Data Security and How Not to Get Duped for Millions

Show Notes

The internet’s bad actors are busy. Ransomware attacks are widespread and cost businesses in the United States alone some $42 billion in 2024. In this episode of The Whole Idea podcast, join host Greg Oberst with guest Chris Geiser, chief technology officer at DCG ONE. Learn about ways to avoid an attack on your business. See how establishing a culture of security mindfulness can help your employees spot other common and costly scams.  

Other links you may like to check out:

About us - https://www.dcgone.com/about
Strategy - https://www.dcgone.com/strategy
Technology - https://www.dcgone.com/technology
The Agency - https://www.dcgone.com/agency
Let's connect! https://www.dcgone.com/contact

Email us: podcast@dcgone.com

Check us out on social media:
LinkedIN, Instagram, Facebook

Transcript

Greg: Here's a topic that will not go away no matter how hard you try. In fact, it's better to embrace it lest you be fleeced. Hello everyone, welcome to another episode of the Whole Idea podcast by DCG ONE. I'm Greg Oberst. On the show with me today is Chris Geiser, chief technology officer at DCG ONE, and of course we're talking about the ongoing, ever-growing need for data security in the workplace. Chris, welcome back to the Whole Idea podcast.  

Chris:  

It is great to be here, Greg. Thank you for having me again.  

Greg: 

When you and I last met on this podcast, the subject was artificial intelligence, but on this episode, I want to bring some much-needed attention to data security, a subject not just close to your heart, but also close to your duty as chief technology officer here at DCG ONE.  

Chris: 

Correct.  

Greg: 

Let's start with ransomware. Seems like it's one of the most prevalent types of attacks lately. It's in the news a ton, many brands and orgs are getting hit. I saw one report in which a tech called it a plague. Why is ransomware seemingly more widespread now than it was, say, a few years ago?  

Chris: 

I think because more than any other attack type that might be carried out, let's say by a nation state actor, right? You hear about attacks on utility grids and other things. These are all things that the government worries about. Business is more interested in business. Business is more interested in making sure that the day to day is carried out without disruption, that businesses serve customers, that they continue to be a going concern and make money.  

And so what ransomware, the goal of ransomware is two things. The first thing is disruption. When the ransomware hits, when it gets through the, when it gets through whatever its attack entry point is, it encrypts whatever it can find, whatever it has access to, whatever it has permission. To make a change to it will encrypt those assets and when those assets are encrypted and locked, then you are locked out of those assets. They may not, they may as well not exist for you at that point.  

The second point of ransomware is exfiltration or what we call exfiltration, and exfiltration is exactly what it sounds like. It means that somebody is taking data in an unauthorized way from one place and putting it in another place like the dark web. So if you have customer data, let's say you have an e-commerce site or an e-commerce program and you keep a database of your customer data and personally identifiable information, if they lock up that database first, they've disrupted your, they've disrupted your industry, you're going concern, you are now not able to carry business out the way that you normally would because your e-commerce program cannot write or read from that data source.  

The second piece is now they own your data. And so, the bargaining begins, and it's become so sophisticated that some of these ransomware organizations actually have an account manager. “Hi, I'm Chris. I'll be your account manager while we negotiate your ransom.” And so, it's a very scary thing. It's something that there's all kinds of philosophies and all kinds of ways to try and defend against it. The first line of defense always being the user. The entry point will always be average…I don't mean to call any of our employees average, but… 

Greg:  

It’s just somebody that's in the office. 

Chris:  

…And they're going along, they're doing their work. They get an email that looks very legitimate that may have, you know, tied back to what we talked about with AI may have been generated by, by AI. And once they look at that, if they're if they're fooled by it, they click in, they give up a credential. And when you give up a credential, it's like giving somebody the keys to your car and saying, please don't steal it, you know, you know, an honest person is not going to steal your car, but somebody that's got other intentions is going to take your car and you've basically given them the keys.  

Greg: 

So this is fishing as one way into the entry point. 

Chris: 

Or you know, you want to use the fancy term, the attack vector would be, would be a phishing attack. It could also be something along the lines of social engineering. I go to your LinkedIn profile. I learn everything about, about you, Greg, and I call you and I say, “Hey, I thought that thing that you did was really interesting…” and we started a dialogue.  

