Doug: From the Rea & Associates studio, this is unsuitable, a management and financial services podcast for entrepreneurs, tenured business leaders and others who are ready to look beyond the suit-and-tie culture for meaningful, measurable results. I'm Doug Houser. On this weekly podcast, thought leaders and business professionals break down complicated and mundane topics and give you the tips and insight you actually need to grow your business. If you haven't already, hit the subscribe button so you don't miss future episodes. If you want access to even more information, show notes and exclusive content, please visit our website at jhhz.ngskmc-eis.net/podcast to sign up for updates. Cyber attacks happen every day, unfortunately. With the rise of virtual reliance, many say that cyber attacks are the largest modern threat to business today, and for good reason. Since 2003, October has been recognized as Cybersecurity Awareness Month. Cybersecurity expert at Rea, Ty Whittenburg, is happy to join us here today to discuss the importance of cybersecurity and how it can help protect your business. Welcome back to unsuitable, Ty.

Ty Whittenburg: Thanks for having me, Doug. I'm glad to be back.

Doug: Always great to have you on, because this is a topic where I am utterly lost. I felt like, 25, 30 years ago, I knew a little bit about the cyber environment and those types of things, but no more. You really have to have somebody like yourself involved who does this, lives it, breathes it every day. Before we get into Cybersecurity Awareness Month and things to be thinking about, tell us a little bit about your background and how you came to this segment and what your journey has been like.

Ty: That's a great question to ask, and it's actually part of Cybersecurity Awareness Month. It's week three, where it talks about the journey, exploring, experiencing cyber. I've always been a bit of a techy guy. My career wasn't straight IT; I kind of meandered into this.
I was a sales leader for a long time, but always had a technical bent, and worked with CyberSix group for quite a while before they were acquired by Rea & Associates. I focused on customer success in the engagements, a little bit of project management, a little bit of governance, risk and compliance work.

Ty: My start with information security probably started, it's 21 years ago now, with a large organization that I was with. They were very focused on compliance. When I moved over to Apple, you would think that when you're doing repairs on people's iPhones or iPads or MacBook computers, that there's no compliance involved there, but there's quite a bit that goes on behind the scenes in safeguarding those clients' information.

Ty: I knew I wanted to pivot and do a little bit more in this particular role, started doing some self-study, started partnering with some friends of mine that were in information security, joined some local organizations, and then wound up being hired by Rea a little over, it's almost a year and a half ago.

Doug: Excellent.

Ty: Yeah.

Doug: That's cool. You've got a little bit of obviously varied experience, both consulting and helping clients as well as inside as well. Talk a little bit about what it's like, say, dealing with one business or one company in terms of its own environment for cybersecurity versus what you do now, obviously working with a number of different clients. Juxtapose that a little bit for us.

Ty: I think I liken it to our peer group in public accounting. Every client is different; the accounting rules are the same, the compliance environment is the same, depending on the business. Every single compliance regime is focused on data security. Whether that be personal health information, credit card information, personally identifiable information, all compliance regimes have data at the heart of it.
What differs in this particular role is, instead of having to ensure the safeguarding of information in one particular corporate entity, I'm helping out multiple businesses in varying ways, whether that be governance, risk and compliance, whether that be as a virtual chief information security officer, or help with an implementation of mobile device management.

Ty: It varies from each client; each client varies in size, whether that be five employees or 500. It's pretty enjoyable. I think Rea has a really good niche market, the Amish country, which a lot of times people think Amish do not utilize technology; that's a fallacy. Also, we have varying clients in size from small, medium, some quite large in manufacturing, construction, which is one that you're passionate about. I swim in almost all the waters. I can tread water pretty well.

Doug: Including obviously international. I know we have international clients as well that you deal with, along with some of the other cybersecurity team members.

Ty: Yeah. That adds a whole different set of complexities to it, with GDPR and things like that.

Doug: Yeah. We've got Cybersecurity Awareness Month going on. Talk a little bit about the importance of that and what exactly this means, what we should be doing around that.

Ty: Another good question. You're always really good at that. The reality here is you are much better at cybersecurity than you say, and in your opening monologue, you shared that cybersecurity is probably one of the biggest threats out there. Think of what you've seen in movies or the news of the 1920s, of the mafia back in the day, whether it be Irish or Italian or whatever, and they were trying to take over segments of New York City. Modernize that now with your ransomware actors, your advanced persistent threat actors out there, not only just that, but then nation states as well too, United States included.

Ty: The threat vector out there is huge.
The proliferation of mobile device users has increased that space. Cybersecurity, like you said, your data, our data, companies' data, intellectual property has a lot of value out there.

Doug: Mm-hmm (affirmative).

Ty: You need to put things in place in order to safeguard that information so you'll be in business 10, 15, 20 years down the road versus suffering a catastrophic event, like a breach that could potentially put you out of business.

Doug: Yeah.

Ty: Not only reputationally, but expenses, legal fees that are incurred, stuff like that. Cybersecurity is everybody's responsibility, not even just when you're at work, but even in your own personal data and how you use it in applications that you frequent.

