SuperManager Podcast: Security and Avoiding Malware

Christine: You’re listening to SuperManager, the podcast for people who manage people and business with ideas, trends and expert interviews to help you be a SuperManager.

Sam: So I’m here today with two actually very good friends that I do business with on a regular basis.

Sally: My name is Sally Bowles and I’m with Prefix technologies and I’m looking forward to this podcast.

Tasha: I’m Tasha with Web Design by Knight and I’m looking forward to it too.

Sam: I’m Samantha Naes with CN Video Production. We do corporate video and uh, I’m kind of lukewarm to it. I used to be in IT, I know you guys know this, but I was at one time a software engineer. I was an IT manager and I had another friend in IT that told me this hilarious story, probably wasn’t very hilarious at the time. He worked at a bank and one of the higher ups, one of the VP’s of the bank got an email and this was several years ago. It had a link in it and he clicked the link and it went out it damaged his computer, it deleted files and it went through his email and it sent the same email out to everybody in his address book and started a whole problem. And he called me and said, oh, I’m having a horrible day trying to clean up this mess. This happened. And the first thing they did was they notified everybody in the company, don’t do anything. This email has a virus, don’t click on it when you get it. They cleaned everything up, they repaired the laptop that was infected, they, you know, repaired all of the damage. And then they sent out an all clear that said, okay, we, everything is should be back up and running again. And then it happened again and it was the same guy. And they said, what is wrong with you? And he said, well, you said it was all clear. I think his perception was that there was something wrong with the link and they fixed it. And so he clicked on it again and it happened all over again. So not everybody is technical and understands how these things work. There are several tools that are available now that help keep offices secure. The more advanced the tools get though, the more advanced the hackers get and the viruses and the threat.

Sally: That’s true.

Sam: So we’re going to talk a little bit today about some tools and best practices and things that companies and managers can do to help keep the technical environment a little bit safer in the office. Sally, you mentioned a phishing email quiz.

Sally: Yes, I think those are probably a great educational tool. It would allow their employees to start spotting those things, and realize the dangers that would, the first time I took a Phishing quiz and I’m supposed to know what to look for… I got a 60%.

Sam: What is a Phishing quiz? Where do you get one?

Sally: Well, you know why you can get one free right off the internet if you want to. Several large companies compile quizzes and send them out quarterly for all the employees to take because the phishing emails become more and more sophisticated as time goes on. Never click on a link unless you’re sure where that email is coming from. It’s better to ask than it is just to open up the link.

Sam: You know, I actually got an email from somebody that said, here’s our updated proposal, can you take a look? And I thought, well that’s kind of odd, although we had been talking about products and making changes and I actually emailed her back and said, is this legitimate? Did you send this for me to open? And I copied her boss who’s the person that I normally communicate with and she responded and said, yes, we wanted you to have an opportunity to take a look at it first. And I said, oh, okay. And so I clicked on it and then right after I clicked on it, I got an email from her boss that said, nope, that wasn’t her. Don’t open it. They actually had somebody intercepting the responses asking if it was legitimate and responding with a simple yes it is.

Sally: That’s called email spoofing. When somebody can take your email address and just start sending emails out like that.

Tasha: Also a lot of companies are getting targeted… Hackers, you know, they can research a company, they can find out who the CEO is, they can find out all this information, and then if they know that you’re partnering or working or have an IPO out or something, they can actually go in and pretend that they’re that person and send you, do you approve this purchase order or send us, you know, the $10,000 for down payment. So reaching out to those people is paramount before you pay anything. And also before you click on anything.

Sam: Yeah, that’s true. If I would have called. Yeah.

Tasha: Yeah.

Sam: These quizzes though, this is learning for the employees, so it,

Sally: Absolutely

Sam: Intended to teach them,

Sally: What to look for,

Sam: Kind of open their eyes. Do you feel like you learned? You said you didn’t do very well the first time you took the quiz.

Sally: Yeah, I’m embarrassed to say that, but it’s true. You know, these phishing emails sound legitimate. They look legitimate. They often have beautiful graphics and they create a sense of urgency and so it gets people to click all the way through. We have a client that not only was their email spoofed, but they spoofed their, uh, accountant, bookkeeper person who sent out to all of their customers that they were now accepting payments in a different,

Sam: Oh no,

Tasha: Companies lose a lot of money.

Sam: Yeah.

Tasha: Through schemes like that. Yeah.

Sally: Yeah, they do.

