episode 149 | Cybersecurity | Transcript | Rea CPA

episode 149 – transcript

Dave Cain: Welcome to unsuitable on Rea Radio, the award-winning financial services and business advisory podcast that challenges your old school business practices and their traditional business suit culture. Our guests are industry professionals and the experts, who will challenge you to think beyond the suit and tie, while offering you meaningful modern solutions to help enhance your company’s growth.

Dave: I’m your host, Dave Cain. Back in 2016, more than $1-billion was extorted from individuals and organizations by cyber criminals. When you factor in costs associated with cyber crime, those costs balloon to an estimated $50-billion when you add in remediation, lost productivity, consulting, legal, and on and on and on. That was just two years ago and while we may not have the current numbers for 2018, we can tell you that online criminal activity is as strong as ever.

Dave: After all, with cyber crime being the leading generator of revenue for criminals, we don’t see them hanging up their hats anytime soon. The cash register is open. For this reason, the topic of cyber security has become an essential business conversation, which is why we’re happy to have Mike Moran, co-founder and president of Affiliated Resources, an IT implementation and professional services firm located in Dublin, Ohio. Mike is back to tell us where the smart guys are investing their IT security dollars and how small to midsize business owners can follow their lead. Welcome back to unsuitable, Mike.

Mike Moran: Thanks, Dave. I appreciate you having me. I always enjoy coming to see you guys.

Dave: This is, you’re a veteran, this is your third time on the show and always a great guest with a lot of really good information.

Mike: Well, I appreciate it. I kind of get told all the time, I’m like a bad penny. I just keep showing back up.

Dave: Keep showing up.

Mike: And showing up.

Dave: That’s okay.

Mike: I appreciate that. Well, thank you.

Dave: So, let’s start with, are we winning the battle?

Mike: The answer is we’re fighting a good fight. The challenge is that you know, criminals today, you can look at it and say, well, depending on where you sit in the spectrum, well war is a crime, and drugs are a crime, and then there’s other. But, when you really look at things like cyber security, it’s really made a major change in how criminals address this opportunity. It used to be that if you wanted to go get money, you had to go to a bank. And then, you had to have a knife, or a gun, or a strong sense of what you wanted. You had to get dirty, so to speak.

Mike: Well, today, I can sit in my basement and send out 10,000 emails a day, or I can sit in my basement and get something that I got on the dark web, as a program, that runs that goes running and looking for various IP addresses that aren’t secure, and I get access to those things. I can lock them down with something like ransomware and all of a sudden, I get money. I send out those phishing emails. I could be sitting in my mother’s basement doing some things and I’m going to get some unscrupulous person, who’s going to respond because they’re not smart enough to realize or they’re not aware enough, and all of sudden, I’ve got an opportunity to make a chunk of change.

Mike: If I send out a million of those a year and I get 1/100th of 1% of people to respond, I can make a nice living.

Dave: You win. You win.

Mike: I can make … and so, it’s there. And they’re getting smarter, and they’re getting more organized, and they’re getting more focused. Yeah, there’s a lot of things that are going on. It really does become more than just a nuisance, it’s now a focus on how do we fight this? How do we start, not only protecting ourselves but getting prepared so that if we do get hit, how we can recover as quickly as possible?

Dave: You know, the cyber criminals, we can’t forget, those folks are geniuses. They are just geniuses. They know how to do this and if I step back and look at a lot of business owners, they’re doing a lot of things in their business day to day. They’re not paying a lot of attention to their IT security. They’re paying some attention, but you know, the cyber criminal, that’s what they do 24/7.

Mike: Yeah, there are. Especially, the more organized folks, go out and get this done. A perfect example, in October of 2017, the first day of October, front page of the Dispatch, there was an article about a family that got fleeced out of their retirement savings. They sold their home. Well, basically, what happened was is that a scammer if you will, found that a family had sold their house and while it was in escrow to get ready to sell, he spoofed the real estate agent and sent them an email. That email said, “When this is done, I want you to write the proceeds of this transaction to my information.”

