0:00:00.0 ANNOUNCER: So you wanna know the ins and outs of managing your money? Well, lucky for you. You are just in time for another episode of Master Your Finances with Certified Financial Planner professional Kurt Baker. Kurt and his panel of experts are here for you, and will cover topics from a legal and personal standpoint. They’ll discuss tax efficiency, liability, owning, managing, and saving your money and more. Master Your Finances is underwritten in part by Certified Wealth Management and Investment and Rider University. Rider offers continuing studies programs for adults who need flexibility. Want to add new skills to your resume? Take a continuing studies course at Rider University. Now, let’s learn how we can better change our habits with Kurt Baker.
0:00:45.1 Kurt Baker: Do you wanna know which businesses are now classified as non-banking financial institutions and must comply with FTC safeguards by June 9th deadline? Do you realize how critical it is to manage and mitigate cyber risk, especially in today’s increasingly digital landscape? Bob Michie, president and co-founder of MetroMSP, defines technology strategy and initiatives as critical aspects to clients’ success. Bob is here to provide you with access to an FTC compliance checklist that you can use to ensure your company is meeting the necessary standards for protecting sensitive information, as well as help you understand the potential consequences of failing to comply with these regulations and the importance of taking action to protect your businesses. Today, he will help you feel confident knowing your business operations are secure, and that you have done necessary steps to mitigate cyber risk and comply with important regulatory requirements.
0:01:49.8 Kurt Baker: Now, the requirements are really important, obviously, but I know that cyber risk just in general, I know I went to a workshop just a few months ago and they talked about how cyber risk is on the rise and how insurance rates are going up for cyber risk are on the rise. And insurance companies are actually getting more proactive about, “Hey, you really need to be in compliance and do all these things.” So this is like a real threat. This is not, and it doesn’t matter if you’re a Fortune 500 or you’re a two person operation, everybody has risks. That’s kind of the message that was given to us. And everybody’s like, “uh-oh.”
0:02:18.6 Bob Michie: Absolutely, everyone’s been sitting at home during COVID and so were the bad guys and…
0:02:24.9 Kurt Baker: They’ve been working too.
0:02:26.2 Bob Michie: They’ve been working, they’ve… Cyber attacks are way up with what’s been going on. And as far as insurance goes, before COVID you could get a cyber insurance policy and they typically ask you three or four questions, maybe five questions, and they could write a policy. Now it’s eight to 10 pages of questions, and at the end of it, it says, the questionnaire says, “Did you get your cybersecurity guys to help you fill out this form?” Because no one understands the questions anymore. And the insurance just doesn’t wanna pay.
0:03:00.6 Kurt Baker: Right. And if you’re a small operation, they’re gonna say, “Well, send it to your cybersecurity department.” And you’re like looking around, like [chuckle] What department?
0:03:07.8 Bob Michie: And what we’re seeing in some cases, the company isn’t even getting the app. The insurance agent might be filling out the app, checking off the boxes.
0:03:15.5 Kurt Baker: Uh-oh.
0:03:16.8 Bob Michie: And yeah, it is an uh-oh, because if the company has a data breach, what do you think the first thing they’re gonna pull out and look at?
0:03:24.8 Kurt Baker: Check the application and make sure you had done everything you said you did on the application, which it sounds like you might have missed.
0:03:29.5 Bob Michie: There’s an insurance company in litigation right now that wants to pull back a million dollar contract because the box that was checked on the form didn’t match what they were doing.
0:03:41.1 Kurt Baker: Yeah. I think people underestimate the importance of always making sure you’re telling the truth on an insurance application regardless of what it is.
0:03:48.7 Bob Michie: Sure.
0:03:49.0 Kurt Baker: Because the first thing that an insurance company does when there’s a claim is they go back to the original application and they make sure that everything that you said wasn’t existing. ‘Cause that’s how they underwrite it. If you don’t tell them the truth about how you underwrite, then they’ll have a hard time offsetting that potential risk. That doesn’t mean they’ll deny you for not doing something, either they’re gonna help you fix it, or they’re gonna give you another type of policy, possibly. Right?
0:04:09.7 Bob Michie: Right. But in this case, what’s happening is, the questions that are coming up, people don’t understand what they’re actually asking.
0:04:14.6 Kurt Baker: Right. And .. with cyber rights technology. So now we’re getting into a language that most of us don’t really speak. So if they’re asking you, “Have you implemented X, Y, Z?” You may not even… You may be… Well, they might be talking Latin, right? I don’t speak Latin. So I don’t know which way to go.
0:04:25.9 Bob Michie: So one of the questions they might ask, “Is all your customer data encrypted at rest?”
0:04:31.2 Kurt Baker: Okay.
0:04:31.8 Bob Michie: And people are like, “I don’t know.”
0:04:34.0 Kurt Baker: Oh, right, right. So.
0:04:35.6 Bob Michie: So they’ll say, “My web guy does it or my IT guy does it.” “Well, okay, but we have to prove it.”
0:04:41.4 Kurt Baker: Okay.
0:04:41.8 Bob Michie: So that’s just one of the simple questions that everything needs… In that case, the laptops and the computers that the data’s sitting on needs to be encrypted.
0:04:50.4 Kurt Baker: Right. So you wanna encrypt like, do you actually encrypt the hard drive itself?
0:04:53.4 Bob Michie: Yep.
0:04:53.9 Kurt Baker: Not just put it on the hard drive and say, “Well, I have a firewall, I’m good to go.”
0:04:57.6 Bob Michie: Right. Exactly.
0:04:58.5 Kurt Baker: You have to actually encrypt the data as it sits there, as you pointed out, which is really kind of important. So what… If you wanna just what… ’cause we talked about this June 9th deadline, which is really just around the corner as far as companies are concerned. Like, it’s like tomorrow.
0:05:09.9 Bob Michie: Sure.
0:05:10.1 Kurt Baker: [chuckle] So let’s… Why don’t we talk about what exactly that means and what people should be doing now to maybe make sure that they’re ready for this new rule?
0:05:19.4 Bob Michie: So June 9th is actually the extended deadline. The original deadline was December 22 and people didn’t even know that they had to comply. It turns out everyone’s got different compliance organizations that they need to work with. And in this case, the FTC, the Federal Trade Commission has created and expanded a list, a definition that they called non-banking financial institutions. It’s their way of protecting consumer information. And it’s basically anybody that touches tax returns or is holding wire information for consumers. Because when you go through the FTC reg, it calls out car dealerships right at the start because of all the leasing aspects. People I have talked to tell me car dealerships is really a bank that use cars as a vehicle to make money.
0:06:17.1 Kurt Baker: So it sounds to me like it’s not just… I mean, the typical ones I would think of is like a mortgage company or a finance company, or something like that. But you’re talking about anybody who has your financial information, which could be somebody who actually helps you facilitate a loan, not necessarily is holding your assets.
