Shawn:
We can come in for a nominal fee, in comparison to what it would cost them if they were shut down for, in some cases, weeks, possibly even months.
Doug:
From Rea & Associates' remote studio, this is unsuitable on Rea Radio, a management and financial services podcast for entrepreneurs, tenured business leaders and others, who are ready to look beyond the suit and tie culture for meaningful measurable results. I'm Doug Houser. On this weekly podcast, thought leaders and business professionals break down topics and give you the tips and insight you actually need to grow as a leader and help your organization thrive. If you haven't already, hit the subscribe button episodes. And if you want access to even more information, show notes and exclusive content, visit our website at www.reacpa.com/podcast and sign up for updates.
If you've been watching the news lately, you've probably noticed an uptick in reports about cybercrime, as many companies operate with a remote workforce. If you're preparing for reentry, you have a lot to consider, not only from a health and safety standpoint, but your cyber safety concerns don't go away as soon as your team is back in your physical building. In fact, reentry poses a lot of cyber risks to companies. Two of Rea's top cyber security professionals, Shawn Richardson and Ty Whittenburg, are here today to talk about how to reintegrate your employees and your information systems without adding additional risk to your business. They'll share what threats to look for upon reentry and the most important issues to consider while migrating your workforce back to your company's network. This stuff is critically important, so let's jump right in. Welcome to unsuitable on Rea Radio, Shawn and Ty.
Ty:
Good afternoon.
Shawn:
Good afternoon. Thank you. Thanks for having us.
Doug:
Obviously, everybody's world has gotten turned upside down here, and cybercrime and cyber security are always of importance, but even more so during these times. What have you guys been seeing? What have you been working on as we, all of a sudden, were hit with this COVID-19 crisis and remote work became necessary?
Shawn:
It's a great question, Doug. One of the things that never goes away is, while these companies are reintegrating themselves and their employees and work staff and workforce back into their home network environments and their corporate environments and so on, the risk to the business doesn't go away. In fact, it's escalated, because now we've got devices and user accounts and data that have all either left their network or are riding a home network, if you will. And bringing all those machines and those devices back into a home network poses a lot of risk there, from several angles. To your point, Doug, the cybercrime and the cyber risk in general, overall, has not gone away. In fact, it is heightened greatly.
We have a few things we can talk about today centered around what to look for, but primarily, to answer your question directly, this reintegration period is going to be challenging for some, but one of the biggest things that you've got to keep on the forefront is devices that leave the network, employees' identities that leave their home network, and they're now migrating themselves back into their home networks.
Doug:
Talk about that a little bit, Shawn. By leaving, we all have laptops and cellphones that are connected to our work lives. Those don't separate; all of those things are part of our life. When you talk about being connected to the home network and then back integrated into the work network, what specific risks does that pose? And on an ongoing basis that doesn't really change, does it?
Shawn:
No, it doesn't. In fact, a lot of times, it's the status quo. People oftentimes do work at home. What most companies in the small to medium sized business space, 250 employees or less, were not used to before COVID-19 is, yes, they would go home and work naturally, but most of them did not connect through a secure means like a virtual private network, or VPN. And so they were connecting through other means, whether it be a third party application, an RMM software, a remote management software, or what have you. And frankly, not all of those are safe. Best practice within industry is to connect via a virtual private network, or an encrypted tunnel, if you will, so that they can take that asset and connect it safely back to the home network.
Doug:
Gotcha. Yeah. And obviously, if I'm a business owner, say a typical small to midsize business, I don't necessarily have my own IT staff, obviously. I know, having been in that world when I was a CFO, I was the IT person. And let me tell you, I wasn't qualified. What should somebody be doing? Can we do a quick and dirty assessment for folks to try to pinpoint where their risks are? Those types of things?
Shawn:
Yeah. That's a great question. You want to answer that?
Ty:
I think that's a really great question.
Shawn:
A reentry risk assessment, if you will.