There was a great story about a security professional that is a guitar player and has a custom, a very expensive custom Gibson Les Paul. And he went on a guitar for him, and he was, you know, talking about how he needed something changed on the guitar. There was something that he would like to do, and somebody reached out to him and said, oh, “That's exactly what I do. Ship me the guitar and I'll, I'll make sure that that gets done and I'll charge you this much” and whatever. And so he shipped the guitar out and he never heard from the guy again and he said this guy knew all about me from this forum and he used all of my, you know, sensitive touch points to gain my trust and then, you know, through the use of a slightly longer play than a phishing attack was able to steal something very meaningful from him.  

Greg:  

What's interesting is that companies are paying up. The average cost of a ransomware attack is something more than $5 million.  

Chris:  

That's, that's probably, that's probably very close to correct because you have to add in, you have to add in how much opportunity cost did you lose in not being able to run your business during the time that you negotiated. Then you have to add in the price that you if you pay the ransom, you have to add in the price that you paid for the ransom. You also have to add in now the fact that you cannot prove there is no legitimate way for you to prove that data that's been exfiltrated has not been exposed. So now you're liable for, you know,, a free one year subscription to Experian or some credit monitoring service for whatever personally identifiable information has been exposed if it's, if it's HIPAA…you know, healthcare data, electronic personal health information, then you're on the hook for potentially for fines if it's malfeasance, malfeasance, meaning you knew that there was a hole in your security system and you did nothing about it.  

 Then there's the inevitable legal action that will more than likely be taken. Everybody should remember that those are by the record. So, for every name that's in your database, if you have 1000 names, a HIPAA Fine could be $10,000 per name. And could also carry jail time. So it's a really dangerous slope to be on if you're not paying full attention to this.  

Greg:  

And it could be a pretty wide net, as you're saying. It's not just about you; it's about everybody you work with potentially.  

Chris: 

That's absolutely correct. You've basically become the, you've become the door. When you have vendors, your vendors pose a risk and so you have to have a third-party risk management program in place to make sure that your vendors are doing the exact same thing that you're doing. In HIPAA, we have what's called a business associate agreement and what what's also called a chain of trust, and the chain of trust says. That if you're working with a third party that they're agreeing to the same sets of rules for safeguarding data that you are and so you want to make sure that you always have those types of agreements in place, but that you do a trust but verify in saying, do you do this, do you do this, do you do this?  

I spend countless hours throughout the year answering these questionnaires for our customers that want to know that we're safeguarding their data in the right way. So, we have to turn that, and we have to do the same thing for our vendors to make sure that they're safeguarding our data in this in the right way.  

Greg:  

It's not always just about big companies either. I think ransomware, people who do the attacks have numbers in their favor. If attack a number of small companies, then that's a pretty good haul for them, even though it's a smaller haul from each smaller company. My point is, you can't let your guard down if you're a small company.  

Chris:  

That's absolutely correct. And, and there are many small companies that serve bigger companies and may have, and may have access to a bigger company's data, right? Back in the day, we used to work with enterprise companies and, and we had something that that hung over the technology area that said act as if. And we were not a $10 billion, you know, valued company the way that one of our main clients was, but. In conversations with them they said you're part of our perimeter now and so you need to act as if you are part of our security plan and so we took that very seriously and I can credit the guy that told me that,, a guy named Bill Bonny he was the, the senior vice president of security at T-Mobile at the time. He was the one who got me started down this path.  

We had a great experience in building our program alongside their program, and so we learned we learned from some good experts and we're able to develop a program that we've now taken here to DCG1 and are continuing to try and build every day. It's never, it's never over.  

Greg:  

Yeah, constant state of construction, I imagine. Like our freeways, let's talk about another increasingly common type of attack, BEC as it's known, business email compromise.  

Chris:  

So, business email compromise is when a bad actor gets control of someone's email box. And once they do that, they can be that person, and they can send out something that says, “Hey, Greg, I, I need you to fill this out today in order for you to stay within our, our vendor compliance” And you open that spreadsheet up and you look at it and you say, boy, this is asking for a lot of really interesting details that I'm not sure that we, we should be giving up.  

And so, you write back to that person, and you say, “Hey man, I just got this suspicious attachment from you. Are you sure that is this for real? Is this you?” And the email comes back and says, “Oh yeah, definitely, it's legit. You got to do it today. I need it today.” And because that person's email box is compromised, you don't know that you're actually having an email conversation with somebody that is inside that email box and they're basically controlling the conversation.  

