Managing Rising Cybersecurity Risk in Today's Global Environment
- Published
- Mar 31, 2023
- By
- Rahul Mahna
- Topics
- Share
Rahul Mahna, Partner with EisnerAmper’s Outsourced IT Group, discusses the rising concern of cyberattacks as well as challenges in retaining IT professionals who help keep your business safe. Leaders will also learn the benefits of outsourcing in this Solution Session.
Transcript
Rahul Mahna:By way of background and introduction, my name is Rahul Manha, and I'm the partner in charge of the outsourced IT practice. We have three mandates in our practice. The first is to connect our clients' IT systems. The second is to develop software solutions, and the third is to develop a cybersecurity resilience program for them.
The current environment in the IT world is very tumultuous. We have many software systems, many IT systems that are being used by our companies, and the difficulty is all of those systems are creating cyber issues. It has become a tumultuous situation where it's become very difficult for the internal IT departments to support and update and maintain all of these systems.
In a recent study by the US Chamber of Commerce, 93% of small and medium sized businesses said that they use more than one software system. Out of those 93%, 86% said that they would have a difficult time operating if those systems were breached. Because of this dependency of small, medium sized businesses on their IT systems, it's incredibly important to keep those systems up and alert, and usable, by all the members of their organizations. Without those systems in place, these businesses will fail and they need to have proper attention to keep them up.
In our practice of managing outsourced IT clients, we found that executives are really having a difficult time, how do you manage it? So last year we conducted a cybersecurity survey. The survey has not been released yet, but a few key factors have come out of it. The first is, over 70% of executives found that they believe the next internal IT issue will come from within. So those internal employees need to be brought up to speed. The problem is, there's so many issues that current IT department is managing, that we found over 30% of those organizations still have not implemented a yearly cybersecurity training program. This has created a really difficult situation for those businesses.
We found most of our clients right now are facing a really interesting dichotomy. If I can use a metaphor, think of a castle. So before COVID, everybody would come to work and they'd go to the castle. The castle had a wall, it had a moat, it had a drawbridge, it had windows, and all of those points of entry were fortified by the IT department. What's happened after COVID is everyone's working from home, they're working from Starbucks, they're working from various different locations. Now the IT department does not just have a finite amount of things to block and protect. They have an infinite amount of things to protect. And that's created a real stress in the department, it's created a stress in technologies, it's created a stress in know-how, and we're reaching a real difficult point where how do those IT departments sustain themselves and keep the business afloat?
In a recent report released by IBM, they found that almost 80% of organizations that had one breach had a second breach. This is really an interesting fact to think about because these cyberattackers are not just going to one place, using the metaphor of the castle, they've started going to multiple places. They have what in traveling you call wanderlust, they have a wanderlust for cybersecurity breaching, and they're going to multiple points of entry and they're finding multiple ways to breach these organizations.
So in general, I would say there's an overall problem. The problem can be broken down into three areas. The first area is environment. It's become incredibly challenging to protect the walls of the castle, as I said earlier, and how do you do it with the limited IT department? The second issue is really operations. How do you operate a business when you're constantly worried about, do you have enough manpower, do you have enough technology, do you have enough skills to handle the next breach that could come? And the third issue is governance. We're really finding compliance and governance is becoming a major problem to how do you manage the business. In fact, recently the FTC not only mandated that the business showed that they were showing a duty of care to their customers, and to their data, and to their security, but they're also putting the mandate on the CEO and finding the CEO personally responsible if they don't show that responsibility. So the landscape is entirely changed and it's becoming very, very clear, you have to focus on your cybersecurity program.
When I talk to many of our clients today, I say, there's usually five warning signs they need to be attentive of when thinking about their it. The first is, what's going on with their services? Are their services going up or down frequently? Have they been hacked? They should look at that and think about, are they really getting the right service that they need to run their business?
The second is the business itself. Is it growing dynamically? Do they have the right team to support that kind of business growth? There's usually a paradigm that they need to look at to ensure that they have the capabilities to grow the way they want to grow.
The next is technologies. Technology and the landscape's changing so much, are they using the latest and greatest technology? They might not need to have some of the older technology and they can combine some of those into one technology solution to give them a far better resilient idea and program how to run.
The next is money. We often find our clients are looking at their money and saying, we're spending a lot on IT. Are we getting the most bang for a buck for spending that money, and maybe there's a better way to spend that money today.
