Get the latest tips and tricks from cybersecurity and IT experts on how to keep your data safe no matter where you’re working.
Cybersecurity continues to be a big topic of conversation given the COVID-19 pandemic. Many companies had to quickly adapt to a fully remote workforce and are now discussing what their “new normal” work environment will look like while keeping data safe from bad actors.
People often think a cybersecurity incident won’t happen to them or their business. Either they’re safe enough or their company simply couldn’t be a target of an attack. In reality, small and mid-sized organizations can be the perfect target for cyber-attacks.
Whether you’ve had a cyber program in place for a while, or you’re just getting started, there’s always something new to learn.
On September 29, 2020, Mike Trpkosh, Director of Cybersecurity at Pathway Forensics, joined Houston’s East End Chamber of Commerce for a discussion about cybersecurity best practices and how to prevent cyber-attacks while your employees work remotely.
- Bad actors will always find ways to take advantage, so you need to be aware of cyber threats regardless of whether you’re at a brick-and-mortar office, working from home, or working from another remote location.
- Cyber threats are just more sophisticated versions of what we’ve seen before. Why? Because the old ways still work.
- Bad actors realize that fooling a human is a lot easier than hacking into a computer, so any way that they can get in touch with a human through social engineering tactics is their best bet. Educate yourself, your organization, and your friends and family on ways to address these issues.
- Investing in proactive cybersecurity strategies is a no-brainer. But first, understand what’s at risk and then have an expert help you understand how much to spend to protect your business.
- Simple ways to combat cyber threats include:
  - Verify you’re sharing information with who you think you are, especially if a request involves finances, transactions, or includes a sense of urgency.
  - When working remotely, use a VPN to access your company’s network.
  - Always use two-factor or multi-factor authentication to enhance your password protection.
  - Conduct cybersecurity training across your entire workforce to ensure they help keep your data safe.
Read the transcription here
[Frances Dyess] Good morning, everybody. This is Frances Castañeda Dyess, President of the Houston East End Chamber, and it’s an honor to welcome you to our business webinar. Today we have “Working from Home: Avoiding Cyber Attacks and Best Practices for Security”.
In a couple of minutes we’re going to hear from Jason Rorie and Michael Trpkosh, but before we do that, we have a sponsor for our program today: Christopher Sanchez with Comcast Business. Christopher, thank you so much for being a sponsor of our program today.
[Christopher Sanchez] Hello, how are you doing? My name is Chris. I’m from Comcast Business and I service all of the East End Chamber area.
[Frances] Wonderful. And you are welcome to say any opening remarks. And I know we have a special question we’re going to ask all participants on Facebook Live and that are watching it right now to answer. But any opening remarks?
[Chris] Yes ma’am. I just would invite everyone to answer the question and I would like to have some candid conversations about what’s making you guys successful during these difficult times in our new normal, if you will. So I look forward to seeing you guys out in the field and talking to you soon.
[Frances] Great. And, Christopher, in the chat box if you wouldn’t mind putting your email address and phone number so that people can get a hold of you and we’ll add that to the Facebook Live as well. So, thank you so much for being a sponsor today.
Today’s program is on cybersecurity and if you haven’t noticed, it’s been a big topic of conversation given the COVID-19 pandemic and many companies shifting to fully working from home instead of the workplace.
So, when people think about cybersecurity, they often feel that it probably won’t happen to them. Either they’re safe enough, or their company isn’t big enough to matter or things like that. But in reality, small and mid-sized businesses often are the perfect target for cyber-attacks. Whether your organization has had a cyber program in place for years or you’re just getting started, there’s always something new to learn.
And today we’re very honored to have Jason Rorie, Founder and Chief Security Officer at Elevated Technologies, and Mike Trpkosh, Director of Cybersecurity at Pathway Forensics, for this conversation about cybersecurity best practices, potential pitfalls, and how to optimize your cybersecurity program.
Jason and Mike, thanks so much for joining us today.
[Jason Rorie] Thanks for having us.
