Doug Houser:
From Rea & Associates Studio this is Unsuitable, a management and financial services podcast for entrepreneurs, tenured business leaders and others who are ready to look beyond the suit and tie culture for meaningful measurable results.
I'm Doug Houser. On this weekly podcast thought leaders and business professionals break down complicated and mundane topics and give you the tips and insight you actually need to grow your business.
If you haven't already, please hit the subscribe button so you don't miss future episodes. If you want access to even more information, show notes and exclusive content, please visit our website at www.reacpa.com/podcast and sign up for updates.
We know that the last few years have changed so many things, the way we work, do business and even interact with each other. In these changing times how can organizations continue to keep their data safe and cyber threats at bay?
Today we are pleased to be joined by Mark Dowd, chief development officer at InfoGPS, as he discusses what every organization should have in their toolbox to protect themselves from threats. Also, discussing current trends and more.
Welcome to Unsuitable, Mark.
Mark Dowd:
Thank you so much, Doug. It's a real pleasure to be here.
Doug:
Absolutely. So glad to have you on because this is, obviously, a topic that is germane to all business owners and all of us even individually these days. Talk a little bit about the proliferation and scope of the threats that we've seen over the last just two, three, four years.
Mark:
It's almost immeasurable. It is so fear based. We keep hearing about the very next threat. Corporations, organizations are faced with just a mind-numbing ocean of possible risks. You've got things from malware, ransomware, a lot of ... and ransomware is not always the case but certainly with malware a lot of that comes human error.
You do not have to be a malicious actor inside. It's almost never the case that that is the root cause. You just click on the wrong email and all of sudden your corporation is held hostage. It is such a frustrating topic and for, I think even more so for the technos that are in the weeds because of course they have a ... they chase this stuff down to the very bottom of the ocean, only to realize there's another problem over here.
It can really discourage non-technical business officers, oftentimes on the board, a lot of times on the C-suite. You could be a CFO without being a techno specialist and certainly an executive officer. It can be so difficult to have a conversation with your technical staff that doesn't leave you behind and that is one of the, I think, the key areas that I think any organization can do better at, is to help the non-technical business officers start to have conversations with their technical team and advisors that doesn't leave them behind, that allows them to ask the right questions and get to accountability.
What can who do to reduce our risk? I mean, I think that's the executive challenge in leading this conversation. And oftentimes it's really hard to get to because you're drowning in what I refer to as technobabble, which is really frustrating for those non-technical business officers.
Doug:
That's just a fantastic point that you bring up there, Mark. That runs the gamut obviously so if you're a typical maybe owner managed business that's $20 million in revenue, maybe you've got somebody in-house that's somewhat technically savvy, let's say. How do they raise that awareness and how do they partner with somebody that can really help mitigate that risk for them because they don't ... they're not going to have that capability necessarily in-house-
Mark:
[crosstalk 00:04:57]
Doug:
... so what should they be thinking about and asking themselves as a business owner?
Mark:
So I'm glad you scoped it with a revenue figure. I mean, I would consider someone in the $20 million range as an SMB, right, and I find most organizations in that scope, certainly if they're a manufacturer but even if they're a service provider, to probably have someone in-house that is a break/fix, "Hey, I'm having a problem here. My stupid email's not working." That kind of person internally, and I think that's a given at that size.
But then, they are relying on an external source, an advisory source, to come in and help them for maybe high level architecture and for paths to avoid risks. That's where things have gotten tricky. There is a phrase that I think a lot of us know called MSPs. That's the managed service provider.
Doug:
Okay.
Mark:
And the managed service provider is not ... I mean, that is not a commodity term. That doesn't equal you're always going to get X, Y and Z. There are a lot of very small MSPs that have two or three people in it and they can do a great job in helping you set up servers, get your architecture working and really be a go-to resource for a lot of things that that $20 million or even $40 million operation might need.
But, oftentimes they are not, and this is why a new term has emerged, a managed security service provider. So now we look for MSSPs. So I will use Rea as an example. You guys have a cyber group. That cyber group, which I know very well, is a managed security service provider.
Doug:
Mm-hmm (affirmative).
Mark:
And that's what people need to be on the hunt for and there's a lot of them out there. It's not like these people are hard to find but when you are looking at outsourcing and hopefully, you're outsourcing a pretty penny. This is not an area you should be trying to save a buck on. This is where you need a real partner that's got a lot of subject matter expertise.
