Mark: Welcome to Unsuitable on Rea Radio, the unique financial services and business advisory show that challenges your old school business practices and the traditional business culture. You'll hear from industry professionals who think beyond the suit and tie to offer meaningful, modern solutions to help you enhance your company's growth. I'm your host, Mark Van Benschoten.
In business, you have to be ready for anything, from natural disasters to hardware meltdowns. Failure to take the necessary precautions in advance could cost you everything. Your IT department isn't immune to disaster either, which is why I wanted to bring in our guest today who is going to give us more insight into what types of red flags we should be on the lookout for and how we could protect our businesses from becoming a statistic. As a certified information systems auditor and an IT audit manager at Rea, Joe works closely with our clients to help identify strengths and weaknesses in the organization's networks. He's going to give us a little insight into what we can do to protect ourselves and our businesses from potential attacks and other disasters.
Joe, welcome. Glad you're here.
Joe: Thanks, Mark. I'm glad to be here today.
Mark: Certified information systems auditor. How do you say that? CISA?
Joe: CISA.
Mark: CISA. Thank you. Had to clarify that one for me. Joe, been to any concerts lately?
Joe: I think the last one I did was Pop Evil.
Mark: Pop Evil?
Joe: Pop Evil. Yes.
Mark: I'm not quite familiar with that type of music, Joe.
Joe: It's just a little loud. It's off the beaten path, but it was a good concert. We were right up front and I actually got my first guitar pick at this concert. It was a cool thing.
Mark: Over the years, you've shared some great concert stories with me. Does Pop Evil have anything memorable besides the guitar pick? Sorry.
Joe: Basically the guitar pick. I tend to do a lot of concerts with people I work with. It's just a good way for us to bond together.
Mark: That's very nice of you. Did you take your shirt off to get that guitar pick?
Joe: I did not. Actually, it was just [crosstalk 00:01:58] into the crowd and landed on my arm.
Mark: You didn't like knock anybody over for it?
Joe: Didn't knock anyone over. No.
Mark: Glad to hear that. You said that I was correct and that's the first time today. As soon as we're done here, wrapping up, I got my one correct answer.
I think people think of IT departments, they think of these large groups, network engineers, so forth and so on. I think any organization has an IT department and could be at risk.
Joe: I think that's very true. Even though there are those IT departments that have very large staff, we have a lot of small businesses that are a lot of our clients that have one person or a vendor provided support staff.
Mark: Operating as the IT department.
Joe: As the IT department. That's correct.
Mark: What does your certified information systems auditor ... A lot of nice words there. What does that mean? What's that qualify you to do?
Joe: That basically means that I've taken testing to achieve the certification, but also that I have a good idea of best practices that are used in the industry and that should be used by people during their IT or about their IT procedures and processes.
Mark: Is there like three glaring things you see that most clients don't do or correctly or maybe only two?
Joe: The biggest thing that a lot of people, companies, businesses, organizations, nonprofits, the biggest thing is that they take for granted that their data is protected. Right now, the most important thing to most groups is their data. It's the most valuable and it keeps them operating effectively and efficiently.
Mark: What do you mean by data protected?
Joe: There's so many things out there now, Mark, that can hamper your data or destroy it. It used to be all we had to worry about was disasters. I've actually worked with clients that have experienced an explosion in their building, which completely destroyed their building, to I think as you stated in our beginning monologue, companies that have experienced hardware failure. Even though those two things are out there, a disaster's not going to happen very often. We've started to experience things though such as malware. There's an actual malware out there called ransomware, which actually will encrypt your data files so that you cannot use any of the applications associated with that data.
Mark: I assume by ransom, they want money back to release it?
Joe: Exactly. They want you to pay a ransom if you want your actual data files back. It's important that you have backups, offsite backups, that you can go to so that you don't have to pay that ransom.
Mark: If I have a backup and it sits right next to my computer, that's probably not the right way to handle it.
Joe: Well, you want to make sure that the access to both of those is not available to everyone. That's part of the things that I look at when I go in is that not everyone has access to that backup or offsite data.