[Mike Trpkosh] Glad to be here.
[Frances] And Michael, we’ll start with you if you want to give us some opening remarks on what we can learn about what’s happening on this topic.
[Mike] So, obviously it’s been a challenging situation for everyone. The biggest challenge that I’ve seen is clients moving from a brick and mortar to a hybrid solution where you have parts of your workforce working remote to an entirely remote workforce. And a lot of organizations were not prepared for that. Their defensive perimeter was more geared toward one location versus the remotes and the challenges with staffing up for that and getting the technology in place and educating the workforce on how to work remote more securely.
[Frances] Thank you. And Jason? Would you like to have any opening remarks on this topic?
[Jason] Just to echo what Mike just said. It’s kind of a whole different environment now with everybody shifting to work from home. It’s a different environment with a different set of distractions, and that’s what a lot of the cyber criminals are betting on now that everybody is working from home. So, it’s just a whole ‘nother level of being vigilant and taking your time because the threats have increased tremendously. Again, the cyber criminals are banking on this new way of working and know that there’s extra distractions and definitely taking advantage of it.
[Frances] Wow! I’m afraid already.
But let’s start talking a little about how COVID impacted some of the organizations that you work with or what you’re hearing out there. Do you know of any cybersecurity best practices that you’re glad are in place right now and were there any gaps that you identified during the pandemic that you were able to address and have added to help companies be protected?
[Jason] For us, I think that one of the new best practices that I guess is even more critical now with everybody being disjointed is that working from home really brings a whole ‘nother level of verifications of certain things because the email phishing scams, I think the number increased over 600% or something crazy like that.
So, really taking your time and verifying the emails that you receive. If it comes from a coworker, a boss, a vendor, a client that doesn’t look quite right and you’re kind of unsure, especially if it has anything to do with money or some sort of transaction, is verifying that. You know, picking up the phone, getting who sent you the email – or who you think sent you the email – get them on the other end of the phone and verify that the transaction or whatever they’re asking you to do is truly legitimate. Because again, with all of the distractions at home, it’s really easy to fall for a phishing scam because they’re getting more and more sophisticated.
That’s one of the biggest things we’ve done that’s helped our clients is just making sure that you take your time, slow down, verify things. Because I’ve seen a lot of people and a lot of companies lose a lot of money and I’ve even seen people lose their jobs because of this. So, it’s just something you really have to take your time and sort out.
[Frances] That’s a very good point – slowing down. I’ve even heard of one of my chamber members – they got an email from who they thought was their accounting person that said, “Please authorize this.” It was a $2500 payment and it looked legit and she thought it was from her and she approved it and the transfer was sent. And then they realized wait, this doesn’t look right. So, just be slow and verify, especially right now.
Michael, anything to add to that?
[Mike] What Jason said is exactly right. I think the biggest thing that organizations can do is really focus on security awareness training. October is Security Awareness Month, so it’s a great time to roll out or enhance an existing security awareness program.
The increase in attacks that Jason referred to are all social engineering based. One of the things that I was looking for and some of my colleagues during the COVID crisis was new attacks. There are not new attacks. They’re retreads of old attacks. And why do they still use them? Because they still work. That’s what’s interesting is that exploiting that vulnerability is that we get better, but yet we don’t get better.
So, what Jason said: slow down. With security awareness training, there are 3-5 steps any person can do with an incoming email, especially one where you know there’s financial implications to it. Five steps like hover over the sender’s name and make sure that it’s coming from there. Any time that you’re being put on or backed into a corner – “it’s a must”, “we’re going to disconnect you” – those are red flags as well. Simple things like that. And I’m sure Jason has some other tips. But easy things like that which the average person can do.
But Jason is exactly right about the distractions at home. There’s more going on, you’re not as focused as you would be if you were in the office. So, it is kind of the new normal.
[Frances] Thank you. So, as companies are looking at their new normal, what would be some key considerations they should be aware of? Especially since some of them are going back to the office, but some of them are going to be working remotely throughout the whole year and up until next year.
