve 85,000 customers around the world. Seeing that there's heightened awareness and a willingness to engage and get cybersecurity [audio distortion] so I don't think there's a lack of will in the--in the [audio distortion]. I think having some consistency in terms of guidelines and what does good look like would be helpful. [Audio distortion] fashion. That can be done by public-private partnership. There are many, many ways to get that.
MS. ZAKRZEWSKI: There's been some discussion around what role the industry could play in standardizing cybersecurity practices just like you need fire alarms in a house to have, you know, a certain rate on your insurance, what sort of cyber hygiene do you need. Do you see a role for the insurance industry here?
MR. ARORA: Well, you know, there are various insurance agencies around companies which will give you cyber insurance. Look, the challenge, as you know with [audio distortion] is that there is such a disparity in the technical infrastructure around every company, every agency that without that consistency it's very hard for a third party outside in to judge how secure your infrastructure is. And clearly, if you're in any [audio distortion] want some degree of assessment of your infrastructure security capabilities [audio distortion] giving you the insurance.
So, yes, they're all working hard towards that scale. I think it's going to take some time. It's going to take some time for us to create some degree of a [audio distortion] so we can assess each company in a common framework and say, okay, you're a 1 on a scale of 1 to 10 and you're a 5. So everyone, depending on when you're ranked, your premium's going to be slightly different. But I think their consistency of framework in that evaluation is not out there.
MS. ZAKRZEWSKI: Got it. And I want to take a moment to bring in a question. David from Virginia asks, "Can digital systems ever be entirely secure or only relatively, and how do we know where we stand?"
MR. ARORA: That's a great question, David. You know, David's right. It's very hard to know how secure you are. And it's kind of like if we live in our homes--you know, we think about our homes and how secure are we, you know, if you have metal doors, do you have glass, you have a strong lock? Do you have many windows? So we all have a sense of, you know, what our vulnerability is. All I'll say in the technology world, the more recent your infra, the more likely it has more security built into it, the more legacy your infra is the more it wasn't designed for security. Now of course there are people who have done--you know, ringfenced that and put security around it. But generally, as a rule of thumb, a good way to think about it--and really depends on how critical the operation is where the data that you have and how the management [audio distortion] public [audio distortion] or the agency feels about making sure the data needs to be secured.
MS. ZAKRZEWSKI: And I wanted to ask you too, obviously we're about 18 months into the pandemic. There's been a lot of cybersecurity concerns for companies like The Post. We're working from home in a lot of instances. How have you seen cybersecurity threats evolve during the pandemic with people working from home, and how has that changed how you do things at Palo Alto Networks?
MR. ARORA: That's an amazing question. I think you've hit the nail on the head, because what we've discovered is as people have started [audio distortion] home, effectively you have created an extension of your office to your home, because you're dialing in. You're logging into the infrastructure. You're checking your email. You're checking your [audio distortion].
You're basically--you know, Palo Alto Networks, for example, now has 12,000 [audio distortion] which are the 12,000 employees of ours which work from different parts of the world. We have to protect the entire 12,000 employee network. So from that perspective, the threat vector [audio distortion] by magnitude given everyone's working remote, we think the threats out there actually targeted to people working from home or systems that allow working from home, it is a recent phenomenon people have had to rush out, make it happen. So clearly, people who are not well prepared [audio distortion] in perspective, have left the door open and run the risk of an attack from [audio distortion] remote working solution. And you know, we've seen a lot of success that follows from being able to provide many of our customers that secure capability to allow their employees to work [audio distortion] gone out publicly and said they are going to sort of [audio distortion] who work from home, because they feel that the infrastructure has been secured by us and is working for them.
MS. ZAKRZEWSKI: And because it is Cybersecurity Awareness Month in October, I wanted to ask you what are some simple steps our viewers could take to ensure they're improving their own cybersecurity?
MR. ARORA: That's a great question. Before I joined Palo Alto Networks, I actually realized that my accounts had been compromised because I had the habit of trying to use the same password in multiple places. And what happened is that somebody got access to some password dump and, right, used the password and this email address, they tried that across 20 or 30 services, they compromised 4 or 5 of those. My Spotify was gone. Somebody had access to some other services that I had.
I think the most important part that our viewers can do is make sure that you are using some sort of password manager, you are using some sort of mechanism, whether it's using Google prepared passwords, or Microsoft, or a third-party password manager. Make sure the passwords are distinct. Make sure you have multifactor authentication across some of your most important that is your bank accounts or your social media accounts, if you so care, and your email especially, because you'll be surprised how much information there is in your email that once instance can be used to--I've seen people's money being extracted from their bank accounts because they had access. So you just have to maintain hygiene around access to our capabilities. You know, an interesting study we did that a third of the people don't know whether--what their WiFi router password is. That's one of the easiest attack vectors. If your WiFi router is open, then bad actors [audio distortion] your router and access all the traffic that is going in and out of your home.
MS. ZAKRZEWSKI: Well, it is always amazing to think about how simple some of the changes are that make a big difference. Thank you so much for joining us today. That's all the time that we have.
MR. ARORA: Thank you for having me, Cat.
MS. ZAKRZEWSKI: I’m Cat Zakrzewski. As always, thank you for joining us at Washington Post Live. To get more information [audio distortion] interviews we have coming up, please head to WashingtonPostLive.com to find out more.
[End recorded session]