Ty:
Reentry risk assessment, which is actually part of our standard protocol when we do a security risk assessment. You've got your organization's data and intellectual property, which are probably some of the most important things for a business. It's what differentiates them from the competitors. And so for us, our ability to go in, if you're talking about a reentry, would be to take a look at doing some form of a scan of the system for data and for shadow IT.
Shawn:
That's a great point, Ty, and when we talk about shadow IT, or shadow information technology or applications, if you will, a lot of times, again, just to kind of paint a picture, you're taking company assets into a foreign network. Our home networks. I can't count on both hands how many conversations the both of us have had with staff members and even our clients that, "Hey, how do I connect to VPN at home? Or hey, I'm not sure how that all happens, but I still got to do my job." And so typically what happens in that case, foreign applications will get installed on that local machine. Some of them not approved, to try to find circumvention and ways of.
Ty:
To make your job easier.
Shawn:
Yeah, to make your job easier, because they've got a job to do. You combine that with the stress and the anxiety of COVID-19 and what's going on, you're still trying to move the ball forward. And oftentimes what happens is a user naturally will find ways just to make it work. They'll connect to, like, Gmail and G Suite and Dropbox and Box.
Ty:
Box.
Shawn:
Cloud applications that frankly, in some cases, or in most cases are unsanctioned and not approved inside of a corporate or a business network.
Doug:
You mention a little bit there, talking about the cloud and obviously many businesses have moved all of their information into the cloud. It's certainly very cost effective and all of that, but talk a little bit more about some of the risks there. How secure that environment is for your data and some of the risks that that poses for businesses.
Shawn:
Sure. That's a great question.
Ty:
I don't think the cloud makes you any less safe. You're still managing a network. I think when we talk about it, the real keys kind of come into play of, is there process? Are there logical steps that people are taking to ensure that they're not thinking that the cloud is going to secure everything for them? The cloud has a responsibility to their infrastructure, but we have a responsibility to safeguard our connections and network to it. A lot of that has to do with your security teams or your IT teams making sure that they're putting policies in place that are limiting access only to those who most need to have it, privileged access, keeping that true to the policy. Also, we hear a lot of times in the news that an S3 bucket from Amazon has been compromised, and that's because, more times than not, it's not necessarily the information security team that's done that; it's been a member of the team that has kind of found a workaround for an organization to make it work and has not put the policies in place to ensure that we're safeguarding data and intellectual property.
Shawn:
Additionally, security controls, a framework. Those are all things that most, again, 250 and below, smaller companies don't really have or understand the importance of: a security control framework like the NIST Cyber Security Framework, which is something that we use. You've got other frameworks, COBIT, and then you've got other regulatory frameworks that come from regulatory bodies that go over that: the HIPAA Security Rule, PCI DSS. HIPAA is healthcare. PCI DSS is the Payment Card Industry Data Security Standard. That's all things credit cards. And so back to your question, specific to cloud apps, moving data to the cloud, again, it starts with the business process. It starts with assessing the risk and accepting the inherent risk of that particular application, or putting controls around that application within the business to protect their intellectual property and company data.
Doug:
Well, it's like anything, and as a CPA and consulting firm, a lot of what we do is risk mitigation for our clients across different things. It's no different than if it's their accounting procedures or from a tax perspective. What we're talking about here, and what we want folks to be aware of, is that cyber is another of those things that they have to mitigate risk around and understand their risk. And they should be investing just as much time and effort in that as they do in those other things.
Shawn:
Absolutely.
Ty:
Definitely.
Shawn:
Absolutely. Absolutely.
Doug:
What are some of the biggest risks you see today? I hear a lot of this about phishing and some of these other things where companies send money and they shouldn't. Where do you see the biggest vulnerabilities today?
Shawn:
I'll tell you, in our research and how we've interacted with clients over the last eight to 10 weeks during this crisis, we've seen a huge uptick, and the industry has seen a huge uptick, in compromise of Office 365. And so Office 365 is Microsoft's network in the cloud, if you will. It's all built on Azure. And so that tenant that holds all things email and other applications, data, SharePoint and so on, what's happening is baseline security controls for those tenants in the cloud don't have the recommended control sets that they should.
