Doug Houser:
From Rea & Associates Studio, this is unsuitable, a management financial services podcast for entrepreneurs, tenured business leaders, and others who are ready to look beyond the suit and tie culture for meaningful, measurable results. I'm Doug Houser. On this weekly podcast, thought leaders and business professionals break down complicated and mundane topics and give you the tips and insight you actually need to grow as a leader while helping your organization to grow and thrive. If you haven't already, hit the subscribe button so you don't miss future episodes. And if you want access to even more information, show notes and exclusive content, visit our website at www.reacpa.com/podcast, and sign up for updates.
As the world has become more digital, you can only expect that cyber-criminals are not slowing down. Keeping your systems up-to-date and completing risk assessments annually are a few of the steps that can keep your organization safe. Today, we celebrate National Cybersecurity Awareness Month with Shawn Richardson, Principal and Director of Cybersecurity Services at Rea & Associates, and Conner Mundy, Associate at Rea & Associates, to share how important cybersecurity is to your organization and why you should be implementing these resources into your business. Welcome to unsuitable, Shawn and Conner.
Conner Mundy:
Thank you.
Shawn Richardson:
Thank you for having us, appreciate it.
Doug:
So, National Cybersecurity Awareness Month. I know, boy, since this COVID thing has hit, it's really ramped up, I think, the awareness of cybersecurity, at least in my client base. What have you seen change since the beginning of this in February, March? Have you really seen awareness ramp up among businesses out there?
Shawn:
Absolutely. Doug, it's gone up so much that threats and attacks have gone up like 400%.
Doug:
Wow.
Shawn:
It's unreal. What we've done, in essence, is we've taken the business office space and moved it into our homes, right? And so with that said, that now also brings other lists of complications and/or potential challenges that are unknown. Some networks are not secure. In some cases, companies don't know what a virtual private network is, which is basically a tunnel, a secured tunnel to ensure that data is kept safe. And so it's an environment without edges.
Doug:
So, Conner, you're fairly new to the firm. I got to ask you, you're also known as the Terminator. What's the story behind that?
Conner:
So it was actually like my second week starting here, I got LASIK eye surgery. So looking at the screen, being an IT guy, we look at the screens all the time. It was getting tough on my eyes. So I actually was wearing these sunglasses they gave me during the surgery; they really had a look. So I was wearing those in a meeting, actually. And Shawn there took a screenshot, and that's now on his phone. I even got my column, and it has me with the sunglasses on. So that was a little fun thing.
Doug:
Nice. I love it. Well, you got a little Arnold thing going on there. So yeah, that could work for you. I love it. So Conner, talk a little bit about remote workers. Obviously, that's become more prevalent overnight and certainly likely to remain in some fashion, certainly more prevalent than it was pre-COVID. So what are some of the things we should be doing, and our clients as owner-managed businesses, what should they be doing to keep their information and their workers safe as they work remotely?
Conner:
I would definitely say implementing, as we talked about, a VPN, so it's like a secure portal to work on work-related things. And then also to make sure they have efficient training on phishing and emails like that, because a lot of the cybercriminals, they pivoted from doing other attacks to more phishing attacks, which is like, Hey, we're going to send you this email, and then they'll try to get you to click a link. But now another thing too is that with the budget cuts that have happened because of COVID, a lot of these small and midsize companies had to make budget cuts on IT. And these people at home, they don't really know who to contact now, because maybe they furloughed the IT staff. So it's tough too, and you've got to make sure that you keep your IT staff good enough so that someone has someone to talk to in that situation.
Doug:
Yeah. It's interesting you say that. I know in dealing with my client base that I'm familiar with, construction companies, say, between five million and 100 million, most of them say, oh, I hear this a lot: Well, they're not really that interested in us. We don't have any personal data, things like that. And I hear just the opposite, because obviously their guard is down, and plus some of the clients that they themselves do business with, whether they're utilities or other public entities, that's dangerous stuff. Shawn, talk a little bit about where you see, what types of companies in your experience have been most vulnerable over the past year or so.
Shawn:
So, a lot of what we're seeing, that's a great question, Doug, a lot of what we're seeing is centered around family-owned businesses, small to medium-sized, in some cases with hundreds of employees, that have been in business for years and are not used to something like this. And so therefore they do their data, they've been doing things business as usual for so long that when something like this happens, they just don't know how to respond. And so what we're seeing is frankly a lot of people reacting or overreacting, maybe they're just cutting corners in trying to allow them to gain access to their home networks and then not putting controls in place. And so some examples there would be using remote RDP sessions. So remote data connections that people are not putting controls behind. And so they'll connect to local servers back at the home office. And if there are no security controls around it, they can likely get owned, and owned meaning hacked or that information compromised.
