Skip to content

On-Demand: Are Your Employees Enabling Hackers?

Oct 29, 2019

Your employees can be one of your company’s biggest vulnerabilities when it comes to cybersecurity. Audits are revealing continuing risks resulting from employee behavior - even if the company has training in place. This webinar explains how to identify your risk, as well as why these vulnerabilities continue and what can be done to prevent them.


Lena Licata: Wonderful, thank you guys, and thank you for everyone for joining today. We can go ahead and go to the next slide. So as Niky mentioned, my name is Lena Licata. I am a director in EisnerAmper's process risk technology group. My specialty is in IT risk and cyber security.

Given that today's webinar is one of the shorter ones I wanted to break, bring you through an analogy I use all the time when I talk about cyber, which is the castle. And in the next few slides I'll go over what I mean by that, and if you have any questions about today, it will be a very high level overview that we'll go over today. So if you would like to deep dive in any specific areas, I am available after this webinar for any one-to-one calls.

When it comes to cybersecurity, solving challenges related to cybersecurity isn't done by doing one thing in one area. I think a lot of times people think that, well if I just fix this one thing, maybe I can fix cyber. But that's what makes cybersecurity so complex is that there are so many different layers and players that need to be involved in order to really solve cybersecurity challenges. What we'll do is we'll go through the next couple of slides and we'll go through what I mean when I call it the castle. I think this is a pretty easy way to sort of break down such a complex issue.

So if we go to the next slide, generally when you think about cybersecurity, people think about the walls of the castle. When I talk about the walls, I talk about the technology behind cyber. So you've got firewalls, antivirus, DLP, log monitoring, et cetera. These are the specific technological components that keep a company secure. But like I mentioned, this is just the walls around the castle and that's not going to stop every single problem that you might face when it comes to cybersecurity.

But key things to keep in mind when securing your walls of your castle would be to perform, and I would recommend annual, vulnerabilities scan, but there's both external and internal scans. So an external scan is going to look at your different IP addresses and configurations. And then an internal scan will look at various different configurations on the different end points within your network. Those scans will come back with various different action items or configuration changes that you should make. And just getting the scan done isn't enough. Actioning on those items included in your report is very key. Otherwise what did you pay for?

And then the next piece of this is regularly testing your processes. So you may think that, hey, we backup our data, we put it here, it's all good. But if you haven't tested those backups and restore data, you may find when you actually need to use it that it's not working. Therefore I recommend regularly restoring data if you're not already getting those ad hoc requests. If someone calling in and saying, hey, can you restore this file or that file, I had this problem or that problem. So doing at a minimum annual tests, but up to quarterly of restoring data is key.

The next piece of this is really your incident response plan. Incident response is critical so that if and when you do have an issue, you're not going to be prepared for every single incident that comes your way, however, by having a framework and a plan that you test at, again once annually or more, you will know the basic outline of what steps that you should take. You'll know who the players are that need to have a seat at the table to address this and you'll just in general be more prepared to deal with what's going down. And time can be critical depending on what happened, to shutting down different things in order to address an incident or a breach.

And then lastly, the other key control here that I have is disaster recovery. So again, having a plan in place, and the reason why I talked about these in this order, they've really all sort of work hand in hand, but disaster recovery and incident response work very, very closely together, and it is very key that you have a disaster recovery plan that you both revisit annually, you'll see a theme there, as well as test annually to make sure that if and when you do need to use it, you're not dusting it off the shelf hoping that you can follow along. But that you have gone through and worked through these processes.

Moving on to the next slide, the next piece of what I call the castle is the king, what would be a castle without a king? So when I talk about the king, I'm talking about the tone at the top. And this gets into governance, policies and procedures, audits, vendor risk management, risk assessments, and without that culture and tone at the top, people may not necessarily be taking some of these things very seriously. And I can tell you that we work with a number of different clients and over the years I've had many say to me, well we're doing the right things, we just don't write it down. But if you want to keep personnel accountable as well as you want to address things like a key man risk, where one person knows everything and if they're no longer there tomorrow, you'll be in big trouble.

