Episode 12


Transcription

Justin Hubbard:
Hey, folks. Today, we are joined by Jason Miller, who is the director of the business consulting group at Dean Dorton. So I wanted to have a chat about cybersecurity, and I thought who better than our resident technology expert, Jason Miller? And Jason would only agree to join our merry podcast if he could do so at someplace cool like Ethereal Brewing Public House. And so the folks here at Ethereal were kind enough to let us into their really nice, swanky upstairs dining area. So very appreciative of that, but we’re here to talk about cybersecurity and very excited to be here at Ethereal. So Jason, welcome to the show.

Jason Miller:
Thanks, Justin. I’m glad to be here. Cybersecurity can be a pretty serious topic, so it’s kind of nice that we can step out of the office and go to a casual place and bring down the seriousness over a beer.

Justin:
So before we jump into cybersecurity and you start talking over my head, you’re not an accountant, but you’re at an accounting firm.

Jason:
Correct.

Justin:
And you’ve been there a long time.

Jason:
I have.

Justin:
Connect those crazy dots.

Jason:
I tell people I play an accountant on TV a lot of times. But it was actually kind of interesting and intriguing, back in the early 2000s when I got to the firm, it was kind of a little more of an anomaly for an accounting firm to have technology. It’s a little more common today. And part of that is every business is so reliant on technology, and people trust their CPAs as trusted business advisors. And so the natural progression is to provide technology services as part of that business operations and improvement.

Justin:
Got it. Let’s dive in. So cybersecurity, Dean Dorton is relatively new to the cybersecurity service world from having a niche group. How do you define cybersecurity?

Jason:
So when I think about just even the term security, you really have two components of security. You’ve got physical security, which most people can wrap their mind around. You’re trying to protect physical assets, buildings, that kind of stuff. And you think of your home security system and locking doors and that kind of thing. But then you’ve got cybersecurity, and that one’s a little tougher for people to comprehend some days because, oftentimes, it’s protecting assets that you can’t really see and protecting against threats that you can’t see and you feel like you have less control over.

But cybersecurity, we would say, is protecting all of your digital assets. So your sensitive information, your critical systems that the business operates on, all of those are under constant attack by third party threat actors trying to either profit off of the acquisition of sensitive data or cause a disruption to your business that you might be inclined to pay funds to get out of the disruption.

Justin:
You used the term threat actor. What does that mean?

Jason:
Threat actor would be the person on the other end. So the threat is the issue or the attack type. The threat actor’s typically the hacker or the person who’s facilitating the attack or the breach or compromise.

Justin:
I feel like we could probably reduce hacking if we called them threat actors because it wouldn’t be as cool. You’re not a hacker, you’re a threat actor.

Jason:
Yeah. There is some myth around the whole hacker. The TV has really played it up. And you watch all these TV dramas and crime shows, and they show the people behind the keyboard sitting there doing some big complex thing. And honestly, most hackers really aren’t that cool or that sophisticated. You can actually get on the internet, you can go buy ways to attack other companies pretty cheaply, and execute against organizations. So you really don’t have to be all that sophisticated and cool as they make them out to be on TV.

Justin:
This is an area, and for me, that makes me feel overwhelmed. I don’t think I’m a control freak. I admit that we are on this giant ball of dirt and rock hurtling through space, and it’s just a miracle that we don’t fly off into the sun and that I could die any second now from some blood clot. And I admit that, and it doesn’t bother me. I’m not one of these control freaks. But the notion that someone is out there stealing data that I can’t touch just really drives me crazy. Is that common?

Jason:
It actually really is. And I think a lot of people feel so overwhelmed by it they just throw their hands up in the air and just say, “We’re going to accept the risks.” Especially smaller businesses. And so what we’ve seen over the years is the level of complexity, just the sheer magnitude of it, and the cost oftentimes causes a lot of businesses just to say, “We’re just going to take the risk and what happens, happens.” Whereas larger organizations have teams of people and invest a lot in it to deal with the complexity.

So that’s one of the things that I’m most proud of with our current cybersecurity team at Dean Dorton is we’ve got the ability to help that small business understand their risks, understand what they need to do to mitigate those risks, and do it in a way that’s more budget-friendly. Realizing that you can’t be perfect, you can’t fix everything, but let’s at least prioritize it and minimize that risk where we can, versus just sitting and waiting for something to happen. Because it often comes down to it’s not if you’re going to have some sort of compromise or incident, it’s really when. And even large organizations who spend a lot of money on it still have things that happen because it’s a constant evolution. It’s never finished. You’re never fully protected. You’re never done. There’s always a new threat. There’s always something new that you got to be on the watch for and putting additional controls in place or changing the controls that you have to account for these new threats that come up.