Sam: And Tasha you were talking about educating team members. It’s interesting because there are safeties that businesses, organizations put in place, and like I noticed some of the smaller businesses are going to be more susceptible. The larger companies, they tend to really have protocols put in place, software monitoring blocked links, you can’t use Dropbox, things like that. But that doesn’t do as much good if the team isn’t also knowledgeable on what they can and can’t do because they may find a work around, I can’t click on this link, so as a work around, I’m going to do something that’s even less secure that the system is allowing me to do.

Tasha: Yeah. And I think that most businesses need to have some sort of policy and training in place. Like Sally said, there’s a lot of companies that even offer free phishing schemes so you can test your employees and figure out where your vulnerabilities are. You have to not only test them, but you have to train them in best practices of not only email but website searching because you can get hacked from the websites too.

Sam: What about antivirus and malware scans for your computer?

Sally: Well, that’s a minimum. Firewalls are going to be top even for a small business now. There’s one antivirus that I’m aware of that does include ransomware protection. I truly believe in the next year or two more and more companies will include that as well. Yeah. Um, ransomware was a $1.5 trillion business in 2018. Smaller businesses are getting hit with it because the larger companies, as you said, are certainly better protected. One example is about six weeks ago, a private practice physician’s group that had been in business for years. They got hit with ransomware, all of their patient files were encrypted and their IT company did not have a restorable backup. They called a lawyer and the lawyer advised them to lock the door and claim bankruptcy because he said there is no way out of this. Having ransomware protection on your antivirus is paramount for sure. Even for small businesses.

Sam: And it’s protection and then a backup plan.

Sam: I mean I’m a small business and I don’t think that anybody’s going to target me, but just to be on the safe side, but, I’ve got Tasha on my side.

Tasha: But that’s the thing is, is a lot of these hacks aren’t targeted. They are just throwing that out there and seeing who bites. It’s not that they’re targeting you. They find a vulnerability somewhere and they’re going to exploit that to everybody and see who it gets to. People are always thinking of, I’m a small business and I’m not going to get hacked or I’m not going to get attacked because I’m not worth it, but that’s not the game that the hackers are playing. It’s almost the complete opposite. They’re just like, woo hoo, anybody who wants to get hacked, I’m gonna throw this out there and if you click on this or you go to this website and I’m going to give you this virus and then you know I’m going to hold your computer for ransomware and game over.

Sally: And the hackers don’t necessarily know what size business they are. They just know that you clicked on something or you were looking at a certain website. They have no idea if you’re an individual or if you’re in a large corporation.

Sam: What are some of the things that an organization can do from a technical standpoint to help protect the company data and keep this from happening?

Sally: Well, a restorable backup is imperative. So many people think they have a backup, but if it’s not restorable,

Tasha: And I would say multiple restorable because especially in the website world, you might have a backup, but there might be a sleeper file in your backup. You know, it’s just a file that’s sitting there and it’s like every Tuesday come awake and see if I’m supposed to do something. And so if you have a month of backups and that sleeper file has been on your system and then you don’t have any from two months ago, if you restore that one month ago, then that sleeper file is still there. It can still do all the damage.

Sam: It’s incredible. If only they would use their knowledge for good instead of evil.

Tasha: Exactly.

Sally: That would be, it would be a great world.

Tasha: It would be a great world.

Sam: I like Sally, your comment about a restorable backup. It’s kind of like the Seinfeld episode when he went to rent a car. And he said reserving the car is the one part. That’s the easy part. Actually having the car, that’s an important part. Doing the backup, you know, that’s easy enough, but being able to restore the backup is a whole different thing. A little bit more important.

Sally: It is, and I think particularly a lot of small businesses just assume that they have a backup, that they’re fine, but going in to make sure it’s restorable. You’ve got to do that.

Tasha: And you have to have it in different locations also.

Sally: Oh yeah.

Tasha: So if you have a backup and it’s on your computer and your computer gets ransomwared, I mean that gets encrypted too. It’s not like you’re going to magically pull that back up off. So it needs to be in the cloud or on a terabyte drive or something that you can use.

Sam: What about from a management standpoint besides the quizzes? I mean, no employee wants to be that idiot that clicks on the wrong thing and causes horrible problems. How do we keep that from happening?

Sally: Well, they’ve got to have policies and procedures in place, so if something does happen, the employee understands who they need to report it to and that they need to probably shut down their computer. And I mean, if you have a plan in place, I always tell people it’s kind of like, remember when we were all in school and we had fire drills, we all knew where to go. If somebody is compromised, they need to have that plan in place so that they know exactly what to do to keep the company safe. Because I agree no employee would ever do anything intentional. But these, but these hackers are getting pretty darn savvy.

