Mark: Welcome to Unsuitable on Rea Radio, the award-winning financial services and business advisory show that challenges your old-school business practices and the traditional business and culture. On the show you’ll hear from industry professionals who will challenge you to think beyond the suit and tie and who offer you meaningful money solutions to help you enhance your company’s growth. I’m your host, Mark Van Benschoten.
There are two types of companies: those that have been hacked and those that are about to be hacked. If the threat of malware and ransomware isn’t keeping you up at night, maybe it should be, because all it takes is a click of a mouse for a cybercriminal to gain full access to your company’s database. Joe Welker, who is Rea’s IT audit manager, is back to talk about the growing threat that cybercriminals have placed on our businesses and what you can do to protect your data. Welcome back to Unsuitable, Joe.
Joe: Thanks Mark.
Mark: Did they make you come back?
Joe: No, I live to talk another day.
Mark: For the rest of the episode, can I call you Captain Data?
Joe: You can.
Mark: I like that.
Joe: I think you turned me into that on the last show.
Mark: Yes, it was a memorable moment.
Joe: Very memorable.
Mark: That will go down in Unsuitable history.
Joe: We’ll find out.
Mark: It was maybe just a few months ago that you were in. We were talking about data and cybercriminals, and I’m hoping to hear that you’re going to give us an update that everything is better and we don’t need to worry about it.
Joe: I think, the same as I told you back then, Mark, things aren’t getting any better. There is still ransomware taking place, people losing data. I think more people are becoming aware of it, and I think they are putting practices into place to stop it, because, and I may have mentioned this at the last session, the biggest obstacle in this whole process, the biggest weakness, the weakest link in everything, is your people. We’re seeing more and more, even of our clients, that are putting training into practice to train people not to open certain types of emails or click on certain types of links. They are incorporating better security; a lot of the IDS and SIM programs are actually incorporating what’s called whitelisting and blacklisting, so that they keep an updated site listing, and sites that they know are bad are marked as bad and are off limits to any of the users.
Mark: So some things you … IDS and SMS … is that the term you used?
Joe: SIM.
Mark: SIM? What are those? Do I need to worry about those?
Joe: Basically not. They are programs used by companies to monitor their firewalls. Those can either be internal to your IT department or, as in our situation here, we actually hire a company called Cerdant, and they do 24/7 monitoring of our firewalls. They use an IDN system, but those are kind of synonyms for each other; they actually do the same job.
Mark: Interesting that you pointed to people training. When I think IT, I think of somebody sitting in Russia in a basement drinking their vodka, banging away on their computer trying to get into our … but it’s our internal people that are the issue.
Joe: Yes. What we usually find out is … and just to give you an idea of how simple this is, I went to a seminar probably in the last three months where the president of a security company, who used to be a hacker, was actually there, and he explained how easy it was to actually hack into someone’s computer and get something loaded on their computer. Basically, how he explained it, he was actually on the Katie Couric Show explaining this, and they took a live audience member, found her name previously, and she had agreed to let this guy try to hack into her home system. Basically he researched her, he found out she was an avid Amazon shopper, and he sent her a fake email from Amazon saying that there was a problem with her last order and to click on this order on this site on this number to verify it, so she clicked on it. When she clicked on it, he’d designed a fake Amazon site, so it took her to the site that then downloaded …
Mark: … so she thought she was going to Amazon?
Joe: Yes, because it looked exactly like the Amazon site. Basically, that then downloaded the program that he needed on her system to be able to take over her video and her audio, and so right there at the Katie Couric Show he showed a video of her living room, her walking around her living room and her daughter sitting at the computer.
Mark: That’s kind of scary.
Joe: It was very scary. She was very scared, because as she said, “I usually … I had a person come in and look at my computer once a month because I’m a single mother, I have two daughters, and I want to make sure that this computer is safe for them to be on,” but just by this manner he was able to hack into her system …
Mark: … because she clicked on a link.
Joe: … because she clicked on a link.
Mark: … and that’s what the training you’re talking about is? Like, don’t click on links?
Joe: Absolutely. When I go out, and I had mentioned earlier that we have some clients that are currently using a firm out of Florida … it’s a company out of Florida called KnowBe4, and they actually do phishing tests and provide training for employees.
Mark: … so they’ll send a phishing email to Matt Sanders or something?
Joe: Exactly. What they do is … let’s say, for example, one of the ones … I was at one of our clients Super Bowl week, and the IT manager was telling me that just that day they had sent out an email that said, “Peyton Manning found comatose in a hotel room,” and so basically he said the whole process, the whole thinking, is to change the mindset of the employees. They see that, they’re all curious to know whether this is true or not. He says, “but you don’t want them clicking on that in your corporate or your company environment.”
