BeansTalk
BeansTalk: Where Expertise Meets Opportunity, Mauldin & Jenkins' podcast, where we are sharing and showcasing our areas of expertise through conversations with practice leaders on their knowledge and experience.
Cybersecurity Landscape: Balancing Technology & Risk
How do emerging technologies impact cybersecurity? In this episode, we’ll explore the risks organizations face and share expert insights on minimizing exposure, strengthening defenses, and staying ahead in today’s digital world.
About Our Guests
Jameson Miller, CPA, CISA, CISSP, CCP, CCA, is a Partner in the Chattanooga, TN, office and has been with the Firm since 2006. He has experience performing information systems regulatory compliance and framework reviews, System and Organization Controls (SOC 1, 2 and 3) Examinations, and cybersecurity assessments for information systems.
Jon D. Hightower, CCSFP, CHQP, CISA, CRISC, CIPT, and FAIR, is a Director in the Raleigh, NC, office. He has experience performing information systems regulatory compliance and framework reviews, SSAE 21 System and Organization Controls (SOC) Reporting, and technical audits and cybersecurity assessments for information systems.
About Our Host
Brandon Smith, CPA, is a Partner based in the Atlanta office and the Advisory Practice Leader.
Welcome to Beans Talk, M&J's podcast where we are sharing and showcasing our areas of expertise through conversations with practice leaders on their knowledge and experience. Welcome. Today's topic is the source of many sleepless nights for business leaders. It seems like every time there's a new technology that gets revealed, shortly thereafter, there's also discussion about the cybersecurity risks that new technology poses to our organization's environments. It's constantly coming at us, all the different cybersecurity risks that we're facing, and it seems impossible to address them all. But there is a lot that we can do to help mitigate those risks and improve our posture against them. And that's the topic we'll be covering today because none of us are alone. And to address this topic today, I'm very excited to be joined by leaders from our IT services practice. Hey, Jameson. Jameson, will you do a favor for our listeners and just tell them a little bit about your background, your experience, and some of the services you specialize in information technology?
Speaker 02: Sure. Thanks, Brandon. I'm excited to be here. My name is Jameson Miller. I'm a partner here at Mauldin & Jenkins going on my 19th year. And as you mentioned, I oversee our technology services division, which includes cybersecurity assessments and IT audits and SOC audits. We'll get into some of that stuff, I guess, in a little bit, but glad to be here and looking forward to today's discussion.
Speaker 01: I am as well. Thank you so much for joining us. You have a lot of really valuable context to bring. And Jon, also, thank you for joining us.
Speaker 03: Well, it's good to see you this morning. I'm Jon Hightower, and I'm a director at Mauldin & Jenkins, and I'm focusing mostly on... compliance and then also cybersecurity risk. So we help a lot of our clients actually navigate those things that we just talked about, about how to reduce risk, but not go overboard and try to get those things in place to help them sleep better at night.
Speaker 01: And Jon, you just hit on something that I find incredibly relevant. You're not going overboard, but there's a lot that we're worried about. As business leaders everywhere, from the headlines to the different providers out there selling tools to just seeing what's happening to your neighbors, it feels like the risks to our businesses are endless. And it's kind of a tough thing to think about, where do we start? We don't have endless resources at our disposal to address all these risks. So Jon, would you mind helping us kind of continue down that path in terms of what are we actually trying to do here? When it comes to us stepping into this cybersecurity and IT security space, what's the goal that we're trying to kind of work toward and address?
