Welcome everybody to What's the Problem, the show that explores problems that buyers, practitioners, operators, sales, marketing and other cybersecurity leaders face in today's world.
Today, we are fortunate to have Steve Fisher joining us.
Mike Krass: Steve, wave and say hello to our listeners.
Steve Fisher: Hello! I could hear the wave, but it was flying. I could hear it.
Mike Krass: As we all know, we quickly get that first question. Steve, tell our listeners why you're qualified to talk about security.
Steve Fisher: Thank you, Mike, for the opportunity to talk to your listeners. My background has been 30-plus years in media. I left that business almost a year ago and spent some time learning about a company out of Missouri. I've known the owner for probably 40 years, and he started 14 years ago in the shredding business, which is very security-sensitive document management information. The thoroughness you have to go through to make Steve unqualified to get in that business is pretty rigid. He transitioned into document management, converted data files and print files to digital files, and stored those in the cloud. They're also involved in HIPAA-certified faxing. So, when I was available, he talked to me about coming on board and helping them with a cybersecurity solution that we've been asked to be a qualified reseller for in the summer. I dug deep in and learned as much as I could about cybersecurity industries and tech in general and concluded that it's security first in cybersecurity. The cyber part is later, so my role here is to help people who should be more engaged in decision-making. And that would be some of the heads of organizations as opposed to leaving the shoulder by the IT department, especially in a world where IT professionals are tasked with so many things and have an organization.
I've tried to dumb down the whole big monster called cybersecurity, and just really short people can understand it. Companies and the superintendent of schools can understand it. I met with a group of super dentists last week in Missouri. We talked about this, and I said, hey, a lot of guys, when you see me at conferences, you'll say, hey, talk to my tech guy, talk to our tech group, and so forth. And, I say, when your network is compromised, are you going to have your tech person talk to channel five? You're probably not. You need to get a hold of this. And so, really coming at this from the perspective of an admin administration and digging deep into this. So that's my background, and I think that qualifies me to get into the space.
Mike Krass: Awesome, Steve. I appreciate you walking all of our listeners through the background. Education is one of the top two industries that gets hit with many cyber threats or attacks and ransomware, among other things. So, a target-rich environment sounds very callous, but it is like schools are at risk in a big way. Let's talk about problems. I heard you start talking about it. Tell our listeners about a problem you'd like to explore today.
Steve Fisher: The problem I'd like to explore is COVID and even coming back into the workforce. We saw a lot of turnover, and in the workforce, when you come back, the rules have changed, particularly on the cyber insurance side of things, onboarding people, and so forth.
Dealing with training and onboarding related to tech in the new age of changing jobs and things. I see that as a big issue because I mentioned IT directors and the CISOs, which stretched beyond belief. Still, human resources is also an area where there's probably a lot of need to fill a spot. Training and onboarding, particularly related to tech, will be hard and it will be challenging.
When you bring everybody on, you're looking at these things. Then you're also looking at the rise in business insurance due to cyber squarely, depending on what type of industry you're in, but targets include health care and any business manufacturing. They relied on a significant component of their business being plugged into the internet and into the cloud, and there's going to be a perfect target.
Mike Krass: Businesses that are perfect targets when plugged into the cloud or an Ethernet connection. I'm having a hard time thinking of businesses that aren't connected. Am I missing something? Are there businesses that are more or less connected?
Steve Fisher: If you're outsourcing payroll, and if you're taking any invoice online for doing anything, the smaller you are, the fewer things you do online. You might argue that the more likely you are to be compromised. When you consider the thing that triggers most attacks is still phishing, and 50% of all the reason they got attacked is on their payroll. It's somebody on the payroll who made some mistake, either through phishing, employee mistake, internal theft, or those things. That will drive the insurance industry to say, hey, let's take a step back and look at how you're onboarding your employees and associates and find out what you can do to minimize these situations.
Mike Krass: The human factor is what I heard you say about training and policy. And they mentioned onboarding. When people are departing the business for whatever reason, whether it's on their own accord or whether the business has let them go, I could also consider a target-rich environment or people who have recently left the company. Because if you haven't shut them down entirely yet. And I'm doing this in air quotes, shut them down in terms of all their systems. It might not look irregular if there's a random login here or there unless somebody is looking. They realize, like, oh, actually, Mike left this company last month. Why did he just log in to our payroll system, accounting system, or maybe into one of our business intelligence systems? This isn't an issue, but you might be in the finance team in a BI system. The CFO might be modeling revenue, expenses, or incredibly confidential or sensitive information. And yet, there's just this login here or there that no one's paying attention to, and before you know it, they've got a pretty good handle on your business.
Steve Fisher: I'd say that the most famous offboarding mishap would be the quality of pipelines. We're two days away from shutting down the United States because we will run out of fuel, and Colonial was compromised by a former employee's email. That wasn't properly eliminated on the network, and they had the email and the password and got it, and I guess some people could say, though, the rest is history.
