episode 124 – transcript

Dave Cain: Welcome to unsuitable on Rea Radio, the award winning financial services and business advisory podcast that challenges your old-school business practices and the traditional business suit culture. Our guests are industry professionals and experts who will challenge you to think beyond the suit and tie while offering you meaningful modern solutions to help enhance your company’s growth. I’m your host, Dave Cain.

Cyber crime isn’t just an IT issue, it’s a business issue. One that’s strong enough to hurt even the largest businesses and organizations. Today’s guest is Mike Moran, president of Affiliated Resource Group in Dublin, Ohio. Mike is here today to provide us with a comprehensive overview of the security risk we are facing today. From your basic hacks and data breaches to phishing and ransomware, we’re going to learn what we need to do to protect our companies, our clients and our people. Welcome back to unsuitable Mike.

Mike Moran:   Thanks Dave. I appreciate you tolerating me one more time. This is great.

Dave:  Well, you did such a great job the first time you were here-

Mike:   Thank you. Thank you very much.

Dave:   … we thought we’d have you back.

Mike: Thank you. I appreciate it.

Dave: Great topics. I want to start Mike with a little bit of your resume. You’re a well known speaker in certainly the Columbus area and around the state of Ohio. I want to hit a couple of topics that you’ve been covering with whether they’re white papers or speeches and other articles. I just want to read a couple of these because it fits with today’s topic.

You’ve talked about disaster recovery planning for growing and mid-market organizations, how to successfully select your next ERP system. You speak all the time on CRM or customer relation management, aligning your IT and business goals, and using technology to improve your team success in today’s security risk and essential ways to address them. You’ve been quite busy.

Mike: Yeah. There’s a definite need today to help organizations understand how they can get their IT resources. That’s if you think, think about it, both your IT systems as well as the people that are part of your IT. Get those folks aligned with your company plan so you can achieve your goals faster. Many companies look at IT as a, basically it’s a black hole of expense and they try and avoid it, many times because they don’t understand it.

The reality is, is that if you embrace it and move it forward, we’re all getting more technology driven. I don’t think there’s a single business executive today that doesn’t have some sort of smartphone that they use on a regular basis. That’s one part of an extension of the systems for your organization.

Dave: I know when we get together on a regular basis we usually talk family, sports, politics, business. You’re very passionate when we start that business conversation. You always talk about aligning your IT and business goals, and how that is overlooked in today’s environment by organizations of all sizes.

Mike: It really is. The industry leaders have recognized it and they have moved forward in driving that forward. I was at a session last week out in Phoenix and they were talking about this. They said that the average enterprise level company spends between 450 and $600 a month per user on their overall IT spend.

When you think about how expensive that is, people have got to be looking at, how are we as an organization going to be able to get more out of that return? When you look at a growing business, or a small business if you will, a non-profit organization, they have many of the same challenges. Obviously they don’t have that much in terms of financial resources to spend but they definitely are spending a lot of money in terms of where they go.

Dave: Let’s go back to what you said earlier, you went to Phoenix when it was like zero degrees in Ohio.

Mike: Yes. I got on the plane on Sunday morning, or Sunday afternoon and it was 83, I got off the plane here in Columbus and it was 17. It was quite … I’m glad I wasn’t wearing shorts and flip-flops.

Dave: That’s great. Again, I think that speaks to the visibility of your company and your expertise as you travel around the country and speak to colleagues on this very issue that you’re passionate about.

Today we’re going to talk on a couple different levels. Certainly I wanted to hit that, you know, the IT goals and things. I think that’s very important. It will interplay with what we’re going to talking about today. This email craze, it’s in every business, all around us, and certainly that’s posing more threats that ever before. I think that’s something you shared with the group. What are you seeing as far as email security? That’s a loaded question but let’s start there.

Mike: It is. Yeah, I mean we could spend hours on this. But I think when you look at, I’ll call it the history if you will of these hacks and malicious attacks on organizations, a lot of them maybe started off as something that was … We kind of think of a hacker as a guy, sitting in his parents’ basement just playing around. Whether he’s still in high school or didn’t get through high school or is passed high school and wants to relive it, that’s what we, people originally think of that.