Justin:
If you’re a small business and you just flung your hands up at that and said, “Alright, they can have whatever they want. I don’t have enough really for them to worry about.” What are they not thinking about or not valuing?

Jason:
So when we deal with cyber incidents, there’s typically a couple of different roads that those take. And one of the most common ones that you hear the most about in the news is data breaches. So sensitive information, either credit card information, healthcare information, or other identity specific information from some large group has been compromised. And now your information is out there. So that’s the first one. And what happens, that information gets sold on the dark web. So that’s how they profit from it.

The second one is attacks on your critical systems and software, and usually in the form of ransomware. And these are the ones that I really get significantly worried about for businesses that they don’t think about. A lot of people will say, “Well, that data is probably out there already from some other breach.” But if you have a ransomware attack, it can take your business down because most businesses rely on probably at least three or four critical technology systems to function. Whether it be your sales order processing, your accounting system, your payable system. You’ve got all these resources. And under a ransomware, it can take down your entire operation.

So we have helped investigate incidents for clients who have been down for up to two weeks with no access to anything. No email, no phones, no files, no client files, no billing system. There’s even been a recent situation where we’ve talked to an organization that was literally down for 10 days with no access to anything. And then even two to three months later, they have not generated an invoice out to their clients. So you can think about the impact to cash flow that has. It really could cripple some businesses. And some businesses could go out of business in that period of time with no access to their ability to serve their clients or execute on their mission.

Justin:
Is there something inherent within ransomware that makes it so detrimental?

Jason:
Well, it’s an encryption. So they’re basically encrypting every file on the system for the ability for it to even boot up or access it. And without that encryption key, you can’t pull it back off. And so your information, your computer just becomes a boat anchor, basically.

Justin:
It’s held hostage.

Jason:
It’s held hostage. And the more recent, in the last couple of years, when ransomware first started, most people would just say, “I’m not paying, we’re just going to restore from backup.” And so, the constant evolution is the threat actors realized that they weren’t really getting the payoff they expected because people would restore from backup. So they said, “Well, how do we attack the backup before we attack the primary system?” So usually most threat actors have been in and are working around the network for days, weeks, even months before anybody knows they’re there. So they’ll go in and either harvest the information they want before they even let you know they’re there, or they’ll attack the backups first and then they’ll encrypt the system. Because most people don’t realize they’re there until they encrypt the primary systems and things stop working. And so at that point, you have no backup, you have no system. What do you do? You pay because most people can’t recreate whatever the missing information is because it could be years of data that’s been impacted.

Justin:
So to use a current buzzword, you could be infected or impacted but be asymptomatic?

Jason:
You could for a period of time. Interestingly, one of the more recent reports we’ve seen show that people are noticing or becoming more aware quicker, which is a good thing. But it’s still way too far out there. And the impact is more devastating because the threat actor’s been in, doing things for a longer period of time. And so I talked about the two different kinds of threats being the harvesting of data or the ransomware. There’s quite a few recently that are a combination of both. So they’ll get in, they’ll take the files they want, and then they’ll ransomware again. So they’re getting you on both sides.

Justin:
Oh, wow.

Jason:
Yeah.

Justin:
When should a company start caring? If I start a business, on day one, do I need to start caring immediately? Or do I need to wait until I’m profitable and really care?

Jason:
It’s generally going to be easier to do it up front and you kind of go in and plan for it. I would argue that no business is really immune to this. So it really comes down to an evaluation of your risk and working that into your business plan. So as I mentioned before, a lot of small businesses get overwhelmed with the complexity or the costs. And they basically say, “We’re just going to take the risk.” Well, that’s become more detrimental than it used to be. So it comes down to what business are you in? Are you going to be collecting sensitive information? Are you regulated? Do you have PCI (payment card industry) concerns? Do you have health, HIPAA information? Could you become liable for being careless with it? So I would say that any business really needs to take it more serious. And then would the business even get off the ground if you’ve got shut down a month in and had access to none of your critical systems?