Speaker 03: So when I work with clients and we talk about risk, talk about specifically for cybersecurity, we go from the approach of what are your crown jewels? What does that mean? Is that data? Is it business processes? Is it sales? What are the different things that you've got to have protection around to keep your business running like you want it to run? So we look at it from, like I said, data. Everybody's got employee data. That's HR data. You want to protect that. You have customer data, whether it be credit card data or possible just information that doesn't need to get out. If you work in healthcare, it's obviously patient and protected health data, doing those things like that where you really want to focus on those things first. How are you managing that information? That can include a lot of different things. Are you encrypting databases? Are you doing certain things to help protect that data if somebody got that far in your network? Then we just kind of work our way out as far as layers of protection. So that could be through firewalls. It could be through access controls. And then we start looking at the outer layers as well. So working with them to kind of figure out, okay, what are your crown jewels and then how you protect that? How many layers of protection are you putting in front of that? That's where we start. And then we look at where are your threats coming from? So the next thing is, is it going to be what type of threat actors are going to come after your data? Is it going to be criminals? Is it going to be, you know, script kiddies, so to speak, which are like people just trying to prove that they can do certain types of hacks? We want to look at that as well and say, okay, how sophisticated are your adversaries? So if we can figure that out as well, that's how sophisticated we need to be when it comes to technology, how much you want to put in front of that.
But when we talk about the right size, we really want to put the client in a position where they have the protection they need, not spend too much money and too much time and effort to do those things, but still be able to function because it also can limit operations. So we're trying to limit that. And kind of the analogy I give them is that, hey, we want to put you in a position where if somebody comes and looks at your organization, looks like they want to try to hack your organization, you want to make it just complicated enough to make them pause and say, do I want to spend time and resources ongoing after this company or do I want to look down the road for an easier target? So if we can do those type of things, plus help them with making sure they're hitting their regulations and all those kind of... We've got to put them in that position where they still meet what they need to meet from a business, also meet what they are from a regulatory perspective, and then, again, right-size the treatment for their crown jewels.
Speaker 01: Yeah, I love how you put that. You make it seem so manageable. This isn't something that we're having to go in and reinvent the wheel on and just kind of enter blindly. And I love that idea of crown jewels. What are we actually trying to protect? What's important for us to protect? Obviously, we can't protect everything 100%, so where are our priorities? And you're talking about the data relevant to our environments, like your example in the healthcare industry when it comes to patient data, but the data we're protecting might be different from the data you are protecting. In addition to business processes, as you're describing. So I love that crown jewels concept. That's really helpful. And then kind of how we respond to keeping those protected and what might be relevant to us. And you also introduced the idea of regulations. How might we be required to protect this data? So Jameson, can you kind of give us some background on what that would look like in terms of, now that we've gone through the initial process of what do we need to protect, why are we protecting them from a certain perspective?
Speaker 02: Sure. So the thing about regulation, especially here in the United States, is we have 50 different states that have adopted various types of regulations around cybersecurity. So that's challenging for an organization, especially if they're operating in multiple states. That can be challenging for an organization to get their hands wrapped around, so to speak. We've also allowed the industries, the various industries, like financial institutions, for example, they're regulated by the Gramm-Leach-Bliley Act and the FTC safeguarding rules around consumer information. And that kind of siloed approach has made it more difficult for organizations that are operating in maybe more than one of those silos. Perhaps they're doing some type of maintaining health records or something like that, and so they're regulated by HIPAA. When you're regulated by multiple agencies or regulations, it becomes really difficult to figure out which one should we really follow and where can we get some bang for our buck. And so that's one of the things that we try to help our clients out with, navigating those situations and making sure they understand the regulatory environment they're operating in. It's very important.
Speaker 01: Yeah, definitely. So there's a lot of different things we need to consider in terms of what regulations might apply to us, depending on what our crown jewels are, what industry we operate in, the data we have on site and the different business processes we have, and also just risks specific to our environment and how different fragmented agencies and regulatory bodies around our country have kind of interpreted those and provided guidance on how we need to be responding to those. But I guess another question to you, is that the why behind cybersecurity? When it comes to securing our posture against technology threats, should our baseline be just staying in compliance with regulations? Is that enough?
Speaker 02: Yeah, that's a really great question. I think the most straightforward answer is organizations have to kind of determine that for themselves. Like, every organization is going to have a different risk appetite. But I do believe that, you know, as a privacy expert, security expert, that as a company, if you're operating in a public site and you're conducting business with the public, that yeah, you have an obligation to protect whatever data it is. And also, if you're operating your business, you're going to have trade secrets. You're going to have things that you want to keep inside that you don't want necessarily your competitors getting access to. So it goes more beyond just protecting consumer information. It could be protecting business secrets, like Coca-Cola's secret formula or whatever. That's very important to them.
