Skip to main content Skip to footer site map

Helping Businesses with Cybersecurity, Cyber Insurance, & Awareness Training

Jonah Wisch, Program Director at the National Cybersecurity Center (NCC)
Jonah Wisch, Program Director at the National Cybersecurity Center (NCC)

Watch

Summary

This week on Paychex THRIVE, a Business Podcast, host Gene Marks is talking with Jonah Wisch, Program Director at the National Cybersecurity Center (NCC). Listen in as they cover everything from what the NCC is and what it does to, cyber insurance, awareness training, and everything in between.

Topics Include:

00:00 – Episode Preview
00:48 – Welcome, Jonah Wisch
03:18 – National Cybersecurity Center (NCC)
04:53 – Funding for the NCC
05:33 – Cyber for small businesses
06:08 – Cyber insurance
07:43 – Cyber risk questionnaires
11:25 – The role NCC plays in cyber insurance
13:05 – Cyber guidance from the NCC
13:33 – NIST Cybersecurity Framework
14:07 –Cybersecurity and Infrastructure Security Agency (CISA)
14:38 – Center for Internet Security Top 18
14:56 – What is a framework?
16:52 – Email compromise
18:07 – Ransomware
19:20 – Risk with AI
20:26 – Cybersecurity awareness training
23:20 – Wrap up

Learn more about the importance of Cyber Security.

Find out more about cyber liability insurance.

View Transcript

Jonah Wisch (00:00):

When there's, you know, criminals coming at you from all different angles, sometimes if there are kind of basic protections in place that don't provide a second layer of defense, once you click on that link and they're able to get a foothold, move around, it's just a matter of time.

 

Speaker 2 (00:21):

Welcome to "Paychex THRIVE," a Business Podcast, where you'll hear timely insights to help you navigate marketplace dynamics and propel your business forward. Here's your host, Gene Marks.

 

Gene Marks (00:37):

Hey, everybody, this is Gene Marks, and welcome back for another episode of the "THRIVE" podcast. Thank you so much for being here, and thank you for Paychex for putting this podcast on. If you're watching us on YouTube or you are listening to us, we have a lot to share with you today. I have got Jonah Wisch with me today. Jonah is the program director of the National Cybersecurity Center. Jonah, first of all, thank you so much for joining us.

 

Jonah Wisch (01:01):

Yeah, Gene, thank you for having me.

 

Gene Marks (01:03):

So, you're in Nebraska now, but the National Cybersecurity Center is in Colorado Springs, correct?

 

Jonah Wisch (01:09):

Correct. Yeah. My wife and I, we live in Omaha, Nebraska here. We've been here for about two and a half years. We used to live in Colorado Springs and we were there for a few years. So I've been working remotely out here from Omaha. A lot of the work that we do is in Colorado, but a lot of it's national as well.

 

Gene Marks (01:25):

Yes.

 

Jonah Wisch (01:26):

So.

 

Gene Marks (01:27):

Very cool.

 

Jonah Wisch (01:27):

Yeah.

 

Gene Marks (01:28):

You know, it was just my wife and I were just in Colorado Springs last year. We stayed at the Broadmoor Hotel. Man, that place is amazing there.

 

Jonah Wisch (01:33):

Yeah. Beautiful.

 

Gene Marks (01:34):

It's so nice, and Colorado Springs is a great area, but so is Omaha, so very nice. So, so first of all, let's talk about, before we talk about the National Cybersecurity Center, and obviously a lot of this will dovetail. Tell us a little bit about yourself. What's your background and how did you ultimately become the program director there, and what does the program director do?

 

Jonah Wisch (01:56):

Yeah, great question, Gene. Thank you for that. So, I've got a little bit of an interesting background when it comes to cybersecurity. I've been at the NCC for about two and a half years now. You know, started as a coordinator, moved up, manager, director, and oversee a good amount of programs now. But before that, my undergraduate degree is actually in health and human performance, and did a lot of work in data science and in the analytics side of athlete management systems. And then moved into more of a, you know, business and operations role with the NCC, and helping grow programs, and helping reach more of an audience. So I don't, you know, when it comes to cybersecurity, in terms of the advisory and the consulting side of things, that's a lot of the work that we do, especially in Colorado, I'm never going to say that I'm a hands-on keyboard. That's a phrase we like to use. I'm not the hands-on keyboard expert, but we know plenty of 'em and we can connect people with the right people to help 'em in that capacity. Yeah. We live here in Omaha. I've got an awesome little chihuahua here that my wife got when she was in high school, about 15 years old. And we've got our first baby on the way here, baby boy. He's…

 

Gene Marks (03:14):

Congratulations.

