Episode 67 Transcript | Cybersecurity | Ohio CPA Firm | Rea CPA

episode 67 – transcript

Dave Cain: Welcome to unsuitable on Rea Radio, the award-winning financial services and business advisory podcast that challenges your old school business practices and its traditional business suit culture. Our guests are industry professionals and experts who will challenge you to think beyond the suit and tie while offering you meaningful, modern solutions to help you enhance your company's growth.

I’m your host, Dave Cain.

They say that a chain is only as strong as the weakest link. In business, one of the weakest links between cyber security and disaster is your employees. How confident are you that you will be able to teach your employees to spot a fraudulent link or malware-laced attachment in their email? Training your employees about the importance of IT security is critical. As you'll hear on today's episode, you can have the best anti-virus software available, but if your employees aren't properly trained, you're headed for disaster.

Today’s guest is Brian Garland. Brian is a supervisor in the firm’s Dublin office and the firm’s newest certified information systems auditor. Welcome to unsuitable Brian.

Brian Garland: Thanks for having me.

Dave: Congratulations on your new certification.

Brian: Yeah, thank you.

Dave: As the, I guess it’s the CISA.

Brian: Right. I just took the exam in December and found out last week that I passed, so I'm very excited.

Dave: Wonderful. Wonderful. Many of our guests who come on to the show, they bring a lot of unusual things. They might bring coffee, they might bring a cocktail, they might bring bottled water, they might bring another trinket of some kind. You have something a little bit different, and I’d like you to share that with us at this time.

Brian: Yeah, so I’ve played guitar for about 15 years and hopefully our younger listeners know Led Zeppelin. I’d like to play a little bit for everybody.

Dave: Let’s get after it.


Dave: That was incredible. In fact, I apologize to our listeners for botching that opening. I was so excited, I knew we were going to do some Zeppelin, I wanted to get right to the Zeppelin.

Brian: Right.

Dave: Today we're going to talk about cyber security, and you're going to take a little different angle towards the topic, but I guess we're talking about training employees in what to look for. I would tell you I've had feedback from many of our listeners on the podcast. Of course, they listen to the podcast and while they're listening to the podcast, they're doing a little task-switching and going through their emails as quickly as they can, clicking on this, deleting this, and sometimes that's maybe not the best thing to do. You've got to be paying attention to your emails as they're coming in.

Brian: Yeah. I was just flipping through some stats before you came in for the podcast. The majority of phishing emails or attacks against employees come through email viruses or malware, so it definitely is a higher risk. A common misconception for employers and employees is that having very strong technical controls, like a strong firewall or intrusion prevention system, will prevent these types of attacks, but really your employees are the largest vulnerability in your chain. Educating your employees on the threats that are out there and the situations that they can find themselves in is key.

Dave: Obviously training is critical and we'll talk about that here shortly, and maybe when in the lifecycle of an employee that training happens, but let's go to what type of entities are you seeing that are being targeted for attacks?

Brian: I would say, in a growing number, it's small to medium-sized businesses, for several reasons. One of them being that these are typically entities with smaller IT budgets, maybe smaller IT staff if they have it internally and are not outsourcing it, so they might not have the strongest controls or may not be educating their employees on the risks that are out there.

One of the big issues with cyber security is that it's ever-evolving, and so the same attack from six months ago might now be a new flavor, a new strain of, say, ransomware, which is a big threat right now. These smaller types of entities might not be up to speed on what the current threats are.

Dave: If I get an email with an attachment on an article that says, "Brett Favre is coming out of retirement," as a quarterback for the Cleveland Browns, should I go ahead and open that?

Brian: Yeah, you probably should not open that unless you know the sender, so if you are suspicious at all of who's sending you the email, it's probably best not to open it. I would even go as far as forwarding it or somehow making your IT department aware, because these phishing emails are generally sent out to a large group of people, so they're not just targeting you. They're targeting a group, and so you're probably not the only one who's received the email.

Dave: You don’t think Brett Favre could help the Browns then?

Brian: Looking at the season last year, yeah, he probably could’ve.

Dave: Well, obviously that's a very obvious phishing attempt and a lot of people would recognize that, but there are some less obvious ones. We're seeing, I guess the CPA industry is seeing, a lot of IRS-related or state department of taxation-related emails. This seems to be the popular one, especially during the tax filing season. Are you seeing an uptick in that area?