Speaker 01: Yeah, so there's a lot of business jewels that we need to protect and the regulations are an important component of that. Which ones apply to us? How do we make sure we maintain compliance and bring those best practices to our environment, but not lose sight of just keeping secure what we need to keep secure? You know, just as business professionals, as people who are, like you said, operating in just the public space and obligations that come with that.
Speaker 03: Awesome. And one thing I can add to that, too, is it's based on the culture of the company. It's, yes, we, you know, they might have a regulation that they have to follow, but I've seen different organizations handle that different ways. Some people, their baseline is the regulation. They are going to follow it to a T, and that's probably all they're going to do. So, but if the culture is we really care about our customers or care about our customers' data, they wanna go beyond that a little bit to make sure the customers feel comfortable that they're doing all they're supposed to be doing to protect that data. And that usually translates all the way down from the board, right? That is important from a board perspective, all the way down to the leadership. And that really shows up in a lot of different ways. One is how they run their security, how they report their security. And then secondly, also, it's more of how they train their employees. I know banking regulations require that, but I see better organizations that are really more security focused, they're focused on their employees as well. And part of that's because, let's just say you have 500 employees. I call it that you have 500 firewalls that you have to look at because, especially with phishing and business email compromise, the human is the firewall. So the better training that you do, this kind of thing, that's what I try to help companies get better at as well, is if they can get the human element figured out. And again, it's about culture and making sure that this is important to the company. Usually the employees will be more vigilant as well.
Speaker 01: So. No, Jon, you're exactly right. And you just introduced a really important component of today's episode, which is, you know, I opened it with, this is an area that keeps us up at night. And you talked about some examples like all of our employees, there are firewalls. There are so many different threats that are out there, it's kind of hard, at least for me, to keep track of them. You know, the ransomwares and the business email compromises and the different kind of concerns that are out there for potential incidents and breaches. So can you all kind of talk me through some of the kind of headline primary risks that we're working to defend ourselves against these days? Jameson, can you help start us out?
Speaker 02: Sure. You know, I think one thing that's important is when you hear about all these different types of attacks like ransomware, business email compromise, and things like that, what you have to understand is that just because that's a different type of malicious threat, the way that those types of things are getting deployed in organizations, they're not reinventing the wheel. A lot of times that starts with some type of social engineering. So that's going to be a phishing email or vishing, which is like voice phishing. So somebody calls employees at an organization and tries to convince them to do things.
Speaker 01: Versus phishing instead of being email, right?
Speaker 02: Yeah. Phishing would be an email. So vishing would be, you know, the voice aspect of that. And, you know, you just call a company up pretending to be Jane Doe in the IT department and try to talk people into running certain commands on their computer. And then that could possibly allow you a foothold into a network or somewhere to start. And then from there, they're going to try to start escalating their privileges. And that's why when Jon was talking earlier about having those layers of security, how important that is because we're all given a set of certain circumstances it doesn't matter who you are, you can be subject to a social engineering attack. And so it's important to have those additional layers of security there in place so when inevitably that does happen, which it will, that you've got these other layers there that are providing that additional protection to mitigate against those kind of threats.
Speaker 01: Yeah, and when it comes to those headline risks, I mean, phishing is the one that I feel like we hear a lot about, especially now that phishing is kind of getting even more scary with things like vishing and other different avenues that folks are trying to leverage, tricking our people into bypassing cybersecurity protocols to have some kind of an action against our enterprises. Jon, same question to you. When it comes to kind of headline risks that enterprises are facing, what are some of the big ones in your mind that folks need to really make sure they're addressing?