Doug: Yeah. You bring up a good point. We've got to think beyond; it's not just some individual hacker out there, this is true organized crime.

Ty: It really is.

Doug: Yeah. Which is scary, like you said, whether it's a nation state or a group of organized criminals, it's frightening. The resources that are being deployed by these bad actors, threat actors, towards this have to be astronomical, growing exponentially.

Ty: Just like you go out and you buy Microsoft 365 for yourself, on the dark web there is the capability to go out and buy malicious software to utilize, ransomware to use against people as well too. You don't have to be that super technical. You didn't have to go to MIT or California Polytech and be this whiz-bang computer programmer; you just have to buy the software.

Doug: Yeah. That's scary. Thinking of that, how do you, and how does the team, try to help mitigate those risks for our business owners out there? What are some of the things we should be aware of and paying attention to?

Ty: The first thing is we always want to focus on identifying where the data lies in the organization and how it flows through the organization.
I think where we help organizations as well too is helping to put a framework together to help them have a business conversation about the technological tools that they use, as well as the data that's on those tools.

Ty: More importantly, we focus in on helping to educate from a business perspective and make sure that, just like you're talking about your top-line revenue, you're talking about what your client projections are for the next few years, you need to have technology as a part of that conversation.

Doug: That's well said. I think the other thing we try to get folks to think about: don't think of this as an expense item, think of it as an investment. An investment in your business and your business's future. Right?

Ty: Correct. We are all in the data business now, Rea, right?

Doug: Yeah.

Ty: With the information that we audit for clients, or do tax work on, the amount of information that we maintain on the relationships that we have with clients, our clients that are in manufacturing and tracking their inventory and any type of computer-aided designs and stuff like that. We are all data driven, and to pretend like we are not is a bit naive. I don't want to say to the people listening in the audience that they're naive if they haven't thought about that. The reality is, there's a reason why there's a Google, a Facebook of the world, and they make their billions on the data that we provide them freely.

Doug: Yeah. Very good point. Speaking of those entities, not too far from where I live, within 10 miles actually, Google, Facebook and Amazon have collectively invested more than $5 billion in data facilities.

Ty: That's right.

Doug: That's just incredible to me. I drive by there frequently to check out the construction as it's ongoing, and the security that they deploy around those physical facilities is just unbelievable to me.

Ty: Yeah.
I was listening to a podcast this week. I served in the military, and you'll hear a lot of IT vendors use "military grade," which is a catch-all marketing phrase. It's good for clickbait. Where are my marketing guys at?

Ty: But their facilities, to your point, are military-quality physical security protection for them. There is a security force, there's surveillance material, you have to be badged up. If you're visiting somebody, you better be on the roster ahead of time. There is no surprise visit just to say, "Hi."

Doug: Right.

Ty: There's call and response: who goes there?

Doug: Yeah, exactly. It is funny. You talked about obviously individuals and organizations, trying to educate them and raise awareness. How do you get somebody to be smarter and more intelligent about recognizing and understanding the threats and being aware of those things?

Doug: I know we get, for example, in our firm, we'll have attempted attacks and they'll test us and prod us, those types of things. What are some of the tools and techniques that you try to deploy with client organizations to help raise that?

Ty: Internal social engineering is a good tool. Sometimes culturally, though, it can have a little bit of a rub with your people because it's like rubbing your nose in it, so you have to be careful. I always challenge that you don't necessarily have to be the Microsoft 365 expert as an end user, but giving people some tools, basic things to pay attention to, anomalies: if you receive a PDF from a client and it's not in the top header line of your email but it's in the body, and you teach them how to hover over it, it has a link, just those simple things.

Ty: It's amazing that my peer group in information security and IT sort of blamed the end user for a long time. The end user is, there's a lot of protection tools out there, but at some particular point, as information security experts, we can't keep blaming them.
You go to school for a reason, you teach people for a reason. I think the biggest thing you can do is have proactive conversations with folks about what to look for. If they do make a mistake, ask them what they learned from it, don't rub their nose in it; you obviously have to pay attention.

Ty: There's some organizations where it's a zero sum: you make a mistake and you're out. I'm a big believer, and I had a mentor that used to say, "Once a mistake, twice a pattern, three times a behavior." I believe our job is to make sure we educate people so that it doesn't become a behavior.

Doug: Yeah. That's well put. I think of it akin to driving. Certainly some of it is user error, the driver's fault. If we put in place enough, let's say, guardrails or safety features, whether it be road markings, certain signals, et cetera, et cetera. We put in enough safety measures, then it makes it better for all. It sounds like this is very similar in many ways.

Ty: I'm a big fan of saying, and I probably said this before on earlier interviews with you, Doug, see something, say something.

Doug: Yeah.

Ty: If it feels weird, say something. Even if you clicked on it by mistake, say something sooner versus later. That has as much impact on an organization as buying antivirus or anti-malware software, if you made a mistake and you say something sooner versus later.

Doug: Yeah.

Ty: My mom and dad used to always say that if you tell the truth, it'll set you free. If you report it quickly, we can respond relatively quickly and potentially stop a lot of damage. That really lends itself to making sure, at the heart of everything, with the technology that folks use, they can feel comfortable to reach out to their IT or their information security teams.

