The 1983 movie War Games introduced the concept of “hacking” to the general public.

And in the ensuing four decades, we’ve seen massive online breaches of security involving both personal and business information.

Once considered a unique event, data breaches have become commonplace but many companies still don’t have adequate safeguards to protect their information.

Our guest today says that protecting businesses’ computer networks involves both technological and human defenses.

During this thirty-minute episode, Gary covers effective cybersecurity efforts, how businesses can protect themselves, and the different types of protection methods.

Please take a moment to rate and review Good Morning, HR on Apple Podcasts! 

Slide down the page to claim your HRCI or SHRM recertification credits!

Gary Tonniges

Contact

www.triquesttech.com

Transcript

Gary Tonniges: … is we want to make it as difficult as we can and put as many hurdles and roadblocks in-between the hacker and the money as we can. But this really is, yes, you need a firewall on your network. Yes, you need antivirus and antispam and you need to patch your stuff. Those are all kind of basic rules of the road stuff that if you’re doing, you can rely on the larger companies like Microsoft and Cisco to be watching out for the complex hacking scenarios. What we need to be doing individually as business owners and as HR folks is to be specifically addressing how the business email compromise will affect the end user.

[intro music]

Mike Coffey: Good Morning, HR, I’m Mike Coffey, and this is the podcast where I talk to business leaders about bringing people together to create value for shareholders, customers, and the community.

Please follow, rate and review Good Morning, HR on Apple Podcasts, Stitcher, Spotify, or wherever you get your podcasts. You can also find us on Facebook, Instagram, YouTube, or at goodmorninghr.com.

The 1983 movie WarGames introduced the concept of hacking to the general public and in the ensuing four decades, we’ve seen massive online breaches of security involving both personal and business information.

Once considered a unique event, data breaches have become commonplace, but many companies still don’t have adequate safeguards to protect their information.

Our guest today says that protecting businesses’ computer networks and information involves both technological and human defenses. Gary Tonniges is an entrepreneur, certified public accountant, and owner of TriQuest Technologies, a Fort Worth based IT solutions provider. He will be presenting about how to mitigate the cybersecurity risks facing businesses at Fort Worth HR’s Strategic Mindset Conference on September 17th. Welcome to Good Morning, HR, Gary.

Gary Tonniges: Thank you, Mike.

Mike Coffey: So, how serious is this data breach problem?

Gary Tonniges: Well, if you measure the seriousness of it by the dollars of the impact that the insurance companies are reporting, the losses have gone from several hundred million dollars 10 years ago to this year, $1.9 billion as reported by the FBI in the year 2020 for email-based attacks. So, the dollars are huge and they’re getting bigger. And so, if you use that as a benchmark, I think it’s twice as risky this year as it was last year. But each year it seems like we solve one problem and another one crops up.

Mike Coffey: The bad guys are always one step ahead of us.

Gary Tonniges: Well, they’re making a tremendous amount of money doing cybercrime and in that world, they’re reinvesting that money in their tools and their processes. And just like we invest in our businesses to make our businesses stronger and be able to ship more products with the same number of labor and that kind of thing, they’re buying tools to automate, they’re hiring programmers to write more sophisticated tools. They’re using the internet to share information so that they can take an untrained criminal and train them up to be able to do more, faster. They even have call centers.

Mike Coffey: Wow. And so, yeah, I’ve received those calls from “Microsoft” who want to help me install an update that’s critical and I’ve played along with them and even recorded one and kept the guy on the line for about 40 minutes before he finally hung up on me. I never did give him access to the computers. My IT guys have beat that into my head.

Gary Tonniges: Good. Good.

Mike Coffey: But we hear about these giant breaches, major consumer reporting agencies, major government entities, things like that. If I’m a small business, maybe I have 30, 40 employees or five or six, how much do I need to be worried? Are they really going to target a smaller business or is this just something that big businesses worry about?

Gary Tonniges: Well, that’s a great point. And in your intro, you referenced the WarGames movie, which was a great show. And unfortunately, or fortunately, that’s not what is the risk that small businesses need to be aware of, the Target breach where they stole all the credit cards, the Experian breach where they stole everybody’s email addresses and social security numbers. Just recently, the hackers went after T-Mobile and was able to, I think they downloaded a 100 million records and there’s only 107 million T-Mobile customers. So basically, the entire customer base, all their credit information, everything T-Mobile was in custody of is out on the dark web for criminals to utilize. So, you can pretty much bet that all what we consider to be private or confidential information that’s personal stuff is out there somewhere through one of these larger data breaches.

