Cybersecurity: Protecting Your Data and Your Business

Dan Lohrmann (00:00):

I just wrote an article for CSO magazine talking about is Gen AI bringing back shadow IT on steroids? And so, the idea that every employee is taking it in their own hands to go out to ChatGPT and Bard and these free tools and use them, and it seems though, but you know, there's so many issues with that. There are issues around, you know, basically fake news, you know, information that it brings in a lot of different problems related to is the data accurate? Is it timely? The licensing issues, the ownership issues, and then it will be used against us to attack us.

 

Speaker 2 (00:44):

Welcome to Paychex THRIVE, a Business Podcast, where you'll hear timely insights to help you navigate marketplace dynamics and propel your business forward. Here's your host, Gene Marks.

 

Gene Marks (01:00):

Hey, everybody, it's Gene Marks, and welcome back to another episode of the Paychex THRIVE Podcast. Thank you so much for joining us, whether you're watching or you are listening. It is Cybersecurity Month, and we're talking about cybersecurity. And I've got a really great expert here with me to discuss cybersecurity and overall security issues that are impacting your business. It's Dan Lohrmann. Dan is the Field Chief Information Security Officer for the public sector for a company called Presidio. Dan, first of all, thank you for joining me.

 

Dan Lohrmann (01:29):

Hey, Gene, it's great to be with you. Thanks so much for having me.

 

Gene Marks (01:32):

Yeah, I'm glad that you're here. You've also written a book called "Cyber Mayday and the Day After: "A Leader's Guide to Preparing, Managing and Recovering "from Inevitable Business Disruptions." We're gonna get to that book in a minute because there's a lot of great information in it. Let me first ask about yourself and Presidio. Tell us what Presidio does, and tell us what you do at Presidio.

 

Dan Lohrmann (01:51):

Sure, yeah. So, Presidio is a global digital solutions provider, and we work with companies all over the world based here in USA, but we work really globally helping companies make good decisions around technology, whether that be moving to the cloud from on-prem, whether that be, you know, cybersecurity, doing that securely, how they, now the latest hot issues around Gen AI and how they integrate, you know, generative AI into their operations and use that effectively. So we really are a complete solutions provider in the technology sector.

 

Gene Marks (02:29):

It's amazing. And your clients are generally in the U.S. I'm assuming?

 

Dan Lohrmann (02:32):

Yeah, mostly U.S. We do have European operation based out of Ireland, and we have operation in India, and so we're a global company, but yeah, mainly US, and large, over, you know, over 4,000 employees. So we're a large company.

 

Gene Marks (02:49):

That's great. And why would a smaller company hire you to provide IT services? Explain to me some of the services that you guys perform.

 

Dan Lohrmann (02:55):

Sure, absolutely. Well, first of all, I just, I didn't mention my background, but personally, I worked at the National Security Agency. I was in England with Lockheed and ManTech. So I worked in the intelligence community, and then 17 years in Michigan government. So we, and before I joined Presidio, we have experts in, you know, working with state and local governments, federal government, all different public sector, but also small and medium sized companies, large companies. And we have expertise. You know, I think the number one reason is people love working with us. We have a great, you know, like over 98% retention rate of clients. People really believe and see our case studies, you know, are really impactful. So, they've, you know, we've been there, done that, gotta say, got the t-shirt, but, you know, every individual business is unique. And so, being able to have examples of where we've implemented solutions in the past is a big reason why people, you know, do business with Presidio.

 

Gene Marks (03:55):

So, if I were to work with you guys though, would I be hosting my applications with you? Are you taking care of my hardware, my network? You know, clearly I know nothing about security.

 

Dan Lohrmann (04:06):

Sure, gotcha.

 

Gene Marks (04:07):

Are you providing advice there? Tell me a little bit more.