You want to vet that group and make sure that you're not just getting a traditional MSP. I'm not trying to take anything away from that group because they work really hard and they do provide a lot of value but if that gap on security is not being filled by a real subject matter expert you've got real problems.
Doug:
And the threats today are just, they're so prevalent. I used to, going back 10, 15 years, it was like well, they're really only after the big, big companies, right, or folks like that. Well, hopefully in the last several years everybody's learned that we're all targets at this point, even individuals certainly. But what we would consider a small business or a middle market business that's closely held, they're ripe for attack and targets, probably because they're pretty easy to get at, right?
Mark:
Yeah. Yeah. I mean, you've got to ask yourself a couple of questions. I mean, what are you holding? Right? I mean, when it comes to a cyber event your only risk is data, right. Data equals risk. Now, if your defenses are low that's a different risk but even if your defenses are high most of the high level data breaches we hear about happen from Fortune 500 organizations that are spending millions and millions and millions of dollars annually for security and they're just trying to build a higher wall, right.
If you are protecting Fort Knox and you keep coming up to work, you're the person in charge, and somebody comes running up to you every morning and said, "Man, we did a brick count last night and we lost another brick." You're not going to go put another machine gun turret on the wall. At some point you're probably going to want to put a video camera on the gold to see if and when and how that brick is disappearing.
So understanding your data assets is a critically important thing just to begin the conversation. If you are holding privacy data and you do not have to be a medical billing company to hold that. You do not have to be AT&T to hold that. If you've got 100 employees your HR department is probably carrying a whole lot of privacy data.
So privacy data comes in essentially three flavors. You've got identity information. You've got credit information and you've got health information. Now, I don't know maybe five years ago it hit the mainstream understanding that health information, what we call PHI, personal health information, trades on the dark web about eight times the value that either personal credit information or personal identity information does and that's why-
Doug:
Really?
Mark:
Yeah.
Doug:
That's unbelievable.
Mark:
Here's why. You steal my credit information and you go buy a Volvo, I know right now and then all of a sudden it's done. If you steal my personal health information you can ... it can be used by bad actors to generate health fraud from a spectrum of people that will pay bills. I'll never find out about it and it's an evergreen asset that could be used for people to bilk money out of fraudulent behavior for a decade and I'll probably never even know.
Doug:
Wow.
Mark:
So because of that, there's an evergreen flavor to it. Just giving you an idea. If you're holding that kind of privacy data, yeah, and if you're smaller you're probably low hanging fruit. Maybe you won't be the biggest theft by the bad actor for that month but that doesn't mean you're not low hanging fruit. I'm going to go get some privacy data. That's fantastic.
The other data assets that you have to be worried about are assets that have incredible value to you that aren't necessarily public data. So if you've got proprietary intelligence running around your place, if you're full of IP or even if you just have one or two golden nuggets of IP. If you've got the KFC formula, well, that's worth real money.
Doug:
Yeah.
Mark:
When I advise boards and C-suites about this I say, "What data do you hold that you cannot afford to get out into the wild?" What data, because experiencing a network breach is usually a short distance from a data breach. It doesn't have to be the case, right.
There are some things you can do to experience one without suffering the other. But you've got to be really sophisticated to be able to pull that off. So I always start with, "What's your nightmare? What data do you have that if it gets out in the open it's either a critical event or it is an existential event."
Doug:
Yeah. Absolutely.
Mark:
If you've got $20 million, if that's your revenue, a data breach can absolutely put you under. I mean, that's been not only articulated but documented to heck and back. If that's your revenue, if you don't have $5 million, $6 million in a bank sitting there for that rainy day moment it could be an existential threat.
Doug:
Yeah. Absolutely. What are the cyber criminals typically seeking to accomplish with say ... I mean, we hear about phishing attacks and these types of things. I mean, what are the more low hanging fruit, I guess, that they're typically trying to get at? Is it-
Mark:
Well, what they're always trying to get at is the data. Now a phishing attack is a methodology to get there, right. I get you to click that link, bam, I've got my malware in there and now I'm able to go ... I can get on one device that's connected to the network. Now I can travel across all the devices.
So the different methodologies to pull it off are one thing and that's where the techno team is very helpful to you because they are working strategically and tactically against those methodologies. The higher conversation is what are we holding and again, how are we holding it?
So I'm going to keep this really non-technical. Every company has got these goodies and usually they've got privacy data and other very special data that they do not ever want to get out. By the way, I always think of law firms. We never talk about law firms. Think of what a law firm holds. Right.
