How I Got on an ISIS Kill List
You never know when you might be a target… Watch this interview to learn how Tom Kirkham, CEO & Founder of IronTech Security was put on an ISIS kill list and what’s done to stay safe.
Prefer to read? (Transcription)
Tom Kirkham: I have this interest in thinking like a criminal. You know, it’s not like I want to be one. Like, any good attorney knows how to bribe a jury, but they don’t do it, right? That’s what makes them a really good attorney: being able to think like that. And so I was always thinking about how would I get away with robbing the bank across the street? Or how would I penetrate this company from a technology perspective? So I always had that knack. So I was driving our company to get more and more into security. And then, in 2015, I was visited by an FBI agent that walked into the office and said, “I’m looking for Tom Kirkham. I’m so-and-so with the FBI.” He held his badge up, and he says, “You’re in trouble, but it’s not with us.” And he began to tell me that I am named on an ISIS kill list. Now, you may remember around 2015, there were a number of ISIS kill lists that came out. Most of them were politicians, law enforcement, military, New York City metro area, Washington, right? There was one list during that time that was random across the whole nation. And it was because of a data breach. And American. And Georgia Augusta had breached this database, she had breached that database, and she was part of the United Cyber Caliphate, which at the time was ISIS’s National Security Administration or US Cyber Command. And they were highly skilled. But she sent that in and said, “Make this a new kill list.” And so that’s what they did. Okay, so it really increased my passion for going into cybersecurity.
No kidding. Just a little bit. Tom, take me to that moment. So you’re just, it’s like another day at work. You’re in the office, not expecting this at all, and an FBI agent walks in the door, the rush in their badge. What are you thinking initially in that moment? I mean, can you remember, like, you’re the first thing, like, what happened right there in that? Right, right.
It was in July. I may have said it, but it actually happened in July. And it was right around July 4, and I can’t remember what day of the week it fell on that year. It might have been a Saturday, and the whole office was closed, except for me and one other person, who is our president now. And it was just me and him. So, you know, nobody would have believed me if I didn’t have an eyewitness to all this stuff. But he comes in and he’s going, “Yeah,” and he’s in a polo shirt and blue jeans. And he’s, like, 30-ish, you know? Yeah. But say it didn’t really click, it didn’t begin clicking until about 30 or 45 minutes into the discussion. And so I said, “Hey, I’ve never met an FBI. Can I look at your badge?” And, you know, and see all that again, you know, because I knew I had the right to, right? So, “Oh, yeah, sure.” So I said it, and I handed it back. And we’re just kind of, you know, “What’s the name of this caliphate thing?” and all that. And so finally, I said, “So what does this mean, that they’re going to, you know, try to hack into my bank account or whatever?” And he goes, “No, they’ve designated you to be killed. They want you assassinated, murdered.” And that’s when the gravity of the situation really sunk in. And of course, when you really start thinking about it, not only you have personal protection, but you got to think anybody around you could become a possible target. So immediately, I said, “Well, I’ve got to notify family and friends and colleagues that I’m on an ISIS kill list, and just understand that the likelihood of anything happening to me is extremely slim.” And it’s not like I gotta worry about someone coming over from the Middle East to kill me. What they really were doing, one of the things they were doing, was recruiting lone wolves, other Americans that are sympathetic, they want to be a part of ISIS, and we just happen to have a couple living here in my town. 
And they eventually ended up getting arrested just before what I think was an imminent attack on the shopping mall. So I had to worry about that, you know, and so I didn’t talk to anybody except those that needed to know for a couple of years.
Would you describe that relationship that you shared with me earlier? And why it’s, you know, ultimately the leader’s responsibility to protect the organization when it comes to these cybersecurity issues?
Yeah, okay. It’s, first of all, the vast majority of the population vastly underestimates their risk of being attacked. And some of these attacks are catastrophic, you know, that can put your firm out of business. And what I frequently see is, you know, it’s really easy to make a management decision to say, “Okay, I’m convinced we do need to up our cybersecurity game,” but then in certain industries, because we cover more than engineering, and certain industries, I see the head guy or the top three partners in an engineering firm, they just exempt themselves. They’re exceptions to the security rules. And they’re not setting the tone at the top, they’re going through the motions. So that was a great management decision. And this is where companies, they really don’t end up implementing halfway measures. But when you realize that over 90% of the breaches is because a non-malicious employee let the hackers into the organization, it’s not a technical problem to be solved. You know, we can put all these wonderful new technologies on there to get you to where it’s a, you know, point, zero 0% chance you’ll have an attack, and everybody’s got their own risk profile. But when you understand that 90% of breaches are a people problem, and you’re not setting the tone at the top, you’re not really addressing what the vulnerability is. It’s not do-it-yourself any longer. Yeah, I mean, it’s just not. You’ve got to go to the experts to really understand it, and you can just engaging with advice, you can get a vulnerability scan done on your network, you can cut your risk in half, to your entire firm. If you implement continuous cybersecurity awareness for everyone in the firm, that will cut your risk in half. These guys that do the psychological manipulation, they’re good. You know, the days of broken English, misspelled words, bad graphics on these emails, I get a chuckle when I see one because they’re so rare anymore. 
I mean, they can fool me that, you know, we simulate phishing attacks on our company every week. And there’s only one person that’s got 100% score, and I’m not him. I’ve been fooled. And it’s something that just, I’ll be working on my Google security settings, and it just so happens that I get one of these simulated phishing emails that say and how your Google security settings changed. And I’ll click on it, and the next thing, I’ve got a two-minute training video on why I fell for it.
Oh my goodness.