SMG Expert Spotlight—Fred Gruhn

Employee Spotlight | Oct 15, 2019 Employee Spotlight 10/15/19

Our new expert spotlight series showcases the great minds of SMG—those who keep us innovating, growing, and driving meaningful change. In honor of National Cybersecurity Month, we sat down with Fred Gruhn, Manager of Security + Compliance, to get the scoop on today’s biggest data security threats and how to best keep cybercriminals at bay.


Fred Gruhn Social


What is your day-to-day like?

One of the best parts of my job is every day is different. I could be working on a security assessment for an RFP, processing data privacy requests, coordinating an external audit, or working on SMG’s security awareness training for our employees. I love the variety.


October is National Cybersecurity Month. Why should this topic be top-of-mind all year long?

The evolution of big data has resulted in cybercriminals targeting all kinds of businesses for their attacks. Whether it’s the submission of fake invoices or attempts to access and extract data assets from companies, the need for a strong cybersecurity program has never been greater.


What are the biggest challenges of your job?

Keeping up with all the fast-paced changes—new tech and capabilities, what’s happening in the industry, new risks/ways people and systems can be compromised. I am charged with evaluating and improving our overall security strategy while also navigating daily developments. I listen to the podcast The CyberWire every day on my commute home so I’m always up-to-speed on global threats, industry best practices, and how other companies are handling regulations.

I never enjoy having to tell someone they’ve violated a policy or they’re continuously failing our regular phishing tests. It’s important not to shame them but to help them understand the increased risk that their actions have caused. We’re all busy and have a ton of emails coming in, and it’s easy to just click on the links without thinking. Phishing emails are by far the number one attack method used by cybercriminals, which is why our employee training efforts have a huge focus on educating our employees about how to recognize and report these fraudulent messages.


In addition to the phishing tests, what else is SMG doing to ensure its security efforts are best-in-class?

SMG has separated themselves from other companies by conducting monthly, video-based training—rather than the dreaded annual PowerPoint presentation. This effort has been crucial in changing SMG’s security culture, as it continuously keeps security topics top-of-mind.

We also hold annual data audits, regularly review and update our security roadmap, and upgrade firewalls for more detection of risked activity. Scott Lavery, SMG’s Director of Network + Infrastructure, and his team play a pivotal role in implementing these security enhancements.

All in all, we’ve seen a significant improvement at SMG. Employees are much more aware. They’re stopping people in the building who don’t have a badge and escorting them back to our reception area. They’re thinking twice before clicking on links. Security requirements are considered in the development phase of new projects. We’ve put security first.


How has data security safety evolved in the last 5 years?

Cybercriminals used to primarily focus on weaknesses with hardware and software, but now it’s the people running the machines that are the targets. It’s too hard for criminals to hack into a firewall these days (they’re too protected), but it’s easier to send a fake email with a link in it and get people to just hand over their passwords to a fake website that looks like something they’re familiar with. The security focus is now on leveraging newer technology to send alerts and keep everyone up-to-speed on their online activity. And to provide constant training so employees are skilled in determining if the content they’re seeing is legitimate.


List the top 3 security best practices every person should follow right now.

  1. Use a unique password for every online service you use. Get a password manager (lots of free options, like LastPass, DashLane, OnePassword, etc.).
  2. Create a passphrase with spaces, not a password. Make it a full sentence. It’s so much harder to crack and much easier to remember.
  3. Enable multifactor authentication for all your logins.
  4. (I know you said 3, but I need 4): Tell your family and friends to do these things, too, especially older relatives. Spread the word!

What is your proudest professional accomplishment?

I just passed the CISSP (Certified Information Systems Security Professional) exam, which is a top tier cyber security certification. It was intense, to say the least!


Fred Gruhn | Manager, Security + Compliance