Clinton Larson: Hello and welcome to EB & Flow. I'm your host, Clinton Larson, and October is Cybersecurity Awareness Month. So today we will be talking about what businesses need to know about cybersecurity. And joining me to talk about cybersecurity is Michael Nouguier, Director of Cybersecurity at Eide Bailly. Welcome to the podcast, Michael.
Michael Nouguier: Thanks, Clinton. Appreciate it. Glad to be here.
Clinton Larson: And for our listeners who are wondering what is cybersecurity doing at an accounting firm? Can you give us a little overview of what you do here at Eide Bailly?
Michael Nouguier: Yeah, absolutely. So I'm the Director of Cybersecurity Services at Eide Bailly. And so Eide Bailly actually is more than just an accounting firm. We actually have a whole technology consulting practice that specializes in data analytics, IT management for our clients, as well as CRM, Salesforce and Sage implementation, and cybersecurity. So we have a very large technology consulting practice to help our client base and just the United States in general.
So, what we are seeing is that cybersecurity is becoming more and more of a focus for all of our clients. And so I decided to jump into Eide Bailly and bring my experience to run some services and help our clients improve their cybersecurity posture.
Clinton Larson: Great, and as I said, it's Cybersecurity Awareness Month, but as you sort of spoke to just now, cybersecurity has become a topic that organizations just can't ignore anymore or can't minimize. It just, it has to be top of mind. So let's just maybe start there. Why is cybersecurity such an important topic now for business owners and organizations?
Michael Nouguier: Yeah, I think the goal of business is to grow and to continually grow and expand and the thing that I always come back to when I do have conversations with anybody about cybersecurity is that, you know, 20 years ago, if you didn't have an internet presence, you weren't going to be successful in business. 10 years ago, if you didn't have a social media presence, you weren't going to be successful in business. And today, if you don't have a cybersecurity plan and strategy to protect your organization and respond to cyber attacks, you're not going to be successful. Your growth is going to be stunted or potentially going to go out of business.
There are two statistics that I come back to here. The first being that in the last 12 months, 55 percent of organizations have experienced a cyber attack. And so that's a little over half, right. That's a pretty compelling argument to protect your organization. And then the second is the more compelling, and it pertains to small and medium size organizations: 60 percent of organizations that experienced a cyber attack go out of business within 12 months. So that's a pretty large number, so it pays to focus on building your strategy, your vision that involves cybersecurity, and creating this culture within your organization to protect your organization's data moving forward. That's going to apply to the growth of your firm.
Clinton Larson: So those are really compelling numbers. I had no idea it was that high. In terms of these businesses who are suffering cyber attacks, I mean, how easy is it to detect or find out, like how easy or hard is it to know that you're the victim of a cyber attack?
Michael Nouguier: Yeah, I mean, that's a very, very broad question to answer, right? Because it all depends on what your focus has been from an IT cybersecurity perspective, right? If it hasn't been a focus, it's a lot harder to detect until something has happened, that you can't access your data, one of your clients is stating that your data is on the internet, right? You're finding out from these secondhand resources; that happens all the time, right?
The big concern out there right now that everybody sees on the news is ransomware. Ransomware is when a malicious actor, a cyber attacker, loads a piece of software into your network that encrypts your data and holds it at ransom. You can't access it, and you can't perform any of your day-to-day functions because that data or your systems are inaccessible, essentially. So we're all seeing ransomware come. We've seen three or four large attacks this year, spanning from $5 million in ransom all the way up to $70 million in ransom.
Now that's not something that we're seeing in the small business. These are actually large multinational organizations, but right, we are seeing hundreds and thousands of dollars of ransom in the small business world. These cyber attackers are getting into the environment. They live in your environment for up to ninety-six days undetected on average, which gives them a whole quarter to understand what's happening in your environment. So they know enough about your environment, if not more about your environment, than any single person within your organization because they've had this dwell time.