 

Dan Lohrmann (04:10):

Yeah, simple answer is all of the above. So, you know, we have people that, you know, go through the cloud. We have, you know, we work with the biggest partners with the biggest companies in the world. So, we're AWS biggest partner in the public sector with them. And we work with Amazon Web Services, we work with Microsoft, we work with Google, we work with, you know, the big cloud providers. We work with a lot, in the security space where I focus, we work with, you know, the CrowdStrikes and the SentinelOnes, and go through the laundry list. I'm gonna skip some, but, you know, new companies like Wiz and really helping companies integrate, you know, those products and services. But also just really starting off, backing up, really starting off with an assessment of, you know, what currently your environment is. You know, a lot of our clients start with a basic assessment we call it a posture assessment, a cloud security assessment, or just an overall company assessment, just to really understand kind of what's working well and how can we, you know, enhance that and help that and continue that. And then also, you know, maybe right sizing. A lot of the companies I talk to every day, I talk to Chief Information Security Officers all across the country. I especially focus in the public sector, but everyone's trying to get down to less tools. You know, they feel like if they have 50 tools, they wanna get to 25. If they have 100, they wanna get to 50. If they've got 40, they wanna get to 20. So, you know, having a platform that really works for them and the tool set that works for them. And then, you know, they're saving money by being able to turn off the tools that maybe they don't need. So, you know, really being integrate, you know, both platforms, best in class, but also the ability to implement new tool sets that are required in certain situations.

 

Gene Marks (05:52):

Dan, you say that you guys do assessments, and I'm sure you assess companies and organizations of all sizes.

 

Dan Lohrmann (05:58):

Yep.

 

Gene Marks (05:59):

I'm kind of curious, like, you know, what are some of the things that you find? Like what are some of the most common issues, particularly with your smaller and mid-size assessments that you do that just keep repeating themselves?

 

Dan Lohrmann (06:11):

Sure, yeah, I think, you know, it oftentimes starts with the basics. And so really, you know, looking at cybersecurity awareness month and the national themes around cybersecurity, you know, I think, you know, can it be easier than it is? You know, and so the basic things around identity.

 

Gene Marks (06:29):

I'm sorry, did you say just say SaaS security? Is that right? So, software as a service?

 

Dan Lohrmann (06:33):

SaaS security, yeah, we can do that, but I mean, but basically security can be easier. And that's the national theme this year is that we need to make security, I say simple, but go back to basics and look at that. And I think, you know, in some cases it can be complex. So, I don't wanna make it too simple, but, you know, the basics of around awareness training. I mean, most of the recent ransomware attacks, most of the recent attacks are around people being fooled into the clicking on links, you know, training their staff, really being able to understand both phishing attacks, you know, the help desk, you know, questions around identity. Who are you? Multifactor authentication, you know, issues around passwords. How do they make sure that their identity, whether that be single sign-on, whether that be using a wide variety of different tool sets, how can they integrate identity better? I think those are huge issues. I think backups are a huge issue. And making sure you have backups that are, again, this is not new and different, and most people have probably heard this before, but are they immutable backups? Meaning that can not be changed, and that they're, you're making sure that those are available not just off, you know, on site but offsite, that you have, you know, really good backups that you can restore if, you know, God forbid you were hit by a ransomware attack, that you have the ability to restore timely and be able to make sure that their networks are secure. So those are just a few of the items. I mean, we could go through, you know, other items, I mean.

 

Gene Marks (08:03):

No, that's fair. You know, most of my clients, Dan, when I talk to them, and my business is, well, I mean, I have 10 employees. You know, they, particularly the small mid-size business world, they have sort of like a smattering of cloud-based applications.

 

Dan Lohrmann (08:16):

Sure, absolutely.

 

Gene Marks (08:18):

You know, like a typical client, though, like their accounting system, maybe it's QuickBooks or something, and they've got that in the cloud, and maybe they've got a CRM system like a Salesforce or a Zoho, and that's in the cloud, and maybe they have an office collaboration system like, you know, either Office 365 or Google, that's in the cloud. You know, and then when they create documents and spreadsheets, they tend to save it on either, you know, Microsoft, you know, OneDrive or Google drive or, you know, doc, you know, Dropbox, you know? So, I see that a lot with businesses. They've got different applications. So, number one, like how would Presidio fit into that model? And that's number one. And number two is from a security aspect, like why should I care about security so much? Like isn't Microsoft and Salesforce and Intuit who makes QuickBooks, you know, aren't they the ones that are dealing with the security over my data? Do you know what I'm saying?

