Protecting Your Digital Assets: Cybersecurity Lessons for IT and OT

Season 3 Episode 9 of Get Smartr Podcast – an LCE Podcast

Join Tara Holwegner for an in-depth conversation with Michael Hoyt, Vice President of Enterprise IT Services at LCE, as they share practical lessons for protecting digital systems, minimizing cybersecurity risks, and strengthening both personal and organizational security in an increasingly connected world.

Michael discusses understanding the mindset of attackers, real-world examples of cyber incidents, and why proactive learning is critical for both IT and operational technology professionals. He also explains how programs like HackWarz® grew from small local events into large-scale, hands-on experiences that help develop cybersecurity skills.

Tune in for actionable strategies to defend against cyber threats, bridge IT and OT security, and implement simple best practices that make a big difference in safeguarding your digital assets.

00:00

Tara Holwegner
Welcome back, listeners, to another episode of the Get Smartr podcast, a Life Cycle Engineering series. Today, we’re talking about cybersecurity—something that impacts everything from your personal devices to complex industrial operations.

We’ll explore why defending against cyber threats matters more than ever and how hands-on learning initiatives, like the program we’ll discuss today called HackWarz®, help bridge the gap between theory and real-world practice for both technical and non-technical professionals.

Joining me is Michael Hoyt, Vice President of Enterprise IT Solutions here at Life Cycle Engineering. Michael has spent over 15 years helping people build the skills needed to protect themselves, their organizations, and the critical systems we all rely on. Welcome to the podcast, Michael.

01:00

Michael Hoyt
Thanks, Tara.

Tara Holwegner
Let’s start with a foundational question: why should cybersecurity matter to everyone—professionally and personally?

Michael Hoyt
There are a lot of ways to answer that, but I tend to look at it monetarily because that hits home for most people. Based on a 2025 IBM report on the cost of a cyber incident, an individual can face around $1,200 in direct costs. And that doesn’t include the time you lose dealing with the fallout. If you value your time at an hourly rate, you might quickly be looking at tens of thousands of dollars in total impact.

02:00

Michael Hoyt
On the professional side, the stakes are even higher. According to that same report, the average cost of a single cyber incident for a business is $9.77 million. In healthcare, it’s closer to $10 million per incident, and in manufacturing it averages around $5 million. On average, an individual incident can cost about twelve hundred dollars in direct monetary loss. That doesn’t include the time you spend trying to resolve everything—which, if you put a dollar value to your time—can quickly turn into tens of thousands of dollars. And that’s just the personal impact, right? If you don’t have the kind of security in place or you’re not familiar with best practices, you could ultimately resolve in a large expense for your business. On average, based on the same report, twenty twenty five IBM report, on average and one incident can cost the business nine point seven seven million dollars per year on average, right? That’s on average. Now take industries like healthcare. Theirs is around ten ten million dollars on average and manufacturing is about five million, a little over five million dollars per incident, and that’s per incident and that, that includes, you know, payouts that they have to pay for whatever damages were incurred to employees or to customers, right? Healthcare, when you, when you deal with PII disclosure PII, you’re gonna get fined, you’re gonna have payouts to those customers or patients, right?

3:00
Tara Holwegner: Patients, yeah.
Michael Hoyt: Yeah, so I mean it’s it’s a big deal. Understanding cybersecurity, understanding what you need to do to do your best in protecting against it, against any kind of incident is, is critical. And you know, obviously that’s just a monetary outlook. There’s so much more reputation. I mean, it just, just all that is, is.

4:00
Tara Holwegner: Right, it’s cost and just a fear factor. I mean, you know, personally. I’ll I’ll go ahead I’m gonna be vulnerable, I’m gonna tell you Michael. So I, I, I got an email and I opened it. It was a phishing email, I was expecting something, this was how good they were. I was actually expecting something from a certain individual. And so it was no surprise for me that the email said, Click Here and open. What was the surprise for me was that it asked me for my Apple ID password, which I thought was strange, but I went ahead and did it anyway and guess what happened? Crawled through my entire. And it’s such a violation, right? It truly truly is that luckily I had dual factor authentication on my account, so they were not, they were limited in, in what was able to be done, but it was still, like you said, it was my time that I had and my stress levels, my blood pressure went through the roof. And other people getting impacted through it too. And that’s just a very simple, you know, thing, but one of these phishing emails, you know, if it gets into, you know, let’s say a utility a power, you know, a utility, like things can get real serious really fast.