So you really want to make sure that you have the right policies and procedures in place and they're not, again, just put on a shelf. You want to make sure those policies and procedures are revised, there's that theme again, annually. And it doesn't mean that you have to rewrite them. It just means you want to make sure it's still current to your process and if you have someone start new, they can follow along. As well as if they're socialized and people know about them and that they're in place that is available either on a shared drive or intranet site, et cetera.

One of the very key themes in today's day and age are vendor risk assessments and just in general cyber risk assessments, et cetera. One of the things that you see a lot today is people are outsourcing more and more. And it's all well and great outsourcing something except for the fact that that risk of what you outsource still you own. So if that person you've outsourced it to isn't protecting it adequately, it's still going to come back on you. So you want to make sure that any vendor that you're using has an adequate, the same, or better control environment than you have. And you can do that by either collecting SOC reports, third party audit reports, or doing your own assessment on those vendors.

You also want to make sure that you're doing an annual risk assessment of both your IT environment as well as your cybersecurity preparedness. These audits and risk assessments will just help you put together your strategic one, three, five year plans, which really get into the governance and tone at the top. It's all sort of a one big, nice little circular process here that just helps you be prepared and everyone is well educated on what needs to be done.

And lastly, on the next slide, the last piece of the castle is the townspeople people. I mean, what point is there of having a king if there's no people to rule. And so your employees are key to helping run your castle. They can either be your greatest weakness or your greatest asset. Stewart can really delve into this topic, but you want to make sure that you're training your employees, you're testing your employees, sending them fake phishing test so that they're prepared when the real one comes through. Hopefully they just think it's another phishing test and they send it off to security. And it's really, really important, and I know that Stewart's really going to drive this point home, but creating a culture of security so that you do what I say all the time is you elevate the sniff test so that when something comes through to someone, they look at it, take a sniff, that doesn't smell right, or oh, that's my best buddy, of course I'll respond to that email.

And there are different things that you can do in different parts of the castle to help you secure this for the town's people. If you want to append a tag to the subject line that that tells you that that email isn't coming from someone internal. So if you think it's your best buddy, but it says external and your best buddies sitting in the cube next to you, maybe that elevates your sniff test to say, "hey buddy, did you really send this to me." And they go, "oh no, don't click on that." But that's elevating the sniff test.

With that I will turn it over to Stewart and again, I know I went through things very quickly in the interest of time and if there are any questions about any of the things I went over or you'd like to deep dive into any one of those topics or areas of the castle, please let me know.

Stewart Rose: Well thanks a lot Lena, that was great. I could see you stayed up late with your drawing pencil there. Doing your king and your castle, and those other things. But I wanted to start by really talking about what is really cyber safety today, and it is long-term behavior change.

And I'll use an analogy here to get started. Suppose you're in the business of manufacturing something and during that manufacturing process there's a caustic acid that's used, and if that acid is spilled, it would cause almost $8 million worth of damage. Can you imagine when an assessment is done, you find that 51% of the people have not been adequately trained in how to avoid that? It would be unheard of, yet that's what we're facing today in the world of cybersecurity. We're facing a lot of people that aren't adequately trained. And I use the seatbelt, that's what's going on in the video, with the picture at the top. It's really intuitive behavior, like putting on a seatbelt. It took a while to get there, but people don't even think about that now. Of course you've got all the buzzers that go on inside, but long-term behavior change is critical.

I want you to think about you're a passenger. You're at LaGuardia, it's January 15, 2009. You're getting on a US Airways flight 1549. The pilot is Chesley Sullenberger. You take off, he hits a flock of birds. Now, do you think in terms of long-term behavior change, the way he learned to fly that plane and land, the miracle on the Hudson was from reading a book and underlining things in yellow? No. The way Sully learned that was time and time and time again of practice. And we're going to talk a little bit about what it takes to establish long-term behavior change. It's quite a goal. Okay.