Mark: You talk about data protection and access to data and you're hearing everything going to the cloud, cloud services, cloud accounting packages, Dropbox, things of that sort. Does that cause you concern or is that a good thing?
Joe: It causes me concern because as we find solutions to the current ransomware, we're also hearing in the industry that the soon-to-be ransomware will be going to the cloud environments also. We need to make sure that our cloud solutions are also providing backup of their data, which is our data.
Mark: That's a good point. If we were going out there selecting a cloud vendor, I assume there's some questions we should be asking them.
Joe: Absolutely. One of the primary things, Mark, is that you look at what's called their SOC 1 report. That's basically where an accounting firm will go in and actually complete an assessment, a risk security assessment, of the cloud provider of the host out there. What they will do is do all the prevalent tests, look for any holes in security on that side of it. They'll also provide security parameters that clients should have in place also.
Mark: That would be a normal course. "Hey, Mr. Cloud Vendor. We're going to select you," and if I ask for a SOC 1 report, they should be familiar with that and be able to provide that?
Joe: Absolutely. Most will have that type of report available.
Mark: If they don't, that might be a red flag right there that says we don't want to be dealing with this person.
Joe: Absolutely.
Mark: Not to put you on the spot, but would you recommend ... Let's say a client comes to you and says, "Joe, we have a solution A is in house storage. Solution B is cloud storage." Let's say that B, the cloud storage has your SOC 1, a favorable SOC 1 report. Would you be comfortable with that or would you recommend that ...
Joe: Well, Mark, I have recommended that some of our clients go to a cloud environment. It depends on your IT staff, the level that you have, the number of people you have, the level of expertise. Basically, if you have a small staff, then you don't have to worry about that hardware part of it anymore. They take care of all your hardware upgrades, any system problems that may be experienced. That's all taken care of by the provider. If they're credible, it just makes it easier for the company to operate in that manner.
Mark: On the ransomware that you mentioned before, before I think would be localized to an individual machine. Now, you're saying that could actually go up into the cloud and corrupt the data.
Joe: Well, they're starting to predict that. I haven't seen an instance of that yet. I have seen it where we actually worked with a company that had received ransomware. It hit their local workstation. Then, that person had open access to the server also and ended up encrypting all the files on the file server as well. When it came down to it, they had no backup of the data. They were actually using tape at the time. When they went back to the tape files, there were no backups there.
Mark: They were putting them in every night, taking them out, labeling.
Joe: Exactly. Exactly.
Mark: What should they do there?
Joe: One of the most important things with your backup and I see that a lot of people don't do this and it's absolutely a best practice is to verify that your data is accurate and complete, which means actually reviewing it. We usually recommend once a year you take a day, review that data for accuracy as well as completeness, which means restoring it somewhere, taking a look at it, verifying totals, and making sure that you have everything you need to be operational if something would happen.
Mark: It's a good recommendation. How can somebody protect themselves from the ransomware?
Joe: It's very difficult. Employee education is a primary one, which I see a lot of people that do not educate their employees well enough, a lot of companies, organizations. There's three basic entry points for the ransomware. Number one is open an attachment. People that open attachments that they think it's from somebody they work with or in business with and here it's not. It's from a separate email address. We kind of recently had that within our firm. We received a phishing attack. Was supposed to be from our CFO, but it was not. It had his name assigned to it. Attachments and then the second thing is bad URLs or websites. If you click on the wrong website, it's possible that there can be ransomware associated with that. A third way is flash advertising. The advertising you see when you go to Yahoo that appears on the right. If you've been out to eBay or Amazon, it will show items that you were looking at. Sometimes those can get snuck in as ransomware. I know Yahoo got infected at one point this summer and was passing out ransomware. It didn't happen long, but it did happen. Those are basically the three entry points that you can receive ransomware.
Mark: Correct me if I'm wrong. You would encourage employee education on those three areas.
Joe: Absolutely. Yes.