5:00
Tara Holwegner: So I want to talk a little bit more about, I mean, we know what can go wrong. We, we, we hear examples of things that can go wrong on the time from very small things like that will happen to me to very, you know, to very large things. But I, I kind of want to talk about the technology itself. So many people think that like. IT and operational technology are separate. And can you explain why the same security principles need to be applied to, to both, to your IT security and to your operational technologies that you’re using?

6:00
Michael Hoyt: Sure, absolutely. So I I’m very much about distilling it down. I’m I’ve been trained in both so I have a background both in IT, which I’ve been doing for thirty years. I’ve been doing IT and OT I’ve been doing for probably about fifteen years or so, as I support the government. And one thing that is common to both and, and you really can’t say that they’re different because they’re the same, same exact thing and that’s networking. And operating system, then every single system, whether it’s IT or OT will have some sort of credentialing, you know, IT sometimes just has like a PIN, you would type in. But it’s still some sort of authentication of whether you’re authorized to, to be on that system or not. Now I’m I know a lot of people that, that work in the OT environments, they they’ll probably say, well, he doesn’t know what you’re talking about because they’re very much about, now it’s different than IT. Well, it might be different in the type of systems, but it’s not different in the the way it works and it’s connected. It still uses TCP/IP in a lot of situations. It still uses Linux or Windows as the operating system. And that’s what you need to secure, you know, and with that comes the credentialing and so on. So that’s why I’m a firm believer that IT principles apply to OT as well. They just might not apply the exact same way, but they will apply. An example would be in IT systems, you would have a password that would be fifteen to at least fifteen characters in length that’s complex. Well, some of the OT systems don’t have that capability, you know, you’re at a machine, right? Manufacturing machine and you have to type in your, your five, five, numbered PIN to get it started. Well, that’s.

7:00
Tara Holwegner: Employee number or whatever.
Michael Hoyt: Right, whatever it is, right? To to turn it on. So it has some limitations but still some some method of of authenticating who you are. So bottom line, you still need to implement the the same kind of security. You may implement it differently and you might have some compensating controls to, to secure it, right?

8:00
Tara Holwegner: Do you think there’s a resistance to that? Like, oh, it’s not as. Critical or as, like kind of a almost we got this sort of mentality to OT side of things or what, what are your thoughts about that?
Michael Hoyt: Yeah, I I think you you hit it right on right on the the notes there with regards to I think there’s that cockiness of, oh well we’re not really connected to the internet or we’re we’re, we’re behind the Purdue model of security, which is essentially a layered method and a segmentation method of securing your OT systems. But more and more those those mechanisms probably most likely because they’re not implemented correctly are not as effective, right? And, and I hate to say it. Once you plug in a system onto the internet or into a network that has connectivity to the internet, it’s game over. You’re already vulnerable. I’ve. Up there. So and there there are websites out there that will actually scan your online infrastructure and it will determine whether it’s it’s vulnerable or not and how easy it is to get in. So, I mean. It’s a false sense of security that OT professionals have. Oh, well, this is not the same type. It’s still vulnerable.

9:00
Tara Holwegner: Well, and I think it’s a good, it’s a good example of how, you know, cross functional partnerships and having, like governance around how, whatever systems you’re using that you, that you fall in line with a certain governance about security. We say, we say reliability is everyone’s response. And a part of, you know, definitely a part of operation or operating in the reliable way is to make sure that all of your systems are secure. So I mean I would say it’s definitely an opportunity for people to get connected. So I want to switch gears because we mentioned Hackwarz® in the beginning of in in the intro to. To this, to this episode, and it’s such a cool program. I I would like for you to tell our listeners about Hackwarz® that what it is and how it got started and kind of how it evolved from like grassroots, small local gatherings of people trying to learn more about. Cybersecurity and how, how best to protect their, their systems into a large or into larger events with companies getting interested, you know, even even even the the government or federal government getting interested. So tell me more about the program.

