There are a lot of parallels between web design and cybersecurity, and keeping your website secure may be the first step to making sure your business is safe from threats from bad actors. Mary Putnam, the CEO at DesignYourSite.net, straddles this intersection by providing comprehensive web services for businesses that include security audits and secure web design. Mary tells us how WordPress can be your superpower in making sure you’re putting checks in place and effectively shielding your business from what she calls “not-friendly actors”. Tune in to find out more about their services and Mary’s profound insight into the larger subject of cyber risk and cybersecurity.
Watch the episode here
Navigating The Intersection Between Web Design And Cybersecurity With Mary Putnam, DesignYourSite
In this episode, our amazing guest is Mary Putnam. Mary, thank you for joining us.
Thank you for having me.
I’m glad to have you. We’re excited to have you all. We look forward to this discussion because we have quite a few things in common with Mary, historically. We’re here to talk about all kinds of different cyber risks as well. We hope that you get some value out of this episode. Let’s get started here. Mary, the most important question that we like to ask is tied around what essentially is the cybersecurity and cyber risk issue but a brief background first.
You built a business-class internet service company in Oklahoma. That included a data center. You’re doing some web programming in a variety of different areas. Sounds like WordPress is a superpower in terms of understanding how that works and the securities within but you’re the Chief Executive Officer at DesignYourSite.net. We can dive into that first question. How would you explain the difference between cybersecurity and cyber risk?
When I talk to clients, I like to come down to their level. I would boil this down for a client and say that cyber risk, depending on what assets you have in the world, is where you are liable to get attacked. Cybersecurity is the tools that you put in place to ameliorate that probability.
That’s a common discussion amongst executives and boardrooms as well. Small-business owners probably struggle with this a little bit because perhaps the default thinking is that it’s all cybersecurity. Thanks for your clarification on that.
I also think that many people look at those items and think that the tools are reducing cyber risk but they think that’s all there is to the cyber risk industry or cybersecurity. If I throw enough tools at it, it will go away or go down to almost nothing. It’s not quite the case. There’s been more to it than the technology.
It’s evolving all the time. It’s a race to stay ahead of the not-friendly actors. That’s what I want to call them.
It’s a more positive way to talk about it. Perhaps this helps us understand a little bit more about these not-so-friendly folks. In that realm, what do you think is the most significant cybersecurity threat facing companies?
I’ve spent a good bit of time thinking about it. There are so many people doing it. When we look at ransomware, which has been around for a while and has been managed very well, the brilliance of these hackers is they took their hack and franchised it. They got so many people helping them with it that it made it many more times destructive than it should have been. The question that we have to ask ourselves is, what do they do next?
Which vulnerabilities? How are they going to get in? They made it a business and something very profitable.
They certainly did make some money off of that but lots of people are more aware. As we know, education is a good part of being protected. Where are the risks going to come from? I’m not sure I know. I do know that websites are at risk and a lot of things are at risk. People could be doing business and more to protect their digital assets.
Business always has a leader. How do you think perhaps the leader, the CEO, or the owner should prioritize cyber risk specifically?
It should be a high priority, especially with the government regulations. They’re going to come out. Some of them are already been released so we can expect to see more. If you’re not being a good corporate citizen with your data, you don’t want to say you allow it, but through not ameliorating that risk, somebody gets access to data. Can I tell you guys a great story for when I knew that somebody had been hacked?
Yes, we love stories.
This is a great story. I got a spam phone call and this guy says he’s with Visa. They were going to take all my Visa debt. It was too good to be true. They would cut it in half and reduce my interest rate to 6% or something like that. I was like, “I don’t see how you can do that.” He started quoting to me the last four digits of my credit card that I have active, my balances, and my last payment. That was his believability.
He had me on the phone for a while before I said, “I’m getting off the phone with you.” When I got off the phone, I called all my credit cards and canceled them. I had new cards issued. I know that that probably came out of the hack of one of the credit bureaus. We heard that later. In the meantime, how many people made transactions with them as a result of that loss of information?
I don’t think there’s a technology tool per se that could have prevented that interaction or direct call.