And so ransomware is just the beginning, right? We're all worried about that. But there's a lot of other concerns around that. It's not just paying a six-figure, seven-figure, eight-figure ransom, it's the impact that comes after that. The business interruption: can you go two to five days or even longer without utilizing any of your systems, your financial systems, your ordering systems, your payment systems? Most organizations can't. And then from there, if it becomes public, do you have the PR inside your firm or inside your organization to respond to that? There's a lot to consider. And so these all have financial implications. And then if data is stolen, there's fines, there's lawsuits, there's a ton of things to consider when it comes to a cyber attack.
Clinton Larson: You know, you mentioned the over 50 percent of the businesses that are suffering a cyber attack. And you're talking about ransomware. I was curious, when cyber attackers are looking for a target, are they looking for low-hanging fruit? Are they looking for the easiest route? I mean, what kind of businesses are they targeting? Is there any rhyme or reason to that?
Michael Nouguier: Yeah. So I'll answer that a couple of different ways. The first thing I'll say is that hackers are heartless, right? And I'll say that time and time again, they don't care what your business unit is. For the most part, there are some ransomware-as-a-service and large threat actor organizations, as you would call them, that live overseas, that will state that they won't go after schools or hospitals. But for the most part, right, they follow the money, they follow what is needed and where there is vulnerability.
The second is that hackers are lazy. Right? So back to your comment about low-hanging fruit. Absolutely right. They will scan the open internet to understand where vulnerabilities exist, right? They will try and exploit the human vulnerability, which is the phishing that we're all so frequently getting talked to about within our organizations and trained against in the fake phishing emails that our IT department is sending out. But they do that for a reason, so that we understand how to respond to those and we understand what's happening in the environment, so that we don't fall victim to phishing.
But for the most part, yes, hackers are heartless and hackers are lazy. What we saw during the last 20 months of COVID is that hospitals were targeted by ransomware campaigns because they didn't have the time and resources to focus on cybersecurity, as they were overwhelmed maintaining what needed to be maintained during COVID. And so we saw there was a huge campaign called Ryuk, which was a ransomware campaign that was pushed out and impacted, I think, somewhere around 300 hospitals nationwide. And so that's right back to the hackers are heartless. The low-hanging fruit are the industries and the organizations that are overwhelmed with everything else. And so that's the lack of heart in the attacker and also the laziness, right, they're going to find what's easiest to attack because there's a quick turnaround on those.
Clinton Larson: And you mentioned ransomware and you mentioned the phishing attacks that many of us are used to even seeing in our personal email and things like that. What other sort of trends or schemes are you seeing right now that businesses should be aware of in terms of the cybersecurity space?
Michael Nouguier: Yeah. So ransomware is the big one that we're seeing in the news. And so I'd be remiss if I didn't bring that up. Phishing also, but when we talk phishing as a scam, it rolls up into the concept of social engineering. And so it's not just emails that are coming to your work email. It's also the phone calls that you're getting, that are either robocalls or scams like, Hey, this is the FBI, and if you don't pay us five hundred dollars in iTunes gift cards we're going to send you in front of a magistrate, which most of the time I don't refer to a judge as a magistrate. So that's a huge selling point for me. And so those are called vishing, or voice phishing, calls, and they can get really advanced.
One of the services that we offer is phishing calls to organizations to see if people are prepared to respond correctly to protect their environment. So we'll call and pretend to be IT, or we'll call and pretend to be somebody in the finance team or the accounting team and just try and see how much we can get out of that person and make sure that they're responding accordingly, documenting that and then focusing on educating and training the environment to fend against those types of attacks.
The third thing that rolls up into social engineering is what we call smishing. We're very unique with names in the cyber division: phishing, vishing and smishing. And this has actually been on the rise, at least on my cell phone, in the last month and a half. SMS is the messaging system that cell phones use for text messaging; smishing is sending text messages to phones to gain credentials, gain access to some form of data from a cell phone perspective, right?