Today, it’s just not true. Today this is an organized business. This is something that is designed specifically today not to … Maliciousness is there, but it’s to get and generate revenue for the people that are performing the activities. When you look that, you think about the lowest level of that might be spam. We’ve had spam for years and years and years.

Today what they’re looking at in doing the spam is, they were trying to get a response. Now if you just even glance over it or try and open it, you set yourself up for someone to implant malware, which can cause all different source of problems in your company.

One of the bigger issues that we’re starting to see is an awful lot more phishing. On a simple measure, if you watch MTV or you watch TV at all, they have that show called Catfishing. Those folks that are a little younger than you Dave would get what that is.

Dave: Thank you.

Mike: Where, they impersonate someone else online and get someone to, quote-unquote, I believe there was a linebacker who played for Notre Dame who is probably one of the biggest catches of that. I think the guy plays for San Diego now in terms of where it goes.

But that’s that on a practical level, but on an email level they’re sending you an email and they’re trying to get you to do some sort of action. In many cases it could be as easy as just to respond. Some cases it’s a demand for payment and people aren’t paying attention or aren’t aware, and so they go ahead and process the payment and the money goes off.

In the Columbus Dispatch in October 1st, the headline talked about a family that sold their house, and a year after they sold their house they had not received the proceeds because a person phished their real estate agent, sent the information on to the title company. The title company wired their money down to Houston, where the bad guy was, and the organization, the family had not received, so they had to sue them.

When you think about it, the real estate agent said, “Look, I didn’t do anything wrong. I didn’t send the email.” The title company said, “Hey, I just followed the directions,” and nobody wants to pay. So what happens? These guys are out 215,000 or $216,000 because someone did that. That sort of thing is happening more and more and more. The other thing that you might see is, and with the proliferation of everyone using their mobile devices for their email, it becomes a lot easier for people to send you an email.

For example, I got one probably six, eight weeks ago. It actually said, I’m out of the office and I’m looking at my mobile and it says, “Hey, your American Express card has been locked due to fraudulent activity.” Okay, I kind of did a quick open of the email, thinking, “Okay. I’ve had this happen a couple of different times.” And then I see, “You’ve got do this,” and then it says, “Go here.” Well, I’m kind of a old-school fool and I prefer to call the 800 number, because that’s why they give it to me. It didn’t have one on there.

I’m like, “Okay. Wait a minute, let’s deal with this when I get back to the hotel, and I’ll look on my workstation.” So, open up the laptop and I look at it. It’s like, “Okay. I know how to read an email scenario.” I open it up, it’s in my preview section. … enough, when I look at who it’s from it says American Express, but it says dave.capture@capturex.com. So it was obviously somebody phishing, and then when I looked at it, sure it had the American Express logos and all that stuff and it looked pretty efficient. There was no email, there was no phone number. There was a, “Click here to get started.” What did they want? They wanted to get my information, and it happens all the time to people because they’re not aware of what they need to do.

What does this do? Well, if I give you my information, now they can hack into my systems and gain access to a whole lot of stuff. Now I give you that, they might plant, again, some malware in the company and do that so they can go through my corporate systems and look at things.

So that whole concept of being aware what you’re getting is very important. While it sounds real simple, it’s not because if you get 100, 200 emails a day and you’re going through those pretty quickly, and again if you’re on your mobile phone you wouldn’t have seen all of those things.

So my suggestion in that case, the first one I’ll toss out is that I think that if you get an email from someone that has anything to do with financial or their asking for personal or business information, unless you’re absolutely sure what it is I wouldn’t necessarily respond to it on a mobile phone. I would wait until I got back to my actual workstation, whether it’s a laptop or desktop, and then take a look at it, and I’m going to, in a couple minutes I’ll recommend ways that you can start looking at your email because I’m amazed.