[Mike] I think one of the things that organizations need to focus on is two security topics that they could really add to their defenses are the VPN and multi-factor authentication.
Multi-factor authentication just increases the complexity or reduces the likelihood that an attacker is somehow going to compromise your password, well now they need two factors.
The VPN, it encrypts all of the communications between you (in a remote location) and your brick and mortar company network.
[Frances] Well that makes me feel a little more comfortable. Now that our staff is working from home, we do have a VPN and every morning when I log in, I am very grateful that we have another day of safety. But we get tons of those phishing emails, and it’s just very nerve-wracking. Even some of my employees get emails from me thinking it’s from me, but it doesn’t sound like me, so they know to just delete it, which is very, very scary.
Another question here is what are some common cyber threats that you feel will always be around? Or is there anything new that we should keep an eye on? Mike, I know you talked about something new, but Jason, do you see anything new that’s coming out there?
[Jason] Well, I think phishing email will never go anywhere. I think over 90% of all breaches start with a phishing email, so those will always be around.
I think some of the newer tactics are more in the social engineering realm outside of email. There’s a thing called vishing, which is I think becoming more and more popular. It’s bad actors picking up the telephone and calling companies to try to get sensitive information, so that’s why it’s called vishing (because of voice). Of course, social media social engineering attacks. I think there’s over 86 million fake Facebook profiles that hackers use to try to get information from people over social media.
So, bad actors realize that fooling a human is a lot easier than hacking into a computer, so any way that they can get in touch with a human – email, phone calls, social media. And it really just kind of goes back to slowing down, verifying who you’re talking to over whatever type of media you’re having the conversation in that you’re talking to who you think you are.
It’s a scary world out there and these types of threats are just going to get worse and you just have to stay safe.
[Frances] Good. So, companies might think that cybersecurity is a huge financial investment, and potentially one that’s tough to justify unless or until an incident occurs. How do you typically address this topic, or do you have any examples of why it’s important to make this investment?
[Jason] As a business management team, owners, C-level executives, you have to think about security and the investment of what is the potential loss. There is a part of cybersecurity where we do quantitative analysis for your security investment. You know, how much could you stand to lose if you don’t make the investment? And it’s really just calculating return on investment just like any other type of decision.
And it’s not as expensive as you think. Training programs are inexpensive to run. Email phishing simulations, training videos, we do that for all of our clients. It’s worth looking into and having those conversations. You don’t want to overspend, but at the same time you need to invest in your security program to protect your business because at the end of the day, one wrong click can cause some massive damage to a business, so you have to be prepared for that.
[Frances] And Michael, you gave an example before we started of someone who recently got hacked. Can you share that information?
[Mike] Sure. So, it’s on the front page of the Wall Street Journal this morning, and it’s the largest school district in the Las Vegas area. They fell victim to a ransomware attack. Because a lot of organizations now we’ve been preaching have your backups offline, have your backups offsite.
So, a lot of organizations are refusing to pay. Now attackers have stepped up their game by saying: okay, what we’ve also done is not only have we encrypted all of your data, but before we did, we took a bunch of it and we’re going to show you some snippets of it if you don’t believe us, but then we’re going to dump all of this confidential, sensitive information out into the public.
It’s bad enough if it’s a regular organization, but if it’s a healthcare organization, now they’re looking at fines, and it’s just a mess for organizations. So now, if you choose to go that route and say we’re not going to pay, now they’re going to extort you by threatening to release that information. But then they’re also going to say: and if you pay, now it’s going to cost you to get the keys as well. It’s a crazy deal.
Like what Jason was saying was one of the things that we offer our clients is a benchmark assessment of sorts. I don’t want to charge somebody a lot of money to tell them what’s wrong, so we make it very low cost. But what we do is we talk to you – and exactly what Jason said – is if you don’t know what you’re protecting, if you have not classified your data, if you don’t understand the value of your data, you have no business trying to spend money on security because you don’t know what to spend.