 

Jonah Wisch (03:15):

…in January, so.

 

Gene Marks (03:16):

Congratulations.

 

Jonah Wisch (03:16):

So, a lot of exciting things happening, thank you.

 

Gene Marks (03:18):

So, life is good. Life is good. So, let's talk about the NCC, the National Cybersecurity Centers. First of all, you guys are a nonprofit organization, right? You're not a government organization or are you? Tell us a little bit about, you know, how you guys are organized and, you know, how do you operate?

 

Jonah Wisch (03:36):

Yeah, absolutely. So, we are a nonprofit, you know, 501 organization. We do get that question a lot in terms of whether we're a federal agency. You know, when we do work with local governments and they see National Cybersecurity Center, they normally ask the question, "Why are the feds knocking on our doors?" And we say, "No, no, no. You know, we're not here for that."

 

Gene Marks (03:55):

Right.

 

Jonah Wisch (03:57):

You know, we're a nonprofit and, you know, our mission statement, kind of reading word for word here, is to build a collaborative, operational, and interdisciplinary model for cybersecurity and space that transforms our nation's ability to detect, protect, and deter threats. So, touching on that, we are also home to the space ISAC. ISAC is the Information Sharing and Analysis Center. There's, I know, over a dozen, I don't know the exact number of ISACs there are across the country, but they're aligned with critical infrastructure industries. And ISACs are designed to, you know, share information as it comes to, or relates to cybersecurity threats. So that's one of the really exciting, you know, programs we have. That team is great. And, you know, being in Colorado Springs, great location to have, you know, the space ISAC.

 

Gene Marks (04:53):

Sure. So, who provides your organization's funding? Is it individuals or do you have corporate or commercial or government, you know, sources?

 

Jonah Wisch (05:00):

It's a mixture. Federal, state, local grants, private donations, revenue generation. We have a mixture of all the above.

 

Gene Marks (05:09):

Got it. Okay, so the people that are listening and watching this right now, they're running or managing, you know, businesses of all different sizes, and, you know, now that we've sort of got the lay of the land of who you are and who the, you know, the NCC is, you know, the next question is, you know, why should I care? You know, I'm running the business, you know, what does the National Cybersecurity Center have to do with my business? So explain to me why.

 

Jonah Wisch (05:33):

Yeah. Very good question. So we've got two programs that we run. One is called Cyber for Government Leaders, and the second is called Cyber for Small Business.

 

Gene Marks (05:40):

Okay.

 

Jonah Wisch (05:42):

We've done a lot of work locally in Colorado as it comes to small business, and we've been running Cyber for Government Leaders nationally for the last couple of years. It's a educational webinar series that we do with open sessions we do with individual organizations. And we're doing the same thing with Cyber for Small Business. In terms of the work we've done with small businesses, and kind of, you know, why this matters, this conversation, I wanna lead with one, kind of one talking point, which is around cyber insurance.

 

Gene Marks (06:12):

Okay.

 

Jonah Wisch (06:14):

So, the way that, you know, I get questions a lot from small businesses is, you know, "What do I start with? You know, what is the best way for me to reduce risk? What is the best way for me to, you know, spend my money on cybersecurity?" 'Cause for them, it's a business decision.

 

Gene Marks (06:31):

Hmm.

 

Jonah Wisch (06:33):

Unless they're running an IT or a cybersecurity company, they aren't going to wanna spend time learning the technical side. They, you know, they're bringing in an IT vendor, they're bringing in a cybersecurity provider, but they want to know from a business perspective how to spend their money.

 

Gene Marks (06:49):

Sure.

 

Jonah Wisch (06:51):

And, you know, there's a controversial, somewhat of a controversial conversation right now about cyber insurance because premiums have been going up over the past few years as the risk of ransomware has increased. But my message there is not to, you know, throw stones at the insurance companies, but to listen and say, "Look, everybody in business speaks insurance, even if it's not their first language."