Everything but my Social Security number, they did not have that. That’s where I got them. I said, “If your Visa, then you have my Social Security number so you tell me what it is,” and he couldn’t do it.
Often, the cybersecurity incident or an attempt by a not-so-nice person isn’t always targeting just the CEO but other parts of the organization as well. The CEO does like to delegate or even the business owner might delegate some of these things to some of his or her senior staff. Let’s talk about the person who’s in charge of finance. What do you think of the person in charge of finance? How should they handle cybersecurity and cyber risk budgeting if they’re tasked with their leader to keep the reins on cost but at the same time keep it secured?
I’m pretty sure the CFO has a budget for risk for all kinds of risk. This has to be a part of that. They need to look at the ROI and the risk that they’re willing to take and put a budgetary dollar figure, which is going to vary from very large corporations that have a lot of data to smaller groups that have smaller amounts of data. They need to do something comparable to minimizing that risk.
We don’t want to say how bad it is for people whose data gets distributed out there. There’s almost an attitude like, “They have all our data anyway so why do we care?” I’ve seen this attitude from time to time with people. I don’t think that’s the point. We’re asking people to erase the data. You’ve got people’s data so erase it, let it go, and put some controls in place that won’t happen again. Corporations are going to have to budget for that.
That is the word right there, putting controls in place. That is where a lot of companies see that and squeam away from that. They get squeamish when you talk about putting controls on data because they’re like, “I don’t want to have controls on that. I want to be freer with it or use it the way that I want to.” That’s one of the issues that’s being pushed with legislation and other things. You don’t own that data and it’s not necessarily yours to do with what you want.
We see evidence of that everywhere, too. What’s interesting is a lot of folks that control is tech. Granted that’s true but, in a situation, where you have even the banking industry, you have a large transaction. A good bank gets on the phone with you and says, “Is that real? We haven’t seen anything like this. This doesn’t look right.” Not all banks are perfect. They have controls in place as well but perhaps more aggressively because of the regulations they have to follow.
Ultimately, if everyone already has the data, I can understand why the perception would be, “They got it anyway.” The reality is that these emerging technologies are coming out that we think are great. The not-so-nice guys are also looking at that saying, “How can I use that?” What emerging trends do you believe will have a profound impact on cybersecurity as we move forward with the cybersecurity problem?
When you say emerging trends, for me, that means something that we haven’t seen yet. I haven’t spent a lot of time thinking about it but I can tell you this, I’m very concerned about anybody who’s got access to large sums of money. There’s data that has value in marketing and selling to other companies but then there’s that actual ability to permeate the infrastructure, let’s say, of a bank and remove money from people’s accounts.
That’s one I’ve been worried about for a very long time. I’m watching it for signs of that. Maybe some things have happened that we haven’t heard about because they don’t want to freak people out. Maybe that’s a good word but so far so good. I have some friends in the banking industry. I haven’t heard of anything so far. What have you guys heard?
There’s one trend that I’ve heard about. Let’s call them the bad guys. They’re learning these lessons. If they go after big targets, that’s a lot of big press they probably don’t want. We’re seeing emerging trends where hackers are targeting smaller targets that have lots of exposure, like smaller law firms, for example. The American Bar Association talks about how there are different kinds of attacks that are more focused on a large volume of smaller businesses. You get one and it doesn’t necessarily trigger the media or get a lot of attention to the bad guy, which is what they want.
If I can get a bunch of small companies, we’re going to be able to bring a little bit of money. If I go after a little small law firm and get all their case data, I can extort them because that’s case data. Something the American Bar Association has been tracking is how many attorneys have had this problem. There are some stats out there that would be rather shocking. Going after different target industries impacts you because you chose a vendor like an attorney who doesn’t quite have their house right.
Beyond that, you talk about the finance. There has been a fairly large rolling issue in the banking industry with something called the MOVEit ransomware virus that has been affecting several financial institutions, bringing them down, and different things. Also, what happened to the US government and some other ones, it was a piece of software that caused some issues but you’re right. They do keep it down. Nobody’s lost anything that we’re aware of. How’s that? It is happening to a certain degree. We do need that confidence though and the banking industry to continue.