10:00
Michael Hoyt: Sure absolutely. So, give you a little bit of background of how it started. Hackwarz® was something that was developed back in two thousand twelve. I created that to address some of the concerns I had with our training programs. We didn’t really have a decent training program that revolved around defensive cybersecurity, and as many many people know that are in defensive cybersecurity, they understand that the best way to learn is to learn how the attacker does it so that he can defend against it. So that’s what Hackwarz® is all about. Hackwarz® was developed for internal training, and what it is, is a cyber, I like to call a cyber range training environment, so cyber range in which cyber professionals can practice their craft in a safe environment. What does that mean? It’s, it’s an environment that’s segregated so that no, no, attacking can be done outside of the environment. Which if it ever did happen, that’s illegal. So this gives them a, a safe environment to do the attacking and learning how that works without getting themselves in trouble by the law. So we started off internally, we had, I don’t know, forty or so participate in our first one, which was a success for us. We learned a lot from it and and have been refining ever since. Well, as you can imagine, the word got out. Once the word got out.

11:00
Michael Hoyt: It’s a it’s it’s hard. That is true, that is true. So once the once the word got out to our partners here in our Charleston area, we got calls from various companies asking if they could send somebody to participate in the event through several trials of, of getting approvals. We finally did get leadership to, to approve it.

13:00
Michael Hoyt: And we had our first one about a year after it started and it was hugely successful. We had sixty plus people on it. It was. It went really, really well. We, we learned that there’s a few things we had to fix to make it more enterprise level. And from there, then we started talking to Amazon. As we started taking this on the road and we were asked by several conferences to, to have it as a, as their hacking event, right? Nice. So first one we ever did was with the Chamber of Commerce here in Charleston. We did we did one for that. And then the CDCA, the Charleston Defense Contractors Association asked us to participate in their yearly summit. At the time it was C5ISR conference. We did it for two or three years. We’ve also attended several other events AFCEA events, one of them up in Norfolk or or also Norfolk area specifically and it was supporting the maritime IT summit up there, and for the last four, maybe five years, we’ve been doing it at the PCDC, Palmetto Cyber Defense Competition with in partnership with NIWC here in Charleston. That’s also an AFCEA event. We’ve also had the event at BSides and a few other side side events. We we got a grant to do it for a an internship program. It ended up being the, the final, could almost say the final capstone event for the internship to have the Hackwarz® event.

15:00
Tara Holwegner: Yeah, I think that’s a great idea.
Michael Hoyt: So all in all, we probably had about twenty, twenty five events or so, several internal and the rest were external in various conferences and so on. So it’s been a huge huge success.
Tara Holwegner: Well, I think that’s wonderful, and, you know, for listeners out there, we will be, you know, putting some resources and links in the session notes to learn more about the program and how you can bring Hackwarz® to you. But, but I I think it’s really interesting that you, you’ve created this. You called it defensive cyber security, but in order to be successful at it, you have to think about, you have to get into like the minds of the hacker, right? Or like where like finding the vulnerabilities and, you know, being creative about how to, how to do that. And. What do you think, what have you heard from the people who have attended like what were their big ahs? You know, what do you think, maybe some common themes that you’ve heard from people who have participated? Could you share that with us?
Michael Hoyt: Yeah, absolutely. So one of the things I I didn’t quite mention before that Hackwarz®, when we developed it, we didn’t want to make it. For a specific skill level. We made it so that even somebody that has very little understanding can, can come in and do it, right? And so it really has been a learning experience for a lot, and that’s, that’s probably the number one thing we hear from participants is that they learned a lot and they didn’t realize how easy it was to use those common tools that you can get online to break into a system or to gain access to passwords and, and, and crack. A password. You know, things like that, it’s it’s, that’s mostly what we ever hear is, is how easy it was and how eye opening it was.