Mike: He sent it to the title agency. The title agency saw that. Oh, it’s a legitimate email from … well, it appears to be a legitimate email because it talked about the specific information. The transaction is finished, they wired that $215,000 to some sort of an account down in Texas. Guess what? The family had nothing to do about it and a year and a half later, they had to sue both the title agent and the real estate agent because that $215,000 wasn’t there.

Mike: Now, the government did arrest the person who did this. He had made $1.4-million running that same scam over and over and over again. If you go back to the mortgage broker, the national mortgage association’s website, they actually had been talking about that scam going on, that type of scam, since 2012. The reality is that there is a lot of money for these guys to be made. You’ve just got to be vigilant.

Mike: Yeah.

Dave: You know, that’s a great story. One, it’s a smaller business.

Mike: Exactly.

Dave: It’s actually an individual.

Mike: Yeah.

Dave: We think that this, you know, the cyber criminals and the ransomware, and the ransom page, and the cryptocurrency that’s out there is just reserved for larger companies, but your story, it’s even trickling down to individuals, smaller business. It may even be a greater impact there because of a lack of IT security.

Mike: Exactly. A lot of these guys that have automated systems that are going and doing it, they’re looking for URLs and they’re looking for IP addresses. Quite frankly, those IP addresses aren’t defined as I’m going go to a fortune 25 company or a company with 2.5 employees. They’re just looking for an open access to get in and do some damage.

Dave: You know, today on lunch, I was reading our script for today, getting ready, and I looked over and I saw this business owner. I knew the individual. He had a cell phone out and I know he was just going through, ripping through emails left and right on his cell phone. I thought, oh boy. How close is he looking at those emails?

Mike: I’ll give you another example of that. This is something that I think that …

Dave: We got to get to the script one of these days.

Mike: Well, we will. We will.

Dave: You know, I mean, you got to tell stories.

Mike: This talks about awareness. This talks about the whole idea of awareness. One of the things that the smart guys are spending their money on is they’re looking at a thing called user awareness or user awareness security training. I’ll talk a little bit more about that, but I’m going to follow through on that. What you’re seeing with mobile phones and that is one of the more growing areas of people getting access, they will send you a phishing email. A phishing email is an email from someone who is trying to get you to either click on something and open it or provide your credentials.

Mike: It can be very targeted, as it was in the case of that mortgage scenario I explained, or it can be just kind of something general where is, we’ve all received them. I am prince sometimes from Nigeria and I’ve just received a whole lot of money and if you’ll help me, that’s an example of a phishing email. Believe it or not, they’re still fairly successful. When you’re on your phone, it’s pretty hard to see who that email is actually originating from. You see that it comes from Dave Cain, but if you were actually on your desktop or your workstation, your laptop, if you will, and you clicked on that email and you saw it in the preview window of your Outlook scenario, it might say that it’s from dave.cain@deweychitamenhow.com.

Mike: If that’s the case, well then, you know that hey, that’s not the Dave Cain from Rea and Associates. That’s one of the problems. I had that situation happen to me. I got a note from American Express that my account had been locked. I looked it at it on my phone and I almost hit the button and then I remembered, hey dummy, go home and look at it.

Dave: Take a look.

Mike: I go back to the hotel, I look, and sure enough, there was no phone number. There was nothing. And then, I looked at who it was from and it was from dave.@captureX.com. That one went right to the junk mail. That’s an example of what that is. That’s part of the user awareness training. I’ll take a step back and talk about that. The first part of, is that people are spending money on trying to identify where their risks, their exposures and their threats are.

Mike: They’re going out and doing risk assessments. They’re doing network assessments. Obviously, if you’ve got compliance challenges like HIPAA compliance or NIST 800-171, you’re going to go out and do a risk assessment for that scenario. They’re looking at those things to identify, where are our challenges. A perfect example is an organization that has grown over the last five or ten years and they’ve added different functions. Maybe they’re a manufacturer.

Mike: All of a sudden, they have specific components that they use in their manufacturing. Well, those third-party vendors now want to get in and be able to manage it so they can do a better job of maintaining that equipment, keeping it up and running so that you’re satisfied with it. Well, they need access through your network. If your network isn’t designed to segment those things, someone can get into and do this.