Doug:
Wow.
Shawn:
And it's a common thing that has been happening. And so the bad actors come in and leverage those known threat vectors to compromise those instances. That's probably one of the biggest ones that we've seen thus far. In fact, we've had several calls and are currently engaging with clients and other organizations to help them walk that back. That's also tied to phishing as well. Obviously phishing, everyone's heard that term for several years. It is a way of getting someone to obfuscate bad code or bad activities through social engineering, basically. Someone attempting to present themselves as someone that they're not, to convince Doug Houser or Brad that, hey, I need you to click on this email, or I need you to click on this link, or respond to me with some information. And then what happens is that information is leveraged to go and compromise said instances of Office 365, and there's others, but that's the common threat vector.
Doug:
If I'm a business owner, though, I'm thinking a lot of it comes down to, okay, cost benefit, these types of decisions. And I'm looking through this COVID-19 period, what's my business going to look like post-crisis? Is it the case with cyber that an ounce of prevention is worth a pound of cure? Or is it better to just say, "Ah, you know what? I'm going to wait until something happens and then go get the experts to fix it." What kind of feedback can you give us on that?
Shawn:
The latter.
Ty:
I would say that risk has probability in it without a doubt, but it's worth it to pay upfront what may seem expensive rather than spend thousands more than what you may be able to afford. And so one of our peers, one of our principals here, Paul Hugenberg, always likes to go through this presentation where if you make $5 million in revenue a year, and you go through all of the costs afterwards and you have an event that is 20% of your revenue, which comes out to a million dollars, can you withstand that event? Well, if it's going to cost me $25,000 to do a risk assessment, to help me identify those potential risks and reduce the frequency of the threat and reduce my vulnerabilities, which are the things I can control, why wouldn't you spend the 25,000 versus taking the million dollar hit? And then, beyond the monetary factor of it, can you withstand the reputation piece of it?
Doug:
Good point.
Ty:
Your reputation, if we talk about a large retailer like a Target, they've come out of it okay. But if you think about the credit card scandal that they had, where they lost all that credit card data, it took several years for people to feel comfortable, and their reputation took a bit of a hit.
Doug:
Yeah, yeah. For many businesses that trust factor is of utmost importance, certainly in our business, in the financial services industry. If you don't have that, you've got nothing.
Ty:
And a lot of times people don't take that into the calculation for their secondary loss as a revenue impact.
Shawn:
We had another perfect use case. And it's been made public for several months. Late last year, a Dublin company that had been in business for over a decade closed its doors after an event.
Doug:
Wow.
Shawn:
Because they couldn't recover. It was catastrophic for them.
Doug:
Yeah. Again, Shawn and Ty, if I'm a business owner, closely held, family run business, maybe I'm 10 million in revenue, can I get a risk assessment done fairly reasonably to at least understand where my risk is before I then maybe think about additional engagement? What does that look like?
Ty:
Great question.
Shawn:
Yeah, great question. Yes, oftentimes business owners of that size believe, going back to the statement you made earlier, "we're just going to wait until something happens." Well, we've already talked through that. As a trusted advisor, as our team presents ourselves as subject matter experts in identifying risk, we can come in and build a program for them for a nominal fee, in comparison to what it would cost them if they were shut down for, in some cases, weeks, possibly even months. And what that looks like, Doug, is we have a couple of different ways we approach it. If they don't have any type of framework in place at all, meaning they don't have any cyber security controls, they don't have any.
Ty:
Policies and procedures.
Shawn:
Yeah, policies and procedures, no one's looked at what's critical to the business. Our approach is: where is your most critical data? Where are your most critical systems? By the way, what are you doing from a policies and procedures perspective, internal to the business, tying that all back to controls? Not just having a technical conversation, but a business conversation: what are your business goals over the next two, three, five years? And all those business objectives that you have, we can tie a technical control to that. Oftentimes what happens is owners get frustrated by a bunch of jargon and statements.