Mark: I assume it's not just the first day of orientation, don't do these things, and consistent and ongoing.
Joe: Education to employees should be a continuous item. Yes.
Mark: I find it interesting you didn't say anything from a hardware or soft ... I thought you were going to say, "Buy this program and you'll be all set."
Joe: There's really nothing that's catching it right now. The FBI is out there pushing out alerts that, "Hey, these things are out there." As far as industry as a whole, they're finding a few areas you can try. There's a few programs from Microsoft that they recommend. As a whole, your weakest point is your end users.
Mark: That's a good point. That's why you guys send out those emails.
Joe: We send out the emails and a lot of companies now perform their own phishing campaigns where they actually try to get their users to click on a site or do something that would be bad. They run it against their entire company. There are a lot of good companies out there that do this as a service so that they can see whether we've got a problem with users try and do this where they try and win a free iPad if it comes in through their email, whatever the method is that they try to get them to click.
Mark: Interesting. Turning to a little subject that bothers me is that I have to change my password all the time.
Joe: Oh, Mark.
Mark: Why?
Joe: The old days are gone. You know, back in the days when we could use 123456, those days are gone, Mark. It's imperative that passwords be used, that they change routinely. It's important that you're able to assign ownership, to use logs to track what your employees are doing. Changing passwords is the only way you can do that. You know over a period of time if someone works together, if it's just by instance or chance, you can actually pick up on somebody's passwords and figure out what they're using. At that point, you can no longer assign ownership to transactions.
Mark: That brings up a good point about the logs and the tracking. Here, I thought it was just security to get ... You're saying security to get into my machine. That's why I need to change that. For some reason, I thought it was something with a software issue related to vulnerability from some sort of virus attack.
Joe: A lot of places too, your login credentials are tied right to what access you have, which is another reason. Basically, let's say if I get ransomware on my system using my login credentials, I may only have access to my shared drive, my area. If I get the malware, the ransomware, I don't infect your area. Those rights actually separate what I have access to and what I don't.
Mark: Okay. If somebody gets attacked, what should they do? They'll pretty much know what they'll do because they can't do anything.
Joe: Cry.
Mark: Pack it up. Go home for the day.
Joe: You want to contact your IT person, vendor, department, whoever's in charge of IT and let them proceed from there. You never want to do anything with a system. I know in some instances, I know ransomware's quite often now it's not considered something that the FBI wants to get involved in. There are some instances where the FBI actually wants to be involved or you contact local law enforcement.
Mark: It's pretty serious.
Joe: It's all very serious. Again, you know, the world moves forward with the data we have. We've gone to that point. That's where we are.
Mark: Protecting the data is key.
Joe: Absolutely.
Mark: What about these password programs? You have password for your home computer, your work computer, your bank account, your credit card, so forth and so on. Probably keeping track of them in your Outlook is probably not the best thing.
Joe: It's not because it's not secured. I don't have a lot of experience with the password manager programs, I feel personally just, this is my personal opinion, that as long as these programs are encrypted and maintained securely, that they're better than writing them down on a piece of paper and keeping them in your desk drawer.
Mark: Good point. Trying to predict the future, do you ever think we'll get away from ransomware or attacks or we'll ever be one step ahead of the bad guys?
Joe: Ransomware is tied to eastern Europe, which is actually tied to a lot of countries in eastern Europe's economy. Governments actually tax countries, I guess, businesses or entities over there that are putting out such spyware or malware, ransomware. I don't see it going away anytime soon. As a matter of fact, what happens now is we find a solution for one instance of ransomware and you'll see several weeks later it will just progress to a different version and it will be back to the same part it is. The US government's been working with other foreign governments to try and cut down on the number of ransomware attacks. I think they're getting somewhat to that point. I don't think it's ever going to go away. If it does evolve into the cloud environment too, it's just going to bring on additional headaches for our IT departments.