Speaker 03: So I still think phishing is number one. Social engineering, we're still seeing new techniques come out where we're seeing AI being used to duplicate voices, to duplicate images, be able to recreate people within the organization. They're getting very creative, so that's always there. Secondly, I'm still seeing where organizations are not mature enough when it comes to security controls within the environment, what I like to call child-proofing the environment, especially with employees. Limiting their access is a big deal. We go back to this, you know, we talk about least privilege. And on top of that, protecting from the outside world. So with firewalls, you know, protecting their web browsers, not allowing the employees to do too much with what they have so they don't introduce, you know, malicious files into their systems, go to websites they shouldn't be going to. You know, those are some, you know, we consider that simple security, but I still see organizations not doing that very well. And part of it's because they don't want to be the nanny type organization or nanny security state where people can't go and do things they need to do. But it's about spending time and actually finding out what employees need and then let them go to legitimate sites like their banking sites and things like that. But if you can really help narrow some of those, like I said, that layers of protection, it can keep some of the bad actors out of the system unintentionally. Because again, you've got a lot of firewalls as employees, what I mentioned earlier. And the thing is that there's a lot of opportunities, especially when you start going to the internet, for issues to come or arise where you could possibly get compromised.
Speaker 01: Well, that's excellent. So I feel like we've kind of got a good picture of how to approach the scary issue that's keeping us up at night of IT security, where we're identifying our crown jewels, what's important to us, both the data and the important business processes of our company, assessing our regulatory landscape, what different laws and regulations out there are applicable to us, but then also just realizing that we have a certain obligation and a need and a desire to be hardened, not just because a regulation points us to it, and then thinking through some of those headline risks, like obviously phishing, and looking through practices to, I love that child-proofing our environment concept, to protect us from some of the major risks, but be mindful that we're not disrupting operations. So what's kind of a call to action for our business leaders who are listening in? What are steps they can be taking to help us walk this journey in order to improving their security posture? Jameson?
Speaker 02: Well, I think first, that's going to start with changing the culture in an organization to make sure that they are focused on a security-first kind of culture. That's gonna be the biggest driver, as Jon alluded, in any organization, the tone at the top. And it literally starts at the top and it works its way down throughout the entire organization. So if you have that good tone at the top, then odds are that your organization's gonna be doing the right thing. The next thing is making sure that people understand like that they play a part in cybersecurity, even though they might just be an employee at the company that doesn't have much to do with financial reporting or secrets that the company has, but they still have access to things. They still have access to corporate resources, and they have a duty to protect that access. And so making sure that they understand that, that's going to be the second challenge. But, yeah, what do you think, Jon?
Speaker 03: So in addition to doing that testing, what we taught them on a certain topic for, let's say, for the month, the other thing they need to do is actually... Do you want to verify that your security tools that you've invested in, that you're paying monthly fees on for software or for AI threat type analysis? You want to make sure those are working. So that's where you need to partner with somebody that can do what's called red team exercising. So come in and do a penetration test and actually test the control. See if you flip the alerts by doing certain actions within your environment. You want to verify that what you've invested in and the strategy you put in to actually protect those crown jewels, you want to make sure that those things are actually working properly. So teaming with, you know, a good, you know, organization, you know, like with Mauldin & Jenkins, with our penetration testing group, saying, hey, we want to scope out these particular type of controls that we put in place. We want to see if you can trip those for us. And if not, then that's great. We know that we've got some work to do. But if you do trip them, we know that things are working properly. So that's one thing I don't see organizations do enough of. I see them invest in security and they throw a lot of money at it and throw a lot of technology at it, but they're not actually testing and verifying that those things that they put in place are actually working.
Speaker 01: Yeah, yeah. I can see how you're exactly right on that, but I love the kind of strategic approach you all painted for this critical business area, which is, you know, tone at the top and then go through the risk assessment to see what's most relevant to our environment. Just knowing that's going to include social engineering concerns and our people. So they can show that we're responding to those risks through things like training. And then as we're investing in those, you know, expensive technology tools for our workstations and our infrastructure, testing them, make sure our investments are working, working properly and are doing the things they need to be doing. Jameson and Jon, while I have you, I'm just curious, are there any new or novel threats that you've been hearing about that have caught your interest or something that we should make sure our listeners are familiar with?