 

Dan Lohrmann (09:10):

No, great questions that really, we get those all the time. And I think, I think the first question is, you know, when you just look at where the data breaches are happening, I know we're gonna talk about the book in a minute, but stories from around the world and what things are happening that cause data breaches and what causes ransomware and, you know, and doing kind of the analysis after the fact, and you look at companies that thought they were prepared were not prepared. And there's a wide variety of reasons for that. It could be, you know, a posture assessment. You know, if you're doing everything perfectly with Microsoft or AWS or Google, that's great. In most cases people aren't. And so, you know, and so it's having a continuous process. It's people, process and technology. So when you look at an organization, you really say, do you have the right people doing the right things? Do you have the right processes in place that are repeatable that you can make sure that your configuration, that your instance, that your cloud, you know, configuration, your architecture is secure? And not just once. A lot of times people do a one-time assessment, but then, you know, six months later, three months later, something happens, and they have a bucket that is vulnerable and that gets hacked. So being able to do, you know, continuous assessments, being able to look at an environment and say, okay, we're strong in these areas. We're not strong in these areas. Being able to look multi-vendor, because oftentimes most companies, you know, honestly use multiple vendors. It's not just one vendor. And then, really looking across and saying, you know, what really is going on? We say that now with Gen AI. I've just done a number of recent blogs. I blog for Government Technology magazine and on Generative AI, even knowing, you know, what are your employees doing? What's going on? We talked about this more than, you know, more than five, seven years ago about CASB, cloud access security brokers. But knowing what data do you really have? Where is it going? How is it being secured? In many cases, you may be doing that well or you were doing it well, but you're not now.

 

Gene Marks (11:14):

Right.

 

Dan Lohrmann (11:15):

Or it's not being done in repeatable ways. So really doing an assessment of what is being done well, what, you know, encryption, data at rest, data in motion, making sure that the protections you have in place are adequate for the type of data that you have. And so, I think those are the assessments that need to be done, and I think oftentimes people do it right once, but they can't keep it going. They can't keep it going over time. And maybe they don't have the right configurations in place for their current environment, what they're doing today.

 

Gene Marks (11:44):

When you say the right configurations in place, I mean, to me it's all about access to the data. You know, like, you know, yeah. Microsoft has got, you know, great security over its data. So does AWS, so does Salesforce, so does, you know, Intuit. I get all that. But you know, they can only do so much.

 

Dan Lohrmann (12:03):

Sure.

 

Gene Marks (12:04):

If a user account gets infiltrated and somebody, you know, invades my QuickBooks online database and steals all my data. I mean, you know, if somebody has access to that account because we had poor security controls at the user level, that to me is, you know, there's only so much that, you know, QuickBooks can do about that. That's my responsibility as the business owner, right?

 

Dan Lohrmann (12:25):

Correct, that's exactly right. And I think being prepared in the event, and, you know, having an incident response plan, knowing what that plan is, who needs to be involved, practicing that with things like tabletop exercises, and really thinking about that. Even if you're a small midsize company, you know, asking those what if questions cause it's not just a technology question. If you were to have a ransomware attack or a data breach, thinking through these as a company. There's legal aspects. There's business aspects. There's, you know, a variety of financial aspects to it. And so really thinking through all of those different pieces in an incident response plan and then testing that plan, those are all things that we can help with.

 

Gene Marks (13:03):

All right, that's great. And again, we're gonna, I wanna get to your book in just a minute, but just a couple more questions when it comes to just security over, you know, over your data.

 

Dan Lohrmann (13:13):

Sure.

 

Gene Marks (13:14):

And there's, you know, just a couple. Number one is there's a lot of people now obviously working remotely and working from home.

 

Dan Lohrmann (13:20):

Yeah.

 

Gene Marks (13:21):

Tell me as a business owner why that's a security concern for me and what I should be doing about that.