0:06:32.3 Bob Michie: Absolutely. So like you said, a mortgage company.
0:06:33.9 Kurt Baker: Right.
0:06:37.8 Bob Michie: A real estate office could have some of that information. And then in the reg it even calls out a property appraiser, which you think, well, it’s going deeper and deeper as to…
0:06:49.8 Kurt Baker: ‘Cause they have pretty limited information on your finances. They only know about your house or your piece of real estate you’re buying, but how much. They don’t really have financial information on me.
0:06:57.6 Bob Michie: I know, but it calls…
0:06:57.9 Kurt Baker: Interesting.
0:06:58.8 Bob Michie: It actually calls them out by name.
0:07:00.0 Kurt Baker: I wonder why that is.
0:07:01.6 Bob Michie: I don’t know.
0:07:03.0 Kurt Baker: Any theories on that?
0:07:03.1 Bob Michie: It’s just, they’re part of that whole data stream. And here’s the thing, if the property appraiser gets compromised and the appraiser sends information back to the title agency or the bank, that’s another entry point. So it’s using that other person’s trust. So it’s really having to vet all the vendors that are part of the transaction.
0:07:26.2 Kurt Baker: Or maybe they don’t want… Well, I’m thinking of another angle, maybe it’s that because years ago they had issues with appraisals being inflated or wrong. So what if somebody has access or able to breach the appraiser system…
0:07:35.6 Bob Michie: There you go.
0:07:36.0 Kurt Baker: They could then put fraudulent appraisals in, which means that another person could actually lend money at a much higher level than they should have. And now you end up what we had back in the ’08, where people were upside down on mortgages because the appraisals were too high and they didn’t really, they weren’t correct. I’m just…
0:07:50.7 Bob Michie: Yeah. It’s…
0:07:50.8 Kurt Baker: I’m theorizing here. But…
0:07:52.0 Bob Michie: Yeah. Exactly. We can guess all day.
0:07:53.3 Kurt Baker: It affects the financial transaction in some way and affects your financial life in some way, is what it sounds like. ‘Cause it’s a very broad brush.
0:08:02.1 Bob Michie: But the very last definition that they have in there for the, when they’re talking about the actual companies, they actually define something called a finder.
0:08:11.8 Kurt Baker: Okay.
0:08:12.7 Bob Michie: A finder is an individual, could be somebody at a networking group that you met. Maybe you know somebody that’s looking for a mortgage, and you make a referral to somebody. You’re not part of the transaction. You’re not gonna get…
0:08:24.8 Kurt Baker: No, I just said Susie go talk to Tom.
0:08:26.7 Bob Michie: You’re not gonna get compromised or know any information about that.
0:08:30.3 Kurt Baker: Right.
0:08:30.7 Bob Michie: Compensated rather. You’re not gonna know any information about that. You’re still classified as a finder in that definition. I don’t know how it’s gonna get enforced, but it really goes down…
0:08:39.0 Kurt Baker: I’m not sure what encrypted and what information I’m supposed to be protecting for that transaction.
0:08:42.6 Bob Michie: Exactly. [laughter] But it’s really…
0:08:44.2 Kurt Baker: Not sure what I just did.
0:08:45.3 Bob Michie: It’s really for your business to really protect everything that you are doing. And how…
0:08:50.5 Kurt Baker: So even if it’s not part of my business, if I’m sending… Like at a chamber event, if I’m referring people to other people…
0:08:57.3 Bob Michie: By the definition.
0:08:57.5 Kurt Baker: I have to have my data encrypted even though none of my data is part of this interaction that we’re having.
0:09:04.4 Bob Michie: Yeah.
0:09:04.7 Kurt Baker: None of it other than my name, maybe.
[laughter]
0:09:06.5 Bob Michie: It’s gonna be a hard one to really pursue. But there’s actually real monetary fines for data breaches now.
0:09:15.4 Kurt Baker: Okay. So, alright. So obviously there’s the stick involved here. So we have to…
0:09:20.2 Bob Michie: There’s a big stick.
[laughter]
0:09:21.1 Kurt Baker: There’s a really big stick. So what do we know so far about what all this means? So what should I be doing as a small business? I mean, the bigger businesses, hopefully they’re paying attention. If they’re not, they better get on the board because they have like no time. Even smaller business. What should we all be kind of doing now to see if we’re in compliance, or what kind of are the first steps?
0:09:40.6 Bob Michie: So there’s nine steps that they, that the FTC defined for businesses that have access to over 6,000 records. And that…
0:09:48.6 Kurt Baker: Okay.
0:09:49.0 Bob Michie: And that’s actually another definition to really look at because it’s not necessarily 6,000 of your records. Because if you’re a service provider and say you’re a bookkeeper and you’ve got access to a bunch of client records, all those records add up as some stuff that you can add to. So we really tell people to… There is an exemption in what needs to be done. So there’s nine steps that… Nine steps of things that people have to do today. And the exemption takes some of them away. But I can’t do the rest of them without doing everything.
0:10:22.7 Kurt Baker: Okay.
0:10:23.3 Bob Michie: So everything for a small business really starts with the cybersecurity risk assessment. Let’s understand where the data is before we can protect it.
0:10:32.0 Kurt Baker: Right. Which, of course, everybody should be worried about cybersecurity anyway, regardless of the regulation because it is a real threat. You don’t wanna get locked out of your own data. You don’t want people breaching your own data and messing with it because that’ll create a big mess. ‘Cause most of us hold a lot of information there, which can affect us, right? All right, so what we should probably do is kind of go through each of these steps. And maybe walk through what we need to do. But before we get into that, why don’t we just take a quick break right now and you’re listening to Master Your Finances. We’ll be right back.
0:11:00.1 ANNOUNCER: This is Master Your Finances with Kurt Baker, Certified Financial Planner professional. Learn about tax efficiency, liability, owning, managing, and saving your money, and more from Kurt and his experienced panel of guests. Master Your Finances is underwritten in part by Certified Wealth Management and Investment, and Rider University. Rider University offers flexible education for adult learners. For more information, it’s rider.edu/nextstep.
[music]
0:11:31.8 Kurt Baker: Welcome back. You’re listening to Master Your Finances. I’m here with Bob Michie and we’re talking about cyber security and a June 9th deadline and the nine steps that we should be taking that the federal government has put out. The FTC is saying that we need to take care of, to be in compliance. So you want to give us an idea of what these things are that we should be doing and how we should be doing it?
