As the Internet expands and access to it becomes easier, the rate of fraud and breaches has increased dramatically. Fortunately, Opus 111’s Jim Harvey and Emerald City Solutions’ Grant Eckstorm have joined forces to lay out the steps to take before, during, and after an incident of fraud or breach. Every individual is susceptible to such incidents, and it’s best to stay up to date as protective measures change over time. Strong security is not, and should not be, limited to those with expertise.
Meet Jim Harvey & Grant Eckstorm
Jim Harvey: Good morning, my name is Jim Harvey and I am the president of Opus 111, a group of wealth management firms based in Seattle, with offices in Seattle and Spokane. I’m joined this morning by Grant Eckstorm, who is the managing partner of Emerald City Solutions, which is a managed services provider in computing IT that we work with for our company. Grant is also a Certified Information Systems Professional (CISSP), which is the gold standard for security. Grant, yesterday we were talking with Bob of Exceptional Benefits and Darrell David of Cyber Scout about the Washington State Employment Security breach that we’ve seen recently, and evidently a form of Nigerian ring that’s been operating for a while. In a blast last month, Washington State added 100,838 new unemployment claims, many of which were fraudulent.
Washington: Mass Fraud & Breach
Jim Harvey: And I know we’ve had clients and family members that this has happened to. You were mentioning off the phone that you’ve seen that too, and recognize the fact that, relatively speaking, everybody’s information has already been compromised. But there are practical things that you can suggest that anybody should do to protect themselves. I just wanted to get your take on the situation here in Washington State right now and the steps that people should take to protect themselves, both as individuals and their families, but also as companies.
Grant Eckstorm: With what’s happening here in Washington, but not only in Washington, it’s one of the larger, more widespread ones. A couple of different things that have taken place are a lack of security in the new unemployment insurance systems put in place. They relaxed security to make it easier to file the claims, but obviously that doesn’t help from a security perspective. It makes it easier for criminals to make changes as well. Not to mention, they’re really designed to handle about 7,000 claims in that short amount of time. They saw about 100,838, and it overwhelmed the system, and they took advantage of that. Hundreds of billions of dollars got sent over to Nigeria, but also a lot of red flags were missed. Unemployment checks were getting mailed out of the state, and email addresses were basically burners, meaning you can sign up for an email address without inputting any information and it doesn’t require a password. So, a lot of those red flags were missed, and that really should’ve gotten picked up by fraud prevention teams. Ultimately, there’s not a lot you can do; what’s done is done. To your point, the information is already out there. We’re just starting to see the use of a lot of information that was stolen back in 2017. Some of the other things you have to take into account is that your information is out there, and it’s not something you yourself can do to protect your information. If you say that I don’t want it on the cloud, it’s too late, all your information is already in the cloud.
A Protective Step: User Accounts
Grant Eckstorm: So, you have to take steps that are gonna protect you. You have to do everything you can to protect yourself. One of them, I’d say probably the easiest and most long-lasting, is don’t run as an administrator. Meaning that when you are on your computer, you should use a user-based account, and not an administrator. What that means is that, if you do click on something in a phishing email, whatever it may be, it doesn’t allow that to actually execute as an administrator. So you can’t have anything pop up that will ultimately take over your computer, start turning on your cameras, start logging keystrokes, things like that.
Jim Harvey: I had no idea that that was a thing, I don’t even think about stuff like that, so that’s a really good one. So in other words, if I’m just operating my computer, you want to create a separate user and the administrator is one that you do for any kind of downloads or system changes, right?
Grant Eckstorm: Exactly. The modern operating systems nowadays, they’ll tell you when they need an administrative account or administrative credentials. The scary time is when you’re not doing one of those things and you’re getting prompted to put in your administrator credentials; that’s when you know that you’ve got an issue. From a day-to-day perspective, browsing the web, reading your emails, things like that, they don’t require administrative rights. ‘I need to install a printer, a new piece of software, or make some major settings changes to the computer.’ Rarely do you have to put those in; even in our business, we don’t have to use them very often. That’s a 25-year-old best practice. A very, very easy task, and there’s a lot of information on Google on how to do it as well.
A Protective Step: Multi-Factor Authentication
Grant Eckstorm: Probably the next runner-up is multi-factor. The password is dead, and the reason why I say that is that passwords are getting breached so often that you just can’t keep track of them. With multi-factor authentication, it doesn’t matter how complex your password is, or how non-complex. You have to have that second form of authentication, and you’re probably starting to see it now with bank accounts and similar security-sensitive accounts. A lot of email accounts are starting to see it now. I would say it’s almost mandatory. When you set up a new account, make sure they use multi-factor. It’s a stopgap to be able to protect that account, even if it’s an email or, in some cases, your identity; you want to make sure that you have some way to protect that from happening.