At the same time that they're doing that, they're also ferreting out, OK, what do I usually, what does this person usually get from Greg? What does this person usually do in their day-to-day business transactions with that? Is there any payment information I can reroute into another account? And then the next email might be, “Hey Greg, thanks for filling that out. What I'd like to do is we need to change our ACH transfers to this account moving forward.” And if it's a vendor that we would be paying, then all of a sudden, we're making our vendor payments to a bad actor and the timeline for an attack like that.  

That could go on for 30 or 40 days before we understand that we've paid, you know, however much, and the vendor finally comes back and says, “Hey, you haven't paid this bill.” Well, sure we have. Here's a canceled check. Here's an ACH transfer. Here's whatever proof we have. We show our receipts, and they say, “No, that's not our account.”  

And so business email compromise allows them to find out the most daily and mundane and routine details that you have. About how you do your job and then use that to, to socially engineer without you being able to verify it. And we've seen it happen fairly recently where we've gotten emails to the, or tickets to the help desk that say, I got that. I just got this from a vendor and or from a client and I don't think it's right. I emailed back and I asked if it was okay to send and they said, yeah, of course it is.  

And I still don't feel right about it, which was good because it means we have a risk aware culture. In letting that person know, hey, contact your client and let them know that they might be compromised,, contact them by phone, take an alternate routes, send a text message, do something to make sure that you're not sending this through a channel that we know is that we know to be compromised and so they did that and of course they found out that the that the client was indeed compromised, didn't know it.  

And so that business email compromise was being worked probably across, I don't know, 5, 10,15, 20 different companies were receiving the same thing, asking maybe the same question and then once being answered, oh yeah, it's legit saying, “Okay, great, I'll fill it out.”  

Greg: 

So, you mentioned culture as being an important part of prevention. Let's talk about that for a few minutes. How do you establish a culture of security mindfulness inside the office?  

Chris: 

It starts with awareness training. Our employees go through an awareness training. We actually try to make sure that the awareness training that they do is not the limiter to what they learn. And so, you have to keep reminding people over and over and over again. What's really kind of great and exciting about it is that we get good feedback. We actually get people that respond to it and say, “Yeah, please keep these coming because they think.”  

The good news about being able to build the culture is that people see themselves in it, they see the benefit in their personal lives from learning this at work and then they apply it at home. If you don't have multi-factor authentication on your Instagram account, it's probably time to probably time to look into that. If you want to keep your Instagram account intact, otherwise, I mean, how many times have you seen on your social media posts, please don't accept a new friend request from me because that's not me and whatever. And so, you want to give people tools, you want to give them awareness, you want to encourage them and not judge them, you know, you want to say every one of us has the capability to stop this.  

We had a really great moment in January. We were in the middle of one of our security audits and the auditor who was walking through the facility with me, she asked me in one of our warehouse areas if she could take photos of some of the ingress egress controls that we had and I said sure, as long as you take it in this direction and etc. Within minutes of her taking those photos, one of our fulfillment people high on my list of people that are risk aware sent me an email saying, “I don't know who that lady is that's walking along with you, but she just took a bunch of photos and you know, you might want to look into that.” And I wrote back, and I said, “Thank you, she's an auditor.” But I showed the email to the auditor and the auditor actually put that we are a risk aware culture in her report, and it just is there's no one thing that we can do. It's, it's all the things.  

We did the Cybersecurity Awareness Month in October. I tried to keep it up for 31 days, but it got, it got a little out of hand after a while, but we, we have great partners in our, our security posture that provide us with a lot of content that we, that's useful. It doesn't talk down. It's not judgy, you know, we, we can't walk by and, oh, I can't believe this user got us hacked. That's not it.  

It's, I'm really glad that these users are, are on board with what we're trying to do, and we have great people here at DCG ONE and just. If you tell them what to look for, they'll look for it and I, I'm always encouraged by the feedback that we get back saying, “Hey, I think this is suspicious.” And I think they do a great job of staying alert and staying aware and the minute we stop driving that awareness, it falls to the back, and we need it to not ever fall to the back.  

Greg:  

In this area of human risk management, as you sometimes call it, is fluid.  