Justin:
Yeah. And the reputation risk. If you’re known as someone who gets exposed.

Jason:
Reputation risk is huge. I mean, I think a lot of people fail to think about that. But if you’re the business owner or you’re an executive, do you want your name plastered all over the media for having been compromised? And if you’re a new business, you haven’t built up any goodwill hardly probably. And you’ve lost it all before you start.

Justin:
Yeah. So would you say a business should be thinking about these things just as equally as they’re thinking about supply chain risks, competitors, new markets?

Jason:
It should go into a comprehensive business risk assessment. A lot of people think this is an IT issue, and it really needs to be a business issue. And it needs to go into an overall risk assessment. And that’s what I like about Dean Dorton is we help businesses, not only with just the technology, but the full business risk. And so, organizations should look at what is the risk to the business every year? Whether that be fraud risk, whether that be, as you mentioned, supply chain risk, employee risks, we have a new risk we think about, pandemics, that weren’t part of our scenario planning six months ago. But now it’s a reality. How does your business continue if you have a mandated shutdown? How do your employees continue to work? And cyber is just one more of those that should be part of an overall risk assessment.

Justin:
So what are practical first steps? If I start a business, I’m thinking about these things, I’m trying to do the right things. What do I do?

Jason:
So if you’re a startup, you’re not likely to immediately go out and have one of your first hires be an IT security person on your team, unless you’re in some business that really dictated that.

Justin:
Or you’re really lonely.

Jason:
But align yourself with a proper third party who understands it and who can help you evaluate. And then you go into that risk assessment. So you could spend an endless amount of money and resources and time on all the cool protections and tools and controls, but you have the reality of I have to operate this business and I’ve got limited funds and limited time and focus.

So through that risk assessment, you start to build a cyber roadmap and you prioritize what can I do? And you balance that prioritization with your risk and your budget and determine what can I start to do immediately? What will I do kind of phase two, phase three? And then making continued improvements is really the key. Because if you try to make it perfect out of the gate, it’s going to probably be cost prohibitive, it’s going to be overwhelming, and you probably won’t even get started. You’ll probably stop before you start.

Justin:
Yeah. You said an interesting term a few minutes ago, you said dark web. And that sounds like that place in the dark, dark area in Star Wars where the bad guys went and hung out for a while. What does that mean—dark web?

Jason:
I don’t know a whole lot about it personally. We have people in the team who—

Justin:
You’re a fine, upright contributing member of society.

Jason:
I don’t participate in that very often. You’re trying to bait me into something here, Justin. I see.

Justin:
I’m just trying to educate people.

Jason:
So the team actually has resources where they can go look for information out there. And so, that’s the beauty of our team. We have multiple resources that this is what they do. And so they will actually, as part of our cyber assessment, go look to see is there information easily identifiable out there on an organization? So we can tell them, “Hey, you’ve probably already had a compromise.” And that allows us to take some proactive measures with them around passwords and things. It’s like, “Oh, your list of passwords for all your users are already out there on the dark web. Let’s make sure we’ve done a reset here recently.” But it is a place that it’s hard to trace the activity on it, the way it’s set up. And so that’s how you can have people out there selling sensitive information and not be able to trace it or track them down. So a lot of people think, “Well, why can’t you just follow it?” Well, in the world of Bitcoin and some of those things, you can do more untraceable transactions.

Justin:
So I’ve always heard, and maybe you can explain this, if you do a Google search, why can you not click on the links that say ad? They’re at the top.

Jason:
They’re at the top, but they’re at the top because somebody paid for them to be at the top. And so, the intention of it was good. It was to allow people who really want to get their information moved ahead to do it. But a lot of the problem is that the threat actors realized they could pay to get their information moved to the top. And so it moves them ahead of a legitimate site’s search. And so we were talking earlier about a recent incident that we helped investigate, and it was actually a fairly impressive and sophisticated breach. And it’s one that really exemplified the fact that you’re never finished. It’s always a continual battle because just when you get a control in place, there’s somebody out there trying to figure out how to get around that control.

And so this was an example that we’ve kind of gotten comfortable with multifactor authentication. And if we’ve got that, we’re protected. But a threat actor actually mimicked the site of a legitimate bank. So actually a large regional bank. And they created a site that looked just like the bank’s. And they registered a domain that was very similar, that visibly didn’t look off. And they paid for Google AdWords to get their site listed higher than the bank’s site.