That’s what Jason and I both – we preach that and we both try to do that. We want you to understand what’s at risk and then we can help you understand how much to spend. They always say with security, there’s no ROI on it, but it’s cost avoidance. So, that’s where we start.
[Frances] Good answer. So, for companies looking to be proactive with cybersecurity solutions for the first time, what would be a good place to start in terms of the services and protection they should look for? Obviously first give you guys a call, but what are some of the first things for someone doing it for the first time can look forward to doing?
[Mike] I would say policies and procedures. Wouldn’t you agree, Jason? That’s the foundation of your house, really.
[Jason] I would say definitely if you don’t have any security policies and procedures that’s a great place to start. You know, bringing out a company to do an assessment and make sure that the controls are hopefully in place that will satisfy the policies. But at the end of the day the policies are what management’s and ownership’s expectations are when it comes to security, so you want to make sure that you actually have the controls in place that will satisfy those policies.
So, when you have someone come out and maybe do a gap analysis to make sure that what you have security-wise actually does stack up to the industry standards and what can best protect your business. And if there are gaps, then you can put a plan in place to move forward to fill those gaps and better secure your data.
[Frances] Good. So, Michael gave an example of a Las Vegas ISD being hacked. Jason, can you share a time when you had a particularly difficult cybersecurity problem that you helped solve and how it was solved and what did you learn from that experience that you could share with us?
[Jason] We’ve been through so many phishing email scams that materialized into extorted money and hundreds of thousands of dollars trying to trace that down. We’ve dealt with ransomware attacks as well, both from restoring the data, helping negotiate with the bad actors to try to get the encryption keys. Of course, you know, working on the insurance side as well – some experience there with insurance claims and trying to recoup some of the financial loss.
There’s a lot to learn and really at the end of the day the biggest lesson is don’t let it happen to you. That’s really where the training comes back into play. Having an aware staff is just as important, I think, if not more important, than some of the technology controls that can help mitigate some of this stuff from happening. So, if you’re out there and you’re not being trained on a regular basis, you should be, and it’s definitely something to look into.
[Frances] Great. And now that we’re all doing Zoom meetings and Microsoft Teams and we’re using our cameras, are there any additional exposures to using the camera for Zoom and Microsoft Teams that you’ve heard of?
[Jason] Not really. I mean, I’m not saying it’s not technically possible for a hacker to gain access to your system and your camera, but I would be more concerned about the email threats and making sure that when you’re working from home, accessing company resources, whether they’re in the corporate office, over a VPN, or cloud-based, that you’re doing it properly, and like Michael said, that you’re making sure that multi-factor authentication is enabled, you have complex passwords, and you’re being very safe as much as possible when you work from home.
So, I wouldn’t be too concerned with using Zoom and Teams and cameras. I’d be more concerned about data access and doing that securely.
[Mike] I would say that, you know, while it’s creepy to think that someone has access to your camera or your microphone, the root of that is probably through a phishing email. If they can get access to that, they’re already in your machine. So, that is almost a byproduct of the bigger problem.
[Frances] Thank you. I know that one of our chamber members, Tejas Office Products, has this little device they gave us and it’s a little – it’s like a door that you just stick onto your camera and it closes. And I just use it all the time because I’m just afraid that someone is out there. But thank you for that.
Also, when you talk about cybersecurity insurance, what does it cover and can you give an example of a claim, any of you two?
[Jason] With cyber insurance, there’s kind of two parts to it. There’s what they call first-party and third-party coverage.
And first-party is if you as the policyholder of the organization gets hit with a cyber-attack that ultimately causes, you know, financial loss, the first-party coverage would help kind of recoup some of that cost. I mean, it could be a ransomware attack that takes the system down and you maybe could call a claim because of lost revenue that you suffered because your systems were down.