Chris:  

Yeah, what worries me more and more is how much our personal digital lives are sort of blending into our work daily lives through the use of devices and things like that. We've all got email on our phones; we've all got maybe Teams or Slack on our phones and so. You know, we have to do a lot of things to limit how much anybody can actually do in in any one place and just sort of keep access to things that we want that we want to consider confidential or sensitive isolated from those vectors.  

Greg: 

Let's talk more specifically about what those approaches and tools are that you put forth.  

Chris: 

Sure. You know, the techniques and where it hits personal users or individual users the most is probably starts with your password,, or let's, let's actually back off the word password and let's, let's say your key, whatever that is, whether it's a password or whether we have some other technique employed. The days of passwords are probably, probably numbered.  

Greg: 

A lot of facial recognition now and that sort of thing.  

Chris:  

Well, you know, it's funny I was explaining that to somebody yesterday and, and, they said, “Oh well, if you have the facial recognition,” they said, “yeah, that means all they have to do is punch me until I'm unconscious and hold the phone on my face. Great.” But there's a lot of, there's a lot of things about never using the same password twice, using a strong password, using a password manager. Those are things that you can do to to help yourself, but also multi-factor authentication, not by SMS message, which is turning out to be the worst thing you can do when you do multi-factor by SMS it's very, it's very interceptable and probably proven recently in a couple, a couple of really high profile,, attacks that those SMS messages are susceptible to interception. They're not encrypted.  

Greg:  

So, you should opt for the email.  

Chris:  

No for secondary verification, I would always go with the authenticator app. I feel like right now that's, that's the best thing that we have, although we're finding out that those things can be gamed, and that's why I think coming from places like Microsoft, Google, others, I was reading a forum, on a company called Sophos yesterday. Where they were saying that this whole password less or pass key or pass for, you know, like. There's so many other ways that we're looking to create a sense of multi-factor authentication and consideration even a physical devices is very much on the table because we want to make sure that we can, we can actually verify who somebody is, but we not to give too many state secrets away, we have, we have a program in place for, for managing all that that we're continuing to evolve based on what we learn every day.  

We have a, we have a good group of security vendors that help us stay aware of what the best approaches are and so we're working with them constantly to understand, okay, where does this leave us on any given Wednesday, where does it leave us?  

The second thing is just email in general, email, SMS. I think letting users know that should question everything is a just an absolutely huge step in the right direction that nothing is as it seems or nothing should be taken at face value anymore, especially where emails from executives and text messages from executives are concerned, that's one way that That attackers used to drive a sense of urgency into it if our president Brad Clark texts me and says, Chris, I need to, I need you to do something for me right away. That's one of the, the dead giveaways, you know, I know Brad Clark's tone. I know Brad Clark's voice. If I call him, I know that I'm actually speaking to him and if I get something that, that seems funny from him, I'm going to call him and I'm not going to, I'm not going to react within a within a text message and so watching out for those types of things is critically important and then also watch what you share.  

Social media is really a great harvesting ground for me to be able to spend a little time there and and come up to you and say, “Greg, I know you. You don't, you may not remember me, but you and I went to the same high school, and I also know Joan who was your best friend in high school and she and I have been talking and I think you'd be the right person to pull in on this business opportunity I have going on.”  

There's a great book out there by a woman named Maria Konnikova. She's a clinical psychologist at Columbia University. And she wrote a book called The Confidence Game, which really breaks down how grifters work and what the psychology of grifting is. And when I read this book, I couldn't help but apply it all digitally. The same cons, the same grifts, the same scams that were run in 1492 are currently running digitally and that was, that's what makes them even more dangerous is because the payload is almost instantaneous.  

Greg:  

Can you just distinguish the difference between multi-factor authentication and 2FA?  

Chris:  

They're the same-ish. If you have, if you have two-factor authentication, that's known as something I have and something I know. So, something I know is my password. Something I have is an authenticator app or a physical card or something. That I push in to verify that my password has not been stolen. So that's two-factor authentication. It’s multi-factor authentication simply because it’s more than one, but multi-factor authentication can also be rolled into 3 factors, let's say, or true multi-factor where it would be something I am, something I have, and something that I know.  

