Episode #05 of Intentional Wealth:
Internet Security and Cyber-Threats
with Brian Hess
December 20, 2021
As BBA's trusted IT partner, Spera Partners' mission is to help its clients advance their business by partnering with them to proactively manage their technology and create innovative technology processes, including protecting them from cyber-threats.
In Episode #4 of Intentional Wealth, host Amy Braun-Bostich is joined by Brian Hess, President of Spera Partners, to discuss Internet security and the major types of cyber-threats each and every one of us should be aware of, and more importantly, what precautions should be taken to combat them and be safe online.
Listen as Brian shares his expertise in Internet security while passing along best practices to keep safe in a world fraught with cyber-threats and criminals seeking to take advantage of Internet users!
Welcome to Intentional Wealth, a monthly podcast where alongside notable financial professional guests, Private Wealth Advisor and Founder of Braun-Bostich & Associates, Amy Braun-Bostich, delivers useful insights and strategies that help YOU live your best financial life! Remember, when your goals are meaningful and your wealth has purpose, you can truly live with intention. Now, here's the host of Intentional Wealth, Amy Braun-Bostich.
Amy Braun-Bostich: Good morning, everyone, and welcome back to Intentional Wealth. We're shifting away from our normal financial life format to one of more general interest. Today's guest is Brian Hess, President of Spera Partners, an IT company located in Murrysville that's been providing innovative technology services to businesses and schools in the Pittsburgh area for over 30 years. Hey Brian, welcome and thanks so much for joining us today.
Brian Hess: Thanks, Amy. Happy to be here and great to talk to you today.
Amy Braun-Bostich: We are thrilled to have you here to educate our listeners on what's become an all-too-common topic of conversation these days: cyber-security. Let's start with you telling us a little bit about yourself, your company, and some of the solutions you provide to your clients.
Brian Hess: Thanks, Amy. So, Spera Partners is an IT consulting firm that does managed services for our customers like you. We do IT support, we sell equipment and services, and we really try to provide proactive solutions for our customers to help them achieve their potential.
Amy Braun-Bostich: Great, great, impressive. And as your favorite business client (wink, wink), I can attest to the value of the solutions delivered to my firm, and to the relationship we've enjoyed over the years. So we really don't worry too much that things are being taken care of, because you guys have been really just so thorough in helping us. So thank you for that.
Brian Hess: Yeah. I mean, really, when you think about IT services, it's getting ever more complex and complicated, with security requirements, legal requirements, and some of the stuff we're going to talk about today. So yeah, it's one of those things where we're trying to take that load off business owners so they can focus on growing their business and doing what they need to do.
Amy Braun-Bostich: Okay, great. So let's just dive in right now to the topic at hand. What are the, say, top half dozen or so major threats most of us should be looking out for?
Brian Hess: So I’ll list them here at the beginning, and then we can go into some more details. So certainly phishing campaigns, business email compromise, ransomware.
We're going to talk about pawned passwords, remote access hacking, and then certainly one of the easiest, phone calls.
Amy Braun-Bostich: Okay. Well, a few of those sound somewhat familiar, but others I've never heard of, “pawned passwords”, I don't think, but anyway, can you go into detail on each of these threats and what these criminals are looking to accomplish?
Brian Hess: Certainly. So the first and most obvious, I'm sure everybody who's listening to this has probably got one of these, is phishing, which is an attempt by a bad actor, through email, to get you to take some action. The most common one, which started certainly over 10 years ago, is the Nigerian email: somebody from Nigeria emails you and says… hey, you're a long, long-lost cousin. If you let me send you $10,000, I'll let you keep some of it, right? And then if you responded, they sort of send you down a rabbit hole you really don't want to be on. The most recent one in that arena is somebody says, hey, I'm on your computer, I have all these files that I'm sure you don't want people to see. Please send me $150 through cryptocurrency and I'll make sure that it never goes anywhere. And of course they provide no proof. Maybe they have a password, but in general, the emails that are coming in like these at this level are really just fly-by. They shoot out thousands of these a day trying to get somebody to take advantage of you.