And so I actually got one the other day that said, click here to track your package, and it came from a ten-digit phone number. You know, FedEx usually uses a five-digit phone number when they text people. And so I looked at it and I was like, well, one, I'm not expecting a package and two, right? This is coming from like a seven two zero Colorado number. Why would I click on the link? Or, you know, I've gotten a lot like, Hey, your receipt was chosen from Costco. You just won five hundred dollars. Click on the link. Who doesn't want to win $500? Also, we're all not that lucky, so let's just take a step back and think: it's not your lucky day. You didn't win five hundred dollars from Costco, from whoever's cell phone texted you that. So smishing is one of the big trends.
And I think what I pivot to from that social engineering aspect is that a lot of what I talk about is the attack surface, which is basically the area, the surface of attack that a threat actor, right, that a malicious actor or cyber attacker has. We call that the attack surface. You know, 20 years ago, the attack surface was your desktop computer. Maybe you were fortunate enough in your organization to get a laptop. But you weren't allowed to work from home. Working from home was few and far between 20 or so years ago. And then over the last two decades, we've transformed the way that we do business to not just doing it on laptops and desktops, but doing it on our personal devices like our cell phones, our home computers, right? And that extends the attack surface of your organization, specifically your cell phones, right, if you were to get one of those smishing texts and click the link and they asked for your email and password and you put in your work email and password, you just gave away your passwords.
So our attack surface has more than doubled. It's probably tripled or quadrupled in the last two decades, and it's getting even... I don't want to say worse, but it is. It's getting even worse, right? Like one of the things I do when I'm talking to a group of people is I ask people to raise their hand and say, who can change the temperature of their house from their cell phone? Right? That is another internet-connected device. It's at your house. We all transitioned to work from home in the last 20 months, or a lot of us did at least. And so we brought our laptops from work home, connected to our home network, the same home network that our kids' laptop and our kids' Xbox or PlayStation is connected to. And this opens up our attack surface. The vulnerabilities that exist across all of the different technologies in our house are tremendous.
And so right, from a trends perspective, our attack surface has increased significantly, giving way to attackers to find new, greater avenues to attack us. And then that leads to my last trend, which is sophistication. You know, my first ever ransomware, I was working with the state government at the time and we got ransomware on one of our computers in one of the departments that we were managing, and it was five hundred dollars and we were all worried. Oh no, we got ransomware. Let's stop it before it spreads. But it was only five hundred dollars. So let's not spend too much time trying to decrypt the data. We can spend five hundred dollars, right?
The last ransomware I worked on was almost $400,000, right? So at that point, that's a completely different conversation to have with your CFO or your controller, to say, where do we get this kind of money to pay for this kind of ransom? Maybe we should do something about it instead and try and pull from backups. And so the sophistication has gotten a lot more intense, right? Several years ago, when it was five hundred dollars, somebody got a link from a YouTube page, clicked it, downloaded the file, ran it and then they got encrypted, right?
The $400,000 ransomware was a hacker that had exposed or exploited the human factor, gotten into the environment, sat for several weeks to months, understood the environment, found out where the most critical data was and then encrypted that data. Encrypted the databases, encrypted the backups and basically ruined this organization.
So right, when we talk about ransomware and phishing, smishing, social engineering, the attack surface, what is most compelling in all of these arguments is the sophistication that's going into it. It's not luck-based anymore. It's specific targeting of individuals to find a way into your organization and then attack in the most sophisticated and most impactful manner.
Clinton Larson: Yeah, that sophistication you're talking about is the thing that seems the most scary, I would think, to many of our listeners, because as you just went through, we have so many devices now that are connected to the internet, and there's so many entry points now. You know, like you said, if you have a work network, there's that. If you have a home network, there's that. You have your phone, you have your text messaging, you have your laptops. I mean, there's just a lot of vulnerabilities now. And if hackers can get in and then just sit there and watch what you're doing and figure out the best way to hurt you, so to say, that's a scary thing.