That’s not really what we’re concerned about. So one of the things that we counsel our customers to focus on is effective cybersecurity, which brings in the concept of risk mitigation. So, what is the largest risk that you will face if you’re a 30-person company, 40-person company doing $25 million, $30 million worth of revenue every year if you’re manufacturing? Who’s coming after you, and in what ways are they going to try to monetize that attack? Because the criminal wants to make money. That’s their goal.

And they’re going to do that in one of two ways, either by tricking you, as you referenced people calling and saying they’re with Microsoft, let me into your computer and where that ends is rerouting your financial information. So, you think you’re paying a vendor and you’re actually wiring it to the criminal organization or they lock your system down, either through those software called ransomware, which is a software program that one way or another, they get installed on your computer and it locks it up so that you can’t use it until you pay some sort of a ransom to get the data back or get the system back.

And that’s something that a lot of small businesses get caught by is that they don’t realize how important some of the secondary systems that reference technology or use technology in their business.

So, let’s say for example, you are a small business that ships once a week, every Thursday, your orders go out. Well, that shipping computer that prints the UPS labels doesn’t really have any data on it that you care about. So you don’t even back it up. So it gets hit with ransomware. Well, what does that do to the business? So they didn’t hijack your data. They hijacked your ability to print UPS labels, which downstream in the process means you can’t ship, which means that two weeks later, you’re going to feel that in your accounts payable stream because you’re not going to have revenue for that period.

And so the larger the scale gets, the worst the impact can be. And 85% of small businesses that get hit with these large-scale ransomware attacks never recover. There’s a big number of companies that get hit with a full attack of ransomware where the system is hijacked, and they never come back because it’s that devastating.

Mike Coffey: So, what are the most common ways that something like ransomware gets on somebody’s computer or on their network?

Gary Tonniges: Well, it’s interesting. One of the reasons that I was excited to talk to you and to HR folks is it’s the people.

Mike Coffey: Of course.

Gary Tonniges: 85% of all inbound attacks start with the email mechanism. That’s the conduit for how they come in.

And then it’s human beings typically like you referenced the Microsoft scam, which is a confidence scan where someone pretends to be from a trusted source like Microsoft or an Amazon customer service representative, or your cable company, your AT&T. And they say, “We notice that you’ve got a problem on your computer and we are concerned about you. We want to log in and help you. And I was able to fix it.” What they’re actually doing is putting probes on your system that allow them to remotely access it later, upload all your data and then use your computer as the origination for other attacks.

Mike Coffey: Right. So, are these emails… I mean, we’ve all seen the Nigerian emails or, “I’m a prince in Nigeria.” Are they that obvious or?

Gary Tonniges: No. As we were talking about how the criminals have reinvested in their systems, they have gotten a lot more sophisticated and they have access to a lot more data than they did back then. So, the, “Hey, I’m a Nigerian prince. I’m coming to America. Can you help me get my money out of this regime to Wells Fargo?” That worked in 1985 over the telephone. Now, people are aware of that and they’re aware of the Microsoft scam. But this podcast that we’re doing is Zencastr is the software that you’re using.

Mike Coffey: Right.

Gary Tonniges: If somebody calls your producer and says, “I’m with Zencastr, I noticed that you had a problem and let me help tune your audio. Here is a patch that we suggest that you install, it’s not going to be released till later,” would they install it? Would they verify it?

Mike Coffey: Okay. Okay, Rob, my producer is shaking his head no, which is comforting.

Gary Tonniges: Yes. But as you expand the number of people that interact with technology in an organization, and some of them are new college graduates, some have never been to college. Some are warehouse workers whose primary focus is to pack boxes or to route things through the system, paperwork and stuff like that. When you get them involved in interacting with email and invoices and inbound receipts and, “By the way, I just got this email from our customer. It’s from Jim, who I know. I’ve talked to him many times on the phone and he’s telling me the new bank that they just moved offices,” which I know they moved offices. So, this makes sense. And I do it. Why do I do it? Because I want to be helpful. I don’t want to bother my boss. I want to just get things done and move on along.

And we’ve seen examples of this, I guess the name for this type of attack, it starts with this as a BEC or a Business Email Compromise. So, through some mechanism, they are able to look at the Facebook feed of a company or its homepage or the… And send what really would be almost a generic email to get somebody to log in to a fake website, for example, which then gives the criminal somebody’s email. Now they log into the email system as that person. Now they’re in the email system and within the email system, they email the CFO and say, “By the way, I was just talking to Jim because they moved. This is their new address.” And the CFO sees it as authentic because it technically is authentic because all the systems are hopefully in place that protect from spam and antimalware and stuff like that, that people have circumvented it.