They’re always going to go after something that has either notoriety because there is a segment of that population that notoriety is why they’re doing it or money. Those are the two reasons they do it. I remember when I had the ISP. I had quite a few banking customers and that was at a time when banking customers were getting ready to adopt online banking. They weren’t doing it at that time and meeting with the board of directors.
I told them I would not build a website for them for their banking industry but I would help them evaluate other players in the market. The chairman of the board looked across the room at me and said, “If we get this software, can you guarantee me that I’m not ever going to get hacked?” I said, “As long as they’re hacking the CIA, nobody can make you that promise.” It’s a risk. That was the question. He was saying, “What risk do I have?” We didn’t formulate it that way. Hopefully, all the banks are asking themselves, “What risks do I have?”
That is the case in heavily regulated industries. They’re subject to more stringent regulations than the average business owner, CEO, or business owner. All of them have that fear of that phone call that starts as a disaster. There’s a disaster journey that they go on and have never been on before. What do you think that that journey looks like for one of those business owners or CEOs?
The journey would be, “We’ve been hacked. I’m going to go throw up. Now what?” Depending on whether or not they have a cool head and how much they know about it, they’ll navigate it better. If they have some advice in advance or a plan in place where they know what their steps are going to be, if and when that call ever happens, they’re going to navigate it much more easily. If they’ve done their risk and regulatory compliance, they’re going to minimize the cost of the corporation. It’s an education thing for small-medium businesses at this point.
One exercise that I did years ago was to write a letter to my customers as an exercise as the CEO explained to them that we got hacked. That exercise was about writing the letter and explaining it. Even though it was an exercise, there was a lot of anxiety involved in this writing. That’s probably a good exercise for every leader to go through, considering that situation and what that might look like. That’s going to help you understand where some of your concerns might be.
We all know that there’s no such thing as 100% secure in any capacity, physical or digital security. There’s always going to be bad guys out there. We know that by being prepared, perhaps you can do a better job of understanding what your real challenges might be. Why don’t you tell us a little bit about your journey and who you are? Let’s change gears a bit here. How’d you get here? Tell us a little bit about your organization in the process.
I’ll be happy to do that. I started in the internet industry when it was in its infancy. That was ’97. I left Corporate America and I wanted to have my business. I went out and bought myself a Cisco router, got a data center, and started selling. We were doing business only. We were helping businesses have a better connection to the internet. There are a lot of stories through that period of managing that data center and the data that was coming through there where you did start to see these actors infiltrating the network.
I used to say hackers, attackers, and pornographers. They had to be dealt with. There were no rules. We made those rules up as we navigated them. The things that were happening and the money that was transacting, those things were letting your core values show up. Your sense of the character of right and wrong came to the foreplay. It was fun to watch the internet community step up with integrity across the board when you’re dealing with your backbone provider or someone else.
Even customers call and say, “We’ve got someone who’s doing something wrong in our office. Can you help us by capturing things and sending them a test?” They’re the customer. It’s their data so we would help them. I’ve had phone calls from the FBI wanting to get access to client servers. We had this pornographer.
We had a smart building, which meant that if you got office space in our building, you were on the backbone. He rented office space and bought the internet access from us. One of the developers came out one day and said, “We have a problem with the guy in the office.” I go, “What’s going on?” “We think he’s doing pornography.” I go, “What do you mean you think?” They go, “We looked at some of it.” I go, “It’s pornography.” I call the guy and I’m like, “What you’re doing down there that’s against our contract?” He said, “That must have been a mistake. Somebody was spamming me. No, that’s not me.”
Within the same day, he’s at it again. It was so simple. We walk into the data center and unplug his connection to the internet. He decided to sue me for breach of contract. I wish I could say that he packed our stuff up and moved off. I don’t like going to court. Nobody likes going to court but he took me to small claims court. Thank goodness. It was just that. I stayed up half the night before.