And so, one of the bank’s clients, more than one, but in our situation, one of the client’s employees searched for the login to their online banking versus having a link. And so the illegitimate site popped up first, they clicked on it. Site looked like they were used to seeing, they put in their user ID, they put in their password, and they entered their seven digit multifactor authentication token code just like they would. And they felt kind of safe that that was what they were trying to do.

But what happened, the threat actor who had the fake site took that information and had a bot behind the scenes that could go log into the bank using that user ID, password, and token before the timeout. Because one form of multifactor authentication is that rolling token code, you get about 30 seconds on average, and then it changes. So I mean, I’m sure everybody’s used one of those and you feel stressed because you see the little dots tick down and you’re like, “Do I wait for the next one or do I try to race the clock?”

And so what happens is they took that and they got logged into the real bank site using that user’s credentials. And they were able to create their own users on that client’s online banking account. And then they started initiating wires. And this one particular client, they had nearly $2 million of wires out of that client’s account before they could get it cut off. And so that’s one of those real examples of evolving threats and an example of why you can’t just click on the ad things that are up there, you need to be a little more skeptical of those.

Justin:
So you had a large organization, but one employee did something relatively innocent. She just overlooked something screwy in a—

Jason:
In the link address.

Justin:
In the link. And it opened up the entire bank’s system.

Jason:
Yeah, it did. It was some of those scary moments where it’s like everybody kind of had some comfort in the security and multifactor authentication, and all of a sudden now that kind of shot a hole in something that the industry had had a lot of faith in before. Now, multifactor authentication is still a really important control. And I often get asked, “What is the one thing?” When I do presentations on cybersecurity, a lot of times the question is what’s that one thing? If I go out of here and I can only do one thing, multifactor authentication will minimize most threats very significantly. And so that’s still my one thing. Multifactor authentication has evolved over the years. And so that you have the old token method, but you also have what they call a push notification where you’ve got an app installed on your phone or smart device. And when you go to log in, you say push. And then it pings you on your phone and you say, “Yes, that’s me.” And so you realize, yes, I tried to do that. And yes, it did it. And so it passes.

So that’s a little more secure than the token based on what we just talked about in that example. But I would also say that there’s no one control that’s by itself perfect. So we go back to the example of the bank. There are some other controls that fell down somewhere along the way, whether it’s the bank’s system or whether it was the client’s configuration of their user security on the bank’s system. But the particular person who could initiate the wire shouldn’t really have been the person who set up new users because now we see that one person, one user could create new users who could initiate wires without any kind of additional layers of approval. So with any part of cybersecurity, you want to look at layered controls. Because at any given time, one could fail, but you should have additional layers as your stopgap to help protect if that control does fail.

Justin:
Oh, goodness. Why shouldn’t we just go unplug everything right now?

Jason:
Just go back to paper, I say. Life was easier. People just robbed banks at that point, right?

Justin:
That was an honest living. Compared to what they’re doing today, that seemed honest.

Jason:
You feel a little less violated. Or there are fewer people violated in that situation. The employees at the bank probably felt violated during the robbery.

Justin:
Well, at least there’s a police officer there. Now you’re just hoping that somebody three years ago clicked the right button. All right. So let’s wrap it up, end on some fun things. So what’s the most outrageous threat or attack you’ve seen?

Jason:
Well, that bank example probably is the top of my list at this point. Again, because all of us in the group just kind of stood there and scratched our heads for a second, letting it sink in of what just happened here. So that’s a big one. And then just the examples that we see of how devastating some of the ransomware can be to a lot of organizations. I mean, we literally have seen good size organizations just literally have their operations come to a standstill for weeks or months at a time. And quite honestly, it’s actually amazing that some have survived it in some of the examples that we’ve seen. I mean, it’s a significant impact. Even with cyber insurance, it’s still a big impact.

Justin:
Now, are these threats domestic, international, all?

Jason:
Most of the time, we can generally trace them back to some international country. But with the way technology is, you can bounce through multiple different servers. And so it’s hard to fully trace it because a lot of times you see a layered attack. And I could come in and I could attack your business’s computers and then use those to attack the next guy. And it looks like it came from you, but I bounced through you to get to the next one. And so it’s a chain reaction. But a lot of times, if they’re able to trace those back, you end up with a fair number of foreign places, and it becomes harder to prosecute those too.