Mike Coffey: So it’s like the old horror movie, the call is coming from inside the house. Oh, my God. Okay. Oh, wow!

Gary Tonniges: Yeah. That’s very good. Yes. That’s exactly what I think of that often, that reference, because the systems aren’t designed to watch for that, and they’re able to make money. We would not go out of our way, I don’t think to spend a significant amount of time to make just a couple of hundred dollars each transaction, but the average loss of these Business Email Compromise, then send me some email, “Oh, go to the store and buy iTunes gift cards, scratch off the back, take a picture of it and email it to me.” So they take you for $1,200, $1,500. Those things are not reported very often because people are embarrassed because there’s really no chance to recover from it.

Mike Coffey: Yeah, law enforcement it’s not going to be interested in something like that with that dollar value, I see.

Gary Tonniges: Or the people are just-

Mike Coffey: Embarrassed.

Gary Tonniges: … It’s already embarrassing. It’s already a lesson learned and I’ve heard lots of stories from folks who say, “Yes, that happened and I shouldn’t have done it,” but there’s no culture within the organization to value the concept of getting out of your own head and sharing the wisdom of things like that. And saying, “By the way, everybody, these types of things are happening in the world.” So that the intern who’s just started in marketing hears that that’s a thing that you can’t trust what’s written.

Mike Coffey: And let’s take a quick break.

Good Morning, HR is brought to you by Imperative, premium background checks with fast and friendly service.

If you’re an HRCI or SHRM-certified professional, this episode of Good Morning, HR has been preapproved for one half hour of recertification credit. To obtain the recertification information, visit goodmorninghr.com and click on recert credits, then select episode 10 and enter the keyword Gary. That’s G-A-R-Y.

On Thursday, September 30th, I’ll be hosting a free webinar entitled, Beyond Values: Building an Ethical Business Environment. This free webinar is approved for one professional development credit for SHRM-certified professionals and one hour of business recertification credit for HRCI-certified professionals. You can register for this free webinar at imperativeinfo.com.

And if you’re listening to this program after September 30th, you can still watch the recording of this webinar, as well as our previous webinars on our website for credit, for free.

And now back to my conversation with Gary Tonniges.

So, how do we do that? How do we keep your front-line employee or heaven forbid, president or owner of the company from clicking a link or getting duped by one of those things?

Gary Tonniges: So, security awareness training is one factor or one avenue of creating protection. And what we want to do in all facets of cybersecurity beyond just the business email compromise is we want to make it as difficult as we can and put as many hurdles and roadblocks in between the hacker and the money as we can. But this really is, yes, you need a firewall on your network. Yes, you need antivirus and antispam, and you need to patch your stuff. Those are all kind of basic rules of the road stuff that if you’re doing, you can rely on the larger companies like Microsoft and Cisco to be watching out for the complex hacking scenarios. What we need to be doing individually as business owners and as HR folks is to be specifically addressing how the business email compromise will affect the end user.

And so, security awareness training is one example of a combination of software plus policy where this software tool that you can buy and implement will periodically send emails to all employees as a campaign. If you’ve ever done anything with marketing or sending out emails, it’s very similar to that. So, the folks receive an email and it says, “Your Amazon credit card has expired, click here to put in your new credit card,” and if they click on it, it says, “You were duped, this is a phishing email and here’s the five-minute training video to watch.” So, that’s one facet of it. A second facet of it is the ability for the software to inside of the email programs to allow individual users to say, “I think this is phishing email,” and market as such, and then the individual users get ranked as being really good at identifying phishing and if they mark something from a suspicious sender as phishing, it will remove it from all the employee’s email boxes.

Mike Coffey: So, it’s gamifying kind of the security awareness.

Gary Tonniges: A little bit and it’s also leveraging, it’s making it quick and easy because one of the things with security, it’s kind of like a teeter-totter where the more secure you make something, the less convenient it is. The more convenient, the less secure. Well, finding that right balance is how do you get the people, win the hearts and minds and get the people to participate in the security program is to make it relatively easy. So, if all I have to do is click a button. I think this is fishing in that creates an awareness of this is something that’s good. It also creates the opportunity for people to talk about it on a regular basis.

Mike Coffey: So things like that would just be an outlook plugin of some sort?

Gary Tonniges: That’s exactly right. It’s an outlook plugin that would sit alongside of this. So you have security awareness training, you have threat protection for the email, you have the ability to mark it as phishing and then you have password management.

Mike Coffey: Talk about that. Yeah.

Gary Tonniges: Yeah. Password management is interesting because-

Mike Coffey: Changeme1 shouldn’t be my password?

