Pathways with Amber Stitt

Focus on Tech: CPAs and Cyber Security Issues and Ways to Avoid Phishing

February 21, 2023 Amber Stitt

In today's episode of #ThePathwaystoPeakPerformance, Bryan Wilbourn and I talk about smaller businesses and the ways they can be affected by cybersecurity attacks.

He tells a particular story about a CPA's office where an employee was a victim of a wire fraud circumstance. The attack was what the tech world calls a "Whale Phishing" situation. Someone had impersonated the CEO and we tell the story here!

How do you protect against this? Risk assessments conducted by a cybersecurity team can help reduce the risk of PII being compromised.

What is PII?

Personally Identifiable Information

When PII is leaked, the ramifications can be detrimental. Your security team will help to teach you what to look for on a daily basis, especially during any busy seasons that come with the industry that you are in.

These are just a few types of information that businesses need to protect:

PCI and PII (Anyone)
HIPAA and PHI (Typically Healthcare)

Bryan reminds us to always Stop, Look, and Think...
To find their team you can reach Bryan Wilbourn at Echelon Technologies: bryan@echelontechs.com
www.echelontechs.com

Thanks for listening!

(Intro) 0:00 - 1:00

Amber  1:01
Hello, and welcome to The Amber Stitt Show. I am your host Amber Stitt and today we welcome back my friend and colleague Bryan from Echelon Technologies. Welcome back, Bryan.

Bryan 1:12
Thank you. Thanks for having me back. I appreciate it.

Amber 1:16
So in previous episodes, we have really drilled down into cybersecurity 101. We shared some stories, unfortunate stories about what is going on out there between just the dark web and then the surface web. We talked about that and then acronyms to teach what to look out for, but kind of some steps. So all of that's been linked up in previous episodes in the description boxes and I'm going to do that again in this episode. But today, I'd like to have a shorter episode to really talk through some steps. If a person is going to use a cybersecurity team, what does the cybersecurity team do? And I know that you have a story, I think with one of your clients prior to having you guys on board. Just some of the things you can face as a small business owner if you don't take this seriously. So I'm gonna let you dive in and share some steps that way people can see, "Alright, if I don't have this, I need to check this off the list. I need to get this going." And then how this really worked within one of your client firms. So I'll let you take it from there, Bryan.

Bryan 2:21
Thank you. And thanks again for having me back. I appreciate it. Yeah, so today I want to share a story about a CPA firm that we work with and how he got to our state, and how, how came to us to really helping to manage and mitigate the risk that he is sitting on. And it all stems from one final story of his previous partner of his who at their prior company. The new receptionist actually got hit with a business email compromise, a whale phishing email, so they impersonated the CEO and asked her to wire $20,000 off while he was in a meeting, need her to wire the money off while he was in meeting and email to let him know that it had been done. And he would call her once he got out of the meeting. So she did that. Didn't think anything of it too much. Two weeks a days later, they came back and tried to hit him again. So two things may raise red flags. They like $20,000 go out the door and didn't realize it well. Yeah, they were that big that much cash flow to the guys had enough guts to come back and do it again.

Amber 3:38
OK. Lots of meat, whale meat, I don't know. Fishing. Okay, so a new hire has access to wire information. Okay, so this could be any one of us that just goes okay. We're in an interesting environment now trying to hire teams. This person is new and wired that much money assuming just okay, this new boss wants this. I mean this is huge because we wouldn't assume that people that we would hire would approve such things. Just we wouldn't think common sense that would be a natural reaction. And then it happened a second time. So I mean, this is so key to how education is so important for any people on the team.

Bryan 4:23
Absolutely. The position was such that she would be income she would handle money like that. This company is a multimillion-dollar company. So $20,000 going out the door was not... it wasn't until the second time that she actually called that CEO and said, "Do you really am I really supposed to send us again?" He said, "What do you mean, again?" I know she didn't last very long, unfortunately, but it's just a testament to, again, we humans being the weakest link so they were partners at the time. So this gentleman who I speak up now the CPA firm, he's out on his own, he has two offices, one in Missouri and one in Arizona, which is probably too much information in itself. But he came to us and said, "Look, I want to mitigate my risk. I want to make sure that I am not you know, I don't have a bunch of data out there or a bunch of risks sitting out there", and sure enough, he does. He has about $335,000 in residual risk that he's sitting on and that comes in the form of all kinds of different things. Such as a clearinghouse number, Social Security information, email, PII, and personally identifiable information, credit card information, Visa, MasterCard, US driver's licenses, and American Express are on there. All these things are on the local systems that if you were to get hacked, he's going to jail probably, but honestly, his business is certainly going to be under. So, these are things that you can take, that business owners can take steps that they can take today, that doesn't have to break the bank, which the first would be to get a risk assessment for your business.

Amber 6:00
It's a risk assessment for the practice, for the business. Okay.