So that's where your facial recognition comes in. Let's say you have a password manager app on your phone, and you need your face to unlock that. So, your password manager is not something that somebody that picks up your phone, first of all, you have your pin code on your phone. You have your facial recognition on your password manager, and then once you use your password manager, you also have to back that up with your multi-factor app.  

Where it becomes multi-factor as opposed to just two-factor is in something like the way that Microsoft does it where I enter my Office 365 password. I could enter multi-factor authentication, just the six-digit code that's on my Microsoft Authenticator app or what's going to happen is it's going to do something called challenge response where it's going to say, okay, we're showing you a number somewhere only we know where and that number is in a random sequence and you need to enter that number in order to be able to continue and we're only going to show you that number for a minute. And if that number just suddenly pops up on your screen, you have a chance to say I didn't ask for this number and if you hit that then you know a whole other series of events start to take place from the from the IT side and I won't talk about what those events are, but the nature of it is such that it's not just I'm going to enter a six-digit code, but that in this moment, the code is this and for you to even look at.  

And, you know, the next step, you need to get this part right. So, you're continually jumping through hoops, and I think, I think what's happening is all these things are getting to a point where they're beginning to be gamed. The challenge response vehicle came up from the fact that people were doing something called credential stuffing. If a password was compromised, they would just keep logging in with the correct password until the person who is getting the two-factor authentication notice would just give way and say, OK, yeah, here's the number stop bothering. And all of a sudden, they're in, somebody that's on the other side of the world could potentially be into your system because you entered the code, some, you know, on your authentication device or your authentication vehicle and it wasn't you that actually requested it. So that's why that that this is not me button is right there for you to say, but I didn't ask for this, and that stops it dead in its tracks.  

So multi-factor authentication is becoming more and more complicated. I know that certain government agencies, I know that certain larger companies, they require they require the something I have to be physical, like a card that you insert or a token that you have that reads out a number that's not on your device. It's like this is the token. So, those RSA tokens seem to have gone away in favor of what are called UB keys you plug that into your USB port and it says, okay, unless, unless Greg is in the trunk of a car somewhere we can assume that because he's got this key that this is him.  

Greg: 

Chris, exactly who are these bad actors and where are they set up?  

Chris:  

They are set up anywhere they want to be set up. I think the picture that people draw in their own minds is that they're in some, let's call it, the, the picture that I used to draw was the other side of the Berlin Wall and dank and faceless apartment building where they had set up a row of hackers that are that are doing this on behalf of a of.  

And if you remember KAOS from Get Smart, but like an organization like that, you know, very cold war, I guess I'm showing my age with that, but they are wherever they want to be, where you are, your physical location makes no difference.  

But what matters is that they've got corporate structures now, they've got. They've got managers, they've got account services people that help you through the process. This is how you're going to pay us, and this is what we're going to do with your data, and this is what the next step is. They've become extremely sophisticated. It's not a case of some kid in their parents' basement causing trouble. It's not Matthew Broderick playing War Games. It's people that have families and they like business operations and homes and cars and they get up and they go to work every day, and this is what they do.  

You can't say that they're in any one location because the internet makes it possible for them to be anywhere they want to be, but where the attack comes from, well, maybe that's somewhere else, to say that they’re all in Russia, they're all in China, or they're all, some it's not a thing. They are wherever they want, wherever they want to be, they've made, they made that choice, that this is how they're going to apply their skills and that's what they do. They built an industry out of it and hackers were always interested in payloads. What's the payload for this?  

Some hackers were also interested in, in vandalism back in the day…where we have a problem with this. We're going to hack that site. We're going to deface it and we're going to, we're going to tell everybody what we think of these guys and there's probably some of that still around and,, at some point somebody noticed that there was, you know, money to be made, that there was, there was a legitimate, well, not legitimate, but there was a business, there was a business model that, a sustainable and scalable business model for this.  

And that's what makes it so incredibly dangerous and so incredibly serious and why we take it so incredibly seriously is because You know, we take our business incredibly seriously and so if nothing else, you know, in spite of the, you know, control versus chaos, spy versus spy kind of kind of face that you might want to put on it, we're a business, they're a business, and we, we want to keep our business operating at peak. They want to keep their business operating at peak and those two goals are at odds. And so that's why we have to be at our absolute best.  

Greg:  

So, when I think about the Internet of things, from wearables to the refrigerator and the data going on and all those things, I can imagine that this only makes your job more challenging.  