Gary Tonniges: No, no. And a lot of people will, because they don’t want to remember what their passwords are, they have one password and they use it in multiple places. And even though the IT industry has been talking for 10 years now about have unique passwords, the statistic is 55% of people use one password for all their logins.

Mike Coffey: Wow.

Gary Tonniges: So, what happens is somebody comes to work at a new company and they create their new log-in into their office email, as their… Say, their password is Christmas1993. They use that everywhere. Well, their security on the email server to make sure that unauthorized attempts get locked out after five times or something like that. So, the person thinks, “Well, Christmas1993, that’s pretty complicated. Nobody’s going to be able to guess that.” But they also used it on their child’s soccer team’s website sign up for who’s bringing oranges on the next game. And that server was not secure and was hacked. So, now they have the person’s name and Christmas1993 as a code to start trying to hack into this person’s email.

Mike Coffey: Wow. But if we don’t want to keep track of all these complex passwords are things like Dashlane or Keeper, those kinds of password managers, are those safe?

Gary Tonniges: Yes. Well, as long as whichever password manager you are using has a vault or a key that only you know. The trick is if it stored in the cloud or a stored on your computer, it needs to be encrypted with AES-256 encryption. If it is, then that code. So, yeah.

Mike Coffey: So, it’s just really locked down is what you’re saying, right?

Gary Tonniges: Yes, that anybody that has it, it will specifically say those letters AES-256.

Mike Coffey: Okay. Okay.

Gary Tonniges: And that’s just mathematically… Modern computers, the time that it would take to decrypt or to make it to where it was in a human-readable form would be beyond the lifetime of people. And so, the cloud services that do that are safe, the ones that do not have encryption… So, the way that it works is like you put a password in locally and then what’s uploaded to the internet is all encrypted. So, but where it helps is that if you have 75 different cloud services that you log into, one of which is your company, then you can have 75 different passwords because these services will help facilitate, I’m going to Amazon and it will provide the Amazon login. Now I’m going to the soccer team, I’m providing that soccer team.

You can still use generic login and one login for everything, for stuff that doesn’t matter. But I have found that people have a hard time determining what matters and what doesn’t. And if somebody is investigating you, if you think about a world in which people, criminals are actively taking two hours of their day to search everything they can find to build a database about you and your company, who are your direct reports, who are your employees, who are your key vendors, who are your customers? And then they’re sending emails into your junior people to try to get them to change the routing of the finance payments, then what information is important or not.

Mike Coffey: Right.

Gary Tonniges: Right.

Mike Coffey: Yes. So, we’ve got password managers and those are great. I’ve heard for 20 plus years, biometrics is coming. All our logins will be based on our thumbprint or mission impossible, our iris or something. Where are we on that? That seems like that would be really secure to have just some biometrics, but it doesn’t seem like that’s happening.

Gary Tonniges: So, that’s a great question and I’m glad that you brought that up because to step back from biometrics for just a second, multifactor authentication is really what that’s about.

Mike Coffey: Okay.

Gary Tonniges: So, multifactor authentication is something you know, something you are and something you have. So, something you know is your password.

Mike Coffey: Okay.

Gary Tonniges: By using a password manager, we make this something that you know more complicated to guess. Something that you are is your biometrics. Theoretically, my fingerprints are still unique to me. And then something that you have could be my cell phone and the SIM card in it that has a unique number. It could be the location where I’m sitting, that I’m sitting behind a firewall that has a unique address out on the internet. So, any two of those factors, we can also put certificates on your computer. So, that only a computer with that digital certificate can connect, but multi-factor is definitely mandatory. In fact, in the last six months, I’ve noticed that insurance companies for cyber insurance as we’re going through the renewal process with our customers, that they’re requiring multifactor, that’s how important it is as a defense tool.

Mike Coffey: So, those what those annoying OTP codes from Amazon are, right?

Gary Tonniges: Yes.

Mike Coffey: We sent you a text. Oh geez. And now it’s going to my wife’s email because our Amazon account is under her name and I’m calling her, I need this code and all of that. That’s what they’re doing.

Gary Tonniges: Yes, that’s right.

Mike Coffey: Okay.

Gary Tonniges: That’s right. And that’s a very good example of where they’ve improved the security and decreased the convenience.

Mike Coffey: Right.

Gary Tonniges: And then at some point, people will stop buying from Amazon because it’s literally easier to go buy at Walmart than it is to order it online because my wife’s out of town and I don’t want to bother her, right?

Mike Coffey: Right.

Gary Tonniges: And then they’ll figure that out and they’ll figure out a way to make it more convenient, but still be secure. So, that’s very much still something that’s in motion, but a lot of small companies don’t put that in place multifactor and they see it as onerous or they don’t want to put something on the employees’ cell phones, but you got to do it. Multi-factor is I think mandatory now.

