Original Thinkers #5: Meet world-renowned cyber-security expert Sami Laiho who warns when it comes to prepping for an attack, “don’t let perfect be the enemy of good.”


Sami Laiho is one of the most respected names in global cyber security. A Finnish expert on Windows systems and security hardening, his career spans back to the mid-1990s. He has been a Microsoft MVP for over a decade and is now a Security MVP. Whether as Chief Research Officer at Adminize, a trainer, or a keynote speaker, he is renowned for making technical risks tangible and practical. His sessions have consistently ranked among the best at major tech conferences – from Ignite 2018, where he claimed the top two session slots out of 1,708, to the Nordic Infrastructure Conference, where his talks regularly top the charts.

I met Sami at CollabDays in Helsinki, where he once again captivated a packed audience. This week, we sat down to go deeper into his specialist subject: the practical realities of cyber defence in a world where attackers are better resourced than most IT departments.

From the hidden dangers of everyday devices like air fryers and doorbells, to the rise of deepfake scams costing companies millions, and the five non-negotiables every IT team must act on now – Sami pulls no punches. But he also shares why inspiration beats fear, and why the secret to his consistently top-rated sessions is storytelling that makes people feel empowered rather than paralysed.

Juliet Stott: In your recent CollabDays talk you said it takes just two hours from initial breach to full compromise. What does that say about the urgency of today’s cyber security landscape?

Sami Laiho: It means we no longer have the luxury of time. Traditional logging and SIEM approaches are too slow – by the time you’ve spotted the bad thing, it’s already happened. Organisations must shift to endpoint detection and response (EDR/XDR), which can stop an attack as it happens. And many already own these tools – Microsoft 365, for example, includes security features most companies never bother to configure. Start by checking your Microsoft Security Score: don’t aim for perfection, and don’t let “perfect” be the enemy of “good.”

Juliet: You also mentioned attackers can sit undetected for 180 days. How do they get in, and how should organisations rethink monitoring?

Sami: The main entry points are services exposed to the internet: VPN gateways, cameras, firewalls, even remote management portals. Remote work and cloud adoption have only widened that attack surface. By default, Microsoft logs give you just 30 days – useless if attackers wait six months to act. Companies must extend logging and patch relentlessly. It’s better to allow an update that might briefly disrupt uptime than suffer a three-month outage controlled by criminals.

Juliet: You warn that devices as ordinary as doorbells and air fryers can be attack vectors. Why are they so dangerous?

Sami: Because they’re all computers now. A washing machine or camera runs Linux, needs updates, and can be hijacked. Usually, criminals don’t care about you personally – they use your gadgets to launch distributed denial-of-service (DDoS) attacks on banks or retailers. For consumers, two golden rules: always enable automatic updates, and buy from reputable brands that take security seriously. For companies, isolate IoT devices on a separate network. A misplaced security camera has already led to a full-scale ransomware attack in Finland.

Juliet: You’ve compared ransomware gangs to the mafia. What trends should IT leaders worry about most?

Sami: Double extortion is the standard now. Attackers don’t just encrypt your files; they steal them first. Even if you recover systems, they’ll threaten to leak sensitive data. And yes, criminals have bigger budgets than most IT departments. The best countermeasure is independent security audits – ideally once a year – to simulate how an attacker would behave and expose your blind spots before criminals do. Cyber insurance helps with recovery, but it’s no safety net: if you cut corners on basics like multi-factor authentication (MFA), you may find your policy won’t pay out.

Juliet: For IT leaders short on time, which threat intelligence sources are worth checking?

Sami: Bleeping Computer is a solid daily read for technical news. Recorded Future is excellent for executives. Patchmanagement.org helps track vulnerabilities that actually matter. And yes, security folk are flocking to Bluesky as a replacement for Twitter/X. Pick one or two sources you trust – don’t drown in data.

Juliet: If you had to give IT departments a non-negotiable checklist, what would be on it?