Brian: Yeah, definitely at this time of year that's a risk. I think we've even seen where an attacker can pose or masquerade as, let's say, the CFO or CEO and send an email to somebody involved in the disbursement cycle saying, "I'm going to be out of town this weekend. Can you please go ahead and process this $5000 payment? I authorize it through this email." If you don't have the right awareness in place and people that are a little skeptical of that, then those types of attacks can be successful.

Dave: A lot of times with cyber security we think about maybe a hardware issue or a software issue or a firewall crashing or a backup, something not happening there, but really after looking at your notes and talking to you, I believe you feel the employees represent the single largest vulnerability in an IT network.

Brian: Yeah. One of the terms that's thrown around in the cyber security world is "social engineering," so somebody's masquerading as a trusted source. Going back to the example I just gave, somebody's pretending to be or purporting to be the CEO of a company, and so that inherently gives them more validity for whatever the request is. A lot of times these attackers are not always trying to get money or files directly. They might just be doing reconnaissance of the entity, trying to figure out any type of information that they can for potentially a later attack, later in the timeline, so it's not necessarily your specific situation that an attack is the end result. It might just be building to something bigger.

Dave: So they’re doing a little scouting and they may not get you now, but they’ll get you later.

Brian: Right.

Dave: We’ll talk about training. Where does it start? You start with senior management?

Brian: Well, I would say in any type of training program, senior and junior management's buy-in is crucial at the beginning, kind of a tone at the top, and in any internal control framework that is key. If senior management buys in that security is important and that employees need to follow this culture, then it trickles down to the rest of the employees, but I would say from an employee level that orientation is key, especially with the workforce that's coming in now.

It might just be my personal opinion, but I think I've heard this spread around, that the younger generation now is a little more willing to try different things, to open files to figure … They're just more comfortable with computers than maybe, say, people were 10, 15 years ago. Educating them on the risks and the potential damage that can come from a breach is important.

Dave: In a way, it's somewhat generational. The younger group are just very comfortable with moving around, and with the number of devices they have and access to company data, whether it's your phone, your iPad, your home computer, your laptop, there just seem to be more opportunities to click on stuff or go places you shouldn't be.

Brian: Right, but I would say that a good training program would start at orientation, but it's a consistent process. IT are probably the ones that are staying up on the more current attacks that are out there, but forwarding that information to your employees and letting them know, "Hey, keep an eye out for," like at this time of year for us, "the IRS scams, spam emails related to that," so it starts at orientation but it's a constant process.

Now depending on the size of the entity, maybe that's a CP once a year and then just newsletters and emails throughout the year. I understand it varies by entity, but definitely constant reminders. The other point to all this too is that educating employees is important, but you should also do some level of assessing your employees' retention of the information.

That's sampling a few employees and having IT meet with them, or it can even go as far as bringing in another firm to do what's called penetration testing, or they could send out bogus phishing emails to gauge how many of your employees clicked on links. I believe Rea & Associates has done something similar to that effect, so that just gives valuable feedback on how well our employees are educated about the risks.

Dave: Yes. Obviously, you mentioned that training at orientation, but it can't stop there. It has to be continuous and ongoing. What do you recommend to the clients that you work with as an auditor, as you look at their systems? How often do you suggest this training or awareness should occur?

Brian: I would say just keeping up to date on current trends. The FBI puts out information … there are a lot of different sources that people can use, even if they're just following newsletters. Kaspersky is one that comes to mind. There are a lot of different cyber security newsletters that you can follow, and if it's the IT department, on a regular basis, once a month or what have you, sending that information out. I would think quarterly or semi-annually, having a training on cyber security as a refresher is definitely beneficial. You can't do this type of training enough, but like I said, just telling employees is one thing, but testing their retention is another big key.

Dave: March Madness is just around the corner and I know in a lot of businesses, the employees have a tendency to check in on the scores, maybe stream some games, etc. Does that present additional risk?

Brian: Yeah. Depending on the websites that they're going to, if they're your normal CBS or your trusted website, there's always a productivity issue and people not sticking with their jobs and contributing, but from a cyber security perspective, depending on the sites that they're going to, I know there are sites out there where you can stream movies and current shows, and those are the sites that are prone to trojan viruses or other types of malware being embedded in the content that you might not realize is there until you click on it to stream. Now in the background you're downloading a malware virus.

Dave: Sure. Sure. Well, hey, it just occurred to me, we probably need another tune from you. Are you up for another tune?

Brian: Sure, yeah.

Dave: Okay. A little cyber security, a little rock and roll, or hip hop tune?