Speaker 02: Well, there is one that's kind of surfacing now. A lot of times when you have vulnerabilities in an environment, especially in an organization, a lot of times it happens just out of convenience. Somebody's doing something because it's more convenient. And a lot of times if something's more convenient, that means it's less secure by default. And so there's always a balance to strike there between convenience and making sure the business can operate, but also having that security. So case in point, this is something that's kind of come to surface recently where a lot of organizations have a lot of different SaaS or software as a service applications that they're having to log into on a routine basis. And so what some employees of these organizations have done is they've taken their employees' organization data email account and they have associated it with a Google account. And it's real easy to do this. Essentially, all you have to do is go to Google, create an account, and then tell that account that you want to assign your corporate account to that Google account. It sends an email to your corporate account with like a four-digit pin. You put that into Google and now it's associated those two accounts together. And the convenience aspect comes into the single sign-on part of Google. So now they can use this Google account to then quickly just click a button on their web browser and log into these SaaS applications. So strictly convenience thing, nobody thinks that this is a security threat until you add in another element, kind of think this through.
And so if you are subject to something like a business email compromise, where a malicious actor has actually gotten into your corporate email account, well then they could then associate, go out and create a Google account, associate your company's email to that Google account, and then start using that Google account to log in to all the various SaaS applications that you would be logging into on a routine basis. And all that would all happen outside of the logging capabilities of your organization. And so, what's scary about that is this is going on in a lot of organizations. They're not even aware it's going on. And then it's creating this new vector for malicious actors to compromise other systems.
Speaker 01: Yeah, that's a spooky one. And I think that's also just a great illustration of how the landscape's ever shifting and evolving. Some of these threat actors are getting more and more crafty as to how they're leveraging exploits or just interesting ways of circumnavigating security. Because, Jon, this also ties into earlier talking about access restrictions, ensuring that only the appropriate people have the appropriate level of access to various systems. And this ties into where exactly what you were talking about, this is another way that threat actors are trying to get around even those of us who have good practices in that space. And so, I think that's a great illustration about just ensuring that our organizations have somebody who's constantly thinking about this type of thing, or at least that we have business relationships with professionals who are constantly thinking about this because the landscape is evolving rapidly. So, something that's on my mind is obviously we're gonna try and follow these best practices to help harden our environments, to protect us from something going wrong. But what do we do when something does go wrong? Jon?
Speaker 03: Well, that's why it's really, really important to have a good incident response plan. Now, customers will forgive you if you get even a data breach or something even major. If you've done all the right things on the front end, for the most part, it still could happen. And if it does happen, it's about how do you approach, you know, treating that. If you do a good job with incident response, follow all the regulations, meet all the data privacy needs, those kind of things, setting up customers with, if it's absolute customer data, setting them up with identity theft protection and credit monitoring, you do all those things right, they're typically going to forgive you and still use your services if you're doing good services. But if you don't have a good incident response plan in place, that could be a very, very big reputation risk. If you don't handle it well, customers might not come back. So having a good incident response plan in place is crucial. And then the other thing that we're seeing a lot of organizations do is go to a certain type of backup structure, what's called immutable backups. It's a technology that really helps with reducing the risk of losing data when it comes to ransomware attacks. It allows them to get back up and running a lot faster, that's what you want to do in those type of incidences. And so, having kind of that last line of defense is a really good idea.
Speaker 01: Absolutely, yeah. Because obviously, best case scenario, we stay protected against everything, but just the environment we're living in, we know it's necessary to be able to respond to this. I love the idea of an incident response plan. And also, evaluating the different technologies we have in our environment to assist with an effective incident response to get back online and operations. Well, gentlemen, this was an incredibly valuable discussion. Thank you both so much for making the time to join me and help our listeners with all this valuable information. And for anyone out there who is interested in more follow-up considerations on the topics we discussed today, or any other business considerations you're navigating, please don't hesitate to reach out to us and visit us at www.mjcpa.com. Thank you so much.