 

Gene Marks (07:23):

Right.

 

Jonah Wisch (07:23):

You know, they understand different types of insurance, workers' comp, you know, disability insurance, all of that, different types of risk insurance. Cyber insurance is new, and so people are getting accustomed to it. But when it comes to reducing risk, you have to make, it all comes down to a business decision.

 

Gene Marks (07:41):

Sure.

 

Jonah Wisch (07:43):

So, when you look at your cyber risk, you know, survey or questionnaire you have to fill out every year, and those are probably the first areas that you should tackle when it comes to monetarily reducing risk, you know, deciding what to prioritize. So, everyone loves to talk about the security awareness training, you know, reducing the risk from phishing, social engineering, all important factors because we know that somewhere around 80 to 90% of attacks originate from some type of human error. But there are, you know, probably a dozen, two dozen other line items on your cyber insurance questionnaire that you need to look at and say, "What's gonna be the best return on investment here? And if I invest this amount of money in this type of protection, how much is that gonna reduce my premium, increase my coverage?" And I think in terms of, you know, the language that everybody speaks, trying to find a way to talk with small and medium-sized business owners, that that's kind of how you have to approach it. And not trying to go through, hey, let's fill out this 150 question, you know, technical questionnaire…

 

Gene Marks (08:51):

Sure.

 

Jonah Wisch (08:53):

…to try and get them to understand where their technical gaps are. A little bit of a long-winded answer, but-

 

Gene Marks (08:58):

No. It's interesting about cyber insurance as well. Like, back in the day, it's been around for a while now,

 

Jonah Wisch (09:03):

Yeah.

 

Gene Marks (09:03):

probably about a decade. And back in the day it was like, just like added into like a typical commercial insurance, probably. Like, yeah, we're throwing it in cyber insurance. Now it's become like, insurance companies, you're like, "Oh, my God, what have we got into here? This is becoming like a much bigger thing."

 

Jonah Wisch (09:15):

Yeah.

 

Gene Marks (09:16):

So now they're like stripping it out and they're creating separate policies with separate premiums, and it becomes that much of a cost. I can't imagine why any business would not wanna have cyber insurance nowadays. It just seems like, you know, I hate to call it a necessary evil, because the, you know, insurance companies wouldn't like that. But it just seems like something that, you know, you gotta have. So, okay. So fair enough. So, you know, is your role at the NCC like to, you know, educate businesses on the value of having cyber insurance or to help us choose cyber insurance or to give us questions? 'Cause in other words, if I'm sold on cyber insurance, to me, it seems like, okay, I'll just go to my insurance agent and they can explain to me what the policy is, you know? How could you help me in that ?

 

Jonah Wisch (10:05):

Yeah, in terms of if you're going to directly to your insurance provider and you're saying, you know, "What are the details of my policy?" you know, they'll spend as much time as they want to go through, you know, what the items there, you know, that you need to check off in terms of check boxes

 

Gene Marks (10:19):

Sure.

 

Jonah Wisch (10:21):

…on your questionnaire. What we want to provide in terms of value is, you know, locally in Colorado and nationally for small businesses, or I'll just say SMBs in general, is that when you don't have someone on your team that understands what type of timeline and technical requirements there are for all of the items on that list, or any assessment in general,

 

Gene Marks (10:42):

Hmm.

 

Jonah Wisch (10:45):

…is why is this important to your business? Why actually does it reduce risk? 'Cause if you don't know the technical background of, you know, something on that questionnaire, if it's implementing endpoint detection and response,

 

Gene Marks (10:58):

Sure.

 

Jonah Wisch (10:59):

…if I know nothing about that as a service or as a product or a tool, to me, it's a checkbox.

 

Gene Marks (11:04):

Sure.

 

Jonah Wisch (11:05):

But business owners do need to understand what it actually is behind that. So they know their responsibilities to bring in, if they need to bring in a vendor to make it happen, if they need to have someone on their staff manage it over time,

 

Gene Marks (11:20):

Sure.

 

Jonah Wisch (11:22):

…you know, that's kind of where we want to come from.

 

Gene Marks (11:25):

So, Jonah, you know, currently, if I'm as a business looking, you know, and considering cyber insurance, how could you guys play a role in that? How can you help me?