So what are some fundamentals that people can maybe take back with them to look at their cybersecurity efforts and say, OK, what are the things here that I'm doing that are good? What are some things that I definitely need to upgrade? What are just some fundamentals of good cybersecurity at an organization?
Michael Nouguier: Yeah. You know, the number one thing I always go back to is, right, don't start throwing different product sets at your environment, right? Don't start just, right, they say that I need this to protect against this threat and they say I need this to protect against this threat. The number one thing that I think every organization needs to do is take a step back and try and gain the vision and visibility that they need to build an actual roadmap for increasing the security within their organization.
Do an assessment, understand where your greatest risks are, and do a penetration test to prioritize where your vulnerabilities are, so that you have that visibility to understand what needs to be attacked first. Because if you just start buying software, what we've seen, and I've done this for almost 20 years, what we tend to see is things get purchased and then they get put up on the shelf and they don't get configured correctly, and they don't have the resources to make sure that everything is effective in their environment.
And so instead of just throwing money at the wrong resources, take a step back and understand where you need to go, where you currently are, what's your current state and then what should your future state be from a protection perspective. Align with your trusted advisers and build that strategy for cybersecurity. That's the number one thing I would say that most organizations need to do. Some organizations have that strategy in place already, and that's key. That's vital. And then they can act upon that.
They'll probably have things on that list like enabling multifactor authentication on everything, right? We all hate to enter in the six-digit code or select the application and approve it, but ultimately passwords are, and have proven over the last 20 or 30 years to be, the most insecure portion of IT. Right. We need another factor so that when your password, which is just text, is stolen, there's another approving factor, whether it's your fingerprint, whether it's a face scan, whether it's approving an app. I tend not to say text messages; I don't like that route anymore. I think pushing it into an app that requires your physical device and access into your physical device, that actually makes it more multifactor than just approving it, right. You need to face time or put your fingerprint in on your device to get into that particular app to just select Approve. And so it creates more of a protection mechanism for that.
So most organizations, I think, and what we're seeing from the cybersecurity insurance realm, are focused on making sure that you have multifactor authentication on everything, specifically, not specifically, but tied mostly to your external resources because those are the ones that are easy to attack. And so if you can access your email remotely or you have a web portal for your work that you can log into, if multifactor authentication isn't turned on for those, cyber insurance is likely to either raise your premiums or not cover you. So that multifactor authentication is probably number one that most firms are focused on.
And then some of the other best practices are making sure that you have a vulnerability management program. A lot of people hate when they're at the most critical portion of their day, and the computer says you have 15 minutes before it restarts because we have to push updates. Everybody hates that, right. Cybersecurity is not kind to people when it comes to usability. There's always a give and take to some extent, right? Postponing those till night is easy, but right, those patches that need to be pushed, those updates that need to be pushed to your system, are to patch security holes that are known, right, and having a vulnerability management program that calls out those patches that are needed and also understands other technical vulnerabilities within your environment, so that you know where your biggest security weaknesses are, is very important.
That's another big call-out, right? You know, going back to the attack surface, right? When we talk about our expanding attack surface, knowing what assets you have in your environment is right up there with multifactor authentication and probably even higher. And I should have talked about that one first. But knowing what assets you have to protect is critical, right? If you don't know what's in your environment and you don't know what to protect, you're not going to. And so a detailed asset management program and software solution is necessary in order to protect your environment.
And a lot of frameworks, right? There's a lot of cybersecurity frameworks out there that'll organize these, right? One of the big ones is the CIS, the Center for Internet Security, which has 18 things to focus on, or 18 different controls to focus on. The top two are asset inventory, like hardware asset inventory and then software asset inventory. Hardware has vulnerabilities and software has vulnerabilities, and they're continually increasing in vulnerabilities. As we create new versions of Windows or new versions of the software, vulnerabilities are inevitably going to be written into that software because things are changing in the way that we're creating features, and so vulnerabilities come inevitably.