Chris:  

You want to hear a horror story?  

Greg:  

Sure.  

Chris:  

I have a friend, she'll recognize this, but I have a friend who told me just last night that she had a certain electronic toothbrush. And it started acting up in the middle of the night. It would just start making noise and vibrating and falling all over the bathroom vanity, and she finally, she couldn't turn it off. She finally had to wrap it in a towel and throw it in the back of the closet until she could do something with it the next day. So, she gets on like any person would she gets on the website the next day and she orders herself a new one to her home address and a week later, a box shows up for her at her work address and somebody says, “Yeah, you have a box here.” And she said, “I didn't know, I didn't order anything to that address.” And it was a new toothbrush.  

The same exact one that she had just bought and the only conclusion I can draw from that is that the toothbrush, which I said, “Did you ever have it hooked up to the internet?” And she said, “Yeah, it was on, it had an app.” And I said, “Yeah, it basically phoned home and said, I'm done, send, send in send in a new brush.” And so, she now has two of these things and it was basically self-ordered by the toothbrush.  

So, what have we learned? That is what IoT is capable of. So, when you think about, and I'm a big believer in Apple AirTags, not to do a brand endorsement here, but the whole idea of AirTags that, as soon as I leave my backpack or my badge behind, you can see I've got an AirTag attached to my badge. As soon as I leave that somewhere that's not my home or my office, I get a notification on my phone saying that you've left this behind. The idea of that AirTag is that it's basically going to be able to use any wireless signal out there.  

I don't know if you've ever hooked up to the Wi-Fi on a plane but not bought it. As you're hooked up to the Wi-Fi signal, you start getting notifications from all your messaging apps, but you can't read any of them because you're not actually connected. And that's because there are certain notification protocols that I think, and this is, this is my theory anyway, there are certain notification protocols that many wireless gateways just leave open those things, the “AirTags” of the world and the RFID that you might put on your cat, are just open to those types of, let's call them for lack of a better term, low frequency data transmission and off it goes and it tells you precise locations based on that.  

So that only underscores how leaky IoT probably is and so with all the physical devices we have around the plant, we've had, we've had to take precautions about, about all the devices that we have around the plant, and it doesn't make people happy sometimes that we that you know, there has to be an IT person present for X, Y, or Z, but it's the way it has to be because those things are so leaky.  

Greg:  

I've been debating whether to get an app that reads the meat in my barbecue, the temperature, and I just think, do we need an app for everything here?  

Chris: 

Exactly. And then, and then you really have to analyze what you're telling it, and it asks for the world, right?  Like one of the things that we do here with permissions…so Greg if you were in your current position, in your current role, if you were to try to get on a network drive that had PII on it, we would say, sorry, you're…you have no role here.  

Greg: 

PII is personally identifiable information, right?  

Chris: 

Yeah. What the IoT devices do is they ask for a very large role. They ask for almost an administrative role in your personal life just to do this one thing because the developer was too dang lazy to figure out how to ask for a smaller role. So that's why you have to be careful with those kinds of things.  

Greg:  

Yeah, and they can kind of crowd up your phone display as well.  

Chris:  

I know the meat app that you're talking about, and I was hooking my brother-in-law’s up to my phone on Thanksgiving and I got that notice, and I said I'll cut it open and look.  

Greg:  

Yes. Chris, thanks very much for being here on the whole idea podcast and sharing some important words about a critical topic. I'm sure we're going to be talking again someday about this.  

Chris:  

I would love that. Thank you, Greg. Always fun to be here with you.  

Greg:  

Now for some key takeaways: Ransomware and BEC attacks are menacing businesses of all sizes. Phishing and social engineering remain top entry points for bad actors worming their way into your data systems and launching attacks.  

You can't talk about this plague enough with your staff. Tell your team members what to look for, keep it top of mind with regular training and make security mindfulness part of your company's risk aware culture.  

My thanks again to Chris Geiser, chief technology officer at DCG ONE. If you have questions for Chris or need sage advice or guidance on how to beef up your own security program, feel free to write us today at podcast@dcgone.com.  

Thank you very much for listening. Whole Idea of podcast producers are Mandy DiCesare and Kelcie Brewer. I'm Greg Oberst. Watch this channel for our next podcast and more expertise, insight and inspiration for whole idea marketing.  

Take care.