When TechInformed first encountered Danny Jenkins last summer at Black Hat USA, the CEO and co-founder of Orlando-based cyber firm ThreatLocker introduced the core principles of Zero Trust through an access analogy, drawing parallels to his own home setup.
“I have a cleaner who comes in once a week and can go into most rooms to clean, but not the safe. The pool guy visits monthly and is only allowed by the pool, not anywhere else in the house. My daughter’s boyfriend can stay in the living room but not in the bedroom!” he explains.
“We basically apply this same rule to software; each program is given access only to what it needs, and everything else is automatically restricted,” he adds.
Applying this type of segmentation, he claims, minimises the damage to your network in the event of a cyber-attack, and it involves treating all software with suspicion.
That Logitech camera app, for instance, that your colleague plugs into his computer to make himself look ten years younger on Zoom? This can see your company’s files, finance data, and network shares.
“I’m not suggesting it’s been stealing data,” adds Jenkins, “but if that software has a vulnerability or a backdoor, it could see and take it. Every software program you run can see your files. You want to block it and limit what it has access to.”
While this sounds simple enough, Jenkins claims that the number of companies who take this approach is not as high as it could be because it involves a technology and mindset overhaul.

Zero Trust strategies require a technology and mindset overhaul
Transitioning to a Zero Trust model requires reviewing existing security infrastructures, and many firms operate on legacy systems that may not seamlessly integrate with these principles.
Adopting the mindset also involves a cultural change from all levels of an organisation and investment in new technology and training.
Zero Trust adoption has seen significant growth over the past few years. In 2021, approximately 24% of organisations had adopted at least one Zero Trust strategy for cyber security. According to Gartner, this figure increased to 63% by the last quarter of 2023.
Jenkins’ Zero Trust platform, ThreatLocker, claims to block unwanted software from running, regardless of administrative privilege. It also offers endpoint security, application control, and ransomware protection solutions. The firm has grown five-fold as Zero Trust has gained traction.
“Zero Trust is going viral — people are talking about it. At the beginning of 2021, we had 25 employees, and now we have 480,” he says.
Making the business case for Zero Trust
For Jenkins, a former ethical hacker, it’s more than just a range of technology solutions; he’s become an enthusiastic advocate for the cause. At any cybersecurity event or trade show, the ThreatLocker booth or logo is hard to miss in a prime spot.
You’ll also likely find Jenkins at tech conferences, where he educates attendees about supply chain security, hacker mindsets, and the latest malware trends — all through the lens of Zero Trust.
Why has the CEO taken the “go big or go home” approach?
“It’s always been my goal to make Zero Trust the norm. Right now, it’s still not the norm. To do that, I need to jump straight in. I can’t just dip my toe in the water,” he explains.
“Every time we are given investment I ask, ‘what’s our goal?’ We want everyone to know what we do and why it’s important. So we go for the biggest booth, get out there in front of people on the biggest scale possible, and hire in groups of 50 people,” he says.
Evangelising about Zero Trust is easier now that the company partners with and protects over 50,000 organisations, with its latest Series D fundraiser clocking in at $115M. It was much harder when Jenkins first tried to market the technology in 2017.
Knowing he was onto something after a basic version of ThreatLocker running in a local school was able to fend off the worldwide WannaCry ransomware attack in 2017, he tried to get it in front of investors.
Jenkins recalls that this was a boom-and-bust period for his business, which was also focused on several other IT ventures. At times he and his wife (ThreatLocker’s co-founder and COO Sami) would drive around in a nice car; at others they’d struggle to pay for groceries.
“Two things stopped us from getting investment,” he recalls. “The first was that people said it was a dumb idea. No one will buy something that asks them to approve everything explicitly. They said it was hard, too complicated, and that it would stop them from running new software.
“The other thing that got us shut down is that my wife and I, plus my brother-in-law, invested in the company, and investors don’t like husband-and-wife teams.”
Jenkins’ big break came when he convinced a facilitator of key angel investors in the area to agree that if Jenkins could break into the facilitator’s network, run some malware and exfiltrate all his files, the facilitator would put him in front of a bunch of Florida angels.
He also hired a guy to make 400 dials a day to companies, which got ThreatLocker in front of a small aerospace contractor, which became the cyber firm’s first paying customer in 2018, providing a valuable proof-of-interest to investors.
“It was still tough. But we got angel investment and were able to do more marketing and work more on the product. It was still buggy, but we were turning it into a business.”
Why do SMEs need Zero Trust?
ThreatLocker’s customers include many mid-sized businesses which span a range of sectors, including the City of Champaign, Redner’s Markets, Stampede Meat, Advanced Medical Transport, Titanium Computing, Aurora InfoTech, Hattiesburg Clinic and, most recently, the NFL team, the Indianapolis Colts.
“Most small and medium businesses believe they are not a target, but 95% of ransomware attacks are on small businesses,” he explains.
“Many don’t realise they’re more likely to be hit as part of a broad, indiscriminate campaign. Cybercrime is now a $10bn business.
“These companies will target 1,000 businesses, and of those 1,000, they will get a foothold in 300 of them; of these 300, they will get backups in 150 of them and deploy full ransomware in 20 of them, and that’s their business. It’s a volume game.”
Drawing from his earlier experiences of managing IT for small businesses, he highlights the profound consequences these attacks can have.