Mike: I’ll explain a perfect example. Last week I was down in Southern Ohio speaking to a group of 30 school districts and municipalities about cyber security issues and compliance work that they needed to do. It was a very reasonably well-received thing. Everyone kind of said, “Thank you.” And clapped nicely and we went home. On Monday morning, I get a phone call from one of the attendees that they had been hit with ransomware. I asked, “Have you determined where it came from yet?” They said, “Yes. We had a port open for our third-party HVAC maintenance vendor to be able to access our systems and control our HVAC systems to help us drive the cost down of our HVAC systems.”

Mike: That’s how the bad guys got in. They were infected with ransomware and they had a problem. That’s an example of doing that identify my issue. They’re looking at those assessments and that to identify what they need to do and then build a plan to get it fixed.

Dave: Good.

Mike: That’s item number one.

Dave: Let’s continue on a theme of where the smart guys are investing their IT security dollars.

Mike: Sure.

Dave: I think in the past and not so distant past, is that you know, spending dollars on IT security, was not in a strategic plan or not a high budget item. I think the smart guys have figured out, we’ve got to spend more money in that area.

Mike: Yeah. It is. I think, you know, I kind of identified three areas that I think we’re seeing people step up their expenditures and that. The first one, as I said, is getting that assessment. Getting that scenario of understanding where we are. Getting a risk assessment. The second area comes in the idea of the National Institute of Standards and Technology, or NIST, if you will. They actually published a cyber security framework. It starts with identify.

Mike: So, that idea of following getting a network security risk assessment covers that identification. The secondary is protect. This is where people have traditionally spent their money. They bought a firewall. They get an antivirus. They have malware. They have a spam filter. Those are things to protect you. The third area is in detect and detect is where I put things like user awareness training. Detect are the things that allow you to understand that you’re having an event or a potential event, faster and more effectively.

Mike: They’re spending their money on that. Protection, they’re still keeping their expenses, their investment there, but they’re really investing in this because the issue is the faster I can find that I have a problem, the faster I can fix it and the lesser amount of damage that potentially can be done to my organization. That’s the secondary is tools that can detect. Intrusion detection system. Things like user aware. All of these things are part of that detect. Find out I got a problem faster so that I can work through the other steps.

Dave: Sure. You know, and I want to share with you, I did go to your website, kind of check out some of the blogs and reading material. Well done, good stuff on there. There was a line in there that caught my attention. I wanted to kind of share that with you and get your approach. It says, “Have you outgrown your current approach to IT services and support?” Have you outgrown your current approach? In your experience and your travels, are companies really outgrowing their support, their IT?

Mike: I think in many cases, they have an opportunity to do that. Here’s how I would describe that. They are used to having an IT team or they’re used to having somebody that’s helped them out for years, but they’ve grown. They’ve added facilities. They’ve added offices. Maybe they’re merged with another firm and got more people. They’ve now got additional applications. They’re now using things in the cloud. They have additional responsibilities because now they look at how do I take care of my infrastructure so that instead of having 30 servers, I have three that are virtualized.

Mike: They look at the idea of the onset of people bringing in their own devices to the office. I’ve now got Wi-Fi. I’ve got third-party companies that are trying to access my infrastructure. Yet, they still have the same network topology that they had when they were one-third or one-quarter of the size. They didn’t have any of those things. They’ve never taken the time to go back and do that. That’s part of that identify step. Do a risk assessment and understand those things.

Mike: It’s a big risk. We see that a lot where people have just, I’m so used to doing the day to day stuff, as you said. The owners are like, “Hey, we’re covering this day today. We’re getting, you know, antivirus is there. We got backups.” But, my gosh, we got to do all this support. We got to add new applications. I got to help open a new office. I got to help these people learn … it’s a lot for an IT department. What we’re seeing is a lot of them are kind of raising their hands and saying, “Hey, we’d like some help.” We’ve identified that we have some risks and threats. How can you help us prevent those? How can you help us get that done?

Mike: A lot of third-party companies today, have the ability to help companies that don’t have an IT staff, but the more experienced and growing ones, see an opportunity to help those with an IT staff start to level the playing field a little bit because they can help them with specific levels of expertise.

Dave: You know, that’s a good point. I think the smart guys have recognized, “Hey, we have an IT department, but even if we have an IT department, we occasionally need an outsider, an outside IT auditor, if you will, to look to see if we’re, you know, we’re on pace. Does this make sense?”