Doug: Yeah. That's well said. I always think of the phrase, the cover-up is many times worse than the crime, and the crime in this case might be accidental, but don't try and hide it.

Ty: Exactly. Exactly.

Doug: It creates more problems.
In today's environment, what are the biggest threats to your typical owner-managed business? Is it phishing, or is it something else?

Ty: Business email compromise is the largest threat vector, attack surface out there. Everybody out there is utilizing email. The threat actors have gotten much better at impersonating. As a matter of fact, I was engaged with a client that suffered what's called a spoofing event, where, as in that example I gave to you, the PDF link was in the body of an email. Somebody clicked on it, and they used a survey site similar to SurveyMonkey that looked like Microsoft, requesting your Microsoft credentials. The person put it in, or the users put it in, there were a few that did it, and then it unleashed; it gave the credentials to the threat actor and allowed them to send out thousands of, in essence, spam emails from the client's account.

Ty: Now, this client did the right thing, and the end user there, this is what I really want, did the right thing: admitted that they clicked on something, said something didn't feel right, and the administrators went in and shut them down immediately. In a matter of 10 minutes, over 30,000 emails had been sent.

Doug: That's crazy. At least, like you said, the damage was prevented from being much worse potentially.

Ty: Correct. We conducted the incident response, our team at Rea did. The first thing you really want to go through is make sure that they haven't accessed any type of data, that it was just an email or harvesting of credentials that they were trying to attempt to do, which was purely the case. There's a lot that goes into it.

Ty: You stop it a lot sooner versus later. I would just finish up with saying that yes, phishing, spear phishing, are your biggest threat vectors. I would probably say up there, the second would be around segmentation of your networks.
It's almost like that flat earth theory. A lot of small businesses will open up, they'll go and buy a wireless router from their local Best Buy, or they'll use one from their internet service provider. While those things are okay, they're not necessarily the most secure, and if you don't have other tools in place, it just opens you up to greater vulnerability.

Doug: Yeah. Flat earth, now don't go all Kyrie Irving on me there. Mr. Flat Earth.

Ty: Yeah. I wouldn't do that to you. If anything, I might play the role of Uncle Drew, like in a Pepsi commercial.

Doug: Very nice.

Ty: That goes along with a whole social engineering campaign there.

Doug: There you go. Talk a little bit, you mentioned the incident response. We've talked a lot about prevention and all those things. Talk about response and what you and the team do along those lines, if there is something that occurs.

Ty: Yeah. Incident response is relatively, think of your emergency responders for hurricanes and things like that. There's a level of preparedness that you have to have, and tools and materials. Once you get into an environment, you need to be able to identify what's going on. If they haven't pulled the plug already on a device, do you allow them to stay connected to the network so that you can get more forensic information? Or do you pull the plug? Or do you, in essence, secure that particular device from the rest of the network so that the threat cannot proliferate outside of those boundaries?

Ty: Then you go into the whole MacGyver, Doogie Howser mode around forensics-

Doug: Right.

Ty: House might be better.

Doug: There you go.

Ty: Trying to resolve what the issue is. There's elements of chain of custody that you have to do. You also have to think about the legal ramifications.

Doug: Okay.

Ty: More importantly, you have to determine, is it just an incident or is it a breach? There is a difference between the two.
The breach means that information has exfiltrated from your business environment to the threat actors. That takes on a whole new manifestation where you probably should, as an organization, partner with legal counsel, public relations if you're large enough, depending on the size and the amount of information and client data that you have. You have to start taking a look as well, too, at what measures you put in place to safeguard those individual users' information that has been exposed.

Doug: Wow. It's fascinating stuff and complex stuff, and I'm glad we have you and our team at Rea cyber to assist clients and folks through this, because I don't know how you could possibly try to manage it without expertise like you and the rest of our team have. Thank you for that.

Ty: You are welcome. I would just say that it is definitely a team effort. While incident response is a specialty, I do not claim to be the ultimate incident responder. I can handle business email compromises, I could probably assist on a team with some other things, but when you think of Sean Richardson, he has some incident response chops. We've got some other assets on the team that can dive really deep into an organization and forensically pull out information that the best legal teams in the world would feel pretty comfortable about using if they had to in a court of law, that chain of custody hasn't been violated.

Doug: Wow. Yeah. Awesome stuff. Thanks, Ty. Thanks for continuing to educate me and certainly our audience, and for business owners out there, please don't hesitate to reach out to Ty and our cyber team. They are just fantastic at what they do. Thanks again.

Ty: Thanks, Doug. I appreciate it.

Doug: Absolutely. If you want more business tips and insight, or to hear previous episodes of unsuitable, visit our podcast page at jhhz.ngskmc-eis.net/podcast, and while you're there, sign up for exclusive content and show notes. Thanks for listening to this week's show.
Be sure to subscribe to unsuitable on Apple Podcasts, Google Podcasts, wherever you're listening to us right now, including YouTube. I'm Doug Houser. Join us next week for another unsuitable.