Jim Harvey: Well, it’s interesting to point that out, because just yesterday you had a call with my firm about doing just that. So today, we’re rolling out multi-factor authentication, which means that every laptop, every desktop, every device that we use will have that multi-factor authentication. And, you know, I mean, it’s kind of a pain because you have to have that other thing. But on the other hand, the security that comes from knowing that you have that other thing is very reassuring.
Grant Eckstorm: Yeah, it depends on the perspective. We’ve seen so many business email compromises this year alone. The one common factor that comes into play is that none of these accounts have multi-factor authentication on them. If you have multi-factor, and your account has been breached somewhere that you don’t know about, they still don’t have that token that you have in your hand. That is the safeguard to keep that account safe. And keep in mind, getting into my email is just a stepping stone. If somebody got access to your bank account and they drained it, that’s ultimately what they’re going for. Having multi-factor on that type of account, I can’t think of it as anything other than a requirement.
Your Convenience: Password Hygiene & Managing
Grant Eckstorm: Using a password manager goes back to ‘the password is dead.’ From a security perspective, the bad password hygiene we see is everybody using either the same password over and over and over again, because it’s convenient, or using a small variation of that password, like putting an exclamation mark or a dollar sign at the end of it. We know how that works, or changing the number as you go through your sequence, the way people do when using the same password. These are easy to figure out from a security perspective. With a password manager, suddenly you don’t have to know what your passwords are; you’re not storing them in a little notebook, you’re not putting them in an Excel spreadsheet that is password protected. We know how that works, too; none of those are secure. Using a password manager with multi-factor authentication on it is a must. Once you get in there, you’re able to have large, complex passwords that you don’t even have to remember. I don’t know what any of my passwords are anymore. Being able to have that freedom of not having to worry about what that is, and having 25-plus character passwords, I know that they’re not going to get brute-force attacks. With multi-factor now, I’m not concerned about it at any level. Password managers are a lifesaver from that perspective, but it’s also an ease not having to remember all these. I think they’re saying that by 2021, the average person is going to have 500 to 600 passwords that they have to remember for all these different accounts; you can’t remember that! And that’s where you get the bad password hygiene.
A Fall-Back: Full Disk Encryption
Grant Eckstorm: Another good one is full disk encryption. If your device is stolen, they have a tendency to grow feet. In fact, I have a family member who left his phone on the airplane and it ended up over in North Carolina. Having full disk encryption on these devices protects the data. Ultimately, that’s the important thing about the device. I will tell you that the local authorities, the police, don’t care; they’re not going to try to find it. They just want you to do an insurance claim. You get the latest, newest model, and you move on with your life and restore the data. The important thing is your family pictures. It’s your emails, it’s whatever you want to store on there. Believe it or not, most times it’s the pictures that have a lot of value from a family’s perspective. So make sure that you protect that data. If it ever walks away, you’re not concerned about that device. It turns out to be not a big deal.
Grant Eckstorm: Another simple one: patch your computers. If you are regularly patching your computers for Microsoft updates, the Adobe, Java, Chrome and Google platform stuff, that’s a really easy one to do. Most systems out there are going to do it automatically for you. Microsoft has definitely gotten more aggressive in the last couple of operating systems to help with that. Some of the other ones are going to require manual updates, but it is important for those to be done.
Jim Harvey: And the reason for the patching is that they’re constantly upgrading as they learn about new security breaches, right? So that’s what it’s for.
Grant Eckstorm: Well, constantly upgrading, but they’re also posting all the vulnerabilities out on the web. It’s a literal cookbook for criminals to know exactly how to take advantage of your computer. And these companies are doing that from a liability perspective. If you don’t take advantage of the information they’re providing to the world, then you’re actually the one that is vulnerable. So it’s really important to make sure to stay up on that.