Brian: Never hurt anybody.

Dave: Never hurt anybody. Let’s go for it.

Brian: Here’s one by, I think it’s Wild Cherry.


Dave: Wild Cherry. All right. A little different version. The production crew is up and on their feet on that one. You got them going on that one.

Brian: These are all my versions.

Dave: You have a name for that guitar?

Brian: This is my own personal one. It's a Martin guitar I've had for, I don't know, probably 10 years now, just a Martin acoustic.

Dave: Trigger two is maybe a different name for it?

Brian: Yeah, I don’t go to that level on musical instruments, just focus on the writing and just enjoying it.

Dave: I understand you also write your own tunes.

Brian: Yeah, not as much as I did before but yeah, I’ve always enjoyed trying to write new songs and played with different groups over the years. I think in my older age now, it’s gotten a little lighter music. I used to play some more aggressive music but I definitely enjoy it.

Dave: See, I want to hire you to audit my financial statements. You’re a top-talented auditor. You can come in, you can look at my financial statements, you can look at my cyber security, and then we can take a break and go to the break room and do a little jam session.

Brian: Oh, sure. Yeah, definitely.

Dave: You have to start offering that as a service offering?

Brian: Yeah, it’s all about client service at Rea.

Dave: You got it. You got it. This evolution of ransomware, and it's beginning to exploit human behavior to gain access to internal networks. You have any tips or ideas there, maybe stories?

Brian: Yeah. Ransomware is definitely a hot topic because in the last few years, it's definitely grown significantly. I threw down a couple of statistics before I came in here: just in the first quarter of 2016, there was about $209 million of ransomware attacks reported, and that's up about 600% from the prior year. The issue with ransomware is it preys on both the human component of an IT system and the technical component, so it's similar to going back to a simple phishing email.

If you click on a link that you shouldn't and it downloads the ransomware, and you don't have the technical controls, IT, anti-virus monitoring, or anything that can prevent that software from loading and running, now the ransomware can spread across your whole network and encrypt all of your data, so the risk there is significant, and obviously businesses across the US are paying the fines. Attackers are benefiting from this, so it's only going to continue.

Dave: Somewhat out of control in certain areas and certain industries I suspect.

Brian: Yeah, and you talk about industries, big risks come into place, and fines, when you get into the healthcare sector and even the financial sector as well under different regulations, but healthcare, now it varies, the fines vary depending on if you were willfully neglecting your responsibilities to protect your information, but the highest fine currently on the books is 1.5 million annually for a breach. Like I said, there are definitely levels below that, but ransomware is definitely an issue.

Dave: Give me two things I can do as I leave this podcast to protect the data. Give me two tips as I manage my emails in my computer.

Brian: In the IT world, we talk about preventative controls and corrective controls, so a preventative control for ransomware, and really any other type of attack, is just this awareness process, second-guessing emails coming from sources that you don't recognize. If something doesn't look right, investigate. Don't just proceed as normal. Then corrective controls would be like data backups. This falls more on the IT staff, but in cyber security the risk that something's going to happen to the network is growing, so having good processes in place to have your data backed up and be able to recover quickly enough that there isn't a big interruption in your business is key, because that could cause a big problem.

Dave: It occurs to me, we may be going back to old school. Instead of you emailing me, I’ll have to call you on the phone and talk about, “Did you send me documents,” and secure that. Maybe that’s coming back into play, which wouldn’t be all that bad.

Brian: No, that would be a good … validating and trying to confirm the identity of the sender, that's definitely a good process.

Dave: Our guest today is Brian Garland. Brian Garland is a supervisor, an auditor with Rea & Associates in Dublin, Ohio. Also a CISA, which is a fantastic designation for cyber security auditing, I guess in my terms, so again, congratulations, and a renowned musician. We usually have a question, but I think we've got to close this down with a little Michael Jackson. Do you have a little Michael Jackson in there?

Brian: Yeah, I think I could put something together. This is Billie Jean.


Dave: Thank you very much. Cyber security is not going away. It's a threat to all of us, and we've included a ton of information and insight on our website at www.ReaCPA. Give us a look, and look up Brian's bio. If you have any questions regarding cyber security, maybe don't send him an email. It might be a cyber security issue. Just give him a call and we can talk through that. Don't forget to subscribe to unsuitable on Rea Radio on iTunes and SoundCloud. Until next time, I'm Dave Cain encouraging you to loosen up your tie, think outside the box, and never stop learning.