Doug:
Absolutely.
Mark:
I mean, they hold everyone's secrets. So remind me about that because there's actually an interesting caveat. There's something I want to bring up again on that. But a law firm's a great example. We've got all these secrets, right. Now, where are we storing them? Most organizations, especially at the $40 million plus level, are sophisticated enough to have a Fort Knox somewhere in their network.
It's referred to as a secure area network, a SAN. And you put all your goodies in that secure area network. It is usually you've got to go through an admin to get to that data. You've got two factor authentication. It is where things are safe. Data breaches don't typically occur in the secure area network.
Doug:
Okay.
Mark:
The problem is, and this is where a law firm or Acme Manufacturing is a great example, the problem is how often is that data taken out so that I can go open a spreadsheet, put it in an email and send to my partner down the hall? [crosstalk 00:15:20] So now all of a sudden that data is no longer in that SAN, what I call a highly structured data.
It is now loosey goosey, running around these end points, these laptops. So that data is now in what I would refer to as an unstructured or semi-structured data type and that's where the phishers ... regardless of the methodology to get in, that's what everyone is trying to find.
What kind of goodies do you have laying around in unstructured or semi-structured data? That is where the risk is high. I love talking about risk because I think it's unsettling for boards and C-suite managers to be thinking, to remind themselves what risk is, right. Risk is likelihood times impact.
Doug:
Yep. [crosstalk 00:16:13]
Mark:
I live in Ohio, the likelihood of me getting hit by a tornado is incredibly low but if it happens I'm in just as much trouble as I am if I got hit by a tornado in Alabama.
Doug:
Right.
Mark:
So that likelihood understanding has held a lot of SMBs back. It's like, "I don't have a lot of money to spend. I don't think I'm prone to this. I'm feeling pretty safe. I'm just Joe Blow. I'm not a target."
Doug:
Right, who cares, right.
Mark:
You are a target. A lot of people have a false sense of low likelihood, even though they understand the impact would be high. It's trying to get across to SMBs, especially ... I mean business owners and SMB C-suites and, where SMB boards exist, that you've got to take this likelihood a heck of a lot more seriously.
And I hate saying that because of course it all sounds like, "Be afraid. Be afraid. Be afraid." That's not what I'm trying to say. I'm saying if you can cross that bridge mentally now you can start spending money in order to become more safe.
Doug:
Right. Be aware of the risk, right. That's the job at any executive level. Be aware of the risk and do the proper things to mitigate it, as best you can. You can never eliminate it but try to mitigate it just so you're prepared.
Mark:
It's almost impossible to reduce your risk by accident. It almost has to be on purpose. So you've got to understand the assets you have and then you do not have to be a high technologist to understand from your team where are these assets located and how are we curating our data? How are we handling our data? And what should our policies be? Do we even know if we're adhering to our policies? What kind of training are we giving our people regarding this data?
I mean, there are organizations that do phishing schools all the time and they've gotten better. Now, they're like, I didn't even look at that email because I thought it was phishing and it might not even have been but they're now ... they are erring on the side of caution, which is a good thing.
Doug:
Yeah, absolutely.
Mark:
But understanding the assets and then understanding how are we housing them today and what is our operational SOP with these types of data types that we have to be really careful about? How can we reduce our risk by having better procedures to deal with that kind of data? And I come from a legal family. I mean, there are three different law firms in my family right now.
Doug:
Okay.
Mark:
I love using law firms as an example because they've got crazy secrets just like [crosstalk 00:18:57]
Doug:
Absolutely.
Mark:
... here's a PDF, here's a Word doc. Help me wordsmith this. In that document are things that would ruin people's lives and the cavalier attitude that you guys are taking with this is shocking. So having said all that, going back to the MSP versus the MSSP, you may have a 20 year old relationship with Pete and Ted's IT Shop and you can keep that relationship.
I'm not suggesting that they don't have enormous amounts of value but if you start to have this conversation and break into this awareness and decide that there may be some gaps that aren't getting filled now's the time to start looking for that MSSP and some of them don't want to be the break/fix guys. A lot of them aren't trying to be everything to everybody.
Their specialty is to come in here and talk to you about access. Their specialty is to come in here and talk to you about segmentation of your network, access into data, access into end points and keeping that a separate piece. I mean, it's rare for a company that, even the size of a $20 million company ... there are some $20 million companies that ... we threw that number out so I'm sticking with it ... that only have ... they might be a manufacturing firm and they may only have 70 people and there's only 12 of them in the office.