Sam: I know in another podcast somebody had brought up, I think it had to do with an ideal workplace and he brought up a really good point. He said that’s not always organization wide. Sometimes it’s by department and I would imagine it’s the same thing here. You would have different problems from your design group than you would have from your IT department than you would have from your call center or your sales group. They’re going to have access to different things and different problems.

Sally: I think that’s where the IT department’s going to come in. And again, as far as access to that firewall, if you’re a call center, they probably have you pretty well locked down as they should.

Sam: Hopefully.

Sally: That’s utmost importance. But again, I think the biggest thing is having those policies and procedures in place so that they understand the second they need to call their IT department and that the second that IT department can remote in and isolate that problem as quick as possible. And I think oftentimes employees either don’t understand how important that is or they don’t want to get in trouble.

Sam: Yeah.

Sally: And so they avoid the call and they don’t embarrassed, right? Yeah. They know that they’ve done something wrong and Uh Oh. And really these hackers can get through a large company anywhere from 8 to 14 minutes. I mean, it doesn’t take long at all. So it’s imperative that they understand that the quicker they report it the safer everyone is.

Sam: And there are so many different ways that it can happen. And again, by department there are different things that people need to be aware of. I mean, you have some employees that are doing research, so they’re browsing and clicking on links and you have some employees that get a lot of correspondence, so they’re getting emails from people that they’re not as familiar with and all kinds of different things that can go wrong. What are some of the different ways that these viruses come in or happen?

Tasha: It’s so varied. I mean, that big hack that happened to, was it Target? It was through the HVAC system and it was not even an employee of the company. It was just somebody who was hired to do the HVAC system. The company didn’t realize that the HVAC system was connected to the whole network. So they just went in that way. It can be from outside your company too. If you’re not aware of your company’s policies, your firewalls, what’s connected to what. So as an organization, you need to look at that and see who needs to be isolated and what those vulnerabilities are for the people that aren’t isolated. So it can be from the outside, it can be from email, it can be from websites, it can be almost from anything and that’s why the phishing programs are good. But if it’s not email, they’re going to get you on a website. And if not a website, I mean maybe somebody even bringing in a flash drive from outside. Um, you know, you’ve got to check your organizational policies on that.

Sam: You know what’s interesting about that,

Sally: You need to have a policy on bringing in your own device.

Sam: Sometimes policies and technology can work against you. We work with various organizations in different sizes and levels. And some of them, it amazes me. I’ll say, okay, your video is ready and I send you a Dropbox link and they click on it and everything’s great and I’m like, oh good. They were able to get to it. Some of them they say we can’t use Dropbox, but we have our own, so they’ll give me as a vendor access and then an account and I can log in and I can share files, but some of them just find their own work arounds. And then there are companies that say, well, we don’t have any way of transferring files in and out. You’re going to have to write that to a hard drive and deliver it to us. Is that really more secure or could it be causing more problems? I’ve had employees in extremely secure companies that say, we can’t use Dropbox, we can’t use anything for transferring files. So here’s my home email address. Go ahead and send me the link to my home email address.

Tasha: Policy wise, that’s a big violation.

Sally: Yeah.

Sam: But they’re doing what they’re doing, what they have to do to get work done, because

Sally: They figured out a work around,

Tasha: Right, but if you have policies in place, you should make your organization so that employees can say, look, how do we get around this situation? We need these files. How do we get it? So then the IT department can put that into the policy, but if people are just going around the policy, then there’s,

Sally: It opens you up to too much,

Tasha: Yeah.

Sally: Danger.

Sam: And Sally, you started to talk about people bringing their own devices into work.

Sally: That’s huge.

Tasha: It is.

Sally: You can have a very secure network and feel confident in your IT department, but when people start bringing in their own devices, your IT department is left vulnerable.

Tasha: Are you letting those people onto your network? I mean it’s even not only owned devices, but are you offering in your organization two WIFI networks? A free one for, maybe visitors which isolates that traffic, and then one for your organization that keeps that isolated from all the people that are coming in and just doing their day to day stuff.

Sally: We actually recommend that you have your secure network and then offer one that’s called guest.

Sam: Well you set us up with that and here’s the funny thing, when you talk about work arounds that can cause problems. I actually found where employees were, I would look at their devices, the printer, their computer and they’re logged on to the guest network and it’s like why are you working through the Open Wifi? Oh, I couldn’t remember the password to the other WIFI and guest was easier. So I just went ahead and,

Sally: Oh boy.

Sam: And signed on to, you know, changed over to that.

Sally: Again, that’s part of education though. Yeah. And even updating passwords to your secure network. I would say every quarter you should be updating those passwords.