Mike Coffey: So, everybody went remote about 18 months ago, or a lot of people did. Everybody who could did, anything unique about security now that some percentage of our businesses are all operating from people’s bedrooms?

Gary Tonniges: Well, in the spirit of where’s the data, we were already transitioning as a society to identity-based. We used to be what was considered location-based. So, you went to the office and all your stuff was there. That’s where your computer was. That’s where your accounting files were. And we were migrating with cloud services from on-premise to off-premise or out in the cloud, on the internet storage of data and lots of disparate locations. And the identity is what matters. So, “Who am I? Can I prove that I’m me when I log in to Amazon, or when I log into my corporate email?” The move from on-premise to off-premise for a lot of companies that were already cloud-based, the reason we were able to make that shift so fast, because we were already there. A lot of these problems that we have are caused by convenience or laziness, or the fact that like email was never intended to be a storage cabinet.

Mike Coffey: Oh! Mine is.

Gary Tonniges: All right. Yeah. Everybody’s is. So, we really value that convenience and as soon as you force somebody to take like, “Okay, you can only keep 90 days of history in your email.” Then that requires you to have another system that they can put in that’s convenient, and it’s as easy to organize as what you had already. So, the email has a ton of valuable historical, organizationally relevant information in it. So when the criminal gets into that system, that’s a problem. Now, one of the other ways that people get our passwords is through what’s called a keylogger. So when employees went home, if the corporate parent or the business didn’t give the employees a laptop and say, “You can only use this laptop to access email,” they were using their home computers, which they share with their family members.

Mike Coffey: Kids…

Gary Tonniges: … teenager, has video games on it. Maybe it has antivirus, maybe it doesn’t, maybe it has a keylogger on it that records all the keystrokes. So when they log in to the corporate email and type in their password, they’re uploading the password to a criminal.

Mike Coffey: Wow.

Gary Tonniges: And we had that happen. That’s the exact scenario during COVID where a bookkeeper was home using the home computer that really was her son’s gaming computer and was interacting with email, password compromised, password then used to log in as her, sent emails to other folks in the accounting department and vendors.

Mike Coffey: Oh, my God.

Gary Tonniges: Yeah. So, this email hygiene stuff, or the idea of how security awareness does, now that we’re working remote and we’re sharing other equipment as the IT departments, IT companies that oversee this need to be looking at from a remote location, what are they accessing and how do I verify their identity?

Mike Coffey: Okay. So, I drink easily two gallons of coffee a day, often at Starbucks. And I pulled out my Surface, jump on the Wi-Fi at Starbucks. Any concerns there with using those open networks?

Gary Tonniges: There are some security people that have a big problem with that. With me, I don’t see it as a big risk. There’s a few… You’re going to come across that in hotels and things like that.

Now, I can tell you that personally, I tend to just use my cell phone data plan as a hotspot because that’s more secure and I just don’t… It’s only in a pinch that I would use the Starbucks or the hotel, whatever. But sometimes I do. And the reason that it’s not a big deal is that because everything has now running inside of an encrypted channel. So, when you open a browser and it’s got the little lock up on top, and it says HTTPS, anybody that would be sitting next to you, watching what you’re doing, they might be able to see your machine name. They might be able to see your Mac address to identify that you were there, and they might be able to see that you’re going to Amazon, but they don’t have any ability to see inside that data channel. So, what difference does it make is kinda my attitude.

Mike Coffey: So when I’m uploading my latest OnlyFans video from Starbucks, I’m safe?

Gary Tonniges: Yes. Sure.

Mike Coffey: Okay, good. Nobody else is, but I am. Okay. Well, that’s all the time we have today, Gary. That was a fast 30 minutes. I really appreciate your time. Thanks for joining us.

Gary Tonniges: You bet. Thank you.

Mike Coffey: And thank you for listening.

You can find previous episodes, show notes and contact info for our guests at goodmorninghr.com or on Facebook, Instagram, or YouTube. And don’t forget to follow us wherever you get your podcasts.

Also, don’t forget to register for Fort Worth HR’s Strategic Mindset Conference on September 17th. You can do that at fwhr.org. Gary is speaking as am I, so we’ll see you there, I hope. And in the meantime, don’t forget to follow us wherever you get your podcasts. And Rob Upchurch is our technical producer and Imperative’s marketing coordinator, Katy Bautista, keeps the trains running on time, and I’m Mike Coffey.

As always, don’t hesitate to reach out to me if I could be of any service to you personally or professionally. I’ll see you next week, and until then be well, do good, keep your chin up.