I’m not an attorney. I’m not Perry Mason. I don’t know how judges make their decisions but somehow, I have to help this judge understand, who’s not a technical guy at all, how we knew what that guy was doing. I managed to do that. The guy lost his case and went on about his business. That was another example. We had a simple way to mitigate the risk. We could unplug him but then the risk of a lawsuit from cutting that off comes back at you.
That was a very real risk for me and I was gratified. It was $4,000 that he was suing me for. From there, things continue to move forward. We the wireless backbone and extended our pipe out to other buildings in the downtown area. I’m going to tell myself a little bit because we had a hot product and everybody wanted it. We were signing people up all over the city and growing rapidly.
I got a phone call from a woman who identified herself as the person at Southwestern Bell, which is one of the baby bells, Orbach. She’d been tasked with the responsibility to build an ISP for them and wanted to know if I would help her. I said no. I would tell my younger self that you couldn’t stop them. They were coming after the market. I didn’t know. I just knew that my clients loved me. We provided a great service.
My ego got the best of me. I thought I was smart enough that I could stay the course. There was no way because they began selling products for less than we could buy them for. They took the market. This is where I’m trying to mentor younger businesswomen. When someone comes after your market share, graciously offer to help them. They will buy your business out and you’ll go do whatever you do next.
Maybe they’ll hire you. You don’t know. Whatever the trajectory that you want. That is the nature of business and how aggregation occurs when a new industry is evolving into the market. I love every minute of it. I wouldn’t trade any of it. People helped me. I love to tell women this too because there seems to be this thought that men make it hard for women.
I was one woman in the internet industry. There were no other women. At one time, I ran across a woman at Cisco who helped me with a technical problem. Other than that, it was all men. Every one of them helped me along the process. I want to say thank you to all of them for all the help that they offered me in my growth and building my business. It was amazing.
I can understand a situation where another business comes after you but I can also relate to a very large business. Let’s face it. A phone company is a big company. For those of you who don’t understand, there are all these kinds of 3-letter, 4-letter, or 5-letter acronyms that are out there. The internet is pretty much in private hands. It’s these large carriers that have those connections.
That’s still relevant in a lot of capacities, not just with telephone companies. You have big search engine companies and social network companies that are impacting security but that create innovation, new ideas, and things of all. I imagine that you have similar ideas. What are you working on? What are you innovating that you’re most excited about?
I kept the programming, the programmers, and the data center. We moved our data center out of the building that we were in. We moved it into someone else’s data center where you can rent space. We started building applications. We built an application for a guy who had a business idea for Africa and helped him take that to Africa. It was a lot of fun. I got to go there and meet with the head of Algérie Télécom.
Being in the internet industry has opened a lot of doors for me. I’ve installed the internet in Costa Rica. That was fun. With a lot of programming going on behind that, we focused our attention on our content management system, which we’ve evolved over the years. During COVID, we decided to productize it. People were withdrawing and nervous. We productized our content management system. We don’t deliver websites anymore without a content management system. We had several goals.
The first one was to make a content management system where people in the office could manage their website. It’s not super complicated. It’s a custom website. We build the integration into the pages for them. We give them a dashboard where they can log in and take care of all. That is a secure multirole dashboard. I have a strong background in search engine optimization. We know what all the rules are.
We decided, “Let’s build the search engine optimization in the content management system.” People know their keywords. They can either hire us to do it or do it themselves. If everything’s in the right place and you’re consistent with your messaging, you’re going to rank. There’s a dependence on the complexity of competition for it but you’re going to rank. Google said, “Speed is a factor.” We built the speed into it.
They said securities are a factor but the only thing that they’re checking for is SSL certificates. I don’t think they’re validating anything else. There’s this broad range of things that could be solved. With our content management system, we’ve taken away their ability to click jack phishing on your website and things like that. We’re looking forward to seeing what else is out there.
As it becomes available, we solve it. When somebody signs up with us, they get our framework. When those upgrades to the framework become available, that becomes a part of their website. It keeps their website evolving. That’s a good thing because, usually, in 3 to 5 years, people are redesigning their website. The technology has fallen behind.