Zero Trust customer Indianapolis Colts
“Even if a two-person construction company doesn’t go out of business, being unable to respond to quotes or send invoices can cause significant disruption.”
He emphasises that a cyber-attack is now the biggest threat to a company’s survival — more so than traditional risks like a building being destroyed.
For instance, “If you lose all your files as an accountant, what do you do with that?”
Similarly, he adds, if a dental office loses all its patient records, recovery is extremely challenging. Even if businesses bounce back, they will likely lose at least 25% of their clients because “the trust is gone.”
When we next meet Jenkins, it’s at London’s ExCeL for the Black Hat Europe event in December. True to his word, ThreatLocker secured the largest booth and the prime lunchtime keynote on the first day.
The session focused on debunking common cybersecurity misconceptions, such as the belief that on-premises data storage is inherently safer and the exaggerated fear that North Korean hackers pose the biggest threat to European businesses.
What’s safer, cloud or on-prem?
According to Jenkins, the question of cloud vs. on-prem security isn’t straightforward. He challenges the assumption that on-premises servers are always safer, citing the 2019-2020 SolarWinds Orion breach as proof that even systems without internet exposure can be compromised.
In that attack, hackers injected malicious code into a software update, giving them backdoor access to customer networks without needing open ports.
Jenkins explains that cloud vulnerabilities typically cause less damage than on-prem ones. In the cloud, a breach might expose internal and customer data but is more contained. In contrast, an on-prem attack could compromise the entire network, spread ransomware, and leak sensitive files.
He concludes that security isn’t about choosing cloud or on-prem but understanding each option’s risks. For less sensitive data, the cloud is often the safer choice.
Korean hackers vs. vulnerabilities and exposures
Jenkins also believes that businesses should be more concerned about vulnerabilities than the threat of North Korean hackers because of the difference between perceived risk and actual risk.
He explains that while intentional sabotage — like a North Korean spy infiltrating a company to inject malicious code — is terrifying and grabs the board’s attention, the likelihood of it happening is quite low.
“These scenarios are rare but have a high fear factor because of the idea of someone deliberately targeting a business,” he adds.
In contrast, vulnerabilities in software are far more common and pose a much greater threat. For example, over 21,000 Common Vulnerabilities and Exposures (CVEs) were published in 2022 alone, and similar numbers are reported yearly.
“These vulnerabilities aren’t intentionally malicious but can be exploited by attackers to cause significant damage,” he explains.
Jenkins adds that there’s a rising trend of weaponising legitimate software features, with many modern ransomware attacks using common tools like PowerShell and WinRAR, which tend to be overlooked as security risks.
Why it’s a Zero Trust World
With the number of large language models (LLMs) increasing in size and scope, Jenkins believes that AI chatbots also give attackers a big advantage. AI itself isn’t inherently a threat, he adds; rather, it’s the misuse of AI that leads to harmful outcomes.
“AI can effectively generate malware, including undetected variants. In the past, creating malware required programming skills and could take hours, with the creator fully aware of the risks involved.
“Now, tools like ChatGPT make it accessible to those with minimal stakes, effectively arming individuals without significant consequences with the ability to generate malware.”

Cheque, please? Money back for cyber heroes who gain their certificates
As a result, Jenkins predicts that we will see an uptick in coordinated ransomware. “It’s not going to go down. It won’t go down until it gets easier to prosecute people,” he adds.
All these issues and more are discussed at ThreatLocker’s event, Zero Trust World, held near its headquarters in Orlando every February.
Basking in the warm Florida sunshine, IT professionals can learn how to secure their networks and software programs, how to think like a hacker, and how to prepare for and get used to cyber-attacks through interactive sessions and tabletops.
There’s also an opportunity to take ThreatLocker’s Cyber Hero Certification Exam. Those who pass will have their registration fees refunded.
To conclude, Jenkins emphasises that all companies should assume they have been breached and recommends hardening systems.
For those on a tight budget, he suggests implementing two-factor authentication, not something the firm sells, but a simple yet effective measure to thwart attacks quietly. In short, trust no one!