The next slide. Okay. This is... I want to talk a little bit about stuff that you hear about in the news every day, but it's still really startling. According to a recent study, every 39 seconds, a cyber-attack hits companies and government offices in the U.S. Every 39 seconds. The survey also shows that last year over 6.4 billion, that's with a B, fake emails were sent out every single day. Over 2 billion private identities and $3.5 billion of damage control. It's incredible. Yet, less than 2% of the technology staff work on cybersecurity. The budget is mostly defensive and more than a third of the vulnerabilities are due to employee behavior. You've really got some incredible numbers out there and you start thinking about what are the drivers.

Well obviously the financial loss is a key driver that I just talked about, but you've got other drivers, you've got drivers such as regulation. It's not just from the states, you've got GDPR. Other state, as far as, an overall regulation, you've got the California Consumer Privacy Act, the Illinois Personal Information Protection Act, the Nevada Internet Privacy Act, the New York Stop Hacks, et cetera. And then you've got other federal regulators. I could go on and on and on. I've got six of them from Gramm Leach Bliley, Children's Online Privacy, Family Education, HIPAA, NIST, et cetera.

So you got a lot of regulations that are driving this thing. And going back to the financial side, the Equifax settlement, it's so infamous, I should say, has already caused that company $525 million and they think it'll be 700 million by the time they're done. The Uber thing $148 million was paid and they were actually caught paying a hacker to keep quiet. And of course the Yahoo 85 million looks small compared to what's going on now.

Right now, according to IBM, the average hit is about $8.19 million in cost, 242 million the cost of a single record. Of course the health side is most important.

Next slide please. Let's talk a little bit about the old method. It's really a fallacy that repetitive exposure does the job. You see too many times you see this idea of one and done that might be fine for OSHA where you've got a small fine, relatively small fine and a one and done is proof to the regulators that you've got it, that you've done the training, but things are moving today. And they're moving quickly in terms of risk audits and risk assessments. And they're moving away from was it, did it happen? Did it work? That's really, Lena, maybe you could add to that, but as we look at risk audits today, as I said before, we should show that the UMass study shows that 51% aren't prepared. Is that something that you're seeing yourself as you go into these audits, Lena?

LL: No, what I'm seeing when I go into audits is things are kind of across the board. You've got some people that really aren't doing much of anything when it comes to training, et cetera. And some people it's a once a year compliance activity. Other people are really putting some teeth behind it. But it's really, really across the board. And when we do these audits we try and make sure that we give people a roadmap of success and give them three, six, nine and 12 month plans for really how to increase their security posture.

SR: Thanks. Well that's the whole point here is if the audits or the risk assessments don't pick up the problem, people are really blind that it exists and they get blindsided quite easily. And so the audit process of picking this up is extremely important.

So getting there, the book on the right that you see, Make It Stick, the Science of Successful Learning. The author is Henry Rodrick the Third, he's a distinguished university professor in psychology at Washington University in St. Louis. And if you're really interested in what learning is all about, the science of learning, it's a great book to pick up. It's a great read. It really gets you into what does it really take to learn? Next slide please.

Of the several things that are involved here, I'm just going to get into a few of them. But the first one that's really important is does somebody care about it. If you don't really care, you're not going to learn. And so part of it is some people go into training and they try to make a fool of somebody by putting on the dunce cap and saying this person failed a phishing test, and making an example of them. That's one way of motivating. But a lot of companies don't really like that. They don't... That's not part of their culture. So what about caring? If you go back to the awful days of trench warfare, when somebody got up and ran across a field and you said, what was the key motivator for that under fire? Was it, well this is for God and country, or was it because I want to protect my buddies?

And what you find is it's really this team protecting your buddies, et cetera. And so caring is a very important element as you approach long-term behavior change. Making sure that your employees don't make stupid mistakes. They're not stupid people, but some of these mistakes are pretty careless. I suppose careless is a better word than stupid.

Another one of these things is spaced retrieval. So if I asked you right now, how many stories are in the Chrysler Building. How many of you would know, because you're on mute, I'm not going to find out. But it's really... I'm going to tell you the answer 77 but the real way that you learn is to go look for that again. In other words, you almost have to forget in order to remember. It's the retrieval and it's spacing time. Right now you see a lot of training that is a quick video of 30 seconds to two minutes and then it has a question related right to that piece that you just saw, and maybe two questions. A simple quiz.