 

Dan Lohrmann (13:27):

Yeah, I mean, I think, the reality is, is that, you know, when people first moved during COVID, a lot of it wasn't well planned out, and it wasn't really, you know, I have so many stories I can tell you Gene of literally people grabbing their desktop computers and stuffing them in the back of vans and bringing them home. And, you know, you just have pictures of cables flying around and.

 

Gene Marks (13:50):

My stories are of people just going home and sharing their computers with like their seventh grader. You know what I mean? And accessing their like financial data that way.

 

Dan Lohrmann (13:59):

Correct, there's plenty of those as well. You know, so that shared computer at home. Yeah, you're doing, you know, it's like, dad, you know, I need my computer back so I can do my homework.

 

Dan Lohrmann (14:06):

No, totally, totally agree. And, you know, so home networks that were really never built for security, the assessments, and so, you know, mixing home and work, that blur is really everywhere. We see it with people with their smartphones. We see it with their laptops. We see it with home networks. So, the basic hygiene things we talked about, you know, for this show today, just, you know, the basic issues around backup, around data being secure, about being protected, about being, you know, identity management, who has access to the data, how do they have access to the data? All of those questions are done in a new environment. So just because it was a certain way and architecture at home, you know, now the endpoint is the end of the network. The network has expanded. It's no longer the building you used to be in. And so we talk about things like zero trust, and zero trust, and I don't wanna get into a lot of technology discussions today for this program, but, you know, really the idea that, you know, we have to test, you know, it's not just, you know, because you're in the building, you're secure or just, you know, now you can be anywhere in the world. You know, anywhere, anytime, any data. How can you make sure that that transaction that you're having in a business sense is secure? And that's again, data at rest and data in motion. And so, there's a wide variety of things that people need to think about. And I'll mention one more that I didn't mention earlier, patching, you know, your systems are, you know, do you have the latest? And just in the last week there's been some zero-day malwares that have been patched by several vendors, Apple and some others. You know, what is that process? You know, and is it done in a consistent way? Is it done in a repeatable way? Training people so they know. Again, the people, process and technology, you know, what is acceptable, what is not acceptable use of your company resources in various scenarios? I mean, I think all of those can happen, and there's plenty of stories and we can share some of those of where things have gone south and what we can learn from them.

 

Gene Marks (16:06):

Okay. You know, I just, I also wanted to get your thoughts on, you know, just in September there was a large casino in Vegas.

 

Dan Lohrmann (16:15):

Yep.

 

Gene Marks (16:16):

That was struck with a ransomware attack. They wound up paying millions of dollars in ransom. And they're not the only big company that's been hit by this. I mean, you know, a couple years ago, like the entire transit system in San Francisco was shut down. Hospitals have been hit with this, energy companies. There was a pipeline on the northeast part of the, you know, the U.S. a year or two ago…

 

Dan Lohrmann (16:34):

Yep.

 

Gene Marks (16:36):

…hit by a ransomware attack, you know, and it just, it's, again, as a small business owner, Dan, you know, you're like, geez, I mean, like, these are like the largest companies. These companies have, this casino, I mean, I can't even imagine what their IT staff, you know, was like, and yet they still get hit by this ransomware attack. How does this stuff, I know you don't know the details of all those, you know, what went on behind the scenes, but like just how does this stuff happen, you know? And when we trust our data with companies like yours and other big companies like the Microsofts and the Googles, how do we know that it really is safe, you know, and secure when these kinds of attacks still occur?

 

Dan Lohrmann (17:16):

Yeah, I mean, that's really the focus of my book, "Cyber Mayday," and I know we're gonna get to that in a moment, but it's, the story's in there. I can share a couple different stories and, you know.

 

Gene Marks (17:24):

Let's get into it. Let's get into it because it dovetails right in, and by the way, everybody, the book is called "Cyber Mayday and the Day After: "A Leader's Guide to Preparing, Managing and Recovering "From Inevitable Business Disruptions." You can get it on Amazon and other places. So, okay, so these big infiltrations happen. You address it in your book. Tell us, you know, tell us what you talk about in this book.