Third-party is more to protect you if you were to cause an issue or a cyber-attack on a third-party organization – that could be a customer or vendor. So, if you get ransomware or someone gets into your system and they use your email to send out phishing emails and they send it to all your vendors and one of those organizations click and they get infected and then find out that it was actually your fault, that’s where the third-party claims come in. They help, you know, kind of offset lawsuits, compliance fines, and things of that nature.
So, you want to make sure that if you have cyber insurance, which you should, that you have pretty comprehensive first- and third-party coverage within that policy.
[Frances] And Jason, does your company offer cybersecurity insurance?
[Jason] One of my companies does. Cybersecurity Insurance Group is a boutique insurance agency that I’m just a partner in that helps businesses here. We’re only licensed in Texas. So, yeah, we can definitely help with that.
[Frances] That’s good to know.
So, a lot of these mom-and-pop shops were not online and now they’re getting online because of COVID-19, so they have opportunities for exposures. Is it better for companies like that and startups to use and outsource their IT? Because we are a small office and we do outsource our IT and they monitor our VPN. So, is it better to do that or any other suggestions for smaller companies that don’t have a full-time person?
[Mike] I would think that there’s kind of a point of diminishing returns there because if you’re small, that’s where you would want the help, but at a certain point there’s also scalability and if you’re too small, it doesn’t make sense to have some of the services.
So, again, we go back to the risk assessment, we go back to looking at, for example, logging and monitoring for a mom-and-pop shop. While it’s important, it may not be cost-effective for them to do that. So, there are different solutions, and you would want to find an organization that has to tailor to you. But, like I know for a fact some of the monitoring solutions that are out there, you’ve got to have the sweet spot – it’s a couple hundred seats, you know, a couple hundred endpoints to make it worth your while.
Again, if you don’t know what you’re protecting, you don’t know how much to spend to protect it.
[Frances] Interesting. So, you know, who are these hackers out there? Do you know what motivates them to do this? I also hear now that people are hiring hackers to work for them. What is your thought on that, either of you?
[Jason] I mean, it’s a big business. They’re truly – they’re businesses. You know, in these remote locations they hire hackers, and they go to an office and they run it like a company. I mean, their mission is to break into systems and extort money from organizations that they can breach and that’s really what it’s all about.
I think Michael was talking earlier, you know, the days of just someone hijacking your web browser and is causing annoying pop-ups, those days are long gone. Hackers realize how much money they could make from breaking into systems and extorting money from people to get their data back in the event of ransomware. That has turned into a multi-billion-dollar business out there. So, that’s why you have to stay safe because, you know, they’re hiring and the hacking groups they’re coming together to create super groups that are really putting together some pretty nasty stuff.
Again, you have to get trained, take your time, be safe.
[Mike] I’ll give you an example. About a month and a half ago, my daughter – like a lot of young people – she’s into Instagram and she worked really hard to get a bunch of followers and stuff. And she called me one Saturday morning and said, “My account’s been compromised and they – the hackers – are demanding this.”
I spent an entire day working with these knuckleheads from the Ukraine and they seemed like they were nice guys: “hey, don’t take this personally”, you know, going back and forth with them all day long. I actually saved the email threads because I thought I might write a paper or do a presentation about it.
They have a customer support group that if you’re having trouble getting the Bitcoin, they’ll transfer you to them, they’ll talk to you about it. I mean, it’s just like Jason said, these are not hoodie-wearing street kids. These are very intelligent professionals; they know what they’re doing. And don’t ever think you’re going to outsmart them. They know every possible option of what you’re doing.
The number of followers she had directly correlated to how much money they asked for because they know the different levels of what people can do with these Instagram following numbers and it was crazy. They were telling me all of this stuff about how they determine how much money to ask for, you know, because you’re like, “Oh well, I don’t have the money.” “Oh yes, with your number of followers you can make this much money, and so here’s what we’re asking.”
They want to keep it to where it seems to be a fairly simple decision: well, I could make this much money, so this is just the cost of doing business. They want to get in, get out, and move on to the next one.