That's not what this is about. This is about spending time between the time that you get information until the time that you have to retrieve it. And so next time you have to retrieve the information on how many floors are in the Chrysler Building, the number 77, when you see that again, the likelihood of it sticking are much, much higher.

And the third one that I have here is called interleaving and that's really, that's the word used in the book, I don't really like it that much. But what it means is mixing things up. So if you're in batting practice and somebody says, "okay, I'm going to pitch to you 10 fastballs, 10 sliders, 10 change up, 10 curve balls." You get pretty good at knowing what's coming. And so if you are sitting there in cyber training, they say, okay, today we are going to do passwords and next month we're going to do this and next month we're going to do that. You get pretty good at understanding that. The problem is that's not what real life is about. Things come at you, you've got to mix it up. As you're doing training, you can't do one subject at a time. It has to be multiple reinforcements going on all the time. Next slide.

Okay. Part of the advertising industry spends billions of dollars every year trying to persuade people to change their behavior, their buying behavior, in that case. But what you learned from these advertisers is to change people's behavior you have to have a certain frequency. If somebody sees one ad one time a year, that's very unlikely. I've spent time in the advertising business and your number of impressions through media is extremely important. The other thing of course is does it engage you? And we've seen old methods... We've seen more new methods that are very engaging. The problem with that is you don't necessarily... If it's just being driven by humor, you don't necessarily remember it. How many people can remember two weeks later, one of the skits from say Saturday Night Live or something. It does need to be engaging, but it also has to have a certain sense of frequency and it's the concept of multiple types of engagement ,more than just one type of humor or something like that.

And then of course multiple channels. The days of getting people to go to the training and saying, this is where you have to go and here's how you have to log in and here's what you need to do. Those days are quickly moving to an end because people don't do it. How many times have you heard, I got somebody else to do it. It was required by the company, so I got somebody else to do it for me. Believe it or not, we hear that a lot. So you have to really start to think about going to the place where your employees are. And of course that could mean, depending on the company, that could be multiple different channels. Next slide please.

Obviously phishing is huge, so there's no question about it, but there's a lot more. When you get into your training, when you get into recognizing threats, recognizing the threat of phishing, there's no question about it. But there are other types, and they are really dangerous. For example, this is a real life example of somebody who the CEO got a request from the IRS for certain documents. And so the CEO said that, well, this doesn't involve me, sends it to the CFO. The CFO says, I'm above this, sends it down to somebody in the organization. Now they see the chain coming from the CEO to the CFO. They look at the request and they readily supply the information to a fake organization that is using that to steal information.

We often hear also about wire transfers. We work with banks. For example, where they're really concerned about the quality of their commercial loans because at some of these smaller businesses are getting hit with things like ransomware. It's driving them out of business. 60% of small businesses that get hit are out of business within six months. It's a startling statistic, but if you're lending money, for example, to any of these or if you have some kind of financial relationship with some of these companies, it's in your best interest to make sure that their employees are not a gateway into losing valuable data. I won't go through each one of these, but you can see that there are quite a few. Next slide please.

The last piece of this before we get to some questions, the last piece of this is really what we call implementation risk. And it's a major, major risk out there. We talked about the need for methodologies that really bring about long-term behavior change. We talked about using some of the tricks or whatever you want to call it from advertising to get people to... to persuade them using these methodologies to be persuasive. But the last thing it's incredibly important is implementation risk. And that means that a company has, they bought a training program or they have an internal training program for cyber, but it doesn't get done. And that's because you've got CSOs now that have so many things on their plate. Organizations that have so many things on their plate. Some organizations have nobody that can really be in charge of this. Other people have people that can be in charge, but what's the problem? They're overloaded, and so they get the assignment, but it doesn't get done and that's huge.