The final thing I ask them to do is look at your competitors. What are those competitors doing today? Are they using the best technology? Are they doing something more novel than you are? Your competitors sometimes have the answers that you don't, and you need to look at those to make sure you're operating the right way.
So with all of what I've spoken about, the walls of the castle, how do you secure it with an ever-changing cyber landscape? It's all doom and gloom. However, there are some ways to prevent this. One idea is to outsource your IT. Find a right partner to help you. This can be really beneficial to an organization.
Some of the benefits that I've often seen are, one, improved service. It's really hard for that small IT department to be able to manage and help all the employees of that organization. It's much easier for an outsourced IT department to help improve the services. The second is scalability. When a business grows, it's really hard to hire employees, especially in the landscape we have today. An outsourced IT vendor can help add people when needed, scale up, or also scale down too.
Other ideas that come out of outsourcing your IT is your morale improves with the internal folks. They suddenly become much happier that they've outsourced the IT. There's folks that are there to help them. There's folks that are there to improve their lives and to be able to run their business. Once they have that extra energy, they can actually focus on growing the business, and doing things that they needed to do to move the business to the next level.
We often tell our clients, it's not if you're going to get hacked, it's when you get hacked. And so are you prepared When you do get hacked? By having the benefit of other expertise with an outsource provider, you can really minimize your downtime that you might incur, or possibly eliminate it entirely. That's a real benefit of adding extra expertise to your IT department.
Another interesting benefit when you work with other people is they bring other fresh ideas to the table. So there's constantly new innovations happening. Your IT department might not know about them because they're working every day to maintain the systems, but they might not understand what are the latest and newest systems out there. Working with an outside vendor can give you access to some of those systems and really improve the performance of your organization.
Coming into the new year, it's always important to reevaluate where you are and where you're going next. We see a definite enhancement in cybersecurity needed because the hackers have gotten much smarter. They often go to Class A office buildings, they're not working in small dungeons. People think of them as hiding in a corner. They're really not anymore. And as they improve where they go to work, why they go to work, it's really important to protect yourself.
One of the biggest things we see this year is, follow the money. We're finding more and more hackers are going to where the money is. So the hacking is not only at the lower levels. We're finding it now much more in this year to the CEO, the CFO, and the COO, because they control the money. And when you control the money, that's where the hackers want to spend their time. In years past, we'd often find that the bad actors would go try to just disrupt the business. So they would try to attack your firewall. They would try to just attack your computer. They would try to just encrypt things and make things a little messy.
Moving forward in this new year, we're seeing that they're not really spending their time on useless activities. They're going to the dark web. They're purchasing information that they could use to go attack a person that has access to the money. The other thing we're noticing in this new year is they're not doing it right away. We're seeing that people are starting to wait. The bad actors are waiting to find the right opportunity. We're also finding they're learning how to mimic the voice of the person that they're trying to capture. So for example, they will sit and watch a CFO's emails for six months, and as they watch, we found they're getting smarter, and they're using the same tone and texture of that executive's email. And when the time is right, they go in, they pretend to be that person, and they use the same tone and texture to mimic that person and ask for money to be moved to a different area. So some of these ideas really need to be thought about in the new year.
One way we're trying to help mitigate some of these concerns in 2023 is by using artificial intelligence. A lot of the tools and technologies that I mentioned are available to experts in cybersecurity panels of people that we have is that we are constantly evaluating new systems. Some of the technologies involve looking not only at where we are today, but looking at what someone might do, and anticipating what they might do, and preventing it before it happens. The use of artificial intelligence is being used on the desktop right now. It's being used on your computer itself. It's also being used in the cloud. And with the move of everyone moving to the cloud after COVID, using your Teams, using Slack, using very different and many different tools in the web, we're noticing that the hackers have also started to move their outreach to the web the same way. And so we're trying to use artificial intelligence tools to protect our clients that are using these different tools and softwares on the web, and protect them in different ways so that they are secure as well.
So moving forward in the new year, I'm often asked, "What's the best piece of advice I can give to an organization?" You don't always have to go to an outside provider. You don't have to go always to an outside vendor. You could do a lot of the work inside yourself. And the biggest advice I tell people is to educate your employees. Over 80 to 90% of the hacking that happens is because an employee clicks an email. The clicking of the email is something that you just have to really help your employees. They have to learn, they have to be trained, and you have to find the right way.
