There is no such thing as a safe place. Given all the recent occurrences of hacking and penetration at Yahoo, Equifax and other tech giants, it’s high time we look at business cyber security as an increasingly urgent issue. Joseph Cheung talks about the issue and the broad challenges of cyber security. What information are you putting out there? Are you okay if a convict or some “prince” in Nigeria gets access to that information? Essentially you’re leaving little pieces of your puzzle out in cyberspace, whether it’s your personal puzzle or your company’s puzzle.
Together with Morgan Nolan, Joseph runs Toggle Industries, a company that educates companies to stay vigilant of threats, and to develop strong fundamental mindsets for data protection.
We’re doing something a little different. We’re going to have a special episode, given all the recent occurrences of hacking and penetration at Yahoo, Experian and so on. I’ve got Joseph Cheung and Morgan Nolan from Toggle Industries coming in to talk to us about the issue and the challenge with cybersecurity, a broad term. Some of the things that you can do and basically, it’s going to be a wide-ranging discussion and hopefully when all is said and done, there are some things that you can pick up that you can do where you’re not the tallest person in the foxhole. With that being said, Joseph, Morgan, thanks for being on the show.
Thank you for having us.
We’ve had one event after another, from Deloitte getting hacked, NSA is getting hacked, Experian, which is on top of everybody’s mind, that’s half the population in the United States. From what you’re doing in your field and what you’re hearing from your customers, what are you hearing?
One of the biggest things that we hear from our clients is why is this happening? Why is nothing being done to solve these problems? A lot of times we see, especially with Experian, we’re all sick of hearing the fact that Yahoo has gotten hacked. We keep hearing that and we’re just so tired of it. A lot of our clients are asking us, “I know I have the service with you and thankfully nothing has happened to us thus far, but how can we help our colleagues in industry? How can we help our fellow neighbors in the ecosystem? How can we prevent those incidences from happening to our colleagues?”
We keep trying to tell them, “All you have to do is continue to be educational within your staff, educate your clients as well, have a good fundamental mindset and honestly, be vigilant.” A lot of times the clients don’t realize that their personal cyber security is literally at their fingertips. If they choose to disclose X information or if they choose to sign up for Y service without looking at the potential repercussions, and when I say repercussions, you’re registering for a newsletter, for recipes or you’re registering for what may be perceived as free ABC. It doesn’t matter.
You think that by giving out your @gmail, @yahoo, @whatever email account or by providing some nonsensical information, you think that it’s free to you, but in actuality, what are you sacrificing? A lot of the times we have these very frank conversations with our existing clients and for the mini seminars that we do. As a matter of fact, we have two coming up and we always ask those questions. “What information are you putting out there? Are you okay if the person in jail or anywhere else or some prince in Nigeria gets access to that information? Are you okay with that?”
Most people, they don’t think that someone is going to get access to their information. You always have to think of the most unsavory individual or the most unsavory organization getting access to the information that you’re willy-nilly putting out there. Is that information you really want out there? Essentially you’re leaving little pieces of your personal puzzle out there, whether it’s your personal puzzle or your company’s puzzle. Eventually, an organization, an entity, an individual, they’re going to cobble all these pieces together and have not necessarily a full picture, but they can use what they have to social engineer, reverse engineer and gain access to your sensitive documents. The way I always tell people is everything that you own in terms of your information, everything that your company does as well as how it does its business is sensitive information.
Morgan, you’re interfacing with your customers. What are you thinking about the Equifax and for the average person out there, how should they think about it and what should they do?
I believe we’re talking about the Equifax. I feel like sometimes in this world we’re sitting here going Yahoo, Experian, Equifax, it was all clouds in our minds here. Equifax, it’s a very unfortunate incident. The last statistic that I heard was 143 million Americans were compromised. That’s over 44% of our entire population and we’re running around 325 million right now. I heard, however, I believe it was yourself who stated it that it’s looking like it’s more around the 145.5 million mark now. It’s really unfortunate and we have to ask ourselves, these companies and for their specific situation, it’s a company that we didn’t elect necessarily to give them our information. We didn’t say, “I trust you with it. Take care of it for me.” No, it was given to them before we even had a say in it. Now, we’re sitting here with ourselves saying, “I’ve been hacked. My information’s gone.” It hasn’t necessarily been used yet but, “Where did I sign up for this? Why aren’t they taking care of my information?” It’s unfortunate.
We’ve looked into it. I took a look myself. My family and myself have been subject to the data loss as they put it, or they “suspect” it has, whatever you want to call it. What we have to do, what we have to look into is how are we going to protect ourselves at this point? 44% of the people have lost their information. What is that going to do to us first off? What information have they taken? What can they do with that information? We also have to look into what we’re going to do to try to be able to protect ourselves. There’s no perfectly clear answer to that. You can freeze your credit score, that’s one thing that you can do. That’s one thing that I know a lot of clients have.