Bryan 6:06
Right. 100% and this is going to evaluate your local devices, the network's things that are on there, PII, and the different things that I just described, because today it's not so much about technology and it crippling your systems. It's the risk that you sit on. You know, you try and get cyber liability insurance these days -- five years ago, a few years ago, it was a one page application, now it's like 18 pages. And they're very selective about who they take and they are very quick to deny claims.

Amber 6:35
Interesting.

Bryan 6:37
So as a small or medium business owner, it's imperative that you partner with a company that's going to make sure you check all the boxes. This is not a matter of if you're going to get hit, it's a matter of when you're gonna get hit.

Amber 6:45
Can you...I know you've...I've gone to different conferences, and we've heard some talks about this. And I asked people, what do you have in place and a lot of people shake their heads that they don't have anything and they go, "It's a gimmick, you don't really need these things", but what was the ramification for one of either a client or one that you know about where if the errors and omissions insurance didn't cover, and they didn't have this other policy, or lack of training? What was one of the biggest hits you saw a company face from a liability perspective?

Bryan 7:18
There's one pretty big one had like 1.2 million, or something like, that were the fines.

Amber 7:27
Yeah, fines. So who's assessing the fines, do you know?

Bryan 7:23
They're a healthcare, they're a healthcare organization, so not only do they have HIPAA that they were dealing with but also PCI. So if they had credit card information on there, and then of course, you know, all the HIPAA stuff and the PII, so there were three different areas that they were really suffering from.

Amber 7:48
Yeah, and I just as an insurance broker, you know, I've had your team helped me with some of the implementation, but those of you in the financial services that take on social security numbers, we do have some of the E applications that have that security where it goes direct to the carriers and the underwriters, but it's even any of my friends that are watching, you know, you can see where this can be really detrimental if you don't have those layers like we were talking about the onion in the first episode or second episode and peeling back the onion of all the things that could happen and these people are very smart. Maybe a little bored during COVID to be more creating more problems for us. But yeah, they're creating new ways every day. So, I'm certainly going to link up your information so people can ask you questions and see, if is there a way that you can help, or have a partner that can help them throughout the nation. I know that listeners are not always in Arizona, but you guys help all over the nation. I believe, correct.

Bryan 8:52
Absolutely.

Amber 8:53
Yeah. So any final takeaways for the listeners today? As far as even if you're not a business owner. Or, you know, I would even say as a new hire if you're new. If you're a new hire, maybe it's also part of your responsibility, not just the company that's hiring you to take some initiatives and learn a little bit more. And we've talked about making sure you pick up the phone and verify maybe we'll land there, Bryan, what would be just some things for individuals just to be aware of and maybe pull in some things we've talked about from previous episodes, which I don't mind that will be maybe a couple of things to finish up with today just to implement as an individual.

Bryan 9:34 -- Stop, Look, and Think!
Sure. I mean, as an individual, I mean, always goes back to the "Stop, Look, and Think", right? You need to slow down. We've got to slow down a little bit. We've got to when we're dealing with email, that's where they're trying to get us. So let's think about where are they really trying to hit us because we are what the bad guys are going after we as humans, so they're gonna go after our emails, they're gonna go after our phones, they're gonna go after our texts. So it's more important than ever to be savvy about this, about that. If you get your spam risk come across on your caller ID, don't answer it. I'm amazed at how many people still answer that when they see the caller ID.

Amber 10:10
Well now, before we can wrap up then, I need to ask you a question. If you're answering these spam calls is there a way for them to then do something else if you say, "Hello"?

Bryan 10:20
If you say hello, oftentimes they're gonna probe you for information but for one it also that's another live person does answer that phone call, so this is a live number. So they're going to keep hitting, keep hitting it, and keep hitting it. And then, again, if they get you live and you're talking to them, they're going to try and sound extremely convincing, especially the elderly folks that answer those, those calls. It's not Microsoft calling you. Microsoft isn't gonna call you and tell you you have a virus on your computer. IRS is not going to call you and tell him your money. They're gonna send you a letter. So things like that. Just think, logically. Does it make sense? Does it feel off? Trust your gut, basically.

Amber 10:12
Guess that's like, perfect for any lesson. Stop and smell the roses, stop and think, we all need to kind of slow down as it is and, you know, they're certainly taking advantage of us just being really busy people. So, if anything we could close with just kind of slowing down and just really...does something make sense, and if not verify and so that's a good rule of practice really for anything. So for those of you who are just listening in to this episode, we have a couple more with a lot more information jam-packed in, so, appreciate you all being here. Bryan, thanks for coming back and I really appreciate all the stories and the information. And hopefully, people will take some action today with what you've taught them, so thanks again.

Bryan 11:43
Thank you, Amber. It's been my pleasure. I really appreciate it.

Amber 11:45
Thank you.

Closing 11:47

Thank you for joining us on today's episode of The Amber Stitt Show. For more information about the podcast, books, articles, and more, please visit me at amberstitt.com. Until next week, enjoy your journey at the home, and at work. Thank you for listening!

This transcript was generated by https://otter.ai