Amy Braun-Bostich: How does the business email compromise happen when we're also careful about our emails?
Brian Hess: Okay, so business email compromise is a form of phishing, but typically we'll call it spear phishing, or there's other names for it, but the general name is business email compromise, and this expands on that. In this case, it's usually somebody impersonating somebody you know, an executive or the business owner, or maybe it's a relative, but they're trying to trick you or their employees into wiring payments to an alternate bank account. This can look legitimate because it comes from a compromised email account, or sometimes they spoof an account, which looks like the email account, but really isn't.
So maybe instead of Amy at Braun-Bostich.com, it's like Amy at Braun-Bostage.com. Right? And if you just don't see that letter change and it looks like it came from Amy... we've had examples many, many times in the businesses we work with, and this is the most common one out there right now. I've had administrative assistants almost wire money to executives, or to offshore bank accounts, because the executive sends an urgent email saying, hey, I'm not near my phone, but I need you to email $10,000.
We've had customers wire to vendors: the vendor sends them an email saying, hey, don't wire it to this account, wire it through a different account. Looks like it came from the vendor, looked legitimate. We've had mortgage companies where somebody almost closed on a house, and they sent it to the wrong one because somebody was monitoring the emails, and at the exact right moment of closing, they said, hey, don't wire here, wire it there.
So in all these cases, those are pretty scary, right? In all of these cases, hundreds of thousands of dollars are involved, and all these cases look very legitimate. So that's the scary part of this. In both of these cases, whether it's phishing or business email compromise, the first thing you need to do is pick up the phone and try to communicate with that person over the phone, right? So if there's a change from the normal process, that's the first dead giveaway. Hey, do I trust this change? Pick up the phone, call that person, say, hey, it's Amy, did you change your routing codes this month, or are you going into a new bank account? That's usually all it takes, right? Call the business owner. Hey, I know you wanted me to wire this, you didn't want me to call you, but can I text you or can we talk about this? And they'll be like, what are you talking about? Right. So that's usually the easiest way to take care of that.
Amy Braun-Bostich: Yeah. We always have, you have to call, you have to call and confirm. You know, we don't work off of emails at all.
Brian Hess: The second thing that I recommend for businesses, and again this is more accounting than it is technical, but we make sure everybody is aware in your company and your organization: you should always have two people authorize a wire transfer. It's just good policy, right? So it eliminates fraud on a lot of different.
The other big one for email is to make sure that you're using what we call two-factor authentication, and it's certainly becoming more prevalent. I think people are getting a little bit more comfortable with it, but if you don't have two-factor authentication, even on your own account, your personal account or your work account, we highly recommend you take some time and get that set up.
It prevents users from getting into your email account. And that's really one of the things that they're doing is they get in these accounts, and they sit for weeks looking at how your organization works or looking at how you work, waiting for the right moment where they can take advantage. So that two-factor authentication is an important step in eliminating that.
Amy Braun-Bostich: Now, are there ways to see if they're sitting there waiting? I mean, can you find an intruder without them doing anything, if they're just sitting in there?
Brian Hess: So the tricky part there is that sometimes, yes. And usually what happens is emails will start to go missing because they've routed certain emails to certain folders or maybe deleted them automatically.
So if you start to notice anything suspicious in your account that you wouldn't normally have seen, like an email shows up and then a second later disappears, or, you know, somebody said, I sent you an email, didn't you get it? Anything along those lines is a good first step. But sometimes it's tricky to catch that. That's why that two-factor becomes super important.
Amy Braun-Bostich: Gotcha. Okay. And then you said something about ransomware as well, right?
Brian Hess: Right. So ransomware has been around for a while. It's not quite as popular as it used to be for home users, because they've sort of moved to the corporate world, but again, we'll go over it because it's an important thing to make sure of. So ransomware is basically when a bad actor has gained access to your computer or your computer systems or your network, and they encrypt all of the data on your network. So one day you walk in, you turn on your computer and it says, ha, ha, ha, we've encrypted all your data.