Mark: There was a recent thing I think over in the European Union about data had to be stored over there. If you were Apple, I couldn't send my data. If I was doing business in France and I was a French person, my data had to be stored, the physical server, had to be in France. That seemed a little archaic to me. That didn't seem like really true cloud.
Joe: Yeah. I don't know anything about it. I'd have to have more information to be able ... It's nothing I'm familiar with right off the bat.
Mark: On the security and the protection of the data, I'm an accountant and I think, "Oh, we got to protect the accounting data," but it's probably personnel data, it's for us our clients' data.
Joe: It goes from what they turn out big data with companies maintaining years and years and years of data. I've been in the industry since 1983 and I know a lot of places have been maintaining data since that time. Databases and storage have grown huge in that period of time. At the same thought, you probably have pictures on your computer at home that you think, "I got all these pictures of my life, my family, all through the years." If you get ransomware on that computer, it would wipe out those pictures. Now, you might have a USB hard drive connected to that system and say, "Well, I copy them over there so I have a second copy." Well, you have access to that USB hard drive and if it's connected to your computer, it's going to jump right over there and encrypt those files also. At this point, both your main set of pictures and your backup pictures are both encrypted. You're going to basically have to pay the fee to get your encryption key back.
Mark: Federal government pushed to electronic health records and I assume that there would be grave concerns about that information getting corrupted.
Joe: That's a lot of what's going on. I mean, you see that with Target and Home Depot. A lot of them are having their sensitive information stolen, credit cards. The health industry is, I think, the number one industry right now that's got to watch for data breaches. There's things that they can do to protect themselves from those breaches. They just have to make sure, and I think a lot of them do that.
Mark: Such as?
Joe: One of my primary recommendations, usually, is to use some type of IDS system, which is an intrusion detection system, or SIM, which is a security information management system, which actually monitors the data that's coming in and out of your network. What happens is we actually have a solution provider for that. They provide a service to us. What happens is if we start transmitting data out of our network here at Rea Associates, they actually contact our IT department immediately. They get notified. They're monitoring our logs on a 24/7 basis. If they start seeing data being transmitted out of our systems, they automatically contact the Rea Associates IT department and tell them what workstation it is because they can identify it. Our IT department will go and remove that system from the network and then re-image it or set it back up so that it's no longer infected.
Mark: Would that be appropriate for a home use also?
Joe: It's not so much home use as much as we're looking at data that you really want to secure, credit card, healthcare information. That type of data. A lot of larger organizations use that type of system. I know Target was using that, but they were getting some false alarms. They didn't respond to them and thus they experienced the breach they did. I think after the Target breach ... I believe the Target breach as a whole was a wake up call to our entire country to know that we've got to be on the lookout for this. It was really the very first big breach that we had. I think now a lot of people are looking at those IDS systems and SIM systems and saying, "You guys need to watch these, monitor them, and make sure that nothing is leaving our boundaries for our data."
Mark: Good point. Joe, before we wrap up, there's one question we ask every guest: If you could have one super power, what would it be?
Joe: Oh, boy. I guess it would be to save everybody's data. I hate the fact that people can destroy people's data, whether it be home data in your pictures and memories, work that you've done. I hate to redo work. If that's the one thing in the world I could do is save people to have to redo their work, I guess that would be it.
Mark: Would you be called Super Data or Data Saver? What would you like to be called?
Joe: Data Saver sounds good.
Mark: Data Saver. I like that.
Joe: Get a big DS on the chest and I'm good to go.
Mark: I'm sure there's a few jokes there, but we'll move on. Thank you for joining us today, Joe. Thank you to our listeners for tuning in.
If you want to learn more about disaster recovery planning, we have some great information on our website, which you can get to by visiting our podcast page at www.reacpa.com/podcast. Don't forget to subscribe to Unsuitable on iTunes or SoundCloud. Remember to share the wealth with your friends and colleagues. Until next time, I'm Mark Van Benschoten for Unsuitable on Rea Radio, encouraging you to loosen up your tie and think outside the box.
I was going to say something about having a big D on your chest.
Joe: Rock on, Mark.