[Frances] That’s pretty scary. So, they just took over her, I guess, password, and now it’s theirs and is that what you’re saying?
[Mike] That’s exactly right, Frances. And guess what? She now is a big fan of multi-factor authentication.
[Frances] Wow. Now say that again. Multi-factor authentication. And that’s the two-way passwords.
[Mike] Correct. You get an app for your phone. And the one that I use – and I’m not promoting and just because I like it – but it’s called Authy – A-U-T-H-Y. Any banking, social media, anything that is of value to you, you should check into it and see if there’s two-factor authentication available. Like if you do any type of trading, insurance, healthcare, all of it you can use one app and you just pull it up and it gives you this code and that’s what you type in and that’s what would have saved her. And she learned a valuable, a painful, lesson.
[Frances] Oh I’m so sorry. But I wrote that down. Authy. I’m going to look into that because my husband will not do anything on his phone to do with his checking account, credit cards, but I do. I’m going to have to look into that two forms of authentication.
[Mike] Do you ever use Authy or do you have another app that you use?
[Frances] No, I don’t use any of that. That’s what I’m going to look into now.
So, what made you two get into this business? We’ll start with you, Jason.
[Jason] You know, I started, oh man, now I guess over 20 years. You know, when I was in the military – in the Navy – I had a top-secret security clearance, so I got exposed to a lot of military-grade cryptography back in the mid-90s and that just really kind of started my career in IT and security and has just progressed to today with Elevated Technologies and a couple other companies that I have.
And it’s just really a way to help out small businesses from the security aspect. Being the lifeblood of the economy, we’re here to keep those businesses safe and provide them some pretty robust services that they can afford and be able to be secure. So, that’s really kind of what got me into it, and I think it’s interesting the way things have developed, especially probably over the last five years. There’s just a lot going on and a lot to stay in front of, so it’s exciting. I mean, I really enjoy it. It’s fun, some days.
[Frances] Jason, you’re a member of the chamber for many years and we value you. And you’re a small business owner and you’re a vet. So, I think people out there, if you really want to talk to someone about making sure that you are cybersecurity trained and everything else, please give Jason a call because he’s very knowledgeable in this.
And Michael, how did you get started in this business?
[Mike] So, I’ve been in the IT space for over 30 years. I was a programmer. I date myself, but I was a COBOL programmer when I got out of college, but I always had kind of a closet fascination with the security and hackers and stuff like that. So, I always read about it, attended different hacker group meetings like BSides and stuff like that.
Finally, then when I went back to school and got my MBA, cybersecurity was part of it. And, of course, all I wanted to do was break into things, so I became proficient with the different tools and stuff, became a Certified Ethical Hacker, but then really kind of morphed beyond just the technology space. One of the things that you’ll see now is I’ve been around long enough to see where the Chief Information Security Officer was a technical subject matter expert in IT at first, but now with digital transformation, you’re seeing that the CISOs are now, if they don’t report directly to a CEO, the CEO has a channel directly to them for advice. And you’re talking about someone now that generally oversees IT risk, the cybersecurity, and the compliance.
So, I’ve just kind of grown with it and just love it. I tell everyone that I interview: first thing is this job has nothing to do with an episode of Mr. Robot; it’s a lot more than that. A lot of times that kind of blows out their candle, but you know, there’s a lot to it and if you don’t want to learn every day, you’re going to get run over by it.
[Frances] It’s so scary and it’s so true.
This is an interesting question. With all the listening apps and devices, how do you think that is impacting security? Listening to Alexa, Google Help, etc. Either of you?
[Jason] I mean, it definitely has an effect I think on privacy. It’s not to fool – everybody knows that these devices have the ability to listen. You know, phones are the same. That’s why you see Facebook ads pop up after sometimes just having a conversation with someone. You know, I’ve experienced it as well. As much as I hate to say that it’s part of the norm, I mean, it kind of is in a way.
So, it’s just one of those things that you need to know is possible or is happening and just almost act accordingly. So, don’t try to expose any more than you have to.