0:11:56.4 Bob Michie: Sure. We can certainly run through some of these. And there’s a lot of detail in the FTC regulation itself, but one of the main things to really start looking at is, we mentioned a minute ago, is the cybersecurity risk assessment. You need to assess where your data is, how it’s protected, and what vulnerabilities there exist. And the FTC regulation actually says you need to have a qualified individual do that. It doesn’t specify specific qualifications or certifications that it needs to have, but it’s not something that you’re going to be giving to the secretary in the office and say, “You’re now our qualified individual.”
0:12:43.6 Kurt Baker: You just can’t bless somebody in the office and say, you’re our qualified person for this activity. Because that may be… So you have to have to say you did at least some kind of due diligence about who this qualified person was. Like they had something.
0:12:54.5 Bob Michie: Right. And…
0:12:55.5 Kurt Baker: You can’t… They don’t define it though.
0:12:55.7 Bob Michie: And that’s the thing, I actually was on a call with the attorney at the FTC that wrote it.
0:13:00.8 Kurt Baker: Okay.
0:13:01.0 Bob Michie: And they said, “No, we didn’t put a specific qualification in, you don’t have to have a CISSP or any specific security certifications, but you have to be qualified from… You have to have somebody qualified looking at it.” And they left it very vague.
0:13:14.7 Kurt Baker: Okay. All right.
0:13:16.7 Bob Michie: As long as companies are going through that process, you could do it with a third-party, you can have a third-party be your qualified individual. You don’t have to hire them on staff. But that qualified… The third party is going to have to be working with somebody of appropriate authority at the firm, or a practice to actually implement change when it ultimately comes down to it.
0:13:39.6 Kurt Baker: All right. So you need a qualified person, not defined, but it has to be a qualified person that knows what… Basically, somebody that knows what they’re talking about. Knows what they’re looking for.
0:13:46.0 Bob Michie: Absolutely.
0:13:47.4 Kurt Baker: Okay. So you start off with the cyber risk assessment, which is kind of where most baseline start. Now you sound like you’re in my profession. Right? Let’s talk about the basics.
0:13:53.5 Bob Michie: Exactly.
0:13:53.8 Kurt Baker: Where are we at now? Yeah. So you wanna make sure, Okay, what do we know? What are the big holes? What things are going in good shape, and how do we fix it? So that’s the baseline. So you start off with the risk assessment and then where do we go from there? So obviously… Yeah.
0:14:06.5 Bob Michie: And then we go from there. We’re gonna find stuff, we’re definitely gonna find stuff in the risk assessment and the FTC regulations actually pull some stuff out. And just like the insurance companies are asking about multi-factor authentication now, the FTC is saying it’s gotta be there. So that… They actually class dropped the multi-factor authentication as one of the requirements as it’s not dropped it, but it’s listed there as you must do it.
0:14:32.3 Kurt Baker: Oh, you must do the multi-factor authentication. Because I have noticed, especially in the last year, that everybody was kind of delaying and I was… Some of them, I was kind of surprised. Some fairly large entities were not doing the multi-factor authentication, which I just kind of thought was like, Why not? And, but I know there’s technology behind it, but I feel like everybody that I’m aware of that has anything to do with this data personally seems to have this in place now.
0:14:54.6 Bob Michie: They do.
0:14:55.1 Kurt Baker: At least, who I’m dealing with, so.
0:14:56.8 Bob Michie: But what we’re still seeing is a lot of smaller companies are not enforcing it for some of the most critical things like email.
0:15:06.8 Kurt Baker: Okay. That’s true. And they do let you… Yeah, that’s true. Like, they’ll have it, but that you don’t have to necessarily opt into it.
0:15:10.8 Bob Michie: Right.
0:15:12.9 Kurt Baker: That’s also true, actually. Okay.
0:15:14.5 Bob Michie: So, now, in the near future, in the next couple months, Microsoft’s gonna mandate it on the Office 365 platform. It’s just gonna be… It’s not gonna be an option to not use it because it’s just, once the bad guys get into an email account…
0:15:31.5 Kurt Baker: They can go anywhere.
0:15:32.7 Bob Michie: They can go anywhere. Well, they get access to everything that’s in that environment, so…
0:15:38.0 Kurt Baker: We use the email for a lot of things, right? That’s how you validate. That’s how you get… That’s how you get authenticated. Sometimes you can send out a 2nd step by going to the email address. Right?
0:15:46.8 Bob Michie: You can go to the email address. And that’s why we recommend that email and text messages aren’t the method of authentication. If possible use an app based authentication on your phone because it’s a lot harder to replicate.
0:16:02.0 Kurt Baker: Okay. So use those authenticator apps that we have on our phones.
0:16:05.5 Bob Michie: Absolutely.
0:16:05.6 Kurt Baker: That not everybody’s using, so I know you can choose. So what you’re telling us now is forget the email, forget the text messaging, which I was… It was interesting. I was surprised the first time I heard that they can defeat texting to your phone, which I thought was kind of interesting. I think they can work around it somehow, apparently.
0:16:21.1 Bob Michie: So there’s a couple different ways. But they… There’s a video that was done for a TV station where someone pulled up YouTube of a baby crying in the background then called up the mobile phone company and had the phone moved to a different physical handset.
0:16:41.9 Kurt Baker: Oh, seriously? Wow.
0:16:43.8 Bob Michie: Yeah. They social engineered the cellular provider, here’s my new phone. I don’t have the information, but here, move it over. And…
0:16:54.4 Kurt Baker: And they did it.
0:16:55.1 Bob Michie: And they did it. The woman was very convincing. She had this, a YouTube video playing in the background of a baby crying.
0:17:03.6 Kurt Baker: Oh. So they were feeling sorry for her. And they…
0:17:07.1 Bob Michie: They were feeling sorry for her, and she had her script right down. And most of these attacks that we’re seeing are all social engineering or email.
0:17:15.0 Kurt Baker: Okay. So there’s a human factor still involved in these breaches to a large amount, right? That’s my understanding at least.
0:17:20.9 Bob Michie: And that leads right into the next requirement of having security awareness training for your staff. Train your staff. No matter how big or how smart you think they are, we need to constantly remind people of breaches that can happen. And things to look for. I got a call last week of somebody that had been trained, he got a popup on his computer that said your computer’s infected call Microsoft for help. Well, he knew better than to call the number that they were giving them there. However, he pulled out his cell phone and googled Microsoft support and called a different set of bad guys, and proceeded to let them on his computer.
0:18:10.6 Kurt Baker: Yeah. I actually heard, happened to a family member of mine where they did it with Best Buy, where they looked it up online, Google searched Best Buy helpline. And sure enough, the number comes up and it looks authentic.
0:18:22.8 Bob Michie: Thank you for calling Microsoft.
0:18:24.8 Kurt Baker: And they just call up and they answer the phone and they go into your computer. And then I think it took about 3 or 4 days at least for them to get the computer back online again. It was a mess. Total mess.