Another call-out in what we see, and Conner's already touched on it, is they've pivoted as it relates to their phishing attacks. They're using terms like COVID and PPP. Doug, you being kind of our PPP expert within the firm and helping lead that team and initiative for our clients, you've likely heard that they've seen emails from organizations who they think are valid. Right? So, yeah, it's just been an insurmountable amount of just a harsh undertaking for some of these companies that just don't have the support and the consultancy in place.
Doug:
Yeah. Conner, talk a little bit about the approach that you typically see some of these hackers take. I mean, what's their angle? They're trying to hold the company hostage, in essence. Is that the typical scenario?
Conner:
Yeah. So if they perform pretty much like a phishing attack and they get in and they get into software, their main aim right now is like a ransom attack. So they'll kind of just, they'll blue screen everybody. They're like, Hey, you've got to pay this amount and then we'll unlock, or maybe give your data back, or maybe not. And that's another thing too: if you're a small or mid-sized company and you don't have a business continuity plan, if all your systems go down, if you don't have backups, an offsite backup, you could be really out of luck. And I mean, it really could shut down your business. A lot of these companies don't have the money right now during COVID to give 200,000 to this cybercriminal in Bitcoin or whatever he wants his money in. So it's a scary thing, but yeah, I think ransomware is a big thing that is hitting a lot of people.
Doug:
Do we see a lot of these smaller businesses, do they still have their data on their own servers, or what do we see? I mean, is there protection, obviously, if you're operating in a cloud environment, that type of thing? What are some basics that companies can do beyond what you've already mentioned, like with VPN, et cetera, that would help?
Conner:
Definitely, if they have like a server onsite, to actually have backups of that server. So maybe do it nightly, weekly, and then just get like an external drive. You can get them at Best Buy or wherever, and you can put the data on that just to have backups of the data. And then also to make a plan around, say, we have no, like IT is down, all the computers are down. Can we still operate? Like pen and paper, like we used to operate. So have a system in place and test that system.
Doug:
Yeah. I know when I was in the private sector, we used to go through that exercise a couple of times a year. I used to kind of chuckle a little bit, and we'd move everybody off-site and still try to operate paper, pencil, but it is a worthwhile exercise, certainly, as you say. So Shawn, if you can talk a little bit about the types of losses that we typically see. I mean, Conner mentioned that it can be a business killer, but if you're a small to midsize business, what do we typically see when these kinds of things happen?
Shawn:
Sure. So I'll give you a couple of examples. We responded to an event in the fall, or excuse me, in the spring. There was a small, locally owned, family-owned business, about $2 million in revenue a year. They were hit with ransomware, and the very first thing that they went after was their backups and their client database inside their accounting software. And so what ultimately happened is that ransomware event would have cost them in excess of upwards of $100,000. I mean, the average loss for a business for the present day in comparison to where it was three years ago is up like 30%. In 2017, the average loss was about 170-120K to a business; present-day it's upwards of over 200,000. And that doesn't include brand awareness, right, or brand degradation, if you will.
And so in this particular case, it would've cost them about 50K in lost revenue, in lost wages, lost time. And our incident response team went in and was able to respond to the event, actually negotiate with the extortionists and reduce their fee exponentially. I mean, they ended up paying, but we also got the data back. And that was the risk that we share with the business, that, Hey, look, 90 plus percent of the time you don't get your data back. You just don't. But we were able to manipulate, do some manipulations ourselves, and thankfully determined that the data was safe, and that exercise ended up costing less than about $10,000 total. And so that's just an event, an example of what people are going through today, and that could close the doors of a company, Doug.
Doug:
Oh sure. Yeah. I know we had, I was aware of a case in Northeast Ohio that took place fairly recently where the diocese up there erroneously sent a couple of million bucks to a subcontractor that they shouldn't have. It was a phishing exercise, and that money was gone. So, to that end, Conner, talk a little bit about, I know we do internally, we have some exercises that we go through, phishing training every quarter. It's not hard to do, right? To set up that kind of thing for your employees to at least be reminded of that stuff?
Conner:
Yeah. Not at all. I mean, you can do like weekly emails, you can do lunch and learns. It's just quick things, videos, so you can send videos out. It's just easy things that can really, in the long run, save you.
Doug:
Yeah. Just those subtle reminders that, again, it becomes more top of mind for folks. It's certainly helpful. I know it helps me. Shawn, talk a little bit about cyber insurance or cyber risk insurance. I know we've got some good friends of the firm here that constantly remind folks that, Hey, you're not as protected as you think on that end. What can that do? And how do our services, you mentioned like our emergency response team, how does that dovetail with maybe what a cyber policy might do?
Shawn:
So that's a great question. So a lot of cyber policies, and in fact our trusted partner there, and we have something coming up with a construction event where we talk about this, is you have to identify what is the true risk to the business and call that out in the policy, right? Just a blanket cyber policy in some cases, or I would say in all cases, is just not going to cover specific business data that potentially could leave the organization or what have you. So it's got to be clearly defined.