 

Jonah Wisch (11:35):

Yeah, so since we're located in Colorado, you know, we have a lot more connections network-wise to different service providers, different consultants within that region. As the National Cybersecurity Center, we're looking to expand our footprint nationally, state by state, and, you know, organization by organization. If a small or medium-sized business reaches out to us, you know, with specific questions on how do I, you know, tackle this issue, we're gonna approach it from an education perspective. We'll have educational materials, you know, resources that we can point them towards. And then we have connections professionally that we can, you know, point them in the right direction, connect them with individuals. When it comes to cyber consultants, if you do have a cyber insurance provider, this is a little bit of a side note, but if you do have cyber insurance, and you are currently experiencing, or you have experienced some type of cyber incident in the past,

 

Gene Marks (12:37):

Right.

 

Jonah Wisch (12:38):

…they really should be the first person you reach out to. You know, I always put that disclaimer out there, you know, we are here to provide resources and point people in the right direction when it comes time. However, your cyber insurance provider is gonna, if you make a claim, in order to make a claim, you need to use their resources to clean up issues.

 

Gene Marks (12:57):

Right.

 

Jonah Wisch (12:58):

So, I always put that out there.

 

Gene Marks (13:02):

On the organization, the NCC, you know, mentions different types of cyber guidance.

 

Jonah Wisch (13:08):

Yeah.

 

Gene Marks (13:10):

There's the SBDC cyber guidance, which I'm assuming is the Small Business Development Center cyber guidance.

 

Jonah Wisch (13:15):

Correct.

 

Gene Marks (13:16):

There's the CISA cyber guidance, and there's the NIST

 

Jonah Wisch (13:19):

Yes.

 

Gene Marks (13:22):

You know, cybersecurity corner, you know, is what it's called. Can you explain to us what all three of those are so that we have an understanding of these types of programs?

 

Jonah Wisch (13:32):

Yeah, absolutely. So, in terms of the most utilized cybersecurity frameworks, there's the, what's called the NIST CSF, NIST is the National Institute of Science and Technology, I believe.

 

Gene Marks (13:44):

Okay.

 

Jonah Wisch (13:45):

CSF is the Cybersecurity Framework.

 

Gene Marks (13:47):

Okay.

 

Jonah Wisch (13:47):

That is used kind of as the most basic overarching framework for how to approach creation and development of a cybersecurity program. They break it down into identify, protect, detect, respond, recover, and govern, and the different protections that, you know, subcategories within that. Then CISA or the Cybersecurity and Infrastructure Security Agency, that's a federal agency as well, they have different, you know, models and protections that they recommend. There are other NIST frameworks that are more in depth, that are for more so DoD and federal agencies to comply with and follow that are extremely detailed in terms of 500-page documents with endless amounts of controls. And then there's these other most popular framework is called the CIS Top 18, that is the Center for Internet Security.

 

Gene Marks (14:48):

Okay.

 

Jonah Wisch (14:48):

So, we always promote those two Top 18 controls in terms of, you know, different buckets or categories of how to approach a cyber program.

 

Gene Marks (14:56):

So, what does a framework mean then, Jonah, like, you know, again, for a small and mid-size business, say they wanna comply with, you know, with the CISA framework or the, you know, NIST framework.

 

Jonah Wisch (15:07)

Yeah.

 

Gene Marks (15:09):

What do you mean by framework?

 

Jonah Wisch (15:11):

Yeah, so when it relates to a small or SMB community, they're going to have different regulations they need to reply or comply with HIPAA, GDPR.

 

Gene Marks (15:23):

Sure.

 

Jonah Wisch (15:24):

Regulatory frameworks, you know, they have their own specific list of check boxes that you need to comply with. Frameworks are more to help someone who's creating a cybersecurity, you know, defense, increasing their defense posture, giving them a guideline for how to do so. So breaking different protections into categories, like I mentioned with the NIST CSF, identify, detect, protect, respond, recover, govern.

 

Gene Marks (15:53):

Sure.

 

Jonah Wisch (15:53):

So, any type of, you know, security or defense, you know, concept, you have, you know, different, you know, aspects of that. We're talking physical security. You know, you're looking at, you know, human resources, physical, or, you know, technology resources. You know, every type of security industry has different ways to break things down. And there are, those are the two most popular frameworks, the NIST CSF, and the CIS Top 18.