0:18:33.0 Bob Michie: So in this case it was a minor incident for him. It was only $700 or $800 worth of Amazon purchases that happened because they let him on his computer.
0:18:43.6 Kurt Baker: Oh goodness.
0:18:43.9 Bob Michie: Before it got shut down. But getting that Amazon account back was painful.
0:18:49.0 Kurt Baker: So that’s an important thing to realize is that just by looking it up online, you’re not necessarily gonna get the real number. You need to find it from another source. Which is hard to do it. So you have to find it from a known source for sure. You gotta make sure it’s a known source.
0:19:02.5 Bob Michie: Yeah and we all… Most of us know that Microsoft doesn’t do end user support directly. And I’m not sure where he got it. But with the… The ironic thing, thinking about this is one guy, he… One guy got the popup on the computer and somebody else got the actual phone call. So who got the commission? [laughter]
0:19:20.3 Kurt Baker: Oh, right. Think they work together in the background? I don’t know commission that thing. [laughter] So not good. So they’re pretty smart out there, I think is the bottom line. So we have to be careful with what you’re doing and how you’re doing using known sources. Using things that you already have in your hands that you already know how to get a hold of it. Keep track of that stuff.
0:19:37.6 Bob Michie: Keep track of it and go to the actual URLs that you should be going to. And the safety tip there is if there’s sites that you go to a lot, bookmark them because it is so simple to type in the wrong URL.
0:19:56.0 Kurt Baker: Right. And they do buy those…
0:19:58.6 Bob Michie: They buy all the lookalikes.
0:20:00.3 Kurt Baker: The one digit off kind of URLs things, because they know how people make typing mistakes all the time. So once you get that down. So yeah, so you wanna make sure that you’re paying attention. Now when you go through this, and it sounds to me like this person was pretty smart, but they also… I know that a lot of people say that even though they do the training, they have to do ongoing basically pop quizzes kind of thing. So you don’t want to just say, “Oh, I’ve trained my people. They’re good to go.” ‘Cause we’re human beings and a week later they’re back to work again. And the same habits are gonna go back into place. So part of this process is to every once in a while kind of send them one of these things and see how they respond. Do they actually stop and think about it, or do they click on it and now you’re in trouble?
0:20:38.1 Bob Michie: And that’s definitely something that needs to be done. It’s actually called phishing test emails we’ll send out.
0:20:44.5 Kurt Baker: Okay.
0:20:44.9 Bob Michie: And if you answer the question back to the insurance application, I’ve seen where the insurance application asked if you were doing phishing simulation emails. And then if you say, “Yes,” they wanna know the click through rates. They wanna know stats of how successful is this and are people clicking on it? Everything is going into underwriting these days.
0:21:11.1 Kurt Baker: So even those tests. So how often do they expect you to kind of do these tests?
0:21:15.5 Bob Michie: The applications didn’t say anything specific about the test. We like to do them at least quarterly.
0:21:20.0 Kurt Baker: Okay.
0:21:20.9 Bob Michie: And we’ll send them out over the course of a quarter, probably different ones to different users. And if I want to, I can typically get a phishing email clicked on in about a week at a company.
0:21:37.2 Kurt Baker: Okay.
0:21:38.6 Bob Michie: ‘Cause I actually will send out three different ones.
0:21:41.2 Kurt Baker: Right.
0:21:41.8 Bob Michie: And they all lead up and stack on each other. And by the time people get to the third one, they’re like, “Oh, this is important, I’m gonna click on it.”
0:21:47.8 Kurt Baker: Oh, okay.
0:21:48.5 Bob Michie: So I will social engineer the phishing emails in some cases because like I said, 80% of the time we can get somebody to click on an email.
0:21:56.4 Kurt Baker: ‘Cause they’ll figure if it keeps coming back, then, “Oh, this must have been actually something that’s legit. It wasn’t a one-off kind of deal”.
0:22:01.5 Bob Michie: Well, actually what I’m talking about, I actually change it. The first one, I’ll send them a message that says, “You’re out of space on your Apple account.”
0:22:10.7 Kurt Baker: Okay.
0:22:11.7 Bob Michie: And then the next day I’ll send… I’ll actually send a fake message. I’ll send out a fake message that says, “Your Apple account’s been updated, the new subscription cost is X.”
0:22:21.8 Kurt Baker: Okay.
0:22:22.7 Bob Michie: And people are like, “Oh I’m not spending money. I gotta cancel this.” So they click.
0:22:27.7 Kurt Baker: Oh. So they’re concerned about it. Oh yeah. Okay. Well, that’s pretty incredible. And then what’s the third one real quick?
0:22:35.4 Bob Michie: The third one is, around Christmas we’ll include FedEx messages.
0:22:39.9 Kurt Baker: Okay. All right. So basically vary it and see what people are gonna do on that. So that’s awesome. We’ve got a lot more things to go through, but we’re gonna take another quick break. You’re listening to Master Your Finances.
0:22:49.9 ANNOUNCER: This is Master Your Finances with Kurt Baker, Certified Financial Planner Professional. Learn about tax efficiency, liability, owning, managing, and saving your money and more from Kurt and his experienced panel of guests. Master Your Finances is underwritten in part by Certified Wealth Management and Investment and Rider University. Rider University offers flexible education for adult learners. For more information, it’s rider.edu/nextstep.
[music]
0:23:23.5 Kurt Baker: Welcome back. You’re listening to Master Your Finances. I’m here with Bob Michie, and we’re talking cyber security and the nine steps, the things that you should be doing to get ready for June 9th, which is right around the corner, which is an extended date. So those of you who didn’t know about the date, you’ve already missed the first deadline. And you just got lucky, then now you know there is a deadline. So it’s time to really get basically serious about cybersecurity not just because it’s a good thing to do, but also because the FTC is gonna start watching and having large penalties if we don’t do the right thing. There’s another aspect to this, which we don’t wanna really have to deal with frankly.
0:23:56.5 Kurt Baker: Okay, so we got the parts that we did now, which are really you wanna set up your cybersecurity risk assessment, and then you have to start bookmarking sites, making known sites, and be careful when you call these numbers out of the emails, and setting up some type of testing system where you know that the employees are kind of paying attention to these emails that are coming, so they don’t accidentally give the bad actors, so to speak, access to your system. So once they get the emails, then they can get a lot of stuff, and that’s a really bad one. So after those, what are some of the other things that we should be doing?
0:24:28.6 Bob Michie: So just to follow, just to continue on from the training aspect, I actually lump employee training and monitoring together. And monitoring is much more than what the individual is doing. It’s really in watching what that computer or system is doing because there’s a lot of, when the bad guys are getting into systems they’re setting up stuff for these systems. They’re setting up persistent threats so that these systems are calling home to go let the bad guys in in the future to do stuff.