 

 Dan Lohrmann (17:44):

Yeah, we do. And I mean, a story's worth a thousand, you know, a story, a picture's worth a thousand words, but let me paint a picture.

 

Gene Marks (17:49):

Sure.

 

Dan Lohrmann (17:51):

Really, one story we shared, it's 35 true stories from all over the world. My co-author's from Sydney, Australia. And what we saw missing was true stories, you know, what happened, like you just mentioned, behind the scenes? What happens during the ransomware negotiations? What did they do?

 

Gene Marks (18:04):

And by the way, I apologize to interrupt you, I mean, like, it's a tough book to write because people do not like to talk about this stuff. You know, I mean.

 

Dan Lohrmann (18:11):

Correct.

 

Gene Marks (18:12):

These are mistakes. I mean, I'm assuming people get fired because of these mistakes. There's shareholders, there's lawsuits, it's whatever. And so it's, I mean, I applaud you for digging into this and actually able to pull out some of these stories from some of these companies cause it could not have been easy to do.

 

Dan Lohrmann (18:27):

Yeah, and lemme just give you one story, then I'll tell you how the book is. You know, it's what you should be doing before, during, and after a major incident. And for small, medium, and large companies, we break that out. We talk about practical steps you can take, but this one quick story. Your network has been locked. You need to pay $30 million U.S. dollars now. The following is a real-life negotiation between a ransomware gang and a $15 billion U.S. victim company that was hit with a $28.75 million ransomware demand in January 2021.

 

Gene Marks (18:57):

Unbelievable.

 

Dan Lohrmann (18:58):

It's funny to watch a few of your admins trying to install MS Exchange server in three days, and you can't do it. This is from the bad guys. We have encrypted 5,000 of your 6,000 servers. If you do some very simple calculation and expenditures, it's like, say $50 per hour, maybe $65 per hour. So, in 24 hours to restore one server multiplied by the number of servers on your network, that's like $10 million in labor expenditure alone. And it's always interesting. Little side note here, the bad actors who are doing these ransomware gangs often are better at quantifying the cost to your business than you are because they do their homework. They know how much it's worth. They know what you're losing, and they know what people will or won't pay.

 

Gene Marks (19:43):

These are intelligent, experienced people that know how to sell their product. And their product is these keys to unlock the ransomware, right?

 

Dan Lohrmann (19:51):

And they do this as a business.

 

Gene Marks (19:52):

Yeah.

 

Dan Lohrmann (19:53):

And it's really a global thing. So, I'll continue quickly in the story. It says, but don't forget that you spend all this time on installation and oops, you can't even restore any data because it's gone for the next thousand years. They added time factor pressure at the end of the message, but also showed some mercy at the same time. The timer's ticking. In the next eight hours, your price tag's gonna go up to $60 million. So you either pay us our generous offer of $28.75 million, or invest in quantum computing and expedite your decryption process, a little humor in there, little back jabs. When the company asks for additional time, the crooks counter by writing back, I don't think so. You aren't poor and you aren't children. If you're f'd up, you need to meet the consequences. A day later, when the company finally managed to get the authority to pay $4.75 million in a ransom, the extortionist agreed to a lower demand to $12 million on the condition that the remaining amount be paid within 72 hours. I'll jump here to the end. But it says this, after a few additional messages and negotiations back and forth, they agreed on the following things. The hackers would never launch any new attacks. Remember, you're dealing with criminals here.

 

Gene Marks (21:00):

Yeah.

 

Dan Lohrmann (21:01):

So, I don't know if you believe them. Number two, the company would get the tool to fully decrypt all the encrypted data. Number three, the hackers would completely leave their network and never target them again. Number four, the hackers would give the company access to the data it deleted to delete it themselves. The data would never be published or resold. Again, dark web.

 

Gene Marks (21:18):

Unbelievable, how do you enforce any of that?