 

Gene Marks (16:20):

Got it. Got it, okay. There are a lot of cybersecurity risks that are out there. And you had mentioned earlier in this conversation about ransomware, which still remains to be the biggest. And I'm curious, you know, when you talk to business owners, what risks are you making them aware of and what do you see growing? I'm assuming AI and deepfakes and things like that all have an implication. I'm curious to see what you're seeing out there and what you're recommending to business owners when, you know, that they'd be aware of.

 

Jonah Wisch (16:52):

Yeah, in terms of what leads to loss, which, you know, that is what…

 

Gene Marks (16:56):

Yeah.

 

Jonah Wisch (16:57):

…is most important to think about. It's business email compromise and ransomware. So business email compromise, for the listeners out there, as an example, let's say, you know, a criminal is able to get into the email systems of one of your construction vendors,

 

Gene Marks (17:13):

Right.

 

Jonah Wisch (17:16):

…and they're able to invoice you for a certain amount, you know, which includes bank account information, and you don't have the necessary, you know, dual authentication or even dual approval for an invoice or any other type of, you know, internal policy for sending and transferring money. And someone in your accounting apartment just hits send, and all of a sudden, there's a million dollars you can't get back for a construction project that won't happen because, you know, you sent the money to somebody else.

 

Gene Marks (17:48):

Sure.

 

Jonah Wisch (17:50):

So, that happens really frequently, and the way that that can happen is, you know, a couple of different means, but what it comes down to is a criminal needs access to email systems of either you or someone you communicate with.

 

Gene Marks (18:05):

Right.

 

Jonah Wisch (18:07):

Second, there on ransomware. Ransomware is the end, the outcome of multiple different, you know, endless possibilities of what we call attack vectors.

 

Gene Marks (18:19):

Yeah.

 

Jonah Wisch (18:20):

And what I mentioned earlier, the vast majority, 80 to 90% of ransomware or other types of cyber attacks initiate from some type of human error. So, you know, counted in that is, you know, the mistakes that I made human error in enabling, you know, the business email compromise, clicking on a link, clicking on a link in a phishing email, answering a phone call, and giving out information that I shouldn't to someone I thought was a trusted source, even someone coming into your office in person. So, you know, a lot of this does just come down to common sense.

 

Gene Marks (19:00):

Sure.

 

Jonah Wisch (19:01):

But when there's, you know, criminals coming at you from all different angles, sometimes if there are kind of basic protections in place that don't provide a second layer of defense, once you click on that link, and they're able to get a foothold and move around, it's just a matter of time.

 

Gene Marks (19:20):

Yep. They can really do some damage. Yeah, that is, I mean, both those are big issues. And again, like I mentioned earlier I'm seeing a rise in, I mean, I'm concerned that AI is gonna be causing a lot of havoc with security.

 

Jonah Wisch

Yeah.

 

Gene Marks (19:31):

And I wrote, a few months ago, I wrote like an entrepreneur magazine about a, it's a bank in the Middle East that got deepfaked outta like $35 million because it was, you know, these criminals had taking voice transcriptions of the CEO of the bank and impersonated him, and called up the controller, and they transferred the money. It's pretty crazy stuff, you know?

 

Jonah Wisch (19:54):

Yeah, that type of, you know, anything that can improve the criminal's ability to get past your initial line of defense, is definitely scary to think about. Especially when, you know, one of the talks that I've given in the past, the title was "Humans are the Weakest Link."

 

Gene Marks (20:11):

Yeah.

 

Jonah Wisch (20:13):

Really, what it comes down to is they're looking at, first, I have to get past the humans in your environment. And then I need to worry about the technical side. And that's, you know, how they usually think about it.

 

Gene Marks (20:26):

Which is why training is so important as well, you know, and making sure that your people are up to speed. Do you guys provide, you know, any types of cybersecurity training for employees of a company? Or is it more just awareness-based stuff for the actual owners themselves?

 

Jonah Wisch (20:42):

Yeah, so in terms of security awareness training, we've got a couple of, you know, packages designed for different audiences. One is called Cyber for Executives. So that's designed for, you know, executives of any size company, information on, you know, basic cyber threats, cyber protections, regulations, and decision-making as it relates to cybersecurity.