Mike: Right. We see that as kind of that first step. The second step is those detection tools. We’re involved in a lot of that with our customers. They want us to follow that because we have more sophisticated systems. We actually have processes and procedures that won’t allow things to fall through the cracks. Again. If I’m the one or two-person IT staff supporting a couple of hundred people, I’m going to be doing an awful lot of user support. I’m going to be doing an awful lot of ad hoc work that just magically pops up.

Mike: Well, a lot of times, I don’t have time to focus on making sure that I can cycle back and get all my antivirus updated. I don’t have time to recognize that Dave Cain, who leaves every day at 5:00 and never logs into his system, has started to log into his system at 8:00, 9:00, 10:00 at night. Nobody is there to follow up and say, “Hey, Dave, What’s going on?” Well, Dave may have some new things that he’s trying to get prepared for and he wants to do that, but then again, maybe Dave’s not doing it at all, but they don’t have the time or the bandwidth to do that.

Dave: Or detection.

Mike: That’s where they come to companies like us and say, “Help us out.” I’m not saying that we’re alone in that. There are others that do it.

Dave: Right.

Mike: I’m just saying that they look at where, hey, can we find a solid third-party organization to help us out.

Dave: But, whatever, we were talking about how IT departments are stretched where some of the IT departments are now in charge of the computer, the phone system, the loudspeaker that plays the music throughout the office, you know? Maybe the lighting outside in the lobby.

Mike: The video conferencing, the security, and all the applications.

Dave: Yes.

Mike: Yeah.

Dave: Again, how are the smart guys investing their dollars to offset that?

Mike: In some cases, they’ve looked at this and said, “I’ve done my assessment and I understand where my risks are. I have developed an IT strategy to understand where we are as an organization. I’m putting my tools in from a security perspective, but I’m also looking at saying, hey, I had a network that I found out was a little outdated and my switches, which I never think about, were five or six years old. We need to upgrade our network to be able to support those things. Oh, by the way, we did a Wi-Fi system five years ago and it seemed to work fine, but today, we have twice as many employees and every one of those employees has a mobile phone that they want to try and suck our Wi-Fi out. We bring guests in all the time and they want to use the Wi-Fi. Oh, by the way, we have many people who use laptops and walk around in our conference rooms. Is the Wi-Fi overdone?”

Mike: They’re looking at how do they upgrade their infrastructure. How do they look at being in a position to do strategic investments in their technology to move things forward. There’s big discussions among folks in the SMB world is, do I keep it onsite, or do I move it to the cloud? In many cases, in fact, I noticed in your newsletter that I receive, they talked about QuickBooks. Do you do QuickBooks onsite or do you do QuickBooks in the cloud?

Mike: Again, it depends on the organization. It depends on the culture. It depends on a lot of that. It comes back to the business strategy. We have customers that they’re perfect fits for going to something like Microsoft Office 365, but the executives in the company say, “No, we’re not. We’re going to keep that on house. We’re going to keep that in the premise.” Yet, we have other customers who maybe it’s not the smartest thing in the world for them to do, but for whatever reason, they’re sold on the cloud and everything has to go there.

Mike: We as a company, are really good at helping our customers go through and make those decisions, giving them the options to make those decisions, and then working with them on what about your infrastructure? Do you need an upgrade? What about your applications need an upgrade? What about your security do you need upgraded? How can we help you help your team be more productive in their efforts to accomplish your organization’s mission?

Dave: Okay, let’s play true or false.

Mike: Okay.

Dave: Do you like that game?

Mike: Depends.

Dave: Okay. All right. I’m putting everything on the cloud. Do I have a greater risk or less risk?

Mike: It depends.

Dave: Well, that’s not a true or false answer.

Mike: That’s the truth. It depends. It depends on again, how you set up your processes. It depends on how you set up your structure. It depends on how you, as an organization, and you as an individual, care about those things. The cloud can be as secure, your application in the cloud can be as secure as they are onsite. Your applications and your systems onsite can be as insecure as they potentially could be in the cloud, depending on how you set those things up and how you get organized in terms of where it is. There is a lot about policies and procedures that matter.