Sami:

  • Immutable backups – isolated and untouchable by attackers.
  • MFA for everyone – no exceptions, not even the CEO.
  • No admin rights – 85% of vulnerabilities vanish if users log in without admin privileges.
  • Separate environments – don’t browse emails on the same device you use to manage servers.
  • Continuous logging – so you can see what really happened when something goes wrong.

These are not “once a month” tasks – they must run continuously.

Juliet: We’ve seen ransomware evolve into fake ‘wipers’ and now deepfakes. What’s next?

Sami: Wipers pretend to ransom your data but actually destroy it, often for a trivial fee. Only good backups save you there. Deepfakes, meanwhile, are the new CEO scam – except now the fake boss appears on a video call. One UK company lost £10m this way. Today, you can still catch deepfakes by asking someone to turn their head or show a watch – AI stumbles on that – but the window is closing. Looking forward, I expect mobile phones to become prime targets. With billions more in circulation than PCs, and app ecosystems that allow side-loading, it’s inevitable.

Juliet: Your sessions are consistently rated the best at conferences. What’s your “secret sauce”?

Sami: First and foremost, I genuinely love what I do. That passion is impossible to fake, and audiences sense it immediately. If I were just reading out a technical manual, they’d know. But when you love the subject, the energy carries through.

The other part is storytelling. People don’t remember a bullet-point list of technical controls; they remember the story about a washing machine being hijacked, or the “mafia-style” structure of ransomware gangs. Stories make complex risks relatable and memorable.

Security is often framed in such a negative way — finger-pointing, blaming users, painting worst-case scenarios. I try to reframe it. Instead of saying, “Don’t use admin rights because you’ll get hacked,” I say, “Drop admin rights and your computer will run faster.” The same truth, but framed as a benefit.

Language really matters. Words like “difficult passwords” make people switch off — who wants something difficult? Say “strong passwords” and suddenly it feels achievable. That small shift changes how people perceive security. I’ve learned over time that a little psychology goes a long way.

And finally, I never show up with the goal of terrifying people. My aim is to give them practical hope — clear, doable actions that will make them safer. When people leave a session feeling they can do something, not just that they’re doomed, that’s when you’ve made an impact.

Juliet: Finally, ransom demands are now in the millions. How can IT leaders communicate risk without scaring colleagues into apathy?

Sami: This is one of the hardest but most important skills for IT leaders. Fear on its own doesn’t drive sustainable action — it paralyses. If you tell staff or a board “we could be hacked tomorrow and lose everything,” they either panic or tune out. What works better is context, relevance, and positive framing.

For executives, data and local examples are key. Senior leaders are often highly data-driven, so bring hard statistics they can trust. Show them case studies from your country or industry — a local hospital brought down by ransomware, a retailer losing millions, or a manufacturer forced to shut down production. And explain that what makes the headlines is only a fraction: in reality, perhaps only five per cent of incidents go public. That hidden scale helps boards grasp the real risk without hype.

For staff, emotion resonates more. People may not care deeply about “protecting the bank’s servers,” but if you tell them their poorly secured home router could be hijacked and used to attack Ukraine, that hits a nerve. It turns an abstract IT rule into a moral responsibility. Parents respond to the idea that their kids’ devices could be impacted. Different audiences require different triggers — the art is finding the angle that matters to them personally.

And always bring solutions, not just problems. Instead of saying, “If you don’t enable MFA, we’ll be hacked,” say, “Enabling MFA makes you 99% less likely to be compromised.” Inspire action by showing that there are straightforward ways to make a huge difference. Fear closes people down; hope and clarity open them up.

From awareness to action, what to do next

Sami Laiho and his team conduct security audits internationally – often remotely – that simulate how attackers would probe your systems; such audits remain one of the most effective ways to strengthen defences. You can follow his insights via his LinkedIn profile and newsletter, and catch him on stage at the upcoming Nordic Infrastructure Conference. For organisations serious about closing their gaps before criminals exploit them, his message is simple: don’t wait until it’s too late.