 

Gene Marks (21:04):

Interesting.

 

Jonah Wisch (21:06):

Cyber for Government Leaders, which not necessarily relates to the SMB space, but interesting information. We've got a curriculum there that we overlap with Cyber for Small Business. 'Cause regardless of your organization, it's, you know, there's a good amount of overlap in the types of protections. So our curriculum, we like to keep it simple. We've called it Don't Get DUPED. And so we did a DUPED 1.0 and we're coming out with a DUPED 2.0. But DUPED 1.0, the acronym DUPED stands for Deploy multifactor authentication, Update passwords, or, sorry, up, let me restart that. We've had a curriculum that's called Don't Get DUPED. Our DUPED 1.0, we've run for the past few years and we're coming out with a DUPED 2.0. DUPED doesn't have-

 

Gene Marks (22:01):

Double duped.

 

Jonah Wisch (22:03):

Doubled duped. Yeah. But DUPED 1.0 as an acronym stands for Deploy multifactor authentication, Update software, Passwords, make them strong, Encrypt emails and backups.

 

Gene Marks (22:17):

Okay.

 

Jonah Wisch (22:20):

And the last one, which is everyone's favorite is, Don't click on things you shouldn't.

 

Gene Marks (22:25):

That's great.

 

Jonah Wisch (22:25):

And so, you know, those are, you know, it's hard to pick, you know, if you were to try to point out what are the top five things you should recommend, but we've simplified it there into our Don't get DUPED, which message-wise, is pretty simple to grasp. We had, you know, one of the coolest parts of running that program for me was one of the special guest speakers on our webinars, we had an on-demand and a live format. But we worked with Robert Herjavec

 

Gene Marks (22:54):

Cool.

 

Jonah Wisch (22:55):

from The Herjavec Group, and he's on, he's the one who introduces the curriculum, and obviously he's a really exciting character, you know, whenever he's on video. And having him behind it was a really cool experience. But Don't get DUPED 2.0 is coming out soon, and we're excited to work with small businesses on that concept as well.

 

Gene Marks (23:19):

You're doing great work. I've been speaking with Jonah Wisch. He's the program director at the National Cyber Security Center. Jonah, it's cyber-center.org. Correct?

 

Jonah Wisch (23:28):

Correct.

 

Gene Marks (23:30):

And the takeaway is we all need to have cyber insurance. We all need to have the right framework for protecting our businesses. We all need to be following the best practices. And I think, you know, what I've learned today is that we can certainly lean on your organization, the National Cybersecurity Center, to help us consult with us, give advice, and educate us to make sure that our businesses are as protected as possible. Did I say that right?

 

Jonah Wisch (23:54):

Yeah, absolutely, Gene. You know, whether you're an executive leading a company, whether you're a elected leader, whether you're a small business, we've got material and resources for you, and we're here to help the best we can.

 

Gene Marks (24:06):

That's awesome. Well, Jonah, thank you very much for joining us. That was really, it was a great conversation, I learned a lot, and you guys are doing great work. So we'll keep in touch.

 

Jonah Wisch (24:13):

Alrighty. Appreciate it, Gene. Thanks for your time today.

 

Gene Marks (24:16):

Everybody, you have been watching and listening to the "Paychex THRIVE" podcast. My name is Gene Marks. If you need any help or advice or would like to suggest any guests for this podcast, please visit us at our site, payx.me/thrivetopics. Thanks again for joining us. We'll be back next week with another great guest like Jonah to help educate you and help you run your business. We will see you then. Take care. Do you have a topic or a guest that you would like to hear on "THRIVE"? Please let us know. Visit payx.me/thrivetopics and send us your ideas or matters of interest. Also, if your business is looking to simplify your HR, payroll, benefits or insurance services, see how Paychex can help. Visit the resource hub at paychex.com/worx. That's W-O-R-X. Paychex can help manage those complexities while you focus on all the ways you want your business to thrive. I'm your host, Gene Marks, and thanks for joining us. Till next time, take care.

 

Speaker 2 (25:24):

This podcast is property of Paychex, Incorporated. 2023. All rights reserved.

 

Topics