[Mike] I think we’ve become a society – because of our need for instant gratification we’ve created our own dilemma. And what I mean by that is we want to utilize whatever it has to offer, but we never take the time to read the privacy implications or understand those implications. And so, a lot of people – it’s unbelievable what they will give away when they agree to some of these end-user license agreements (EULAs) that you see on these apps or websites and stuff or the cookies. People just blindly click “yes”, and if they really understood what they’re giving up, they would think twice about it.
[Frances] Interesting. I know on Facebook – I’m on it – and I get the ads and I love the eyewear Maui Jim and there was a special for $39.95 for limited edition. So, I clicked on it and started – I’m like these are some beautiful – and they’re regularly $300 glasses. So, I asked my husband, “Hey, would you like a pair?”, and he’s like, “This doesn’t sound right.”
I didn’t even notice this: the capital J and there was a capital I and a lowercase M and normally it’s a lowercase I. That should have been my red flag, but I thought this is a good deal, I better get it before they’re sold out. I bought a couple and then after I sent in my credit card information, I thought that was a dumb thing to do because I looked back at the ad and there were 300 comments but nothing was visible, no comments were visible.
And then later on I get another ad that looks similar, but it’s the same company product and same thing: there were no comments and it just new and I thought. And then all of a sudden – thank goodness – I get a text from my credit card that says, “Fraud alert: did you use this?”. So, I did call them, and I said it was my purchase, but I think it’s a fraud so can we just not let it go through.
It’s just simple things like that. And I know, Michael, that you had said that there’s five things maybe that you should look for and hover over the name. What are some of those other tips for people like myself? And I did see a comment that says, “This is a hack. If it’s too good to be true, it is.”
[Mike] Some of the things that are very simple to do is if you take your cursor and you hover over the “from” in an email and if it says it’s from Microsoft and then you see just some string of letters and characters dot com – red flag. Again, if it’s demanding that you make a decision right now, you know businesses won’t do that.
The biggest indicator – and Jason, you’ll probably smile when I say this – is very, very loose command of the English language. A lot of times you can almost read it and tell what country they’re from.
A legitimate organization will never, ever ask you for credentials over the email. Or if they call you, they will never ask for credentials. Now, you may say, “Well, I called the bank and they asked for my account number.” You initiated that conversation. That’s a trusted communication. You called them. If you ever get these types of emails or phone call scams – they’re starting to be more prevalent, too – just tell them, “Hey, I hope you don’t mind, but I need to verify this.” Then you turn around and call because another big one is the police department. That supposedly is authority and that you’ll tell them anything. Well, don’t do it.
It’s little things like that. So, just be on the lookout. Look at the sender, look to see what the content is, make sure that the grammar is correct; if there’s like three spaces in a comma or three spaces in a period, a legitimate company would never send that out like that. And then look at what they’re asking you to do. If they’re asking you to click on a link, hover over that link and make sure that domain is the same domain from the sender. If it’s not, challenge it.
[Frances] Those are good tips, very good tips.
Another question here: is TikTok really a big security risk and how do people use the information you scan from the phone – either of you?
[Jason] I have heard, that is I’ve read an article that some security professional reverse-engineered the app and just the amount of information it was accessing on your phone – it was a long list of things. So yeah, like Michael said, when you download these apps and agree to install them, you’re agreeing to let the app access all these things – your photos, your contacts, other apps. You know, that’s kind of how they build their database of knowledge about you.
So, again, it’s just knowing that the app is accessing some pretty sensitive information to make your decision, to be okay with it, which most people aren’t, and they probably shouldn’t be. Or, if you’re okay with it because you won’t be out that bad, then you essentially accept the risk. And that’s a big thing when it comes to risk because there has to be some level of acceptance, so you just have to make sure that you’re well aware of what you’re downloading when you’re installing, what it has access to, and just make a good decision from there.