0:25:02.3 Kurt Baker: It just sounds like ET, gotta phone home here.
0:25:04.8 Bob Michie: Yeah, pretty much.
0:25:06.6 Kurt Baker: Okay. All right.
0:25:07.9 Bob Michie: So depending on what report you look at the, it could be 100-200 days that the bad guys are sitting there going around looking at systems before people even…
0:25:20.1 Kurt Baker: So let me… Yeah, make sure… So what they’re doing is they’re getting access to your computer, and the computer is now talking to the bad actors. And then the bad actors figure out when’s the optimal time to actually kind of take it. This sounds a little bit like what happened to Sony where they were in the system for a long time before they actually found out what was going on. And then they started threatening with all this stuff that, “We’re gonna reveal all this information.”
0:25:40.9 Bob Michie: Well, during that time that they’re actually on the system, they’re actually extracting data and looking at it. We’ve seen incidents where the bad guys have asked for the exact amount of cybersecurity insurance or the exact bank account balance because they’re watching and they know and they’re finding everything. So that really means that there’s additional monitoring that’s gotta happen from a cyber perspective versus just buying antivirus and assuming that it’s gonna catch everything. And these are real people that… We actually use a real cyber team to actually monitor what’s going on. We are using AI to review some of that stuff and then send it to a real set of eyes to know what’s going on.
0:26:18.2 Kurt Baker: My understanding is like the cyber… Not the cyber security, but the antivirus thing is kind of more of a reactive. Like, “If it gets in the system now, we’re gonna try to get rid of it.” But this is more of a proactive thing where, “We’ll just try to stop this stuff as fast as we can once it gets there.” It’s a little bit different as far as the way it works, as far as…
0:26:38.0 Bob Michie: Most of the antivirus tools out there, you actually get downloaded signature, they call signatures which are…
0:26:43.6 Kurt Baker: Right.
0:26:44.1 Bob Michie: It’s looking for known threats.
0:26:45.6 Kurt Baker: Right.
0:26:46.0 Bob Michie: So if it’s seen it before, the antivirus can stop, can prevent it…
0:26:50.2 Kurt Baker: Okay.
0:26:50.8 Bob Michie: The stuff I’m talking about the persistent threats are these applications that are calling home to new command and control systems that are sitting out there, that the bad guys are going after. In fact, the… We won’t get… Topic for another call would be a recent FBI operation that was called the Operation Cookie Monster. They took down the bad guys.
0:27:14.1 Kurt Baker: Oh, I like that part.
0:27:15.0 Bob Michie: Yeah it was pretty good. [laughter] But the monitoring piece really is a third party process for what’s going on because nobody’s gonna build these systems… Build a 24/7 center for people to monitor. That’s one of the things that we take care of.
0:27:30.9 Kurt Baker: Okay.
0:27:34.2 Bob Michie: Part of the… Back to the FTC list is… It actually spells out you need to create a written incident response plan.
0:27:40.5 Kurt Baker: Okay.
0:27:41.8 Bob Michie: Now, written incident response plan really is documentation about what you’re going to do when a breach happens. Not if it happens, but when it happens.
0:27:51.2 Kurt Baker: Okay.
0:27:52.1 Bob Michie: Who you gonna call? Do you have that list of data available? Because we recommend everybody have cybersecurity insurance.
0:28:00.2 Kurt Baker: Okay.
0:28:00.2 Bob Michie: It’s just good practice today and the cyber insurance company is gonna want to get involved right at the start and help manage this breach.
0:28:12.5 Kurt Baker: Okay.
0:28:13.1 Bob Michie: If there is a breach. They’re gonna help you determine if there is. And that’s called… That would lead to an incident response team being assigned from the insurance agency, typically.
0:28:26.5 Kurt Baker: Oh wow. Okay.
0:28:27.4 Bob Michie: Because if someone gets a data breach, and they call their IT guy say, “Oh, my computer’s compromised put it back the way it was.” They’ve just destroyed evidence in today’s environment.
0:28:40.8 Kurt Baker: Okay.
0:28:41.4 Bob Michie: So we’ve just corrupted a crime scene, or made a crime scene go away and in that case the insurance company might not even acknowledge the threat, might not even pay.
0:28:51.1 Kurt Baker: Is this what I hear digital footprint? Is that where that gets involved?
0:28:54.0 Bob Michie: Yeah, that’s part of it.
0:28:54.7 Kurt Baker: You can see how they got to that point. I guess you can back into and maybe find these bad actors somehow is that what you’re trying to do?
0:29:01.7 Bob Michie: I don’t know if we’re gonna find the bad actors, but we wanna find out what they accessed.
0:29:04.8 Kurt Baker: Okay.
0:29:05.0 Bob Michie: So we talked a little earlier about email being compromised.
0:29:08.5 Kurt Baker: Right.
0:29:09.1 Bob Michie: So we worked with somebody that had his email compromised where the bad guys were in his email and resent invoices after he sent them with different routing information, so he didn’t get paid.
0:29:22.3 Kurt Baker: Okay.
0:29:23.2 Bob Michie: So that person notified the insurance company, the insurance company assigned a cyber team to invest… a breach response team. It was $35,000 of investigation and forensics.
0:29:34.3 Kurt Baker: Wow.
0:29:34.3 Bob Michie: To figure out what these bad guys accessed.
0:29:38.9 Kurt Baker: Okay.
0:29:40.6 Bob Michie: Because when the bad guys are in your account, we have to assume every single email that’s sitting there right now, the bad guys read.
0:29:48.9 Kurt Baker: Wow, that could be a lot of emails.
0:29:50.3 Bob Michie: There’s nothing confidential in your email?
0:29:51.9 Kurt Baker: Oh, no. Definitely not. [laughter] So that’s… So I guess on the email side, I know a lot of the industries now are going to like encrypted emails themselves. The email itself is encrypted. So does that aspect assist with this process or is that…
0:30:08.3 Bob Michie: If it’s sitting in your email account? No.
0:30:11.3 Kurt Baker: Okay.
0:30:11.8 Bob Michie: Because they’re accessing those emails just as if they were you.
0:30:15.4 Kurt Baker: Okay. So the end-to-end, that’s only gonna do it while it’s in transit. But if you have a fully… The actual account itself is something you have to… Is an encrypted email account, which is another step. So it’s a little bit different.
0:30:27.5 Bob Michie: Some of the encrypted emails. Yes. There could be a platform just for sending this one-off message and it is not being saved as a sent item in your email.
0:30:36.0 Kurt Baker: Okay.
0:30:36.5 Bob Michie: ‘Cause that’s where the… They’re looking at your sent items. They’re looking at stuff that’s coming in.
0:30:40.4 Kurt Baker: Okay.