What the person would do is they would go to their credit reporting, TransUnion, whoever?
What you can do is you can either go through a service. You can go through Equifax itself if you want to trust them with that again, however, I will make one big stipulation about that. If you do use their free credit monitoring that they’re pushing out to people, you will end up waiving any rights that you have to claim any losses. If you want to make a claim against them, if your information is stolen, whatever the case is, if you use their free software, you are waiving all rights to that. That’s very fishy in my personal opinion.
I’ve heard there’s been a bit of an outcry about that. I don’t know where that’s going to end up at. If you take and block your credit report, in your understanding, what does that do for the person that just blocked it?
Essentially what that’s going to do is that’s a deterrent. It’s not a fix all, it’s not something that’s going to cause them to not be able to do anything with the information they have. All it will do is it will make it more difficult for them. Not being the tallest guy in the foxhole, that’s one of the ways you can do that. What it will do is it will supposedly freeze your credit score where it is. It will make it much more difficult to open any new accounts, more difficult to get any new loans.
More difficult to start a credit card, which is a lot of what people are afraid of right now is that somebody is going to open an account or someone’s going to open up a credit card and start charging like crazy. There’s going to go my credit score. That’s one of the things that you can do. Unfortunately, it’s not perfect. There are very few things in this world anymore that are perfect. Freezing your credit score can cause some amount of difficulty which can help you. That’s the big situation there.
The other thing that you can do is you can sign up for some credit monitoring, like your LifeLock. I know there’s quite a few of them out there that will assist you. Basically, what that does is it’s very similar to being sick. You want to know that you’re sick as early as possible so you can do something about it. That’s what those services are doing for you. They’re saying, “Somebody is trying to use your information and we’ve picked up on it now right when it’s starting to happen so we can do something about it now,” instead of six months down the line, you find out that you’re responsible for a $150,000 credit card bill for a credit card that you didn’t even open. The problem is you have to go to the United States Government. You have to go to the credit card company and say, “That wasn’t me,” and now you get to prove it. If you can’t prove it, “Congratulations, here’s your bill and good luck.”
Simple things to do, you can block your credit score, you can engage in outside monitoring service. You think about the environment that we’re swimming in and at this juncture, there’s not much we can do about what has happened. Our social security numbers are compromised. I can’t go file for a new one as far as I know. It’s not like a credit card that gets lost or stolen, you can’t change the number. Here we are. There are certain things that we can do. For the business owner, simple things that a normal small business owner can do to perhaps lower their risk profile?
One of the first things I would recommend people look into is taking a look at their DUNS numbers, if they have DUNS numbers. Not everyone does.
What’s a DUNS number?
A DUNS number is a Dun & Bradstreet Number. A lot of organizations who do business with the government, they require a D&B number. Equifax isn’t a corporate social security number organization. However, many individuals starting out their businesses, they fund their businesses using their personal SSNs as personal guarantors, PGs. Through that relationship, they now have a D&B number, which is also in some way, shape or form, tied in to their personal information. From that perspective, it’s incredibly important to not only look at and monitor your personal Social Security Number, but also be proactive and look into and maybe even pay for or request a report from Dun & Bradstreet to identify, “Have there been any inquiries onto my business profile?”
I don’t disagree with what you said. On the personal end, if your information was stolen, you’re between a rock and a hard place at the moment. If you go ahead and you take a look into those free credit monitoring services, if you keep track of your own credit score and what’s being opened up in your name, so on and so forth, that will help. What I recommend for your business is looking into organizations who provide some cyber security education, whether or not it’s ours, whether or not it’s a different one, whether or not you’re looking it up on your own. Granted, the cyber security companies are going to know a little bit more than what you’re going to be able to find and be able to tell you fact from fiction.
It’s worth it for your organization to get trained on cyber security. I’m going to give you a story. It’s based off of many true stories. The names and everything are changed. You have Jill from payroll and Jill gets this interesting email from her CEO. His name is Mark. Mark says, “Jill, I want all of your records. I need it for this report. I need it now. I need it done. Send it to me.” Jill’s thinking, “This is weird. I’ve never had Mark ask me for this before, but he seems pretty anxious to get it. I better send it or I’m going to be in hot water.” Jill packages it up for him, sends it over. She picks up the phone, calls Mark and says, “Mark, did you get the payroll information? I just sent it over.”