17:00
Tara Holwegner: Right, so it’s not just for the IT professional, you know, who is going to become a cybersecurity professional, like this is something that everyone, you know, can benefit from learning about more about how to be. How to protect yourself more, and, and your.
Michael Hoyt: Be aware.
Tara Holwegner: Yeah, I.
Michael Hoyt: Of what your attackers are doing to you. Yes.
Tara Holwegner: Yeah yeah man, I wish I had when I before I opened up that stupid email. So let’s talk about that. Let’s, let’s talk about beyond Hackwarz®, what lessons can, our listeners take away about building cybersecurity skills? And, making responsible decisions. Where they place that digital footprint. So, what are a few less lessons you could tell listen.

18:00
Michael Hoyt: Yeah, I’ll I’ll start off by self education, right? There’s a lot of online resources in in the amount of information and and opportunity to grow your skills is incredible compared to what it was twenty, thirty years ago when I first started my in the industry, right? In the in the IT industry. Resources are available, so there’s no excuse, right? So go out there and watch YouTube videos. There’s, there’s several folks that do YouTube videos that are not only funny and entertaining, but very educational and they’re, they’re, the videos are, are at the level that. Are basic. They’re, they’re not over your head, they’re very layman’s term.
Tara Holwegner: Technical, yeah.
Michael Hoyt: That’s too technical and it’s and it’s really to educate you on. Free, absolutely. I’m I’m all about free, right? So, so that’s, that’s, you know, self educate I think it’s important you, you be aware and understand and and I wouldn’t say just on how to defend, but also understand how it is being done against you, you know, offensively cause that’s, that’s really the best way to understand. And and then overall best practices for cybersecurity that can protect is in your case with emails, right? Sometimes when you see an email from somebody and you think it’s legit, but yet at the same time it’s like, why do they need to know that, call them. Call them.

19:00
Tara Holwegner: Oh yeah.
Michael Hoyt: So, so.
Tara Holwegner: What would we call that, we would call that not offline, but well I guess it is offline, but.
Michael Hoyt: Yeah, verify, right?
Tara Holwegner: Yeah, verify.
Michael Hoyt: Just verify with the the sender that it was intended and and what the purpose is. You know, there’s this concept that’s that’s being pushed now as zero trust and that’s basically the concept of don’t trust anything or anybody. So you should be skeptical of every email you get of everything you receive, even call. Out of the blue. If your bank is calling and they want specific details, most likely not valid. Be very skeptical, right?

20:00
Tara Holwegner: I think that’s excellent advice especially with people getting phone calls and, you know, they’ll sound legitimate. I mean, I I think I got one that they told me I had a parking ticket that I hadn’t paid and I needed to go and I needed to pay immediately or my car was gonna be. Towed or something, and I was like, who is this? What? Yeah.
Michael Hoyt: I don’t know. Don’t.
Tara Holwegner: Trust.
Michael Hoyt: Contra and verify and yeah unlike trust and verify now don’t trust Exactly. No, but I I would also say I think it’s good practice that you get used to maintaining your your accounts. You know, have a list of all the accounts that you have. And change passwords and by all means do not use the same password across all of them. Number one flaw, people do that. It is good practice to have your passwords be fifteen characters. I know some some sites are limiting you to eight characters. I understand that, but you know, it’s it’s important to change them regularly. If you change them every ninety days, there’s a good chance you’re safe.

21:00
Michael Hoyt: And I say this because you can’t guarantee a hundred percent, you’ll be safe. I mean if a hacker wants to get in, they’re gonna find a way they’ll spend the energy to do so. But all you need to do is just be more secure than the next person because human nature people take the the easiest path. So if you if you put up. Some resistance, guess what? They’ll probably say it’s not worth my energy, I’ll move on somewhere else. Yes.
Tara Holwegner: Right, so. Ah, that’s excellent.
Michael Hoyt: And you know, so if you just keep those things in mind, you know, maintain your accounts, keep your systems updated, make sure they’re patched. Whenever a new patch comes out for your Windows system, patch it. There are two, two schools of thought on that. Some say wait a week or two to patch in case there was some sort of bug or something in the patch that they had to fix. I’m of the opinion of you should just probably patch it. You can always reverse the patch if you need to, typically there’s a way to do that. But you know Patch Tuesdays especially if they’re security patches, very critical you do it sooner than later.