It becomes too open, honestly. If you’re looking at other ones where you’ve got plugins that are being written by thousands or hundreds of thousands of people and maybe aren’t necessarily being tested, there are bad ones that are out there that can open you up to more risk. Everything that you add in and the more complexity that you have, the more there’s that chance of having a home.
I’ve talked to a lot of WordPress developers. We’re talking to them about looking at our product and seeing how that fits in their product mix. They’re very concerned about security issues. They’ve limited the number of plugins that they’re willing to utilize in their development because of it. They don’t have time, as a developer, to test all those plugins. There’s no agency with WordPress. It’s a free and open platform. There’s no agency verifying what’s secure and what’s not. Do you guys remember when GoDaddy had their big WordPress debacle? That was a nightmare.
Web Design And Cybersecurity: WordPress is a free and open platform. There’s no agency verifying what’s secure and what’s not. You want to know that your website is secure.
If you had a bad actor in one of your plugins, they blow it out of your website. You had to deal with the fallout. Those are things that you don’t want to wake up to in the middle of the night on Sunday night. You want to know that your website’s secure. A lot of people will do security audits. Our company will do a security audit of your website. We’ll tell you how you rank, what you need to look at, and what you need to solve.
There’s a lot to process for business owners who have websites and are struggling with those things. A lot of the time, we don’t necessarily think about what got people to where they are, what it is they love, and what things they do that encourage them and drive their passion. Let’s talk a little bit about that dynamic for you. What makes you tick? I want to learn a little bit more about you and how you got to where you are. First off, we know that you’re located in the Tulsa area. I’m sure there are wonderful things to do there but tell us a little bit about you and that journey on how that started prior to the ISP. What’s your why?
My why is I love learning. I don’t think that there would be any other industry that I could be in that would challenge my mind as much as this industry has. That’s one reason I love it. I love helping people and learning. That is what drives me forward. I do B2B businesses primarily because I have a manufacturing background. I spent several years in aerospace manufacturing in the engineering department. I understand their lingo and problems. I can help them and I like doing that. I get a great sense of satisfaction out of it.
Somebody can confuse me with a workaholic once. When you’re a business owner, that’s probably a pretty common thing but I do like to go and have fun. I’ve got a group of friends. One of my friends said, “That’s not a group of girls. That’s a sorority.” We go on these trips together and dance together. I love to dance. I love music. I love to dance to live music. I spent some time helping some of the local musicians with their websites and helping them get what they needed.
I love the outdoors hiking. It’s something I discovered late in life. I would never have said, “I’ll love hiking,” but somebody took me hiking and I caught the passion of being out in nature in some of the most beautiful places that we don’t get to see when we’re locked in a data center or an office somewhere. There’s that beauty of nature.
I picked up kayaking. It was something I just said, “I want to kayak.” My son lives out in Phoenix. He has a friend who can teach you to rock climb and kayak. Whatever you want to do, he’s the guy. I went out there and he had Travis lined up. We took kayaks. We went out for the day and kayaked around. That’s like kayaking. Have either of you been kayaking?
Yes.
Lake, river, or ocean?
Lake and river.
We come from a place where whitewater rafting is more than the bigger things. There are some kayakers that go do that as well but there are some Class 3 and Class 4 around where we grew up. We would go out there and watch those people come down.
I’m not doing the Class 5 Rapids. I want to be clear about that.
I’m not doing that either.
My father also went rafting down the Green River a couple of times. With that wrath or both, he was by himself with the gear for other people. I’m somewhat familiar with the concept of rivers and lakes.
Lake kayaking is great. I could go every Wednesday night. Where I live in Oklahoma, I can be at 3 or 4 different lakes within a 30-minute drive. There’s a guy, an expert kayaker. He wants to teach me to flip my kayak, go underwater, and come back up. I’m like, “No, I’m going to stay up here.” That’s like kayaking. There’s not a lot of moving water close by. The moving water is a thrill. It’s the real deal. First of all, you don’t have to work as hard. You get that little adrenaline rush when you get in some light rapids.
Earlier in 2023, my friend Romy said, “We’re going to go down to Broken Bow. There’s a river down there called Mountain Fork. It’s got a waterfall. We’re going to kayak off a waterfall.” I wasn’t sure. I had to google it and see some pictures of it. I thought, “You’re a strong swimmer. What the heck? What if you fall out of the boat?” We went down there.