Please send me X amount of dollars to get that data back. So that was the first level of this. Now they've taken it to the next level, and not only say that, but, okay, some people just don't pay because they don't care about the data. So the next thing that they'll say is, well, I'm going to release all these pictures, all these passwords, all this data out on the internet.
If you don't pay. That sort of becomes an extortion version of it. So in those cases, by the time that's happened, it's too late, right? They've already compromised your system. They've already encrypted the data. So that's what ransomware is.
Amy Braun-Bostich: Now, there was a big case of ransomware. What was it last year? I think with a, was it an oil or a pipeline company?
Brian Hess: Sure, Continental Oil had a huge ransomware attempt. That's why I said they've moved on: millions of dollars they got from Continental, because they shut down their pipeline. Basically, they couldn't control their valves and couldn't control the flow of oil through these pipelines.
And it was pretty scary. So the perpetrator had gotten in and basically encrypted all the data on their networks, and to them, it was easier to pay that ransom than it was to try to undo all the damage they had done. So yes, this ransomware has become a huge issue, where corporate hospitals have been shut down; weekly, schools are being shut down because people have gotten in, hacked the accounts, and shut all the systems down. So yeah, it's become certainly a big deal.
Amy Braun-Bostich: I thought it was pretty impressive, though, that the FBI could claw back most of that Bitcoin that was paid out. I didn't realize that could be done, but that was sort of a fascinating case of ransomware.
Brian Hess: Yeah, it really is, because what we need as a country, and certainly Biden has done some work here, and Trump started as well, is that we need our cybersecurity institutions to really step up, because it's an international problem, right? They sit in Russia, they sit in Turkey, they sit in these foreign countries, China in some cases, even state-sponsored, and do these types of attacks.
And it really creates a problem for small businesses who don't have the resources to really track these down. So, they are getting better at it, and they're trying to track down some of the more infamous gangs. But yeah, it's definitely a big problem.
Amy Braun-Bostich: Well, that's really interesting. You had mentioned something about pawned passwords, but what is that? I've never heard that term before.
Brian Hess: Yeah. So, if you're not familiar, one of the things that goes on right now is, when companies are breached, a lot of times what the bad actors are doing is taking the password databases of these companies.
So a good one is Zynga. Now, if you've ever used Words With Friends, you know it's a very popular app on your iPhone, right? You basically play Scrabble with somebody online. That account, all the passwords in that system, were not encrypted. So if you used an account on that system, your password is compromised and it's out there in the wild, right?
Basically there's a site, that you can sort of upload into your list of links for people to look at, and you can basically put in your password and see if it's already been exposed in one of these huge data breaches. 3.1 billion passwords were just released this week in an amalgamation of these various breaches and just put online for anybody to go through and search.
So it basically has your username and your password for these various breaches that have happened all over the internet.
Amy Braun-Bostich: Wow, scary stuff.
Brian Hess: Right? So what we recommend for that: certainly there's a way you can go and check, but the thing that we are trying to recommend people do is, you really need to generate a unique password for each of your accounts.
And everybody says, oh my God, that's a huge challenge. It's a huge issue to do that. But if you reuse the same password over and over, you're really giving yourself a huge exposure to somebody breaching one of those companies and getting that password. Companies are getting better at how they store them, hashing them and things like that. But it's still not perfect, and in a lot of cases they're still in plain text.
Amy Braun-Bostich: So do you have any, like, tips for that? Because it's really hard to remember all those passwords, and I know it's like taboo to write them down. So is there like a system that people can use so that they can do that?
Brian Hess: Yeah, the industry is getting a little bit better here. Google and Apple both have password managers. Certainly Apple's is built into their Safari web browser, and Google's is built into their Chrome browser. So if those are the browsers you use, the first thing we tell you with Apple and Google is turn on your two-factor authentication. Again, at that level, they want you to have that two-factor authentication on your Google account or your Apple account, and you can use their password managers that are built right into their browser.