Justin:
I’m going to buy gold tonight. I’m going to buy gold.

Jason:
You going to dig a hole and put it in the backyard?

Justin:
Well, I’m not going to tell you, Mr. Dark Web Navigator. So tell us about what Dean Dorton does in this space. And practically, what does that look like when we work with clients?

Jason:
Yeah. So you mentioned earlier, it’s a relatively new dedicated service. We’ve dealt with cybersecurity for a number of years, but two years ago, we realized that this service is desperately needed and it’s not likely to go away anytime soon. So we’ve assembled a team that has done a fantastic job in doing one of my main goals, which was let’s make sure we’re business-focused and focused on the cyber versus just a bunch of tech heads who just say, “You got to go do all these things because this is what you should do.” And so, one of the biggest examples of that is, as I mentioned earlier, cybersecurity assessments can be fairly expensive. And so a lot of businesses just threw their hands up in the air and said, “We’re just not going to worry about it.”

So one of the goals I had was how do we create a small business-focused cyber product, something that we can get to a small business that’s more budget friendly? But I was very adamant that when we did that, that we could not sacrifice the substance of it. It wasn’t let’s pull the price down so low that we’re really doing some lipstick on a pig, no value. It had to deliver value. And so, it took some time. We actually had a lot of back and forth on that’s too expensive or we went too low and we’re not delivering the value. So I was really proud of the team that we compiled, that they were able to meet that challenge. And so we have a product now called Cybersecurity Scorecard for Small Business. And that allows us to do an assessment that meets two things: it’s budget friendly, but it’s also not designed for an overly technical presentation.

So that was the second issue with a historical or a more sophisticated cyber assessment. And a lot of businesses still need those levels. We’re dealing with complex organizations that have IT departments and even cyber resources in house so we need the more advanced assessments. But your smaller business doesn’t need that level, and they don’t need 130 page report talking over their head. They need something that says, “What can I do to make a difference?” And so the Cybersecurity Scorecard delivers an end result product that a business owner can understand. We actually look in four key areas and we assign a grade, A, B, C, D, or F, which most people can resonate with. And nobody wants an F, everybody wants to try to get an A. And then we give a composite of the four of those together. What’s your overall rating?

And so in each one of those areas, when we do find a rating where there’s a lot of vulnerabilities, we will list, “Here’s the things that you can get the biggest impact on that score.” And then that starts to build a roadmap for them to go work on, and then we can come back and do the assessment again. And then hopefully, you can see measured improvement. So if your average was a D, and you go implement some remediation tasks and we do it the next quarter, semi-annual, or annual, hopefully you’ve moved that up to a C, B, or A. And so that’s gone over really well with our clients. That’s just one component.

We do a lot of the more advanced assessments. So we do those for regulatory governed clients like banks and healthcare organizations for HIPAA. The other thing we do is we do an outsourced information security office. So if you don’t have your own cybersecurity resources on staff, we can become your cyber team on a more ongoing and proactive basis. And that can be a small business all the way up to an international business. So we’ve got a team that can handle organizations of all sizes.

And then the fourth service that that group does is incident response. So I suspect something has happened, I need somebody to help figure it out. And so we can come in and mobilize in a quick fashion a team to figure out what’s going on, plug the hole so that we can get whatever the incident is stopped, investigate it to determine what the extent of that was, and even go into forensics of what was the extent of the situation? And then from there, go into remediation to help protect into the future. So it’s a dedicated team. It’s one of the largest cybersecurity teams located in the state of Kentucky. And we continue to grow that team every year.

Justin:
Yeah. Is there any reason to think, if you’re outside the state of Kentucky, that you can’t use a firm from Kentucky? Are there any geographical limitations?

Jason:
No. We can do a lot of our assessments remotely. And we proved that we had to do that in our current pandemic state. We continued doing assessments even when the client wasn’t at their office. We can ship a device in that can be plugged into the network, and we can facilitate that remotely. We do travel for some clients, depending on the engagement, the type of service. But yeah, we’ve got clients all over the country that we can service in this area.

Justin:
All right. That’s a lot. Any last words to the community regarding cybersecurity?

Jason:
Don’t succumb to the feeling of being overwhelmed. Ask for help. And it can be brought down to anybody’s level, even Justin’s level.

Justin:
Yeah. To be continued. All right. Thanks for being on.

Jason:
Thank you.

Justin:
Thanks, guys.