Policies must be thorough in onboarding and offboarding, but offboarding is the onboarding. That should just be a checklist, and you just boom, you're done. It should be more of a grey area in the onboarding because with the training components related to insurance requirements in terms of phishing and other things to test, the wherewithal of anybody that has access to the internet. There's always going to be some new way to test somebody's ability to trust, and everybody wants to think they won this giveaway from Home Depot or they're going to get a free network. It's got to be true, and that's the whole thing, and you just really go to these things and test them.
As spear phishing becomes more prevalent, it's going to be even more important. In Missouri, you had a situation where the community had a USDA grant, and the cybercriminal figured out, studied it and then they sent a close but fake invoice to the community. And then, $177,000 later, that cybercriminal has more money, and the community has less money. I don't even know in that situation whether insurance is going to be a factor, but those are the kinds of things that are happening more and more. You get malware on your network, and it sits on your network for 252 and a plus 80 days. By that time, it's hard. For example, there was an organization in Iowa where the virus learned who was in charge of accounts payable and payroll processing, who was the backup, and when that primary person went on vacation, and the backup was involved. The backup received a payroll transfer rerouting to a different bank for the company's CEO. The first pay period after the primary person's paycheck vacation goes into a different bank. These small incremental situations add up pretty quickly for cybercriminals. The question for many companies has been, who do you call? Who do you think they call me? What jurisdiction is this? It really goes on. In many cases went on to report it, but then the criminal will get away with this and just going to keep on doing it. Training and understanding that it's part of the bill's solution cut it down quite a bit. Getting people not to trust other people is tough, but that's how it has to be. You hear more and more about zero-trust environments or trust networks and so forth. Nobody wants to call somebody a liar. Going through some of this training will be an opportunity for people to start thinking about letting others earn trust instead of automatically getting trust. I mentioned my morning was pretty busy talking to a couple of schools to talk college and K-12. And as I mentioned, those are targets for cybercriminals.
Everybody's busy on those campuses and doesn't have time to monitor all of them, all of the faculty and staff, but many of them aren't even doing some of the initiatives already set up.
Some are more automatic, and your administrators put more restrictions on faculty and staff. Any organization will be imperative to a company's success, not just keeping their insurance policies down but getting an insurance policy period.
Mike Krass: One thing I might share on rerouting payrolls or invoices before we get to our final question. We've seen the episode in terms of tactics and things you can do. Some of our clients who are larger businesses or enterprises are considered large businesses based on revenue and headcount. They're bringing us into what they're calling supplier portals. It's something you have to sign up for. It's all protected through two-factor authentication. You're going to get an email, a text, or both sometimes to get in. This purchase order number is now hidden behind a series of logins that require multiple touchpoints, not just the password but you have multiple touchpoints. And what I really thought about was, okay, if I rewind ten years ago, most of our clients would just email us a purchase order. And a purchase order says, “Here's where you send the invoice to, here are the payment terms. Here's the PO number.” The thing that says there's money, and if somebody had done something as simple as gotten into our email ten years ago and hung out within six or 12 months, they probably would have gathered up a pile of PO numbers. If they got to bill, they could be billed in advance of us getting an invoice out. Or we could also be in a situation where they let us bill them, and they let us do the work from an invoice and standpoint, but they change the bank account info that it should be received. But you mentioned, and that reminded me of how far our own business has come in 10 years in terms of how our clients are treating us and the different financial systems they're asking us to interact with. These supplier portals look like they were designed 20 years ago. They don't need to look pretty. They just need to deliver money from A to B from the right source to the right recipient.
Steve Fisher: They were phishing from fax machines and successfully draining accounts on those platforms. A lot of people that are victims of cybercrime are embarrassed. A lot of those incidents go unreported because nobody wants to say, “Hey, I paid these invoices wrong.” Last week, we had a meeting with a client who said, “Hey, we got hit.” If you're one of our shredding clients, and we're talking to them about their network security and so forth. They said they paid a bill, and it just didn't report it because they didn't want to look stupid. The less that happens, the more we start aggregating these incidents, and the easier it will be to get to minimize the damage. Eliminating the damage might be overly optimistic. Be one of those and keep everybody on guard.
Mike Krass: Speaking of damage, that's a perfect segue. Steve, let's talk about question number three of every episode. Tell us about a terrible haircut you've had in your life.
Steve Fisher: I used to live in my early 30s. I live down in Southern Illinois in a very rural community. I had a cool hairstylist up until that point, and you had to drive 30 miles to get a good haircut. I would bulk up on many products to make whatever happened to look better than it was, but I typically got a bowl cut every time I walked down to this place, and it is almost like you're paying for your torture. It certainly makes you appreciate a good stylist or professional stylist. When you get one today, there was a cash-only joint. It was seven to 10 bucks for a haircut, and he got what you paid for.
Mike Krass: The bowl cut is a classic. We haven't had that answer so far on the show, so you're the first. Steve, thank you so much for taking the time to speak to our listeners. Thank you for listening to What's the Problem, the show that explores problems that buyers, practitioners, leaders, marketing, sales, or just folks in the cybersecurity industry, those problems that they face every day.
Steve Fisher: Goodbye. Thanks for listening.
Stephen Fisher is a security solutions specialist for IMS, an organization that advises many educational institutions across the United States of America about digital transformation through proactive cybersecurity, scanning & doc management.