Another part of this risk is really having CSOs or the buyer who really understand what is a good program versus another. Is it just the entertainment value that's being looked at in terms of making decisions. The reality is it's got to go well beyond that. You've got to have a year-round playbook, is what you need. This was a year round task. And you put together this playbook and then you follow the playbook and making sure that people have, reaching out for this kind of support that you need is very, very important.

That really concludes my remarks here. So Lena, I thought maybe what we would do now we came in under our promised time here, which was we would get this done in a half hour and then open it up to some questions. So are there any questions out there in the audience that you'd like us to address?

Let's see. Maybe... Lena, maybe you could answer this. What's the process for performing a risk assessment?

LL: Sure, that's a great question. When we perform them, we use NIST Cybersecurity Framework and we go through each one of the 108 questions that NIST puts out there. And this way you're covering off on every component and facet of cyber security. And then at the end of it after we go through, what you do, what you don't do, what you could do better, we go back and give you a roadmap of how to get stronger, and what to do, and how quickly based on a risk score that should be done. And then we provide a portal for, as people fix things, that they can automatically see how what they've fixed impacts that risk score. It's pretty quick. It takes about one to three to four weeks to complete and is a great input for board presentations, executive management committees to really make sure that they're well educated on what you're doing from a cyber-perspective.

SR: Thanks. I see one here that, that that I'll take. It's similar. What's the process? Again, the word process for establishing a cyber-awareness training program. The process is really understanding where people are today. Not walking in, hey look at this solution and slapping it onto something, but trying to find out what is an individually, what does each organization look like internally in terms of not just looking at their culture but understanding what channels, how are people engaging with management, and how are they engaging with other parts of the organization. And really understanding, okay, let's take a look at where you are now. Then let's set up where you want to be. Well obviously where you want to be is long-term behavior change, no mistakes being made on the cyber world. That's where you want to be.

What does it take to get there? Obviously we talked about, you've got to have certain methodologies that are effective. There's some methodologies that just aren't that effective anymore. There are other methodologies out there that are effective. And then you've got to say, okay, if they're effective but you're not getting where you want to go, are they being implemented properly. That's where we always start, is looking at the organization, making an assessment. And then not just looking at the organization, but asking the employees how do they feel about their skill sets. What do they think, where do they think they are along with some of these. Are they familiar with the cyber security policies, has senior management communicated what it expects of them, in terms of safety matters.

What level of responsibility do the employees have when it comes to cyber security? Do they feel that they are in fact could be the weak link or not? Do they own the problem more or less. So that's all a part of a self-assessment and all of those things work together to try to set up, a what's needed, and then of course, once you do that, you build a playbook for the course of the year, you look at multiple different communications, some of them are videos, some not, multiple pieces of communication over that full year. And then you say, okay, let's implement month by month. And then you look to say, okay, has anything changed. Every time you address it has anything changed that would change the playbook.

I hope that answers the question of process. I spent enough time on it. Any others that... Any other questions out there? Okay. I think we've got some information for you, next steps.

LL: Yeah, it looks like one more question came in. Is there an example or mock playbook for annual audits for a small, mid, large size company? Yes. So the NIST Cybersecurity Framework is laid out step by step of 108 things to do that you could use for an annual risk assessment or audit. There's also a couple other different audit templates that are available out there through the Sands Network and we, as EisnerAmper also perform and could talk through with any specific things that you had in mind if you wanted a broader IT risk assessment or audit or if you wanted something more targeted specifically around cybersecurity. But we could definitely talk through that and provide something in order to help. So please reach out.

SR: Yeah, one last thing. There is a white paper that will be made available in the follow up email to all of you. If you're interested in it, there'll be a link to get a copy of it.

NR: Okay. We hope you enjoyed today's webinar. Please look out for a follow up email with the link to the survey presentation and the white paper that Stewart referenced. If you have questions about today's topic that you would like addressed, please feel free to email our speakers directly. Again, thank you for joining our webinar today.

Transcribed by

Contact EisnerAmper

If you have any questions, we'd like to hear from you.

Receive the latest business insights, analysis, and perspectives from EisnerAmper professionals.