He says, “People came to me and said, ‘We checked on this, but we went on our phones and we did it through our phone,’ and that’s how they …” so changing a mindset is what it’s doing.
Mark: Not that we’re worried about employees’ phones, but would that malware, whatever, load on their phones so that their phone is compromised?
Joe: It’s possible to do it that way but they weren’t going to the exact same site possibly or they may have just been checking through other sources, Googling it to see if it was really true.
Mark: OK. That’s good that they had that awareness; they created that mindset like, “No, we’re not going to … we’re going to another source and not impact the company resources.”
Joe: Exactly, and that’s what the IT manager said to our client. He said, “Hey Joe.” He says, “We just have to retrain these people to know that there is stuff out there and that they can’t just go out to any site that comes up without there maybe being possible consequences to our systems.”
Mark: Is that the last line of defense though, the employee having that recognition? I would like to think that we have something before that that …
Joe: Like I said, it’s still … we’re getting the IDS and the SIMs that have whitelists and blacklists. Again, there are actual lists that are updated daily of sites that are known to be infected, so …
Mark: … so websites, web addresses?
Joe: Exactly, so they are put in this list, and the firewalls then say, “Okay. Any of our users that try to get to one of these sites, we’re not going to let them access it.”
Mark: That would be the link … the pretentious Amazon link would be going to a blacklisted … Okay.
Joe: Exactly or the white list being, “Yes, you can go to those sites.” Yes.
Mark: That’s the step before the employee saying, “No. Even though it came through, somehow it got through the IDNS and the SIMs …” Did I get that right?
Joe: Yeah.
Mark: Look at me go … so that’s the employee saying, “I still don’t care. It got through that. I’m still not going to click on that.” I guess in the example about the Katie Couric Show participant that you mentioned, it would have been better for her to say, “I see this. I’m going to go out to Amazon myself. I’m going to go to my Amazon account and see if there really was a problem.”
Joe: Exactly. Log in and see what that was out there for …
Mark: What it really was, and I assume she would have seen there was not a problem and everything would have been OK.
Joe: Yeah, and it can be very difficult to differentiate between a valid email and an invalid email, but that’s one of the things a company like KnowBe4 or your IT department should be stressing to your employees.
Mark: Please don’t click on the links. If you have an issue, go out and verify … Go to the website yourself or the service provider and see.
Joe: … because we always recommend, if you receive an email from the IRS, the post office, or you may get it from a client saying …
Mark: A prince in Nigeria?
Joe: Exactly. “Here is the spreadsheet. Take a look,” but if you didn’t request it and you weren’t expecting it, then we always recommend, “Hey, you better call and contact … make a phone call, contact that person and say, ‘Did you send me something I need to look at?’”
Mark: It was a few years ago when you’d get a client or a friend that would say, “I’m stuck over in England and I’ve lost my passport and my money. Please click here and send me money.” I thought that was the unique one.
Joe: Yeah, and that is still out there, because I just had a client up in, I believe it was, the city of Warren who was telling me that a lady’s grandmother actually got the phone call. It was about a niece who was stuck in jail and needed money, and it was in the dead of winter, so she called this woman to take her to get money out of the bank to wire it to France, but they were able to determine it was a fake email.
Mark: Scary stuff. We started out saying is it going to be better. It doesn’t sound like it’s getting any better. There seems to be more awareness.
Joe: It’s getting better because of the awareness. It seems like there is more out there, and it seems like what they are doing is more damage, but we are taking steps in the right direction as far as making employees aware of it, and then I think also for security access, as far as rights in your Active Directories or however you supply access rights to all your data. I know Microsoft has an application that they now have out there that they recommend implementing, which is called AppLocker, and as I understand it, and I don’t know this completely, the initial indications are that they are trying to implement that into their new operating systems. That would just be standard as part of the operating systems.
Mark: Do you ever think it will go away?
Joe: Absolutely not. It will never go away. A lot of this stuff comes out of Eastern Europe, and those organizations in Eastern Europe that are actually performing this type of ransomware and that type of breach, those organizations are actually being taxed by their governments, so it’s actually a money-maker for the governments of the countries, and there is …
Mark: Really? So they’re not going to stop it.
Joe: It’s not going to stop ever. They’re full-time events. It’s just like you and I go to work every day. There are people that do this like they’re going to work every day. Yes.
Mark: If we would have to give them a grading on a report card, we’d give them a big D on their report card?
Joe: I think they make a lot of money Mark.
Mark: OK.
Joe: I’m not sure how you classify that. On their report card they get an A. On ours they get a D.
Mark: Big D, we’ll call that. What should a company do … Should they go through … you mentioned this company that sends out the pretentious phishing; should companies do that?