Outlook is so flexible and 90% of the people use Outlook, but it’s so flexible on a desktop that most people just set it up in a default manner instead of setting it up in a way that can help you prevent these things from happening to you.

Dave: You know, you made a good point, you used the word 100, 200 emails, and I would assume in your business you get at least that many a day or …

Mike: Yeah. Some days I get more.

Dave: Yeah, and so how do you manage that volume of email? I would think as you go through, like all of us, we go through and harvest those emails very quickly, just to get through them.

Mike: There’s a fair amount of that. I think the side … to me it starts with how you view your Outlook screen. A number of years ago I got sent to, before we started Affiliated, I got sent to some training of a variety of type for executives. These guys kept sending me stuff.

They all the sudden said, “Here’s a way to get yourself better organized.” So I went to this one day class, I think it was about eight or 10 years ago. One of the first things they talked about was dealing with your email. Most people have their email setup so that they get a ping, they get a preview, they get all this stuff. They said, “Turn it off. It’s a distraction.”

The second thing they did is they said, “Let’s talk about setting up your Outlook screen so that you can be more efficient.” If you think about it, everybody has their folders on the left-hand column, and then typically most people have the rest of their email is this broad list of all the emails that come through. When you look at it, there’s the title of the email and who it’s from, and there might be a little info about date and time, but that’s really about it. You’ve got to open the email to see it.

What they said was is, “Up in the navigation bar there’s a thing called view, and you choose a reading pane.” The reading pane will give you the ability to just click down this thing if you want to see them and you look at them. That way you can see these emails fairly quickly. You can have your mouse on the delete button, boom, boom, boom, boom, boom, or like me you start to know who some of these folks come from because you get them every day, and you just click them together and mass get rid of them.

Yes, you can use junk mail and you can train your system to do that, and Office 365, which is Microsoft’s new Outlook product, gives you the ability to have somethings in a primary and a non-focus capability. But setting up your Outlook screen with that reading pane is a huge benefit.

What we recommend and what we do when we do our user awareness training, is to start at the top. Look at who the email’s from. Yeah, it may say it’s from Dave Cain. Dave Cain doesn’t spell his name, D-A-V-E dot K-A-I-N-E-Y at X-Y-Z dot com. Look at that, because that is something that it is. If you don’t necessarily recognize it or you don’t get it, and someone’s asking for money or asking you for personal company information, look for a phone number and call them. Or worst case, send back an email and say, “Can you clarify what you’re looking for?” That’s the worst case, but give them that shot.

Dave: Let me give you an example, and you’ve seen it. I mean we’ve been out together. You’re sitting in a restaurant and having a conversation, you see people next to you and they’re going through their emails like there’s a race. How quickly I can go through those emails and get rid of them. I think, “Wow, that’s kind of dangerous.” We’re seeing that all over the place.

Mike: For example in my case on the email, I pretty can decide from a preview how much you want to look at them. I don’t think there’s a problem with that because you’re deleting them. It’s the key that people are opening them up and then all of a sudden deciding to respond to some of those things in terms of where it is. You know, again,  my American Express card, it’s been … Well, I’ve gotten three different cards over the last year and a half or two years because unfortunately every time you use American Express at a company that had a breach, like Home Depot, they send you a new card.

My point was, it’s that when they said that they called it fraudulent activity. They don’t say your card’s been locked. That’s what’s the first trigger. Now, had I never had that, I might have had a different response, but again the point was, when I called it up on my workstation and looked at it, boom, it was not what we need to.

It’s all about user awareness training and helping to help their business. Because you can say to IT, “Well this is your job to protect us.” Well, unfortunately in today’s world IT can only do so much. As a user, we have a responsibility to learn how we can also help be a part of the solution as well.

Dave: I’ll give you an example. As you look around the production room, the team here is supposed to be producing this podcast, and three of them are busy on their cellphone looking at their email.

Mike: It’s okay.

Dave: You think that’s okay?

