Kyle Youngs works as The Iroquois Group’s IT Administrator. That means he is consistently keeping our systems up to date and our staff trained on the Do’s and Don’ts for our technology. His mantra is “train and educate.” The VPNs, MFA and firewalls can only do so much if the end user is working against them. Tune in to The Trusted Advisor Podcast to learn how your independent insurance agency can stay safe.
Edwin K. Morris (4s):
Welcome to the Trusted Advisor Podcast, brought to you by Iroquois Group. Iroquois is your trusted advisor in all things insurance. I am Edwin K. Morris. Kyle Youngs is the IT administrator at the Iroquois Group, a role he has held for the last 13 years. Over those years, Kyle has kept the systems running smoothly and the employees out of harm’s way. What’s the weakest link in the digital world? What do you see as the easiest way to break into a new organization?
Kyle Youngs (38s):
The easiest way to break into an organization at this time is the user, unfortunately. Most people are up to date with their anti-virus and have something in place that detects things, but at this point the most dangerous part of the landscape is really the user; they’re actually the ones letting the most attacks in.
Edwin K. Morris (55s):
Can you give me a further example? What does it look like?
Kyle Youngs (58s):
The best example is email. There’ll be some kind of a phishing attempt into your email where they disguise themselves as someone you know, or somebody that’s higher above you that you would react to with some kind of urgency. And then they will try to get your password and username from you. And once you give them that, that’s like the key to the kingdom. Then they can get in and take it to the next level to do whatever they’re looking to do maliciously.
Edwin K. Morris (1m 25s):
Do you think social media builds a lot of connectivity for someone to target someone for a phishing attempt?
Kyle Youngs (1m 32s):
Probably does on a smaller scale, not so much, at least for our business, we have a social media platform, but it’s mainly contained by one person as opposed to a smaller business that might be actually using the same platform for personal as they do business. Just being able to monitor through one person makes a big difference.
Edwin K. Morris (1m 51s):
Well, if an agency doesn’t have a specific IT person, who should be looking after cyber security?
Kyle Youngs (1m 57s):
I would suggest the principal of the company, probably. If they don’t think that they’re tech savvy enough, maybe a next in line or someone that is tech savvy in the company. But to be honest, you really need to put some company dollars towards cyber security, because with today’s landscape and how everything is evolving and changing, there’s always a new threat around the corner each day, each week. You’ve got to put some kind of dollars towards that, or some kind of trainings, some kind of awareness.
Edwin K. Morris (2m 27s):
That’s what I wanted to bring around. So if you’re talking about awareness, and if the weakest link is the user, it sounds like education and training is probably going to be the easiest fix.
Kyle Youngs (2m 36s):
Yes, I think money-wise, that is definitely the easiest fix. You can spend lots of money, obviously, grabbing a third-party company that will monitor and maintain and show you the best steps to take when it comes to cybersecurity. But at this time, one of the greatest things that we can do is train our end-users to not let people in because that’s where the biggest threat is.
Edwin K. Morris (2m 57s):
Does that end up being compounded by the amount of different devices that an individual has access to?
Kyle Youngs (3m 7s):
It does. With a mobile device, you might be in a position where you’re not actually thinking about business at that time, and you get a quick email or something on your phone, you pick it up and you think, oh, I’ll just respond real quick to this and be done with it. And unfortunately that’s when people do get in trouble.
Edwin K. Morris (3m 22s):
Going back to that individual level, what should they be doing to protect their password?
Kyle Youngs (3m 26s):
Passwords? There’s a couple of different ways to look at it. Some people like to go with long and complex passwords, that kind of stuff. In my eyes, the simpler you can keep your passwords, while still meeting some kind of complexity, that’s your best bet. But you really do need a unique password for every platform you use. So just in case that platform does get compromised in some way, or if you accidentally give out those credentials to some kind of attacker, that way it’s only that account that’s under fire. Maybe the next step would be a password manager as well. Once you get to the point where you’ve got many accounts, a password manager would allow you to only have to remember one password, while the password manager can actually generate a unique, crazy password that you would never guess anyway, and go from there.
Edwin K. Morris (4m 10s):
Walk me through this, because passwords are passwords. That’s one key to the lock. So with biomarkers using actual fingerprint, eye scans, all that sort of thing, is there a way that that complexity is easily managed?
Kyle Youngs (4m 29s):
Well, you’re actually starting to touch on the next level of that. MFA, multi-factor authentication, is the next level, and really, anyplace where a user can turn that on is what needs to be done. So when I say multi-factor authentication, I’m talking, it’s your password, but then another level that is making sure it’s you. So with multi-factor, normally it’s an email that comes to you with a code in it. It’s a text message with a code. It’s some kind of authenticating app that tells you that you’re saying, yes, this is me. Yes, I’m verifying it’s me. And then those things also begin to start to use the biometrics as well.
Edwin K. Morris (5m 5s):
With everybody bringing their own devices to work now, how do you control that? How does an organization control that?
Kyle Youngs (5m 12s):
Actually there is some management capability there. I go back even one step behind that and say, it’s really policy driven. And it’s also training when it comes to your users. When you have cell phones, stuff like that, you need to say you have to have a password on your cell phone. You need to only use it with secure wifi, and that kind of stuff. A VPN that we offer our end users, and stuff like that. Where you’re “going to the next level” is not necessarily managing it at a micro level with a piece of software; it’s the policies.