We're doing an event coming up at the end of September. Rea is actually one of the sponsors and so am I, over at Walsh University, which is focused on the DOD supply chain and all the manufacturers. There's 300,000 manufacturers in that supply chain. And heretofore, they have just been vouched for by the primes and the DOD kind of leapfrogged. Instead of trying to gradually increase they said, "Okay, we're going to make a major shift and it is going to be [tectonic 00:21:09]."
It is throwing a lot of those manufacturers into almost a frenzy because they will have to go get certified at this level and if they are not they will lose access to the contracts they already have and they won't be able to bid on new ones. I mean, it's game over and there's a fairly short window to get this done and it's a significant change management. That $20 million, 70 employee, 12 people in the office describes a whole lot of people in that bucket [inaudible 00:21:40].
Doug:
We're telling our government contractors the same thing. Even if they deal with stuff that they would consider unclassified, they still have to adhere to those standards.
Mark:
The main data, in the classified world there's top secret, secret, classified, right. The CMMC requirements don't even deal with that. That's off to another piece. What CMMC is requiring is for you to know where every single piece of data is that is specified as controlled unclassified information.
So it's unclassified to begin with but they want to control it. So to give you an example you could be an aluminum stamper in Michigan and you might be sending out some part that winds up in a sub-assembly that goes into the tail wing of an F-16. You, my friend, are holding a lot of CUI. You don't intend to but you are. You're getting drawings. This is how we need it. So you now have to jump through a variety of hoops that you don't have the skillset for.
Not only do you not have anyone in-house, the MSP and even the MSSP that you might be working with has to be certified. They're called RPOs, registered practitioner organization. You've got to get an RPO to come in and get you ready to be certified. It could take you six months to be ready because it's not [crosstalk 00:23:13]. In this particular case, for this particular certification, it is not a checklist.
You have to prove that you have been doing the right things for a period of time, minimum 90 days and it's going to take you 90 days just to be ready to start that and get 90 days worth of history out of it. I mean, it's a heavy lift.
Doug:
Yeah, I know we're spending a lot of time trying to get our clients educated just to get them aware of the requirements and so that they can begin the assessment and process because like you said, if you don't get ahead of it, before long you'll be absent a big chunk of your business and that's not good for anybody, obviously.
Mark:
In that particular case of the CMMC, this is a great example. I mean, and this is a wonderful topic to think about all of cybersecurity from. In that particular case they are looking at CUI from two perspectives. The first is digital. Where is it in your computers? So you may have 30 computers. Is your CUI only in 10? I mean, how are you going to figure that out?
But then the other one is three dimensional CUI, meaning it's printed on a job order. It's a drawing that's been printed. It's in a folder out on the job floor. All of that, if you've got a device that's got digital CUI, it's got to be segmented away from the rest of the network and if you've got files that are on the plant floor it's got to be locked down and it's got to be separated from all the other work.
I mean, it is a colossal change management project. So that's why we are holding this event at Walsh and you guys are sponsoring it because we want to get ... a lot of people don't know what to think about it. There's a lot of misinformation. A lot of people are just flat out angry about it and then they're afraid of it and they don't know where to begin.
It feels like a murky topic and you try to go read about it online and it's like reading an insurance policy [inaudible 00:25:13]. So what we're doing for that event and Rea is having a big part of that, is breaking that down for those business owners so that they can understand what's the beginning, middle and end. How do I scope this project? What does proof certification look like? What does the certification process look like? What does post-certification life look like afterwards?
And trying to break that down, again we're going to have a lot of non-technical business owners and other representatives from those manufacturers in the room. So we've got to break it down for them so that they can understand it, they can mentally get their arms around what these chapters mean to them and it really does break down into good chapters that if you're a high level thinker you can get this organized.
Then it becomes a lot less scary and in that event we're going to actually ... we've got the CEO of the CMMC accreditation board locked in as our keynote speaker. So that's huge-
Doug:
Yeah, that's fantastic.
Mark:
So the attendees can come and listen. I mean, they can drink right from the fire hose on these regulations and the current process and the evolution. There are going to be a lot of other CMMC subject matter experts based in Ohio in the room as well.
Doug:
That's fantastic.
