Today, we are going to talk a little bit about cyber attacks, specifically the risk that small to medium-sized businesses face.
Kristina Coons: Hi everyone. This is Kristina Coons with JMARK. I’m here with Todd Nielsen, Tom Douglas, and Dax Bamborough. We are going to talk a little bit about cyber attacks today, specifically the risk that small to medium-sized businesses face. I forgot to say this is the BITE, Business Innovation Technology Experience.
Kristina Coons: So let’s start off by basically getting right to it. Tom, what would you say to someone who says, “I’m not a target. I’m just a small business in the American Midwest; that would never happen to me”?
Thomas Douglas: I guess the first thing I would say is: wrong. All businesses are being attacked in today’s world. Most of the time, the attackers don’t necessarily know who, where, or how a business could be compromised. They’re attacking everyone. It’s a scanning system that scans anything and everything that’s on the internet. If they find a hole, then they start to drill down and double down on that in order to penetrate the business. So there’s a massive amount of energy that’s going into just finding any vulnerability, any exploits that they can find online. The bad guys essentially are blind to who they’re attacking until they find the vulnerability. Then they start to uncover a little information about them. So every business, every home, everything on the internet, including a laptop at Starbucks, is under attack.
Thomas Douglas: What a lot of people don’t know is that the bad guys, the hackers, if you will, actually operate oftentimes out of the Middle East, oftentimes in areas where we can’t go with the FBI or the CIA, or where we don’t have an agreement with the country. But they’re legitimate businesses; they come into work every day. They have an HR department. They have health insurance, they get paid, they do all those things. So those bad guys, I mean, it’s not some guy drinking Mountain Dew in a basement anymore. It’s real bad guys who are getting paid big money to find a way to penetrate any and every business that they can. That includes a business of two or three or five people all the way up to businesses that have hundreds of thousands of employees.
Kristina Coons: I thought that was really shocking when I heard that they’re full-on businesses just like we are. I think it was Jeremy who said this; someone asked him when I was in the room, “So if you actually pay the ransomware, what’s to say they’ll give you your stuff back?” He was like, “Well, actually, if they don’t, they will lose credibility. They are a real business. So they really do follow through.” It’s really interesting.
Thomas Douglas: They do follow through, and they have a help desk. They have a guarantee, and they help you to retrieve your data because, like you said, if their reputation is that every time somebody pays the ransom they still lose their data, their whole business model starts to crumble and they stop making money.
Todd Nielsen: I think we need to … I’ve written a lot about this. You’ve talked about this a ton, Tom. We’ve talked to so many people about this. I still don’t think that there is a clear picture about how someone could get hacked, because it’s somebody else, it’s happening to somebody else. But I mean, every position in a company can open up the entire company to a massive attack. What are some of the examples that you all have seen at companies that you would never have thought would have breached them?
Thomas Douglas: The most common is still the phishing attacks, the simple email, where they’re getting better and better; they look legitimate. They either look like they’re from somebody inside the organization or from a vendor or a Dropbox or a UPS. I mean, they really do look legitimate. When people click on them, the growing challenge and risk is that people are seeing more and more email from their phone. So it’s harder to tell if it’s an internal or an external email.
Thomas Douglas: It’s harder to tell if it’s legitimate or not. So they click on something, they put their username and password in, and it’s game on. The threat has risen a lot more in the last couple of years because people are integrating the core network with Office 365 or with the G Suite from Google. Because it’s the same username and password that people have in their email that they manage on their workstation or their server accounts, as it may be, once they get that password, they get the keys to the kingdom. It’s still the number one way.
Todd Nielsen: Yeah, it’s gotten even a lot farther too. I mean, there are video files now that they figured out a way to embed malware in. They’ve figured out how to embed malware in images. So you could pull up a web page and it could load something onto your … There’s malware that can be in the code on the backside of a web page. So you could just be browsing a website and bam, you’re breached. It is unlimited. There are just so many little ways that you can just screw yourself.
Thomas Douglas: Yeah, that’s exactly right. They call them drive-by infections. You’re literally browsing. Ironically, it’s marketing departments that are one of the worst, because they’re always looking for fun images to put into their marketing. But it’s the drive-by environment that can get you. So if you don’t have the latest and greatest updates, you don’t make sure that the vulnerabilities on your workstation have been mitigated, then that, and the other one is social media.
Thomas Douglas: So one of the main tricks that they play is they’ll buy a social media ad from Facebook and/or whoever it is, and that has to go through an approval process where Facebook or whoever checks the code to make sure that everything’s good. But once it makes it through that authorization process, they change the landing page on the backside. So even Instagram, I’m sure you’ve all seen those ads that pop up and you swipe up to see more, and it pulls up a whole new web page. Well, that goes through an initial approval process. But once it’s approved, they can change the code on the backend. There have been a couple of companies busted for doing it, or individuals busted for doing it. So when you swipe up and you look at that ad, it can actually infect your phone even. So you have to be really careful about the drive-by experience, because it can definitely cause harm.