0:30:40.8 Bob Michie: And when they get in your email, sometimes they’ll actually create rules, so that you don’t even see responses coming in.
0:30:47.1 Kurt Baker: Okay.
0:30:47.5 Bob Michie: So if you’re… If in this case the person was sending back emails from his client and they were getting redirected to a different folder, he never saw them.
0:30:58.0 Kurt Baker: Oh wow. That’s not good.
0:30:58.7 Bob Michie: So the bad guy was really interacting in his email real time as him and we can trace it down. And in this case, this person did not have multi-factor authentication turned on.
0:31:10.0 Kurt Baker: Okay.
0:31:10.4 Bob Michie: He does now. [laughter]
0:31:11.1 Kurt Baker: I’ll bet. [laughter] He’s probably using the app too, right? [laughter] So It’s like… I guess. Sometimes we learn the hard way unfortunately. But yeah, so essentially take advantage of all these things, right? So…
0:31:26.9 Bob Michie: So in addition to the written incident response plan, the FTC would like to see written policies and procedure. How do you destroy old computers and old data?
0:31:38.3 Kurt Baker: Okay.
0:31:38.7 Bob Michie: There’s a whole list of policies in the reg that they recommend that you should have. But destruction of data and destruction of PCs is a big one because…
0:31:50.4 Kurt Baker: So any recommendations on if I need, I’m replacing a PC, I’m getting rid of the old one. Any steps I should take with the old PC that you would recommend before we throw it in the garbage?
0:32:00.2 Bob Michie: Definitely.
0:32:00.6 Kurt Baker: Or in a grinder. [laughter]
0:32:01.6 Bob Michie: Actually taking it to the recycling center and having them drop it in the grinder is one thing.
0:32:06.3 Kurt Baker: Okay.
0:32:07.2 Bob Michie: You wanna come up with a process for securely wiping the hard drive on the device.
0:32:11.7 Kurt Baker: Okay.
0:32:12.1 Bob Michie: There are definitely free… There’s tools out there that’ll do it. There’s services to where you can actually just pull the hard drives out and wipe them.
0:32:22.0 Kurt Baker: Okay.
0:32:22.2 Bob Michie: And those I actually saw one nonprofit up in Randolph I think that actually takes old electronic computers. All anything with a plug. I think they take and they’ll actually pull the hard drive out and give you a Certificate of Destruction.
0:32:36.0 Kurt Baker: Okay.
0:32:36.3 Bob Michie: And that’s the thing, we really wanna follow that data path of the lifecycle. That hardware, if you destroy stuff, document that you destroyed, take pictures of it or get a certificate it’s been destroyed because… I don’t care, you could take it outside and beat it with a hammer.
0:32:49.5 Kurt Baker: Okay.
0:32:49.9 Bob Michie: Beat the hard drive with a hammer and call that destroyed. Just document it.
0:32:54.2 Kurt Baker: Okay. You gotta take movies of yourself and then you can throw it on YouTube and maybe make a few bucks off of…
0:33:00.6 Bob Michie: There you go. [laughter]
0:33:00.9 Kurt Baker: Your destruction technique, [laughter] latest and greatest, right? Okay.
0:33:04.6 Bob Michie: Now if we’re in Texas, well we destroy them in different ways.
0:33:07.0 Kurt Baker: Okay right. [laughter]
0:33:07.7 Bob Michie: Shoot them.
0:33:09.0 Kurt Baker: Firearms might be involved. Is that what you’re trying to tell us? Okay. But as long as you’re destroying it and you’ve documented that you did it, which is interesting. So even if you’re doing it yourself, you still need to document what you did.
0:33:20.4 Bob Michie: Yeah. Because you can’t… You need to prove it in the future, ’cause if someone says, I got data off one of your old hard drives, like, wait a minute, I destroyed all my hard drives here’s documentation of everything that we destroyed, and…
0:33:29.8 Kurt Baker: Okay.
0:33:30.0 Bob Michie: And all that stuff.
0:33:30.8 Kurt Baker: Good and that’s smart.
0:33:33.1 Bob Michie: And part of the risk assessment really is documenting the inventory of what you have.
0:33:37.5 Kurt Baker: Okay. Good advice. Okay? So what else should we be doing?
0:33:43.9 Bob Michie: What else should we be doing?
0:33:45.0 Kurt Baker: Yeah.
0:33:47.5 Bob Michie: I think we’ve hit pretty much everything in that list.
0:33:50.4 Kurt Baker: Is that the nine steps?
0:33:52.5 Bob Michie: Yeah we…
0:33:52.8 Kurt Baker: Okay. I know we kind of combined them as we were talking, so…
0:33:55.9 Bob Michie: Yeah, we tend to combine some of them when I present having that incident response plan and knowing who to call, that’s really the big one.
0:34:03.2 Kurt Baker: Okay.
0:34:03.4 Bob Michie: And I’ve got this, the checklist that we’ve been using.
0:34:08.4 Kurt Baker: That’s awesome. All right. Well, that’s a great wrap up, so we’re gonna take another quick break. You’re listening to Master Your Finances.
0:34:14.9 ANNOUNCER: This is Master Your Finances with Kurt Baker, Certified Financial Planner, professional. Learn about tax efficiency, liability, owning, managing, and saving your money, and more from Kurt and his experienced panel of guests. Master Your Finances is underwritten in part by Certified Wealth Management and Investment, and Rider University. Rider University offers flexible education for adult learners. For more information, it’s rider.edu/nextstep.
0:34:47.6 Kurt Baker: Welcome back. You’re listening to Master Your Finances here with Bob Michie. And we’re talking about cyber security. So we went through kind of the basics of the things that we need to do for this June 9th deadline, which is really just intelligent security assessing, getting the insurance in place, taking the steps necessary to protect yourself and doing the proper training with yourself and your employees to make sure that they know the initial upfront, like what they should be doing, and then the ongoing monitoring, which is a huge thing. I know.
0:35:14.5 Bob Michie: Absolutely.
0:35:15.0 Kurt Baker: In my world, monitoring is the biggie. You can always set things up, put the greatest plan in the world to place, but once life starts, things change. And you just need to be ongoing monitoring and making sure that you’re keeping up with the reality of what’s going on. Same thing with the security world. The bad actors are getting smarter, so we need to stay on top of it and get smarter too. So what other advice do you have for everybody out there who has data, which is all of us and maybe has a business and needs to kind of protect things.
0:35:40.8 Bob Michie: Nobody’s got a shortage of data. So we actually spend a lot of time working with law firms and CPAs. And I’ve been talking to several CPAs over the past couple weeks about the FTC regs, and it was pretty funny that several of the CPAs I talked to hadn’t heard about it at all yet there’s an impending deadline right after tax season for them.
0:36:04.7 Kurt Baker: Right. That’s all I want to hear is another deadline.