Mark:
Some of those will be from Rea. Some of those will be ... Rea is itself a, you guys are an RPO. There will be other RPOs in the room. There will be a number of software manufacturers in the room, InfoGPS, my company, will be one of them. We'll have vendors there as well. So the show is, the effort is two-prong and I like when we think about cybersecurity it's how I like to think about it in general.
What are the ideas and principles? What do I need to know? What's my understanding? And then where do I go get this? How do I go source this? So all the attendees are going to walk away learning a whole lot and getting it broken down into understandable chapters so they can start to be ... how do I put this into an A to Z linear process? Learn how to figure that out.
And then the other thing we're going to do is we're going to have a room full of providers so if you want to start ... the vendor floor and I'm helping to set that up. The sponsors that are there that will be on the vendors floor are only there because they have a very direct and pristine value prop to the CMMC process.
So I'll give you an example. I said, I mentioned, we're going to be sponsored there, maybe ask me what our pristine value prop to CMMC is.
Doug:
Yeah. It's a great event and we're certainly looking forward to it. So that is awesome stuff and hopefully our folks sign up for the event, reach out to Mark or certainly our cyber team and get signed up for it because you will learn a lot and you'll become aware of a lot and ultimately this can give you a competitive advantage I think. And that's what we're trying to tell some of our government contractors that do even if they feel like it's fairly mundane construction work, for example but it's at government related facilities, can give you a competitive advantage if you get ahead of it.
Mark:
If you're an early adopter you'll be able to compete for more business. There's levels to it and I don't want to get into too much complexity but a lot of people are going to need to be at level three. If you're an early adopter and get to level three within the next year, you're going to be able to compete on bids that didn't come your way before because you got there in part of the first wave.
So not only is that true but let me also say that I'm of the firm belief and it's one of the things we're going to focus a little bit on at the event is for anyone who's looking at this, it's not just to get across that finish line. It would be impossible for you to accomplish this and not increase the valuation of your company. It couldn't be. You couldn't attain this level of awareness and protection that doesn't get represented in the valuation of your company. It'll get represented in the cybersecurity insurance you decide that makes sense for you.
I mean, it'll ripple through a variety of areas. But, Doug, I'm not sure if you heard me earlier. I invited you to ask me a question as an example of the kind of vendors we're going to have. Ask me what our value prop is to the CMMC ... the company that needs to get certified?
Doug:
What's that value prop?
Mark:
Thanks for asking, Doug. What InfoGPS does is it finds all of that CUI. So it's a data discovery tool. So our place in that is in the very beginning. Our place is how big of a scope is this project going to be. I mean, I've got 100 computers, maybe I've got 50. We come in and day two we can tell you all of your CUI is on one server and 12 laptops or 12 devices.
So at that point we can decide, do you need them on all 12 or can you live with them just on seven. And then that's the scope for your digital segmentation for those end points. So now all of a sudden you can hit the ground running. We've got people coming that are in the encryption business. We've got people coming that play different roles inside this process. There's no one who's there who shouldn't be. Everyone will have a very clean value prop.
Doug:
That's awesome.
Mark:
Those who attend will be able to network. And that's all from Walsh. I've been privileged to be on the board of advisors for the Walsh School of Business for about a decade and we've been working at Walsh to become more and more of a U2B kind of platform, driving value out to our corporate partners across the state.
InfoGPS led an event with Walsh with Rea & Associates in the spring of 2020 called Cybersecurity for the Board. And a lot of first part of this conversation was centered on that. How do we help these non-technical business officers figure this out?
Doug:
Yeah.
Mark:
So this seemed like it was a natural follow-up cyber event, this CMMC challenge and I love the CMMC story because you can be a dentist and take from that some learning curve.
Doug:
Absolutely. Very cool stuff and we thank Mark. This is awesome and we look forward to that event. And there's so much more for all of us to learn when it comes to this and certainly want to make sure we educate ourselves, our clients have the opportunity and other important centers of influence. So thanks again for coming on today and look forward to hearing you and seeing you at the event upcoming. So appreciate that.
Mark:
Thanks so much, Doug. It's been an absolute pleasure.
Doug:
Absolutely. And if you want more business tips and insight or to hear previous episodes of Unsuitable please visit our podcast page at www.reacpa.com/podcast and while you're there sign up for exclusive content and show notes.
Thanks for listening to this week's show. Be sure to subscribe to Unsuitable on Apple Podcasts, Google Podcasts or wherever you're listening to us right now, including YouTube. I'm Doug Houser. Join us next week for another Unsuitable interview from an industry professional.