We often find that our clients get upset with their employees when they click on something, and let's call it just a phishing test. What we actually try to tell our clients is, why don't you incentivize your employees if they do a good job also? It doesn't always have to be reprimanded for doing something wrong. Give them a reason to do something right. Even if it's a $10 card to a coffee shop, if they did something really well, then you should encourage them to do that.
And back to cyber, it's all about those emails. They'll have good cyber training where they can learn the email headers. They can understand what are bad malicious content in an email. They can look at reply to addresses. There's so many ways that they can learn to do things, just on their own with no intervention. It doesn't cost anything. But if they understand these little nuances, they can make a huge impact into the cyber resiliency program of an organization.
As people are coming back to the office, we're seeing them travel a lot more. As they're traveling, they're getting back on trains, they're getting on planes, they're moving around to convention centers, and they're so excited to be back in motion, they also forget that they have to be secure in that process. So we're often asking and telling our clients, "Hey, why don't you educate your employees before they get back on the road?"
So there's a lot of simple things that you can do. One thing is when you use your phone at a free Wi-Fi, is that really secure? Who is updating that router? Who are the other people on that free Wi-Fi? Are you using your laptop, which is company owned, on a public free Wi-Fi that has not been updated, that is not secure, and has other people that are still using that Wi-Fi for gaming, for going to other websites? Obviously, you don't have to be a technologist to understand if there's a lot of traffic going in one place, the traffic gets a little messy. And so it's really important to think about, do I have to get on that free Wi-Fi? I tell a lot of our clients, the safest thing to do is to use your cell phone. The cellphone and the connectivity you have from your carrier is much safer than using any free Wi-Fi you can. In fact, I never use a free Wi-Fi. I always use my cell phone, and I always connect through the carrier to be the safest that I can.
Another area that we're seeing hacking starting is through text messages. Oftentimes, hackers are buying telephone numbers off the dark web. For those that don't know, the dark web is what I call where the bad guys go to find things that they can use, resell, and use for bad purposes. So they'll often go to buy usernames. They'll go to buy email addresses, they'll buy phone numbers. And when they buy these numbers in bulk, they text message in bulk. When they text message, you might get that message on your phone. But when you get it, and if you click, and it leads you to a login page, it leads you to some kind of authentication page, that's really the hackers back there. And as soon as you put your information in there, they're off and running to the races. So we tell our clients to be really careful as hackers are getting more savvy and using more technical things like text messaging, you have to also constantly be thinking about those things.
So when you think about the new paradigm of cybersecurity issues that are happening, take things like text message hacking, take things like email phishing campaigns, take things like people stealing your cell phone access and mimicking your phone so that they can replicate and get the SMS messages for dual factor authentication, all of these issues are real.
So how does a business protect itself? The first thing every business should do every year is get a health checkup. We do it with our own person. I often recommend the business, you do it for themselves. The best thing to do is get a cyber assessment done. Do it from a third party. A third party can look at your systems, look at your IT department, understand where the gaps are, and build you a really nice technology roadmap to help you prevent some of these issues I talked about right now as well as what's coming next, and there's always something coming next.
As the cybersecurity threat landscape has changed, it's really important to constantly evaluate your systems and tell your employees too. One statistic from a leading firewall vendor is showing there's 152,000 malware attacks that are being blocked every day just by that one vendor. So that really gives you some kind of perspective what's happening out there. It's really important to teach your employees it's okay to say something if they see something is wrong. The MTA in New York does it really well. They say, "If you see something, say something." It's a simple mandate, and I highly encourage our clients that they should tell their employees, "It's okay. If anything looks suspicious, tell your IT department." Oftentimes, the IT department doesn't know and they'll rely on a third party, and that's okay also.
Our practice constantly is putting out articles, information, new ideas that are coming out, so our practice can help educate your IT departments as well. Our website is filled with all of our blogs, our articles, our webinars that we're doing. We're always bringing in these experts as well, and so you'll have full access to the whole idea set that we can provide.
We really appreciate you listening, and if you have any needs that we can help you with, feel free to contact us.
Transcribed by Rev.com
Solutions Insight: Video Series
What's on Your Mind?
Start a conversation with Rahul
Receive the latest business insights, analysis, and perspectives from EisnerAmper professionals.