0:36:06.5 Bob Michie: Yeah, another deadline. But the comment from them was, “Why didn’t the IRS tell us about this?”
0:36:15.0 Kurt Baker: Because they’re not the FTC.
0:36:15.3 Bob Michie: Because they’re not the FTC. The FTC is trying to protect the consumers. The IRS is trying to collect money.
0:36:22.2 Kurt Baker: Right. Different missions, exactly.
0:36:23.4 Bob Michie: And so the funny thing is looking through some of the FTC regs, if the CPA has been diligent about doing everything that the IRS wants them to do there’s not a whole lot of additional work to do.
0:36:39.2 Kurt Baker: Okay.
0:36:39.9 Bob Michie: But because when they sign up with the e-filing process, there’s a checkbox in there. Obviously, I haven’t done it myself, but I’ve been told there’s a checkbox there that says that you’re complying with all the IRS regs for securing the client data. One of those is actually creating written incident response plans or written information security plan. And a lot of people don’t have it. So. Yeah we do have the June 9th deadline coming soon. This is not something that can be implemented overnight.
0:37:12.9 Kurt Baker: Right.
0:37:13.0 Bob Michie: But at least let’s get it started. Doing nothing is worse.
0:37:16.4 Kurt Baker: Oh, I agree 100%. I mean, I think hopefully they’ll be a little bit, as long as you’re taking action and moving in the right direction, you would hope that they’ll give you a little bit of leniency, but you can’t guarantee it. So do as much as you can before the ninth.
0:37:28.0 Bob Michie: Well, and we can’t guarantee that no one’s gonna get a data breach either.
0:37:31.5 Kurt Baker: Right.
0:37:31.8 Bob Michie: You know?
0:37:31.8 Kurt Baker: Well, that’s the other thing of it. You wanna be ready regardless.
0:37:34.0 Bob Michie: We actually, we’re here to help people manage and mitigate that risk, but no way if anyone comes and says we’re gonna absolutely stop it. Well, the only thing we’re gonna stop it is use the pencil and paper in the room and close the door.
0:37:44.2 Kurt Baker: Okay.
0:37:44.3 Bob Michie: But…
0:37:44.3 Kurt Baker: So we have to pull out the quill pens again, and.
0:37:47.2 Bob Michie: There you go. So I know you got… One of the things we worked with on… One of the things that came in, was it last February? On security team was we got a… The team got a call from a CPA firm looking for a pen test, which was kind of weird. A pen test, penetration test to see what’s happening, to see what would happen or what vulnerabilities they might have. And it’s kind of weird because a tax season for a CPA, they don’t wanna do anything but taxes.
0:38:18.8 Kurt Baker: Yeah, they’re pretty busy, yeah.
0:38:21.5 Bob Michie: So we dug… The team dug a little deeper and figured out that the reason they were calling was because their e-filing status had been shut down, because the IRS… From the IRS because someone was using their accounts.
0:38:36.0 Kurt Baker: Oh my goodness.
0:38:36.6 Bob Michie: And what happened was an email got compromised at the company and every day when the CPA went to log in or e-file, he had to reset his password.
0:38:50.2 Kurt Baker: Oh.
0:38:51.3 Bob Michie: Because the night before, the bad guys were getting in and using his email account to change the password to refile.
0:39:00.1 Kurt Baker: Oh my goodness.
0:39:01.2 Bob Michie: So there were hundreds of accounts that were e-filed on their behalf and it just turned into a really bad day.
0:39:12.2 Kurt Baker: That sounds awful.
0:39:12.3 Bob Michie: Yeah.
0:39:12.6 Kurt Baker: ‘Cause I’m assuming they’re after things like refunds.
0:39:14.6 Bob Michie: They were after things like refunds.
0:39:16.1 Kurt Baker: [laughter] Okay. So they’re redirecting the refunds and putting the new ABA and the new account numbers and all this kind of good stuff in there, so…
0:39:22.1 Bob Michie: Absolutely so.
0:39:22.7 Kurt Baker: Instead of your happy client getting their refund, that’s your unhappy client saying, “Where’s my refund?”
0:39:27.7 Bob Michie: And if the bad guys do it soon enough, they file early and file often…
0:39:33.3 Kurt Baker: Right.
0:39:34.8 Bob Michie: They’re getting those filings in.
0:39:36.1 Kurt Baker: ‘Cause that happens pretty quickly. The IRS is pretty good at doing these refunds, so you better act fast.
0:39:41.7 Bob Michie: You better act fast, ’cause most people drag their feet to file their taxes and when they go to file, “Oh, you’ve already filed.”
0:39:48.7 Kurt Baker: Yeah, that would be a very bad day.
0:39:50.2 Bob Michie: But yeah, can you imagine, but from the CPA perspective, from a business perspective, telling your client, you can’t file today because you can’t access the IRS.
0:39:58.9 Kurt Baker: Right.
0:40:00.3 Bob Michie: So you know, short story… Make it a short story, they had to go through and do a mitigation, and incident response to actually prove that they’ve secured their data in a better way to actually get back into the IRS systems.
0:40:17.2 Kurt Baker: Okay. Were they able to go back and stop these returns from being sent to the wrong direction?
0:40:22.5 Bob Michie: That I don’t know. I didn’t get that deep into what was actually happening on the business side there, but it’s just…
0:40:27.1 Kurt Baker: That’s not bad. That’s…
0:40:28.5 Bob Michie: It’s just so easy especially using something like we talked earlier about email, using email as your multi-factor.
0:40:35.8 Kurt Baker: Okay, so email is out for multi-factor, text messaging is out for multi-factor. Use the authentication app. We’ll just keep saying that, right?
0:40:42.3 Bob Michie: Always where possible and encrypt your data.
0:40:46.0 Kurt Baker: Okay. And encrypt the data. That’s the hard drive encryption, because a lot of people don’t realize you can encrypt the data on the hard drive. Yeah.
0:40:52.3 Bob Michie: You can definitely encrypt the data on the hard drive. The other piece that people don’t realize how easy it is for the bad guys to really get access to a system once you click that link or open that Word document.
0:41:08.1 Kurt Baker: Okay.
0:41:08.2 Bob Michie: And these protections are meant… The monitoring pieces are meant to watch for things like this. But right before… The last live demo I did before COVID was a… It was a what the hacker sees when you click on that link demonstration live.
0:41:27.6 Kurt Baker: Okay.
0:41:28.6 Bob Michie: So I had two PCs… We had two PCs in the room and I did a demo of what would happen if you clicked on, and then, you know, someone would open up the Word document and then over on the other computer I could access the documents, I could turn the camera on without the…
0:41:44.5 Kurt Baker: Okay.
0:41:45.2 Bob Michie: And turn… That little light doesn’t mean a whole lot. We can turn that off, so you can actually sit there and record it.