Edwin K. Morris (5m 43s):
What would an organization look for if they’re trying to plan a contingency, if you will, a digital contingency for an attack? What is an attack?
Kyle Youngs (5m 52s):
There’s many levels to an attack. I mean, there’s very small levels of attack where your email is compromised and now someone’s using your email addresses to phish, but then there’s the next level of attack where someone actually gets into your company. Again, this is going to go back to policies and training. When an end user recognises any of these and it’s an anomaly, in the long run, when you see something in your environment that does not look the same or is out of the normal, that is where you’re going to need the end user to speak up. They need to get to the right person; tell them who to talk to, which person they talk to to get something started, to verify, is this an issue? Or, you know, is this just me being cautious?
Edwin K. Morris (6m 34s):
I would assume that is at least addressed in this training and education of all of the personnel involved, because it’s easy to get overcome just by daily activities and, sometimes, security. And that’s what this is: the security of the data in the system is reliant on that individual out there in the field. So that’s a constant reminder. You have to constantly stir that to keep that in the front of mind.
Edwin K. Morris (7m 2s):
What would be your recommendation for any kind of software solutions or third-party systems out there?
Kyle Youngs (7m 8s):
When it comes to the software solutions, there really isn’t a catch-all system without paying lots of money, unfortunately. Even the third-party vendors that suggest that to you will tell you it’s a many-pronged attack to try to protect yourself. When it comes to what they can do, it goes back to the training aspect. Everyone has antivirus; that’s going to be your baseline. That’s going to detect anything, but really that proactive approach is what we always try to do nowadays, as opposed to the reactive, which is when you find something that’s in there and you’re trying to fix it. The proactive approach is the route that our company and most are taking these days, to stop them from happening to begin with.
Edwin K. Morris (7m 52s):
Got it. What’s the primary driver for all of this malicious activity? Are you seeing a majority of it being for ransomware? Or is it something else? Is it just an interruption of a business?
Kyle Youngs (8m 6s):
Sometimes I actually sit back and try to think of this myself. A lot of the time, most of the stuff that we see on our end is so small scale because they’re not getting to the level they want to get to. My guess, the bigger goal for them is the ransomware. That’s your dollar maker right there. We make sure that if something happened today, we’re able to go back to last night to get us back to the same spot.
Edwin K. Morris (8m 28s):
You bring up a critical, I think, easily overlooked part of this puzzle piece here, the puzzle of protection, which is that if you don’t do systematic updates and/or systematic backups, you’re really creating an opportunity for havoc.
Kyle Youngs (8m 47s):
Yes. Because as soon as you don’t have something to restore to, that’s when you’re vulnerable, but you can’t go backwards and start from scratch; that’s impossible. But when you have that backup or restore point, now you’re giving yourself an option to not give in to these attackers.
Edwin K. Morris (9m 3s):
Now do you suggest to have a hybrid approach for that backup storage, one onsite and one offsite, or what’s the best opportunity?
Kyle Youngs (9m 12s):
If you can come up with some kind of cloud backup for your system, that’s probably your best bet, because that way you get rid of the onsite issue of it. So you get rid of fire, water, all that kind of stuff. The cloud backups are normally in more than one server. So there’s one on the east coast, one on the west coast; they then handle backups to back you up.
Edwin K. Morris (9m 30s):
The last thing I’ll ask is, what’s your recommendation on encryption?
Kyle Youngs (9m 34s):
Encryption? Any time that you can turn encryption on, that’s what you want to do. But once again, we’re going to go back to training. When it comes to training your employees, encryption, whenever using any kind of sensitive information, like a social security number or credit card, you’ve really got to train them to send encrypted emails when it comes to that part. On the other side, your IT is most likely already handling encryption on the websites and that kind of stuff, too, but when it comes to the end user, that’s where that knowledge is important as well.
Edwin K. Morris (10m 3s):
So your recommendation, especially for personal information, is that if you’re using email, putting that information through an email system is a very open opportunity for pillaging.
Kyle Youngs (10m 15s):
Exactly. The encryption is just a way of making it so it doesn’t come through in what we call clear text. Clear text is something that goes across the internet exactly how you wrote it or typed it, and anyone could see it that way. When it goes through encrypted, it’s all jumbled; there’s an algorithm that’s put in place and then it’s deciphered on the back end to make it readable again for the user. But in transit, it’s not able to be read. Just walk the dog here with me: does the virtual private network encrypt it automatically? Well, the virtual private network is already kind of taking its own steps, because now you know where that data is going. So it has nothing to do with the encryption at that point. It’s the fact that it’s now on a network that you control, as opposed to a Wi-Fi that’s at a Starbucks.
Kyle Youngs (10m 60s):
You know, you could technically be on there, you know, with some guy in there that’s doing the exact thing with a keylogger, and just copying everything that you write down. But when you’re in the VPN, you’re actually on a controlled network.
Edwin K. Morris (11m 14s):
Well, thank you for the great information. I’m sure it’ll hit a lot of folks at this time, with cyber security issues in the news daily. Thank you very much, Kyle.
Edwin K. Morris (11m 24s):
Thanks for listening to this edition of the Trusted Advisor Podcast, brought to you by Iroquois Group. Iroquois is your trusted advisor for all things insurance, and remember: get out of the office and sell. I am Edwin K. Morris, and I invite you to join me for the next edition of the Trusted Advisor Podcast.