 

Dan Lohrmann (21:20):

Exactly, exactly. And the last one, I love the best. This is the one I love, Gene, the hackers would provide a full report on all of their actions, how they got into the network, how the attack was carried out.

 

Gene Marks (21:30):

Of course.

 

Dan Lohrmann (21:30):

Tips on improving their security awareness training program and how to stop other hackers from hacking their network.

 

Gene Marks (21:38):

You know, this is like a great marketing campaign for Presidio, don't you think, right?

 

Dan Lohrmann (21:48):

Exactly, the company ultimately paid an $11 million ransom. So, I jumped to the end. It was $11 million ransom. But, I mean, there's lots of stories. We go into a lot of the details, but, you know, there are steps you can take. And, you know, it is, you know, there are statements out there. Business owners have heard this. You know, there's two kind of companies, those that have been hacked and those that don't know it yet.

 

Gene Marks (22:04):

 Yeah.

 

Dan Lohrmann (22:04):

I think, you know, there are steps that you can take just like you can protect yourself, you know, driving a car. There are steps you can take to make it less likely. Can you stop 100% of all car accidents? Probably not. No, you can't. But you can take steps to protect yourself by driving safely, by wearing seat belts, airbags, et cetera. There are things you can do. I mean, and there are steps you can take. We mentioned some of them earlier. Backups, you know, having, you know, working, in many cases you wanna work with a managed service provider, but in some cases you wanna do it yourself. But, you know, really making sure you follow those best practices and taking steps before, during, and after incidents. And I would just say to the small business owners, look at what your peers are doing. Look at what the others in the industry who are experts. If you wanna talk to those people that you know, who are, you know, the models in your specific area, your specific region of the country, or, you know, I encourage those organizations. A lot of times we have what we call ISACs, information sharing analysis centers, whereby business function or by, you know, whether that be healthcare, whether that be financial, whether that be government, you can learn from your peers.

 

Gene Marks (23:16):

So, you know, we were talking about different steps to, throughout this conversation, I just wanna make sure that if you guys, you know, you guys are listening or watching Dan had mentioned about doing backups of course. Having an assessment done first of all by somebody experienced in the IT world, particularly with security like Presidio is a critical thing to get you started with, updating and upgrading all of your operating systems on all of your devices. Do not, I'm looking right now at my laptop, and I've got the little thing in Windows saying that I need to like update and restart Windows. It's been sitting there for the past two weeks cause I haven't bothered to do it. I'm an idiot, right? I mean, I should be doing that automatically. And the reason why a lot of that stuff is super important is because the example that you give in your book, people went after a large company. I get it. You know, they walked away with $11 million. That's fine. Any business is subject to something like this.

 

Dan Lohrmann (24:04):

Sure.

 

Gene Marks (24:05):

However, if you're running a small business, the numbers are smaller. So, the people that wanna make these attacks, this is what I feel, and I'm curious to hear what your thoughts are as well. They're not gonna make the attacks unless it's like really like low hanging fruit. You know, like they got their cost as well. So, they're gonna spend all day trying to infiltrate a system so they can walk away with a couple thousand dollars in a ransom. It's just, it's not worth it when there are so many businesses out there that are still running like Windows Vista, you know, and having, you know, or really poor security, right? So, they're out looking for people where they can attack easily.

 

Dan Lohrmann (24:36):

Yeah.

 

Gene Marks (24:36):

Which is why just doing some of these basic things that you've just mentioned, Dan, having the assessment, you know, getting the training done, having a, you know, again upgrading your operating systems, having security software, it just makes it harder. It doesn't eliminate it. But, you know, a criminal or somebody with malware looks at you and be like, you know what? These guys aren't worth it. We got other people to go after. Does that make sense? Is that like a good sort of point of view.

 

Dan Lohrmann (24:58):

Totally agree, and you know, we say that, you know, in the physical security world, you know, you just need to be more secure than your neighbor because you want the robbers to go to the next guy.

 

Gene Marks (25:06):

I think they took like the bear, like when a bear, you know, is chasing you and you know, when you say like, I just have to run faster than you. You know what I mean?

