Are You Cyber Secure?

DP:

So it seems like every so often there's a big news headline about a new cyber attack, whether it's Twitter, the Colonial Pipeline, Marriott Hotels. And these are the big ones. These are the ones that make the national news. I'm sure there's countless smaller ones that never even get reported.

RM:
That's absolutely right, Dave. In our practice, we see all of those little ones. And the scary thing is it's just getting worse.

DP:
Why do you think?

RM:
Dave, I think it's really hard to stop these attacks. And we recently did an IT cyber survey, and we found that only 39% of responding companies felt very prepared. That's really a frightening number when you think about it. And the reason is it's coming from all over and they don't know how to stop it.

DP:
And there was another number in that survey that really stuck out to you. Tell us about that.

RM:
Yeah. Our survey was really interesting in that we found 71% of the executives that we asked and interviewed said that they felt that the next attack would come from inside the organization. And by that, they meant it was really from an accidental staff error. So it's a really difficult thing to stop, especially when it's your own staff that are creating these issues.

DP:
So what's the answer?

RM:
Oh, the answer is actually not so hard. The answer is training. You really have to put the time and the money into training your staff. Whether they're working in the office or they're working from home, we have to put that money into them, because there's certain statistics showing that almost 90% of the ransomware that's out there gets clicked by an employee. So with that, it really makes you want to encourage those employees if they see something, say something, educate them, and keep training them along the way.

DP:
And from your findings, are companies training? Are they investing in training and getting their employees up to speed?

RM:
Not so much, which is really strange. In that survey that we did, we found that 31% of these organizations have never even held a training event, which is really unbelievable if you think about it. It's right there in front of you. Train the employees, help them not click on these bad links, and you won't have these events in these organizations.

DP:
Right. Obviously, there's a budgetary component for training, so companies have to be cognizant of that. But tell our listeners why trying to save money on training could be penny wise and dollar foolish.

RM:
Yeah. I always wonder why do they try to not spend the money on training? And as you said, it is a penny wise, pound foolish type of decision. But the downside is just so high these days and what can happen to your organization that you really have to put the money in there. And if you don't, you're just almost setting yourself up where you might as well just go get some liability insurance to cover it, because if you're not going to have a proper defense structure with your employees at the front of that, you're really setting yourself up for failure.

DP:
Yeah. And the bad actors, they only have to be right once-

RM:
That's right.

DP:
... to really cause some havoc. I know you and I were talking a couple of weeks back, as far as how the bad actors are evolving and they're lying in wait and they might be dormant for a while and poking and prodding. So things may not be as rosy as you may think they are at your organization. Tell us a little more about that.

RM:
Yeah. We're seeing this different trend happening now where, as you said, the bad actors don't just knock on the door and try to kick it in. They gently go in through the window and they just look around and they try to see what are some other ways that they can have access to systems and get access to things. And they watch and they listen and they learn. They're very smart. They go to work just like we do, and they spend all day trying to find out where can they get the best bang for their buck.

And so we spend a lot of time with our clients encouraging them. The first thing you should always do is get a risk assessment done. Similar to how we go for our health annual checkup, we encourage our companies, "Get an IT assessment done once in year. See are there some open windows in your house? See are you leaving certain user access available?"

You mentioned earlier big, large events such as Colonial Pipeline. Those could have easily been stopped if someone had looked around and said, "Oh, these employees don't work for us anymore. Let's go back and do a little access management and remove some of these employees that are no longer with us." Just some basic housekeeping like that can have massive and really impactful decision making in your cybersecurity policies.

DP:
Good points there. There was another area where it seems like some companies are reticent to invest in either the training or the hardware and software or the personnel and just say, "You know what? I'll take out a cyber liability policy just in case I get hacked, and that's going to be my holistic strategy." Tell us why that's not really the best of ideas.

RM:
Yeah. That makes me think that, "Hey, I'm a diabetic and I'm going to take some medicine, which means I should eat as much sugar as possible." It doesn't add up to me when companies have that strategy. And I will tell you the liability that the insurance companies are providing is getting harder and harder to effectuate. So if there's an event at an organization, if they did not want to spend that money, as you said, on training, they have a ransomware event, it's really hard to get the liability coverage now just to pay for that event and that damage that happened.

Now, the strategy I feel is even more faulty, because your damage is not just that dollar amount of that ransomware. Your damage is also, I would say your reputational risk, because you now have to let people know what happened. Are your customers going to be comfortable with the way you operate? They're going to learn that you don't provide adequate training and you don't provide adequate defense systems. Are you providing the right duty of care to your customers in making those decisions internally? And are they going to stay with you as a customer?

So the damages go far and wide outside of just paying for the, let's call it ransomware amount. It's really a much, much bigger decision making process that happens with your customers and potential future customers of doing work with your business.

DP:
Yeah. You can't really put a price tag on your reputation, so good point. So Rahul, any final thoughts or words of wisdom for all of the potential victims out there? Because we all are, if we have a computer or cell phone or electronic device, we're all potential victims.

RM:
Yeah. When we shifted and people have started to work much more from home, we shifted the model in cybersecurity from protecting what I call the castle, protecting your office. And a lot of our systems were built around that. I would say, as some type of advice moving forward, really change your mindset to protect the individual. So where is that individual in your organization working? Where is their internet access? Is that access secure? People are starting to travel and they're trying to work from airports and they're working from trains.

I saw recently last week the FBI just put out a alert that, "Do not use these public charging stations for your cell phones because they easily can be hijacked. And hackers can use the little USB sticks that come to those dongles where they plug into your phone, and they can easily get the information off your phone."

So I would spend a lot more time strategizing with your internal technology team or your external team, whoever you have, about how do you protect the individual and where they're getting access, and is it secure to your corporate networks?

DP:
Well, Rahul, thanks for your sage advice and expertise.

RM:
Sounds great, Dave. Thank you.

DP:
And if you want to see the results of EisnerAmper's cybersecurity survey, visit EisnerAmper.com. And thank you for listening to the EisnerAmper podcast series. Visit EisnerAmper.com for more information on this and a host of other topics, and join us for our next podcast when we get down to business.

^{Transcribed by Rev.com}