Mike: That’s okay. They’re engaged. They’re listening to you give me grief, and at the same point in time they’re multitasking as some would say, and that’s the way the new … that’s the way people do it.

Dave: You know, as we go forward, do you see a situation where company are going to exclude or prohibit employees from getting office emails on their cellphone, on their person cellphone?

Mike: No. I think that the direction is that it’s going to, the use of the mobile phone, the mobile device to do more business is going to expand. It’s not going to contract. It is up to IT as well as the user to become as effective as they can at protecting.

Those are some of the tools. At a simple level you’ve got your antivirus and those kind of things, and user awareness is a focus of protecting. The second level is a detect. Once something comes in, how can I determine that it’s hit us faster than it used to be? I’ll explain that in a second. Then the last level is, what’s our response? How quickly you can respond.

So when you think about that, let’s talk about that email that we just said. Let’s just said that all of a sudden they decide that they are going to plant some ransomware, because unfortunately that’s where the real money’s being made today. You know, the Equifax breach that everybody heard about last year, that’s great. But somebody may get $2 to 500 or $1,000 for a big group of those people’s information. If I lock down your systems, I can get a heck of a lot more money, and it’s a lot cleaner and a lot faster because it’s a one shot deal.

So that’s where, if you look at the criminal element they’re really focused on the ransomware issue. My point to this is, it’s that, protect. I’ve got to have the tools that can help me try and keep it out. I can’t keep them all out because inevitably it’s going to happen, either from good nature user trying to do something, or the guys are just going to break through.

But then I’ve got to have a system that detects, because today what they’re doing is, is they’re planting their malware if you will, they’re planting their bad stuff, and it may take anywhere from one hour to a couple of weeks for it actually to kick in. You may find it initially, and then all of a sudden clean things up, and then it comes back and it hits you a couple weeks later.

What happens then? Well, we kind of forgot about it, we weren’t paying attention. Where, boom, that’s one of the things that you’ve got to do. The key also is, is being able to have a solid set of backups, that are tested and organized, and be able then to use that to help recover for.

Dave: This conversation goes back to really where we started the podcast, is the IT goals and the business goals must align because this is internal control, security breach, keeping your data secure. So it is all about IT goals and business goals.

Mike: It is unfortunate that companies today, organization if you will, are having to spend more money on security as opposed to being able to provide tools that truly help advance the organization’s productivity and help them achieve their goals. The reality is, is if you’re not investing that money and you get hit it becomes fairly damaging in terms of where that goes.

Dave: Are we winning the battle?

Mike:   I don’t know that that’s a fair question for me to answer. I think that every time an issue is thwarted, there appears to be three to five people that are coming up with a new issue that has to be thwarted. So I think that as, I’m going to call them the bad guys for lack of a gender specific firm. But as the bad guys realize that there’s money to be made at this, they’re going to continue doing it because it’s realistically, it’s gone beyond that concept of, “Well, I’m just joshing with you and I’m showing you I’m smarter than you are because I can prevent you from getting access to your screen.” But you can get that access, it’s not that big a deal.

These guys are in it for the money, and when you have governments that are involved with what they’re doing on an official way, part of what they’re trying to do is they are looking at stealing intellectual property secrets, whether that’s from other governments or whether that’s from commercial businesses, to help advance their own country’s interest. It’s the way it is.

Dave: That’s a good point. When we think of a data breach, you think social security numbers, addresses, birthdays, that type of data being stolen. But intellectual property, that’s getting bigger and bigger, the theft of plans, blueprints, top secret.

Mike: Yeah. I mean, it’s as simple as … For years the old thing was, is that a salesperson left the company and they took the customer list with them. Even though they had a non-compete, they took the customer list. That’s the simplest of that intellectual property.

On the other hand, it does go up to as detailed as, “Hey, I’m building something and I’ve got two competitors, and Lord knows I may have what we need to do, but I haven’t yet secured the patent.” These guys can steal that information. They can build it up before I can get the patent, they can beat us to market.

Dave:  In the next few minutes we have before we wrap up let’s talk about next steps.