 

Dan Lohrmann (25:13):

That's right, exactly. I don't need to run faster than the bear just faster than you. I mean, I think there's definitely truth in that. I think the other thing is you can really look at, I'm gonna give you one quick example. You can look at like a big area is what we call CEO fraud for small companies, but, or e-mail fraud, you know. We talk about phishing, then spear phishing, more targeted, and then, you know, basically whaling, which is going after the biggest fish, you know, going after the, the CFO, the CEO of your company. You're a small company. And what they're gonna do, a lot of times, talking about low technology, you know, just tricking people in emails. I have so many stories of people who thought, you know, they took over a Gmail account, and they were emailing, and they literally took over sessions and were able to trick people into doing fund transfers and lower-level people on their staff who made wires because they thought it was coming from the boss. So having something as simple, and there's FBI stories online. You go FBI CEO fraud stories or FBI, you know, there's a whole website that has these stories. You can go out there on the web yourself and listen to them. But having a process in place of we're never hey, staff, I'm never gonna ask you to do a multi-million-dollar transfer, you know, out of band because I'm on a fishing trip or something. I mean, those kinds of things may seem obvious, but oftentimes lower level employees, these things really do happen. Billions of dollars lost in email fraud or CEO fraud. Just reading some of those stories, talking to your staff about them, people, what would we do if, you know. It could be a 15-minute exercise as part of a staff meeting. You know, if you got this email, would you just do this? Or would you, you know, hopefully reach back out to me and say, hey, is this really me sending this? And you're gonna get more and more of that with Gen AI and fake news and fake.

 

Gene Marks (27:02):

Deep fakes.

 

Dan Lohrmann (27:04):

Deep fakes, you know, facial and all of that. It's gonna happen more and more and more. So, training your staff, going through real stories of real things that happen using FBI case studies. Those things can help your team and can really prevent, I mean, literally I've seen dozens, really hundreds, but I know personally of dozens of companies that were defrauded out of hundreds of thousands and millions of dollars because they believed a message was coming from the boss or the CFO telling them to do something. It was actually coming from an impostor.

 

Gene Marks (27:35):

A comment on Deep Fakes, I wrote last year for Entrepreneur Magazine about a story, it was a bank in the Middle East who, you know, the controller at the bank inadvertently transferred $35 million, Dan, to a criminal's account because he was deep faked. The CEO, these guys recorded, had all these audio contents of the CEO of the bank, cause there's so much of it out there. I mean, people were interviewed on, they're on YouTube. They got, people can deep fake my voice. I mean, I'm all over the place.

 

Dan Lohrmann (28:03):

Me too, me too. I'm all over the place.

 

Gene Marks (28:05):

Yeah, and the technology is very inexpensive and very easy to use. They deep fake the CEO's voice. They made the call to this controller a few times saying, oh, we got a big transaction. I need you to transfer it into this account. And the controller just wound up and did that. And we have to be really careful. It's funny that, you know, so much of the stuff that you talk about today, it's low-tech stuff, isn't it? I mean, it's getting the assessment, getting training, having an internal control. If your CEO is calling for you to transfer $35 million to another account, should not you have some type of process internally where other people sign off on that transaction before something like that happens? These are like common-sense low-tech things that I think do go to a long way towards not eliminating, but protecting us against security stuff. Final, question for you, Dan. I'll let you go. This is great stuff. We touched on it a little bit with Deep Fakes and some of these other technologies. Gimme your, gimme your thoughts. Scare us a little bit about AI. You mentioned about Generative AI. Gen AI is really, can be a great thing for IT people because they can generate scripts and do things even from a point of view internally to save them time, to help them come up with more ways to combat, you know, AI driven assaults. But where do you, how do you think AI is going to, you know, make the security environment more challenging for all of us to protect our data?