Dave: Good point.

Mike: There is a lot about training.

Dave: Great point. We’ve had discussions, again, non-IT, related folks, that oh, we’re in the cloud, we’re safe. That’s like you said, it depends. You could be, but buyer beware.

Mike: Here’s a perfect example of that in terms of where this plays. I go to Google or I go to Microsoft and I go to an Office 365 or Google’s Suite for business. Most people don’t realize those systems aren’t backed up. Yeah, but it’s in the cloud, it’ll always be there. It’ll always be there until one of your employees makes a mistake and deletes their file, or until one of your employees knows they’re going to get terminated and deletes all their information from their files and then you find out you need to have that because you don’t have the contacts stored anywhere other than in that spot.

Dave: Sure.

Mike: You need to have the backup. Same thing with many of your applications that are in the cloud. They provide redundancy, but if you have a human error or somehow that data gets corrupted, you could have some challenges there. We work with many of our customers that have a low tolerance for risk, or they have a compliance requirement, or it’s just corporate culture, we help them get those things, make me aware of those, and then help them with solutions to protect those things so that their applications are in the cloud.

Mike: We also talk to them about, how do you deal with your password policies and those things, and access policies because those are important as well.

Dave: Yeah. Well, that brings a conclusion to the official podcast and just like any great band, they come out for an encore. Are you ready for an encore question?

Mike: Hit me with your best shot.

Dave: You talked about, you could step back and say, “Hey, these smart guys, these are large companies, large organizations, large budgets, large revenue items.” What about the small business community? How can that community benefit from some of the things you’ve talked about?

Mike: Sure. I think everyone could benefit from a risk assessment. Based on the size of your organization, determines in many cases what that costs and how thorough it needs to be. For example, a risk assessment for Rea and Associates would be significantly more expensive than that for an organization with one office and 25 employees. I think the second thing to look at is that the cost of some of these technologies, have scaled way down for the small business, where years ago, you couldn’t do it. Well, now you do.

Mike: Office 365, everybody says, “Well, it’s $20.00 a user.” Not necessarily. In a small business, it’s $12.50 and you can just have an email for certain people. There’s two examples. A third example just comes back to the idea of using a third party. If I go to hire a staff person, I could be spending $50, $60, $70, $80,000 plus benefits and a whole lot else because I don’t manage them. I don’t give them, you know, a number of things because that’s not my job. My job is to do what I do. It might be to manufacture something or it might be to provide a professional service.

Mike: A third party can provide a team of people with processes, with procedures, with tools that can help you do that in a cost-effective manner.

Dave: Good point. Good point. Now, you know, I want to go back to something you said earlier about when we had beers over at the local tavern, was that on your expense account or mine?

Mike: I honestly don’t remember.

Dave: Okay. We got to do that again sometime soon and dig into this.

Mike: I would be happy to. And by the way, it’s almost football season, so we can have a good time talking about football.

Dave: You notice I haven’t talked, asked you any questions about football? Do you notice that?

Mike: It is outstanding. It is outstanding.

Dave: Our guest today has been Mike Moran, president of Affiliated Resources, located in Dublin, Ohio. Mike, can you shout out your website. There’s a lot of good stuff on there.

Mike: Sure. I’m going to say it slow, www.aresg, as in George, rp.com.

Dave: Great. Thanks for joining us, Mike. The stories we hear about cyber criminals successfully infiltrating the company database and financial information is really unnerving. A little bit scary. We’re making some headway, but we got a lot of work to do. I hope our listeners will follow up on some of the tips you provided today. We’ve included some great articles, tips, and other resources on this episode on our website at reacpa.com. If you enjoyed today’s episode, let us know. Like it, comment on it, or share it, and don’t forget to check out videos of today’s podcast on YouTube. Until next time, I’m Dave Cain, encouraging you to loosen up your tie and think outside the box.

Disclaimer: The views expressed on unsuitable on Rea Radio, are our own and do not necessarily reflect the views of Rea and Associates. The podcast is for informational and educational purposes only and is not intended to replace the professional advice you would receive elsewhere. Consult with a trusted advisor about your unique situation, so they can expertly guide you to the best solution for your specific circumstance.