0:41:49.2 Kurt Baker: Oh, you can turn the light off, so that doesn’t help you. [laughter]
0:41:51.1 Bob Michie: Nope. You know…
0:41:54.2 Kurt Baker: … I had a little thing which had a little slider where we can just slide it over the camera.
0:41:56.9 Bob Michie: I’ve seen a lot of laptops come back with poster stamps on them.
0:42:00.6 Kurt Baker: Right.
0:42:00.7 Bob Michie: Over the camera that was…
0:42:01.7 Kurt Baker: Have you ever seen the pictures of… Who was it? I think it was Mark Zuckerberg used to have a piece of tape over his camera on. They showed something…
0:42:08.3 Bob Michie: Or Band-Aid, yeah.
0:42:08.6 Kurt Baker: Yeah, something over the camera because he figured old tech I mean here’s his tech guy and he’s using the basics right?
0:42:14.9 Bob Michie: Right.
0:42:15.0 Kurt Baker: Sometimes the basics work better than anything, right?
0:42:17.4 Bob Michie: Now the laptops have built in slides to cover the camera or turn the mic off, but…
0:42:21.7 Kurt Baker: Right, which is… Yeah, but most computers don’t have that, so you gotta rely on just protecting yourself. So it’s almost like immediate, it sounds like. Once you click on the link, boom, they’re in.
0:42:33.3 Bob Michie: It was immediate, so she clicked on the link… Actually she opened the Word document. It wasn’t even the link. So she open… In this case just…
0:42:38.3 Kurt Baker: Just by opening the Word document.
0:42:39.1 Bob Michie: She opened the Word document, the Word document reached out over the internet and called home and said, “I’m here. What do you want me to do?”
0:42:46.8 Kurt Baker: Wow.
0:42:47.2 Bob Michie: So these guys have really incredible tools and I ended the presentation with the question. I was like, “Everyone’s heard of key loggers, but have you ever seen one?”
0:42:58.1 Kurt Baker: Okay.
0:43:00.0 Bob Michie: Key logger will record all your keystrokes.
0:43:00.6 Kurt Baker: Right.
0:43:02.2 Bob Michie: And this is why we don’t want people using home computers to access the business resources, ’cause we don’t know what’s on them.
0:43:10.8 Kurt Baker: Right, that’s true.
0:43:11.6 Bob Michie: What did the kids download last night? What other things got into it and if the bad guys have access to the computer they can see the screen.
0:43:20.5 Kurt Baker: Okay.
0:43:21.7 Bob Michie: And the keys.
0:43:23.2 Kurt Baker: So if you’re a business owner who has remote employees you should have those computers protected as well, correct?
0:43:29.4 Bob Michie: Absolutely.
0:43:30.2 Kurt Baker: Yeah, so not just your ones in the office, but anybody who’s accessing it. So I assume there’s a way to make sure that you don’t let them access unless they have the proper security in place if they’re employee.
0:43:38.7 Bob Michie: Right, so we want to deploy business class computers to the home users and manage them appropriately with corporate level firewalls protections.
0:43:50.0 Kurt Baker: Okay.
0:43:52.0 Bob Michie: But back to the key logger.
0:43:52.6 Kurt Baker: Okay.
0:43:54.1 Bob Michie: So I said no one’s seen it. Would you like to see one? So I told the assistant that I had there it was one of the… It was one of our clients, and I was like I prepped her to do it. So she went to QuickBooks Online and I said put in a username and a password but don’t hit return.
0:44:10.1 Kurt Baker: Okay.
0:44:11.2 Bob Michie: And then I turned around and hit return and popped the password up on the screen that she just keyed.
0:44:16.9 Kurt Baker: Okay.
0:44:17.2 Bob Michie: She jumped out of her chair.
0:44:18.3 Kurt Baker: I’ll bet.
0:44:21.2 Bob Michie: And she… I had told her ahead of time we were gonna do it. She didn’t really believe it was gonna happen and it was that quick. It wasn’t even that she had to hit submit or anything, the actual key…
0:44:27.7 Kurt Baker: Just by actually pressing the keys themselves.
0:44:29.9 Bob Michie: Yeah.
0:44:31.3 Kurt Baker: Wow, wow. Yeah, so they’re pretty smart.
0:44:35.0 Bob Michie: These guys have nothing but time on their side and these are organized businesses.
0:44:40.0 Kurt Baker: Right.
0:44:40.3 Bob Michie: And in fact they’re so smart. You look at salesforce.com and all these other places, they’re software as a service. Well, now we can buy Hacking as a service.
0:44:49.9 Kurt Baker: Hacking as a service.
0:44:51.0 Bob Michie: Hacking as a service.
0:44:52.3 Kurt Baker: Okay.
0:44:52.8 Bob Michie: And they will actually split the ransomware with the person that gets them infected.
0:45:03.9 Kurt Baker: So if I break into… What was it? Atlanta or someplace then they’d shut down the whole city or something at one point? Or I forget what they did. It was in Atlanta somewhere. Some large government entity and it took them a while…
0:45:15.0 Bob Michie: It took them a while.
0:45:16.3 Kurt Baker: To get everything back up and running. So it happens. So even these big… We hear about the big ones, but I think what’s important is that even these small businesses have a lot of vulnerability because they know there’s money there too. I mean a small business owner a couple business… They know that these things have decent amount of assets in these checking and saving, you know these accounts, so they go after them.
0:45:35.6 Bob Michie: And you actually hit it right on the head. People say I don’t have anything that the business wants… That the bad guys want. Everybody listening to this has a bank account. That’s what the bad guys want.
0:45:45.3 Kurt Baker: Right. So by logging in on the keystrokes like you just pointed out they can get whatever they want. So any final words of wisdom before we sign off today? It’s pretty awesome.
0:45:53.8 Bob Michie: My final words always are, Make sure you’ve got multi-factor authentication in it and to comply with the FTC regs. Make sure you follow the rules and we’re here to help. [chuckle]
0:46:03.9 Kurt Baker: Alright and June 9th. Thanks again for coming on, Bob. You’re listening to Master Your Finances. Have a wonderful day.
0:46:11.0 ANNOUNCER: That was this week’s episode of Master Your Finances with Kurt Baker, Certified Financial Planner Professional. Tune in every Sunday at 9:00 AM to expand your knowledge in building and managing your wealth. Missed an episode? No worries. You can subscribe to a free weekly episode of Master Your Finances to listen to on your favorite podcasting platform. Apple, Spotify, Google Podcasts, whatever. Master Your Finances is underwritten in part by Certified Wealth Management and Investment and Rider University. Rider offers continuing studies programs for adults who need flexibility. Want to add new skills to your resume? Take a continuing studies course at Rider University.