 

Dan Lohrmann (29:25):

Yeah, absolutely. I would emphasize, Gene, that I see a lot of benefits to AI. I see this really gonna be transforming. It's the hot, it's the hot button issue right now. Everyone's talking about it. And there's a lot of great things that it can do. I just wrote an article for CSO magazine talking about is Gen AI bringing back shadow IT on steroids? And so the idea that every employee is taking it in their own hands to go out to ChatGPT and Bard and these free tools and use them. And it seems though, but, you know, there's so many issues with that. There are issues around, you know, basically fake news, you know, information that it brings in a lot of different problems related to is the data accurate? Is it timely? The licensing issues.

 

Gene Marks (30:13):

Yeah.

 

Dan Lohrmann (30:14):

The ownership issues. And then it will be used against us to attack us.

 

Gene Marks (30:17):

Yeah.

 

Dan Lohrmann (30:18):

And so, it's gonna make the environment, more and more tools in the industry from the vendors we talked about earlier are incorporating AI into their solutions.

 

Gene Marks (30:25):

Yeah.

 

Dan Lohrmann (30:26):

But I think we're at a time right now during this transition where it's like, there's a lot of hype, and so the challenge is everybody is kind of trying it out, playing with it. I would tell people start with getting a good understanding or assessment of what's going on in your current company. You know, you can use tool sets from companies like Netskope or Zscaler or others of the traditional CASB we call it, cloud access security broker. But just know what's even going on. And then you can, as you see fit, you can either block things or enable things or encourage people. Hey, you're doing this, that's great, but we don't want you to do it here. We want you to do it over here via this licensed product and not via this open source product. So those are the kinds of things, I mean, I think it can bring about a lot of good for companies, but I think we're in a transition time right now where a lot of people may be doing things and there might be legal liabilities with that. The people are sticking data out there. They're sticking code out there. And they don't have ownership of that, right? So it's out there in those sites and who knows where that data and that code is gonna end up. And so I think, I mean, I would advise caution. I mean, but I certainly, I'm a user of the tools, and I think it just needs to be done in a really thoughtful way. Think about your governance and how you implement tools in any area of software. You know, how you bring new tool sets in and making sure that you're thinking through that. My blog at CSO magazine, maybe we can put a link to it, will give you a lot of tips on how you can do it.

 

Gene Marks (31:53):

Dan Lohrmann is the Field Chief Information Security Officer for the public sector at Presidio. He is also the author of "Cyber Mayday and the Day After" "A Leader's Guide for Preparing, Managing, and Recovering "From Inevitable Business Disruptions." Dan, where can we find you? And, by the way, you mentioned about your blog with CSO. Give us, do you have a URL for that or someplace?

 

Dan Lohrmann (32:15):

Yeah, govtech.com is the, it's Government Technology Magazine, but you can just Google Lohrmann on cybersecurity or Lohrmann on Cyber. It'll pop right up. I do a weekly blog for Government Technology magazine. Feel free to reach out on LinkedIn. I mean, that's probably the place I most interact. You know, feel free to send me a Linked request. Happy to connect with you. I'm also on Twitter, which is now X of course.

 

Gene Marks (32:37):

Okay.

 

Dan Lohrmann (32:38):

It's @govcso, @govcso. And happy to, you know, reach out and talk to anyone if they wanna talk about how we can help.

 

Gene Marks (32:47):

Everybody, you've been watching and listening to the Paychex THRIVE Podcast. My name is Gene Marks. Thank you so much for joining us. If you need any tips or advice or would like to suggest a guest for the future, please visit us at our webpage, payx.me/thrivetopics. Again, thanks for watching or listening. We appreciate it very much, and we'll see you again next week. Take care.

 

Gene Marks (33:08):

Do you have a topic or a guest that you would like to hear on THRIVE? Please let us know. Visit payx.me/thrivetopics and send us your ideas or matters of interest. Also, if your business is looking to simplify your HR, payroll, benefits, or insurance services, see how Paychex can help. Visit the resource hub at paychex.com/worx. That's W-O-R-X. Paychex can help manage those complexities while you focus on all the ways you want your business to thrive. I'm your host, Gene Marks, and thanks for joining us. Till next time, take care.

 

Speaker 2 (33:43):

This podcast is property of Paychex, Incorporated. 2023. All rights reserved.