And those policies are helpful, but it all goes back to and starts with having an assessment, a business assessment, or what we like to call within our organization, the segment of Rea Cyber Services, an information security risk assessment. And we lead with that by not having a technical conversation, but a business conversation: what's most important to your business? And that is your client data and your accounting data and your backups. And so if those don't have controls, then the cyber policy may or may not cover that. And so it's important to walk that through. We'll walk that back by starting with an exercise, like an information security risk assessment, and doing data analysis. Where is your data? Where does your client data sit? As Conner mentioned earlier, if you've got client data in a database somewhere on the local server, is it protected? Are there controls around it? Are those databases or that information, is that information protected and encrypted? So.
Doug:
So, Conner, I want to get each of your last thoughts on this. Where do you see cyber going forward? I mean, obviously the world has changed so much just in the last six months. It's certainly hard to predict, but if you had to offer some sage wisdom in terms of where you think we're headed, where the biggest risks might be over the next six to 12 months, what's your best guess? We'll start with you, Conner.
Conner:
I think just the continued transition from the in-office workplace to the remote workplace, just the continued concern of attacks like phishing attacks that are going to keep happening. Also, bringing back the IT staff, or even potentially, which is another thing, if you were going to bring everybody back into the office, how are you going to do that? All those devices that you just had off the network, on these home networks that share the same system as an Xbox, your kid's Xbox, your home, your smart fridge is on the same as your work computer. How is that data, and how is that computer going to get back on the network? Are you going to have like a separate network and kind of test the computers to make sure they're all clean, without viruses and other malware embedded in them?
That's the big thing. And also brute force attacks, which is like, when you have, say, a user, so maybe they're trying to get in, Doug, into your computer. So they'll keep trying passwords. And if there's no password lockout, for example, they'll keep doing it until they get the password and they're in the system. And we've seen that at a lot of clients too. So just putting controls around user credentials is big. Yeah. That's probably the big thing.
Doug:
It's scary stuff when you bring up the technology in our homes, right, like the smart fridge and all that stuff. And those are potentially all access points, correct?
Conner:
Oh yeah.
Doug:
Frightening. So Shawn, what's your Nostradamus outlook here for the next six to 12 months in cyber? What should we be thinking about? What should we be most aware of here?
Shawn:
Yeah, absolutely. So great transition there. Building off of what Conner shared, one of the things that's important to us is identity, identity from a user perspective, but also how do you protect those identities? And with the transition back in, bringing that workforce back into the office, what ultimately needs to happen. And so a few wise steps would be, if you don't have multi-factor authentication set up within your environment. And basically, in layman's terms, what that means is two forms of gaining access to a resource. So username and password coupled with a phone call or an email, or some sort of authenticator code or a text message to validate that person, that identifies who they are.
And so that right there is the first wise advice that people should be taking moving forward. And then couple that with revitalizing your disaster recovery plans, your emergency response plan. Go through tabletop exercises where, if your IT manager or a member of your executive team is taken out, whatever the case may be, because while that's a morbid way to approach it, the whole beer truck analogy, if you will, if in fact that person, he or she, is removed from the equation, how do you respond? How are you communicating within your own executive team, your own business unit leadership, to respond to that appropriately?
And I would debate and argue that oftentimes we're seeing a lot more reactionary response and hair on fire, playing firemen.
Doug:
Yeah, absolutely.
Shawn:
No pun intended there, but playing firemen by reacting versus having a plan and a process in place. And then lastly, I said it before, and I think this is really one of the tops, it's one of our top five, is you start knowing where your company's data is, start knowing and identifying that risk through having a trusted advisor come in and perform a risk assessment and having those business conversations versus feeding you a bunch of technical jargon or trying to sell you a security tool.
Doug:
Right. Absolutely. That's wise advice. I think we should do this episode on Halloween next time, because this is frightening stuff. Scares the hell out of me, I can tell you that, but it's great to visit with you guys. And again, it is National Cybersecurity Awareness Month, so you should talk to our experts for more advice. Well, thank you, Shawn and Conner. Great to have you on. And if you want more business tips and insight, or to hear previous episodes of Unsuitable, visit our podcast page at www.reacpa.com/podcast. And while you're there, sign up for exclusive content and show notes.
Thanks for listening to this week's show. Be sure to subscribe to unsuitable on Apple Podcasts, Google Podcasts, or wherever you're listening to us right now, including YouTube. I'm Doug Houser. Join us next week for another unsuitable interview with an industry professional.
Disclaimer:
The views expressed on unsuitable on Rea Radio are our own and do not necessarily reflect the views of Rea & Associates. The podcast is for informational and educational purposes only and is not intended to replace the professional advice you would receive elsewhere. Consult with a trusted advisor about your unique situation, so they can expertly guide you to the best solution for your specific circumstance.