And so knowing that you have that software is the first step, right? Knowing where you are, and then understanding where those weaknesses are and fixing them in that future state from a software and hardware perspective.
Clinton Larson: You know, as you've been talking about all the different things that you have to think about with cybersecurity, you talked about the ransomware and sometimes having to get a CFO involved, you talk about cybersecurity strategy that's organization-wide. Is it fair to say that cybersecurity is no longer just an IT problem? Is it fair to say that this is something that everyone in the organization needs to be aware of, like your phishing test emails and things like that? Is it no longer an IT issue?
Michael Nouguier: I appreciate you bringing that up. I think that cybersecurity was never just an IT issue. And right, you're not the only person; most people thought that it was always an IT issue, but right, cybersecurity is an every-person issue. It's an every-employee issue within the organization. It impacts everybody and everybody has a responsibility within that.
You get emails, you access certain types of data within your organization, you have certain privileges within your organization. And so you are responsible for making sure that you don't accidentally get impacted from a phishing email. So you have a responsibility to go through that education and understand how to review those phishing emails when they come in and make sure that you're not falling victim to it.
You have a responsibility to make sure that the data that you have isn't being managed improperly. Right. And so I would say that, yes, cybersecurity is everybody's responsibility, and what drives that is the culture of the organization. So if that's not being pushed from the top down, from the C-suite, from the board, from the partners, whoever runs the organization, if they're not pushing that there's a responsibility for cybersecurity, for the protection of the data that you handle as an organization, because it's not just your data, it's people that are impacted outside of the organization, your customers, your clients, whatever that is, if that isn't coming from the top and there's not this culture of cybersecurity as a part of the organizational culture, then that would probably be a great place to start for most organizations.
Clinton Larson: So related to this idea of creating a culture of cybersecurity and creating a strategy around your cybersecurity, how should organizations go about doing that? Is that something that involves all senior leadership? Is there a best practice there? What should organizations do, how can they start having those conversations?
Michael Nouguier: Yeah. So that needs to be a priority for all organizations. I think if you don't have the confidence or the resources within your environment, utilize a trusted partner, coming to Eide Bailly and saying, Hey, can you help us with this? We want to make sure that we have processes from our professional services to build that strategy, understand the current state and build the future state.
And that involves more than just your IT team. We want to meet across the organization to make sure that we're getting the entirety of the culture and the entirety of the goals and growth plans of the organization, so that we can help tie in that strategy, the cybersecurity strategy, into the business strategy moving forward. So I'd say leveraging your trusted partners, right? If you don't have a trusted partner in this arena or you want to talk more, please feel free to reach out. I think that we can probably put my information on this podcast somehow. I'd be happy to talk through any concerns or issues that anybody has. Yeah. And you know, I appreciate the question.
Clinton Larson: And we will definitely not ask you to pay in Apple Store gift cards.
Michael Nouguier: Yeah, Apple Store and I don't use iTunes anyway, so that would be great.
Clinton Larson: Well, thank you very much, Michael. This has been an awesome conversation, and obviously we think we've proven very, very much so that even though it's cybersecurity awareness month now, this is a topic that businesses need to have top of mind all year round.
Michael Nouguier: Absolutely. And I think, you know, I appreciate you bringing up Cybersecurity Awareness Month once again. One of the things: a lot of organizations have resources out there that can be downloaded and you can walk through. Eide Bailly has built a book that you can walk through that talks about the fundamentals of cybersecurity and where to focus, right? Not unlike what we talked about today. But also StaySafeOnline.org is a joint program run by a lot of different federal organizations and has a ton of resources on there as well. And so, you know, I'd be remiss if I didn't plug that a little bit during Cybersecurity Awareness Month.
Clinton Larson: Awesome, well, thank you so much for being on the podcast, Michael. I really appreciate our conversation today.
Michael Nouguier: Thank you so much, Clinton. I appreciate it and thanks for having me on.