[Frances] Right. So, there’s a lot of senior citizens and parents that are getting on the internet now. And Michael, I’m definitely going to ask my parents to get that Authy thing to do the double verification switch. You always wonder because they’re a little bit more vulnerable.
Do you see any advice for people to tell their parents and loved ones? I know everyone is supposed to be careful, but what are the common things they should be told?
[Mike] Great question. I mean, every time I call my parents, both of them will be like, “Boy, you gotta see what we did on Facebook.” And I’m like oh my gosh, I will always have a job thanks to, you know, folks that use Facebook like that.
But one of the things I would tell you is that everything on Facebook is meant – it allows you to connect, but again, think about what you’re giving up every time you participate in these surveys they have or answer questions, they’re building a profile about you. So, like Jason said for TikTok, I mean, is TikTok providing information to another government? I don’t know. But what I do know is their EULA (their end-user licensing agreement) grants them access to everything on your phone.
So, when I would tell older folks – even younger people, too, it doesn’t have to just be older folks. But the reason older folks are targeted is because generally, whether they’re single, widowers, or just, generally they are retired so they have more money than younger people, that’s one of the reasons they’re targeted. And they’re willing to accept it because they don’t want to seem like they don’t know, they don’t understand, so they are like, “Yeah, I can do that.”
Don’t be so rigid. Don’t be afraid to challenge it. Just like we said several times already this morning: if it seems too good to be true, it always is. Those deals just don’t exist. I would rather miss out on one deal than get suckered in a hundred other ones, you know? So, that’s what I would tell people is just be careful. If you don’t understand the technology, don’t use it. If you’re not very comfortable with your banking, I would never suggest anyone do any type of financial or very confidential information use that in any way, shape, or form unless you’re very comfortable and you understand what it’s doing.
[Frances] Thank you. Jason, any other words on that?
[Jason] No, he hit the nail on the head. The elderly people are definitely targeted for those exact reasons that Michael mentioned. So, just talk to your parents. My mom is the same way. We always have a lot of conversations about social media and what she’s doing on Facebook, Twitter, and all the other apps. You definitely need to be educated.
[Frances] Jason actually starts a program. You interviewing your mom on cybersecurity and do something on the web. I saw another gentleman, I forgot who he was, but he talks to his mom about different issues and it’s like a big hit and you guys can educate them.
[Mike] I think it’s great for elderly people to use technology. I just, if you want to get my dander up quickly, it’s how people that take advantage of folks like that.
[Frances] I agree. Well, we’re about out of time, but is there any question that I didn’t ask that you would like to answer or any other closing remarks, words of encouragement? Jason, tell us again your website so we can find you.
[Jason] The website is www.elevated-tech.com. I’ll drop it in the chat as well with our phone number and my email. But yeah, really, we’ve covered most of it. I think the biggest thing again is just human nature, get training. If you don’t have training, slow down, verify anything that looks even the least bit suspicious. I know that’ll go a long way to keeping yourself and your organization secure.
[Frances] And Michael, also put your information in the chat room. But any closing remarks or anything that we didn’t ask or any other cute stories and how’s your daughter doing now?
[Mike] She’s actually, her Instagram following, she got most of them back. She actually was on a podcast that asked her what happened and then how to fix it. She’s had a lot of people ask her about two-factor authentication. So, now she’s an expert.
I think in closing, if you have questions, one of the big things that I like doing is developing these relationships. And it doesn’t have to be about buying anything. If you have questions, I’m very passionate about cybersecurity. If you have questions, shoot me an email. If you have other questions, give me a call. I’m here to help and I love talking about this space.
[Frances] And we can find you on the website. It’s www.pathwayforensics.com.
[Mike] Yes, it is.
[Frances] Wonderful. Thank you very much, Michael and Jason, for taking the time to educate us on cybersecurity. It’s everywhere, it’s real, and during this pandemic, it’s a good time to reset and be secure for when things reopen in a better way.
I wish you both a great week, and everyone, this will be available on our website and on Facebook Live if you want to share this with anybody out there, especially your parents.
Thank you so much.