Mike:  Okay.

Dave:  What are maybe three, two or three next steps that a business owner that’s listening to the podcast can do this afternoon?

Mike: Sure. I think that if you’re a business leader, some of the questions that you might want to look at in terms of just at a simple level. Getting together with your team, whether it’s all of your management team or part of your management team and IT, and ask, “What are the threats that potentially face us? What is it that we’re really trying to protect?” Because some companies are trying to protect a lot more than others. Some companies have compliance responsibilities that they have to protect. But what are we trying to protect? How are we doing it today? What potential do we have for exposure?

And then the next part of that goes is, is that, “Okay, do we have a plan to get it resolved? If we don’t, what do we need to do? Is this a serious enough … ” in other words, I kind of draw a X and Y axis with the likelihood on the top line and the impact to the business on the bottom line. A lot of IT people think you’ve got to protect everything. The reality is, is that some of those issues aren’t material.

But when you start looking at higher the likelihood, the bigger the impact, you’ve got to put that in and you’ve got to do something about it. So that becomes, “How do we get a plan?” To me, I would ask that, if I were a business leader I would say, “Okay. Do we have the skills to do it internally? If not, do we have an outside resource that we can use?”

I’ll give a plug. Obviously they can call their Rea & Associates resource, their CPA or their business partner. They can come back and potentially recommend some people or some approaches. Obviously we do that. But my point is that you’ve got have people help you.

We’re seeing more and more companies reach out and say, “Help us with that, protect, detect and respond.” They’re knowing they’ve got to do these things, and what are the various pieces to those pieces so that they’re protected? It’s not just one thing. People spent tons and tons of money on antivirus for years. Then they had a problem and they realized their backups weren’t very good. Or, they spent tons of money here but they didn’t when to detect that they had an issue and it went on for a while. So they’ve got to actually start allocating, how does that work in terms of …

Dave:  Right. Now a note to our listeners, obviously Mike is very talented, knowledgeable in this area. If our listeners want to get ahold of you to talk more, certainly they can contact us at Rea & Associates but give a plug. How would we get ahold of you? What would be the best way?

Mike: Sure. The simplest way is they can call the office, it’s 614.889.6555. They can ask for me or they can ask for Amanda. One of the two of us will be happy to at least start coordinating a conversation with them. They can go online to www.aresgrp.com, that’s our website. There’s information and opportunities there to at least say, “Hey, I’d like to have a chat.”

Dave: To our listeners, we can help you find Mike. His office is right across from the studios of Rea Radio in Dublin, Ohio.

Mike: Yeah, and Dave just so you know, I’m surely not the only person that can do this. Really good solid competent IT people can help. We’re always out there and looking to be able to help do that as well. The reality is, is we need the whole community if you will to work together to help reduce these risks.

Dave:  But in addition, you can talk very intelligently about sports and politics and business.

Mike:  Unfortunately, not all the people that we talk to want to talk about those things, so we’ll just keep it to business.

Dave: There you go. Our guest today has been Mike Moran, president of Affiliated Resource Group located in Dublin, Ohio. Thanks again for joining us on unsuitable today. Great job.

Mike:Thank you.

Dave: We’ve talked about cyber threats before but I really think you provided us with some great insight into what we can do to help to help others become champions of data security as well.

Listeners, we’ve got a wealth of information about cyber crime and data security on our website. Check it out at reacpa.com. You can also reach us at podcast@reacpa with your questions. If you haven’t already, don’t forget to subscribe to unsuitable on iTunes or check out video from today’s episode on Rea’s YouTube channel. Thanks for listening. Until next time, I’m Dave Cain, encouraging you to loosen up your tie and think outside the box.

Disclaimer: The views expressed on unsuitable on Rea Radio are our own and do not necessarily reflect the views of Rea & Associates. The podcast is for informational and educational purposes only and is not intended to replace the professional advice you would receive elsewhere. Consult with a trusted advisor about your unique situation so they can expertly guide you to the best solution for your specific circumstance.