The Right Way to Utilize Backups
Grant Eckstorm: As for backups, that’s the last line of support. It’s huge when talking about encrypting your device and protecting that data. If you lost that device, who cares, because you have the backups? But I will tell you that you have to be careful with thinking that your stuff is backed up. The moment that a human gets involved in a backup, you have a 60% failure rate; you really want to work on the rule of three. You have the data on your computer, you have maybe a hard drive, maybe it’s a network-attached storage device in your closet, whatever it might be, and then you have it in the cloud. The reason why this rule of three is really important is that recently we’ve actually seen the ransomware not only infect the computers, but also infect the backups. Two of the legs of the tripod have been taken out. The cloud is the only thing left to restore your data. But if you are putting all your data on a hard drive thinking that is okay, you’re most likely going to lose all your stuff. I hear that all the time. ‘Oh, no, I’ve got it. I went down to, you know, the local big box store and I bought this hard drive, and that’s where I store all my data, Mike.’ Well, the problem is that those have a failure rate. You’re racing the hard drive that’s in your computer. So keep that in mind, correct? Yes, they’re not designed to store the data. They’re just designed to help back it up as a secondary. There’s a reason why they’re cheap.
Breaches: To Manually Track or Not?
Grant Eckstorm: Along the lines of today’s topic, monitor your stuff on the dark web. Going back to how many breaches are going on right now, there’s no way to keep track of it. I myself, as a security professional, stopped trying to keep track of it a long time ago; there’s so much happening on a daily basis that you need to have some sort of service that’s going to alert you about this specifically. If you have, you know, a bank account that got breached or an email that got breached, you’re gonna get notified of that information being stolen. If you try to sit there and watch the news, I’ll tell you that unless it’s over potentially a million accounts, it won’t even make the news anymore. Having some sort of service to tell you about what’s going on with your identity is really, really big.
Optimizing IoT Use: What is It?
Grant Eckstorm: Let’s see, what else? Your IoT devices at your house are like patching. You want to make sure that those are nice and secured. I will be honest, there’s nothing scarier than having a voice come through your baby monitor and start talking to your children, or somebody watching you through your nanny cam. So, IoT stands for the Internet of Things. The world is now connected to the internet: your ovens, your microwaves, your stoves, coffee pots you can turn on with a voice command, all connected. Even washing machines are now connected. So thermostats; I can go on and on about all the things that are connected to the internet. The problem with them is they weren’t designed around security; they’re designed to get you connected and to be mass-produced. They are going to come out with default settings that make it really easy for you to set them up. The problem with that is that those default settings are widely known; they’re very easy to take over and be compromised. Take a little extra time to make sure that you reset the passwords on them to something complex. Make sure that you are patching the firmware from time to time; it goes a long, long way to make sure that your house is protected. Yes, the voice-activated devices have made life convenient, but also very convenient to steal identities and information too, so it makes sense.
Security Measures: Then and Now
Jim Harvey: Some years ago, I lectured at a national conference about data security, and that was 2008. Things have gotten a lot more sophisticated. The basic point, and I got a lot from the Department of Commerce, is that it was a real challenge to do all the technical stuff that you want and have the firewalls and the anti-spam and anti-malware. For example, I was at another convention last year in DC and one of the cybersecurity specialists for a big broker-dealer said that the biggest click-through on a phishing email was free Domino’s Pizza, with a click rate of 60%. You can have all the training in the world, and you make that one mistake that one time, and now you’re exposed. So that to me is where you want to be. All the things that we’ve talked about this morning, I really want to thank you for your time. But having said that, it’s good to have that backup, whether it’s LifeLock or Cyber Scout, where they will unwind it for you and protect you. And if there’s a financial exposure, pay it back. We’ve seen, I’ve seen, one of my clients had $100,000 taken out of his 401(k) plan. And thank God that we had LifeLock for him, because he was able to claw the money back. Had he not been able to claw the money back, LifeLock would have gotten a cheque and put $100,000 back in their accounts.
Concluding the Discussion
Jim Harvey: So like you say, you want to be as secure as you can, but insure against the inevitability. We only have 330 million people in this country and the Equifax breach alone was 143 million. That was about half of them right there. There are things that we should do, and you did a really excellent job today pointing all that out. I know that we’re really grateful that we work with an outside firm like you guys, because you’ve really dramatically improved our ability to protect not only ourselves, but more importantly, our clients’ data through all these measures. So, thank you so much for your time. This has been great. And, stay safe out there.
Grant Eckstorm: Yeah, you too. I appreciate the time, Jim. Thank you.
Choosing to improve your security is a no-brainer, and so is acting on it. Take the preventive measures discussed above. A few minutes of your time is worth investing to prevent a drain of time and energy in the event of fraud or a breach. In addition, check yourself: are you backing up your data the right way? If not, take the necessary actions to correct it.
The easy way in buys a ticket to a hard way out. Fraud and breaches strike at random; never think it cannot happen to you. Stay informed about mass fraud and breach events, and about ways of securing your accounts, password hygiene, IoT use, encryption, and backups.