Ty:
Sales lingo.
Shawn:
And hackers and sales lingo. And as trusted advisors, we just cut directly to the chase. And that is where your risk lies. What is most important to you as a business owner? To your point, family owned business, been in business for a couple decades. They're only doing 10, 12, $15 million a year, maybe. And let's simplify that conversation, all centered around business risk versus a technical conversation.
Doug:
Yeah, no, I think that's a great approach too. I think it's something for folks to think about as ultimately they look to transition their business to some degree, whether it's internally within the family.
Shawn:
Absolutely.
Doug:
Or ESOP or third party sale or anything like that. If you don't have this kind of a hole buttoned up as best you can, you're greatly reducing the value of your business. I'm sure that's.
Shawn:
We're going through that exact scenario right now with one of our clients. They were just a regular LLC. They transferred over to an ESOP. And one of the very first things post audit was we identified some risks as it related to cyber, and immediately they engaged us, and we're building a program for them as we speak. And so to your point, as that business grows and the objectives change, we can tie that all back to the risk from a cyber perspective.
Doug:
Yeah. That's great stuff. Shawn, I've got to ask you one last question since you've got a military background: give us a cool military story that you've got, that you could share. Whether it's cyber related or not, anything come to mind?
Shawn:
Yeah, so I like to share this one. It is cyber related. I managed a team of about 400 hackers, all males and females, all walks of life, all with a special set of skills as Liam Neeson would say.
Doug:
I love it.
Shawn:
But our job was to, and most of the activities that we did were in a specialized space that was off-grid, what we like to call it, and you'd have to have a clearance to be involved, if you will, and be read on at a certain level. And so our job was to take these missions, to come in and build teams based upon capabilities. And so in this particular case, we built a small team to go off and do what they do best. And in this particular case, it was to just gather some information.
And one of the soldiers on that team was responsible for carrying all the equipment that we used, specialized equipment. We'll just call it that. And one particular scanner, and the software tied to that scanner, in some countries are considered either not safe or unauthorized or what have you.
Ty:
Illegal.
Shawn:
And long story short, they got to their destination. And this young man was pulled aside and interrogated for hours. And we had to make some phone calls, and needless to say, we still tease him to this day. While during that event, he was likely, and we as well, we want to make sure that we're doing due diligence as a country and during that mission. But no, I appreciate you asking that question, several situations like that. All, for the most part, off grid and doing good things.
Doug:
Very cool. That's some spy level stuff there. We'll have to converse more over some adult beverages of choice, perhaps. There we go. Shawn and Ty, this has been super great, very informative for me. I will definitely have you guys back on, because we could do a 2.0, 3.0, a number of versions of this.
Shawn:
Absolutely, well, we appreciate it very much. It's really important to us to just, we want to have a conversation with anybody during this reentry. If you're not comfortable, just pick up the phone. Those three most important things: bringing those devices back into those home networks, analyzing potential foreign software and stuff like that, determining if company data has left your network, which it has in some cases.
Ty:
Or if new applications have been added to the machine after it left the office.
Doug:
Yeah. Good stuff for sure. Well, if you want more business tips and insight or to hear previous episodes of unsuitable on Rea Radio, visit our podcast page at www.reacpa.com/podcast. And while you're there, sign up for exclusive content and show notes. Thanks for listening to this week's show. Be sure to subscribe to unsuitable on Rea Radio on Apple Podcasts or wherever you're listening to us right now, including YouTube. I'm Doug Houser. Join us next week for another unsuitable on Rea Radio interview with an industry professional.
Speaker 4:
The views expressed on unsuitable on Rea Radio are our own and do not necessarily reflect the views of Rea & Associates. The podcast is for informational and educational purposes only and is not intended to replace the professional advice you would receive elsewhere. Consult with a trusted advisor about your unique situation so they can expertly guide you to the best solution for your specific circumstance.