22:00
Tara Holwegner: I wanna forget, you know, if you say oh I’ll update this in a week and then I mean life happens. So, you know, if you’re taking that action now, well I think that is wonderful. I think that’s, that’s so great. I think you’ve definitely. Given our listeners a lot to, to think about. We are going to have some of those resources in our episode notes, but, but I did, and, and I appreciate you talking about Hackwarz®. It’s such a, a great program that really helps people, get out of. Just thinking and more doing. So it’s application based. It’s, it’s working through problems and like you said, the biggest takeaway was just, just how easy it is and how vulnerable we are out there, but a few simple things can make you. Less of a desirable target, I guess. And your organization. Less of a desirable target.
Michael Hoyt: I mean I will say if you’re the government or you’re a big manufacturing company that’s has lots of dollars unfortunately, you’re gonna be a target no matter what you do, but.
Tara Holwegner: Exactly. So, so have the governance, take it seriously, get IT and OT on board and learn more about those best practices and work with the experts to make sure that you have a good security posture. So that’s what I would say. Let’s go here then. So.

24:00
Tara Holwegner: If someone remembers just one thing from today’s episode, Michael, what would you want that to be?
Michael Hoyt: So there’s so much to take away, but I I think you can summarize all of it is by saying, an incident will cost you a lot of money.
Tara Holwegner: And I’ll.
Michael Hoyt: Be prepared to protect yourself to to lower the costs basically.
Tara Holwegner: On on and on so many levels, the costs are emotional and and and money. But I I’m gonna say I liked my don’t trust and.
Michael Hoyt: There we go.
Tara Holwegner: But I like that is I like that as a good tagline too, but but I mean so many other things to take away cybersecurity matters to everyone. It and OT are connected and the, you know, the, the, the ways that you can secure IT maybe a little different from OT, but the principles, you know, are, are, are the same.

25:00
Tara Holwegner: A few tips about specifically about maintaining the accounts. So don’t do like I do and have, you know, one or two passwords that I use across the site because I think it’s making it easier on me, no, have fifteen character passwords, change them up every ninety days. You know, utilize now, we’ve got. So much help already there, now a lot of your phone will help you build strong passwords and keep them. You know or or, there are password service creation services out there too, you know, like apps or whatever that’ll help you keep, keep more, keep more safe that way. Educate yourself. Educate yours. On the best practices. I can’t wait to check out some of these YouTube videos. They’re funny and engaging and they’re free, but they’ll give you some things that you can do to be proactive in managing your risk. So, I just want to thank you so much Michael, for joining us on the podcast today. It’s been.
Tara Holwegner: Delightful and I think we’ve learned so much already and I mean it’s only been like twenty eight minutes. Look at what you’ve shared.
Tara Holwegner: No, so thanks again Michael, I’d love to have you on the show another time to.
Michael Hoyt: Maybe.
Tara Holwegner: Dig into some other cybersecurity things or learn more about how Hackwarz® is, is taking over and helping people be more managing their risk.
Tara Holwegner: But, it’s just been, it’s just been a delight, so thanks a lot.
Michael Hoyt: Absolutely. Thank you.

Tara Holwegner:
Okay, until next time my listeners, let’s stay smarter, people.

The Get Smartr podcast brings together industrial asset management, engineering, reliability, maintenance, operations, human performance, and change management professionals and thought leaders for in-depth discussions and knowledge sharing of best practices for improving operational performance.

Each episode features interviews with Life Cycle Engineering’s subject matter experts, plus insights from past and current clients, executives, partners, and industry thought leaders. Through our episodes, listeners will gain a holistic view of how to achieve a “smart culture” that is foundational to improving performance, reducing risk, and engaging employees.

To learn more about the Get Smartr podcast, get notified when we post new episodes or submit a question go to our Get Smartr Podcast Page.