First of all, I always fall out of the kayak as soon as I put my boat in the water. I don’t know why I do it but I do. I got past that and the water was pretty rapid. It was shallow so I could get on my feet but it was rapid. I got back to my boat. There were rocks jutting up everywhere. It was the 4th of July weekend. There’s a ton of people on the river. Not only do you have rocks for obstacles but also moving obstacles like other people in kayaks that you had to navigate around.
We got to this place in the river where the water got broad and smooth. There are 3 or 4 of us there looking, trying to figure out if the river is going this way or that way. I said, “I’m going to paddle up here and see what that looks like.” You couldn’t see around the bend. They’re like, “You go ahead and let us know what it is.” I get up there. I feel the water get hold of my kayak so it’s moving. I said, “Yipee Kayey. I’m going.”
I go down this shoot. It was a great ride. It’s downhill. It was smooth. There were no rocks. I get down to the bottom. Another kayak comes by me without the person. I’m trying to catch their kayak and push it back over to some people on the shore that we’re capturing the roving kayaks. I had my back to the river. I could hear running water. I thought, “I think that’s a waterfall.”
I turned my kayak around and gave all my focus to the bow of the boat. I let the water do the work. I didn’t fight it. It took me right over that waterfall without any problems. It was great. I was the first one over. One of my friends came down without her kayak but she had the spirit. She goes, “Let’s do it again.” It’s very exhilarating. I can tell you that it builds your energy up in a way that you don’t expect but you have that energy with you for days afterward. I highly recommend it. I love it.
The empty kayak that you noticed before you went over the waterfall, was that your friend’s kayak?
Yes, it was. We rode back to town together. We’re best friends now.
You probably gave her the confidence, “You made it. Let’s do it again. Maybe you’ll stay on the kayak.” That is what a helper is about, too. There’s some relation there. There are different kinds of journeys in business, cybersecurity, cyber risk, building sites, and whatever it is that you may be doing. There’s always a helper there to help the other ones that are falling out of the kayak so to speak. That’s what gives them the confidence to build their business.
Whenever somebody’s doing something for the first time, in my experience, they see a Class 5 Rapid, even though it may be relatively trivial to somebody more experienced. Sometimes, it’s about finding the right helper who can help you through things. It was a great story. It resonates with me in the sense that you’re helping. That has value to a lot of business owners out there. It’s a wonderful story to hear.
Thanks.
Mary, can you tell us a little bit about where people can find you, especially the helper?
We love helping people and we do have a website. We’re on LinkedIn. We rebranded our company. We got a new logo, DY Site. Our customers are writing it on the checks instead of writing out the whole company name. We rebranded but the website URL is still DesignYourSite.net. You can find me on LinkedIn as Mary Putnam. I’m pretty easy to find. I love helping people. If you have some problems you want to talk about, you can schedule a meeting with me through my Calendly. Let me know what your problems are and I’ll see if I can point you in the right direction and get your kayak in the flow.
I’ve got one more question before we wrap up. We like to give our audience a final action item that they can go do. If you were to give one piece of advice or tip for reducing the regulatory and cyber risk to customers, what would that tip be?
I’m going to focus on the web design aspect of it but there is a broader thing that they need to think about and that is to get an assessment. Find out what your risks are with your digital properties and then make a plan to put yourself on Terra Firma so that you don’t have to lay awake at night wondering what could be happening. We do offer security audits for websites. You can find that on our website as well.
Thank you so much for taking the time to join our show. We appreciate your stories, directives, and advice but most importantly, for sharing your journey, as we believe it helps our audience understand how they can handle cybersecurity and cyber risk. Thank you to the audience. For those of you reading, if you did learn something, please do tell somebody about our show. Mary, thank you so much. It wraps up this edition and it’s been another great episode. We will see you next time. Thank you so much.
Important Links
- DesignYourSite.net
- LinkedIn – Design Your Site
- Mary Putnam – LinkedIn
Mary Putnam