Dax Bamborough: I think it goes back to your initial point of talking about these being legitimate businesses. These folks that are doing this, they’re professionals. They’re not just guessing. They’re studying and they’re figuring out what works. The phishing emails and stuff, it goes beyond just what’s in the links on the technical side of it to the psychological side. They know to send emails that sound like they’re coming from the CEO, when it’s urgent and you need something right away. That plays on people’s fears and people trying to be helpful. Then they know how to manipulate you in any way possible, because it’s their job to beat you at this game. Well, it’s not a game though.
Thomas Douglas: No, but that’s exactly right. I’ll share with you, Dax, that they take it to one more degree. If you think back to the Cold War and the Russian spies that would come into America and camp out, they would learn about what’s going on; they potentially would even get their family involved in the intelligence world of the United States. Well, they’ve adopted that same philosophy. They actually go into communities. They embed bad guys into the community to find out who the C-suite is, to find out who the business leaders are, to go to the bars, to hang out with them, to get to know them, and to know when they’re gone on business trips.
Thomas Douglas: So if a CEO has gone on a business trip, that’s a great time to send an email to somebody inside the organization that says, “Hey, I’m at this business trip and …” and then they get them hooked, because the only person who would know that the CEO is on the business trip is the CEO, if it looks that way, or somebody within the business or family, obviously. So it makes it look like it’s very legitimate. It seems and feels like it’s legitimate, they get tricked, and it happens.
Todd Nielsen: So I wanted to share, because I still think there are people out there that might listen to or read this and go, “I’m not stupid, and it’s not going to happen to me.” So I was just reading that in 2019, there were 4.1 billion records that were breached in just the first half of 2019. So I don’t see the full 2019. But there are only 7.7 billion people in the world. So there were basically more breaches in 2019 than there are people in the world.
Todd Nielsen: Then when it comes to businesses, it says that there’s 68% or, excuse me, what was it? 68% of business leaders feel that cybersecurity risks are increasing. There was another one; it was something like 70% of businesses aren’t ready for a breach if one were to happen. Man, it scares the hell out of me. I mean, there are just so many different ways out there. Nobody out there should be thinking this can’t happen, this can’t happen to me. Because like you said, there are businesses out there. There are just so many ways to make it happen.
Thomas Douglas: Well, it’s gotten to the point where the cyber threat attacks consume more than a third of the actual internet bandwidth that’s being utilized. So if you put that into perspective, that would mean that if you’re driving down the road, every third car that you pass has a drunk driver in it, and then you’re hoping that you won’t get hit. It’s the equivalent of that, because it’s literally that prevalent on the internet now; it is everywhere. If you think it’s not going to happen to you, I guarantee you, you don’t want to be in that circumstance. So I would just say, don’t fool yourself. Don’t tell yourself a story. It will happen to you if you don’t take the right measures.
Kristina Coons: So what are some of those right measures that business owners can take specifically when it comes to training their employees and making sure they’re safe?
Thomas Douglas: Yeah, great question. Well, first and foremost, subscribe to a service that helps your employees to know what the attacks and the phishing emails look like. There are several of them out there. Our preference is a product that’s called KnowBe4, but there are others that do a great job as well. You integrate it in. Your employees actually go through a class. Then we ask them to take a short quiz to make sure that they actually heard it. Then after that, we want to make sure that we’re testing from time to time.
Thomas Douglas: If people are consistently not learning or falling prey to those kinds of attacks and tricks, then we want to spend a little bit more time with them and help them to have a good appreciation for it. So first and foremost, it’s definitely around training. Every employee is part of the onboarding process, every year, every six months. People need to go through that training as a refresher, because the mechanisms, the way that they try to trick people, change. So we want to make sure that everybody is aware of kind of the latest and greatest mechanisms that they’re using to fool people in that environment.
Thomas Douglas: Then on the inside of the network, it’s making sure that you’ve got a good, solid security solution in place. We talked about the drive-bys. Well, if you don’t have an aggressive patch management policy inside your organization where you’re dealing with those vulnerabilities often and always, then you’re going to get infected through one of these drive-by mechanisms that Todd was talking about. So it’s really easy to fall prey. It’s really hard to make sure that your environment is safe.
Thomas Douglas: We’ve gotten to the point where there are about seven vectors that we really have to focus on inside the organization to make sure that they’re all solid, and training and passing is just part of the equation. It gets much more ingrained into the geek side of the house in order to make sure that the rest of the environment is properly protected. There is another nugget that I would ask all organizations to do, and that’s two-factor authentication, making sure that even on the local workstation, on the local email client, Office 365, you’re utilizing the two-factor authentication capability. It makes a huge difference in your ability to fall prey to the phishing attacks.
Todd Nielsen: Great topic. I think a lot of people will take this as a fear type of thing, or hopefully they’re leaving a little bit scared. But that’s not the point. The point is to help people be prepared. I think next time, we should talk about the risks that IT companies face, and how that risk can propagate down to clients, which is something that is probably not on anybody’s, any business owner’s, mind. But good stuff. Well, again, we’ll post some information along with this episode on our blog and some other resources. Until next time, stay safe.
Thomas Douglas: Thanks. Have a great one.
Kristina Coons: Bye.