Joe: Well Mark, as Captain Data said before, you’ve basically got to make sure that you have backups of your data. That’s the number one item for anything, and that’s for anybody. It’s not just major corporations. It’s you and I who have pictures at home, basically, right now.
Mark: I’ve seen some of your pictures.
Joe: Well, we can talk about that in a session. Our backups at home, we need to make sure we have backups of our pictures, of our QuickBooks, anything we use at home that is essential and that we use routinely, and make sure that those backups are kept in an offsite location; that they’re not stored … that they are not connected on a USB drive right to your hard drive. It doesn’t matter if you’re a large company or a large corporation or you’re an individual user, those backups are a lifeline, or you’re going to be paying $300-$1,000, or, like the hospital in California, $17,000 …
Mark: … to get their data back.
Joe: … to get their data back, and the hospital had backups of their data. It would have just taken them so long to get everything back up and running that the $17,000 was worth being paid so that they eliminated all that time.
Mark: Wow. It’s fascinating to me … a useful backup so you can have … we’ve all had this like, “I’ll make a backup,” but nobody ever tests it to make sure that it actually can be restored. But you’re saying in the hospital it could have been restored; they just chose this as the path of least resistance. “We’re going to just go ahead and pay this $17,000.”
Joe: That’s exactly right. In a hospital environment, anything that has to do with hospital records or medical offices, practices, dental offices, no matter who it is, they’ve got all that client information out there. They’re usually transmitting data to Medicare, that type of thing. It’s just a matter of time, getting it back up, and then the regulations involved in all of that, so to them it was worth it to pay the ransom and continue operations.
Mark: I know it’s not the topic of our conversation here, but I want to say they probably would have paid some part of it. I mean, it similarly would have been a cyber violation in your example, like this information is out there to somebody or … I don’t know how that works. Maybe they just didn’t have access to the … the perpetrators didn’t have the data, they just … the hospital couldn’t use the data.
Joe: Yeah. I don’t know. I’ve had very little information about the type of requirements or what was their problem as far as how the breach happened. That usually doesn’t come out until usually months after the event takes place and I haven’t seen anything further on that yet.
Mark: Do you … A lot of companies, everything is IT, everything is up on the cloud, and I just get the sense that they really don’t know where they’re exposed, that they … As long as people can do their jobs, IT is working, but I think it’s probably more than that.
Joe: That happens in a lot of instances. I think we’ve run into several situations, and we may have discussed it last time, where your IT departments have taken on more significant roles in every area of your company or your organization. IT now is responsible for phone systems with voice-over IP, security; usually we have IP cameras that are up and monitoring your locations; copiers are now used as fax machines and printers. This has all been thrust upon IT, and also in the same run, you have increased your employees, you may have decreased by a single or several people, so you’ve taken on more workload with fewer people, and sometimes things just get overlooked. That’s happened several times now to clients of ours, where their backups pay the price, and that’s why Captain Data says that should be a primary area no matter what else you have to do, and that’s why when I go out I usually stress it. I know doing a disaster recovery test is really difficult. It’s hard. I’ve heard of cities before that have actually shut down the city for a day …
Mark: … to do the test?
Joe: … and shut it down to do a test. Yeah. They tell every department …
Mark: That’s impressive.
Joe: It’s very impressive.
Mark: … to make that commitment.
Joe: Yes. It’s very impressive, but then I have others that just ignore their backup messages, and again, just this past year, Mark, we’ve had two separate clients I could tell you about where they thought their backups were going through and they were not backing up correctly, and they lost data, and in one instance the one client had to re-enter complete months’ worth of work.
Mark: I can’t imagine what an aggravation and frustration, and probably if they’d done something simple in the beginning; beginning to check, to monitor throughout, they wouldn’t have had to go through and do that.
Joe: Exactly.
Mark: Scary stuff. I was hoping you were going to tell us something good here, Joe, but once again you did not. Our last question here, since we already know what your superpower would be, Captain Data, we want to know: if you could be someone else for a day, who would it be and why?
Joe: I would want to be you Mark. You just sit around and ask all these questions for these sessions and get all this valuable information.
Mark: I do enjoy this aspect, and I do learn a lot, and just to see the talent that we have at Rea and how deep it is and how compassionate people are, I do enjoy that quite a bit. And since I like your answer, I’m not going to let you answer again, so thank you for joining us on Unsuitable today, Joe, and thank you to our listeners for tuning in.
We have a wealth of information on our website to help you combat cybercrime. Visit www.reacpa.com/podcast for these resources and more. I would also like to encourage you to subscribe to Unsuitable on iTunes or on SoundCloud and never miss an episode again. Until next time, I’m Mark Van Benschoten for Unsuitable on Rea Radio, encouraging you to loosen up your tie and think outside the box.