Mark goes, “What are you talking about? I didn’t ask for payroll information.” It’s little things like that, making the call before versus after, trying to spot this email, figuring it out. This is weird. I need to look into this before I send out this information because it’s a simple thing that can happen. You want to protect your job, you want to make sure you’re being efficient, you want to make sure you’re doing the best you can. Let’s say our company has 150 employees, “I’m responsible for every single one of their information. I’m responsible for the information of the clients. I’m responsible for the distributors, so on and so forth. I need to make sure I’m doing my due diligence to protect them.” Maybe your boss is going to be irritated, but at the end of the day if you tell them, “I was making sure that I’m keeping everybody in this organization safe and keeping our name clean,” no boss can be too angry at you for that.
You have basically some policy or procedure for personally identifiable information. If you’re going to send it to the boss, you encrypt it.
In that specific case, if it looks weird, if it’s something that’s not normal, call your boss first. Say, “I just want to confirm this is you before I send this off.” In that case, a hacker had broken in either to the server itself and used the email or had created an email that mimics Mark’s. It looks almost the exact same who sent out the email and she sent it off because it looked like his. What I would do is I would make that phone call and say, “Mark, are you looking for this? This is weird. You don’t normally ask for this information. I just want to make sure.”
It’s the old “see something, say something” that we hear so much about nowadays. Rudimentary things, they tell you to have this antivirus or that antivirus or this cleaning software or this software installed on your computer. To our chagrin, we find that some of that’s compromised or affected to some extent. At a minimum, for the average business owner, what do they do? There’s one particular software that I won’t name that apparently has now been recommended not to use because it’s supposed to be affiliated with some foreign government.
Essentially, what I’ll tell you is what we tell all of our clients, even brand new people who just come in to consult with us. No solution is 100% impenetrable. No solution is 100% perfect. The one way that you can make sure that that solution is being used to the best of its abilities is by making sure that your employees are using it to the best of their abilities as well. Going through getting that corporate cyber security education, going through having a consultation done, we do consultations for free. We’ll go and take a look at your business, see where your risks are, see how your business is being run and give you even just, “This is what you should do.” Call it a company handbook if you will. We’ll help you write that.
Where you’ll go through and say, “This is the practice that we need to do in this certain situation. This is the type of thing we need to look for. This is what we need to go through before we send off all of our employees’ information.” Education can be immensely effective in protecting your clients, your companies and your personal information, just being educated about it. That’s what I always recommend is that you go through, you have a consultation done, and you get some corporate cyber security education. It’s not cheap. You’re going to go to any organization and they’re going to want to make some money off of it. It’s a business.
It’s expensive, or you lose your data for several days. Be unable to function in your business for a few days. What’s the cost to you as a business owner if you have a breach and your customers’ data goes out the door?
Have you ever seen a really nice car out there, a Ferrari or something? Think about four of those. I say that jokingly, but it is incredibly expensive depending on what organization you’re in. Let’s say you’re a doctor’s office and you lose your patient files and they can prove that it came from you. You just violated HIPAA right there. What we’ve seen on average is each breach of each individual internet of things object in your office, let’s say your personal computer, your secretary’s computer, your iPhone, your secretary’s iPhone, maybe you have three employees who also have computers. We’re looking at about eight devices right there. It has been estimated that the average cost per device is $250,000 for a business. If you have eight right there, you lost $2 million.
Just in the practical terms, the reputational damage.
That does play into the quarter million. It’s reputational loss, loss of business, lawsuits, fines by the government, it goes up and above. The problem is, you say, “I lost $250,000 because of my lost reputation, how long is it going to take you to get that back?”
You look at that and the business owner or the individual looking at this going, “I can’t bring the phone in the office. Don’t communicate, don’t text,” basically, all the stuff that you see all day.
I don’t want to scare anybody, but unfortunately I’m going to give you the 100% honest truth. There is nothing we can do at this point to limit or to not be on the internet. We could go live in the mountains and never have technology. You were born, and that information has been processed by the hospital, which then got processed by another company, so on and so forth. Regardless of what you think of the guy, President Trump came out and stated that cyber security and cybercrime is the number one growing threat in the United States. You can think the worst of him, you can think the best of him, but the point is, he’s got access to more information than any of us should have and he’s identifying that as being our biggest threat and I 100% believe it.
You watched the old World War II stuff and all the signs they used to have posted. Remember, “Loose lips sink ships,” and all of that and the call to arms. Colorado Springs is a hotbed of cyber security, maybe everywhere else is too. I think about that whole call to action and I begin to wonder if all of this is a catalyst for that approach. We’ve been lulled into a sense of security, the internet’s comfortable, and it’s accessible. A lot of the software has made it really simple to use. You think about the data at your fingertips. You’re watching TV and you get...