Sam: We do a lot of onboarding and orientation video and historically it’s been more for the company. Welcome to the company. These are our company policy, but I’m seeing more and more we’re doing them on a department level. Welcome to the department. These are the rules and regulations for this department. These are tools that you’re going to be using, this is what you’re going to be working with. I think things like that can be really helpful to teach employees along with the quizzes.

Sally: Absolutely.

Sam: Any other suggestions for these poor department managers?

Tasha: I think one of the things that managers need to be aware of is they need to have an open environment so that their team can say where they have problems. Because if they can’t tell you where they have problems, they’re going to try to solve those problems themselves and go around it, send it to my home email and I’ll bring it into the office on a flat site. Get that, you know? So, so managers need to make or have some sort of process in place to where people either can freely voice their concerns with their problems or anonymously submit, you know, I have this company that I’m dealing with and I need x, Y and Z to happen. So managers need to be aware that their employees, if not given the tools, they will create them and find ways around them.

Sam: That’s a really good point. We have one client that initially we had issues because they’d say, Dropbox is blocked, we can’t get to Dropbox so you’re going to have to find it. And I said, okay, do you have a tool that we can use to send the video? And they said, well, let me talk to IT. And then they came back and said, okay, they have set up a Dropbox account for us and have given limited people access to that Dropbox account. So we’re going to share a folder with you and that’s monitored by IT and you place things in the folder, we’ll take them out of the folder. So they were able to get work done in a more controlled way.

Sally: Right.

Sam: And this happened to be the same person that initially said send it to my home email address.

Sally: But that’s great that their IT department was able to help them out, find a solution. They knew it was going to be secure and everybody was able to move on. But had that employee not reached out, she would’ve figured out her own work around and possibly compromised the network.

Sam: Right.

Tasha: And then you have to make sure that your IT department also has policies in place to shut those holes down because that’s what they are creating. They are creating a hole in your network. And if you let that open for the transactional period after that, you need to shut that down because that’s just one more hole that you have to fill.

Sam: All right, so who’s got the worst security horror story? Not naming any names, Sally, you look like,

Sally: Well, we’ve got a couple. I would say probably the biggest one was… They were a large manufacturer and somebody brought in their own device and decided to watch porn during lunch and while watching porn,

Sam: Well at least they brought in their own device.

Sally: There was, there were ads that came up along the side that I guess looked interesting, so he clicked on one of the ads and in less than 20 minutes files started just becoming encrypted. We actually worked with the FBI on that one to make sure that IP address got added to the bad guy list as we call it. But yeah, they were down for probably close to 24 to 36 hours for their own safety because we wanted to make sure that every single thing was clean before we opened it up to that hole.

Sam: Can you imagine being the employee that brought down the network, watching porn in the office and going home and telling your spouse, “I had a rough day today…”

Sally: Well, he’s still there.

Sam: Oh really?

Sally: He’s still there, so yeah… No longer bringing in his own device. Yeah. People don’t often realize that IT department can go in and even if they’re not coming forward saying, I think I might’ve clicked on something, we can say no you were in there you were. It was you.

Sam: You might as well confess. We’re going to figure it out.

Sally: Again, the biggest thing, and it anybody’s employees can do is just tell their manager as soon as, even if they just speculate it.

Sam: Have open dialogue.

Sally: That’s critical.

Tasha: It used to be in the past you would say, it’s not if you get hacked, now it’s when you get hacked… How fast can you recover? How fast is your response time and how long can your organization take being down before it’s just detrimental to everything?

Sam: Well I count on the two of you. When I fell for it and clicked on that link, the first thing I did was called Prefix and Orion said, okay, let me check your computer. Let me find out what happened. And then I also knew that if anything horrible did happen, Tasha, you’ve got all of my data and all my files and website, everything backed up and I think you’ve kind of gone through the plan before. You know how to bring everything back and yeah, so I’m in good shape. Thanks for that.

Tasha: You do have an interesting scenario, but you do have to go in and make sure your backups are good and you do that on a regular basis. You can’t just do it one and oh, that one’s good. You have to restore on a timeline.

Sally: Absolutely.

Sam: Well thanks guys. I’m glad that you were able to.

Tasha: Yeah, it’s been fun.

Sally: It has.

Sam: If anybody has any additional questions about this and wants to get ahold of you, Sally, how can they get ahold of you?

Sally: They can call me with any questions at all at (314) 764-0295.

Sam: And Tasha, what about you?

Tasha: My number is (314) 223-7496 and call anytime if you have any questions at all.

Sam: Awesome. Thanks guys.

Sally: Thank you.

Tasha: Thank you.

Christine: Thanks for listening to SuperManager by CN Video Production. Visit our website at cn-video.com for additional episodes and lots of SuperManager resources, or give us a call at 314 VIDEO ME.