So a lot of times that works great. Chrome does a great job: it'll suggest a password when you need a password, it recognizes those fields, and it'll give you a complicated password and then store it right inside the Google manager.
Amy Braun-Bostich: Yeah. Sometimes I'm a little hesitant, 'cause I think, well, what if I try to access that site and I'm not really on my iPhone or something like that? I'm not gonna be able to know what the password is if I'm on another computer.
Brian Hess: Right. So the last thing is, if you have an Apple phone, right, it stores it there and you can browse it through there. And if you don't have a Mac, if you're somewhere that you're not... but always remember the consequences. If you use the same password and then you need it, that's great, but if it's compromised, what's it worth? So certainly for your banks and, you know, where your money sits and where your credit cards are and where your important information and your life's photos are, whatever it is, those accounts really need to have that unique password.
Again, writing it down isn't as bad as people claim it to be, 'cause it's sitting at your desk, as long as it's not your office, right, where everybody's getting to. But we don't really recommend writing them down; just store them in a digital way. There are digital password managers that'll work across a variety of platforms.
There are ones that you can put on your phone if you want to do it that way. So yeah, as long as that password manager is protected with two-factor authentication, it's a really good way to keep yourself secure.
Amy Braun-Bostich: Gotcha. And then what's remote access hacking, that you had mentioned? How does that work?
Brian Hess: Okay. So in a lot of cases, people want to get to their PC remotely, and so they will open up a way to remote into their PC, whether it's a VPN on a corporate network and then remote desktop to your PC, or some other variety. Remote access hacking is the same thing, right? Somebody has found how you are getting on your machine, and then they take over that.
And then I now have complete access to your PC. And the scary part of that is, we actually had a customer that had this happen to them. They had remote access to their server opened up to the internet a couple of years ago. And one day we're on the machine doing some work and we see the mouse and keyboard start moving, you know, mouse movements and keyboard clicks, without anybody touching either one of those on the machine.
So it's kind of scary; they ended up getting a password database that was on that system. And so that's what can happen, right? Once they're on that machine, that's a way to get on a network and, in a way, start to take over your machine. So if you need remote access to a PC, there are secure tools that can do that.
So LogMeIn, most people are super familiar with that one. We use a product called Remote Workforce. Both of those support, again, two-factor authentication, and that doesn't open it up to the internet. You can't go directly to the machine. You have to log into the service, and then the service connects to your PC.
Amy Braun-Bostich: And then it hides the connection, so nobody can hack it. Is that how it works?
Brian Hess: Correct, because what they're doing all day long is, these bad actors have tools that basically scan the internet all day, every day, looking for these things. Remote access ports, right? So if you open that up to the internet, you know, some people can do it very easily with your router and your PC.
You can make it available, and you can remote in, and people will share their movies, or they share files, or they do whatever. And it all sounded great 10, 15 years ago, but now it's just become a nightmare as far as people getting into these systems. So I actually worked on a case where somebody had a network attached storage device connected to the internet and a bad actor uploaded child pornography onto that site. So it was a big issue. So you have to be super careful exposing your computers to this.
Amy Braun-Bostich: Yeah, it's so sophisticated anymore. I just don't even, I can't even kind of understand how that works and how they can do what they do. Even some of the top government agencies have been hacked. So that's really startling to me.
Brian Hess: And it's ever more complex, right? You mentioned hospitals, government agencies; all of these places have been compromised. And usually it's something very simple, right? A user opened up an email they shouldn't have, it starts with that. Or somebody left an unpatched server connected to the internet. Or it's all these things; it is very complicated.
Sadly, more and more of our time is spent on the security side and not so much on moving technology forward for some companies, because the risk just can be so high. So it's important that for your individual internet presence, all your accounts, you make sure they're secure.
You review them. There are tools; Google now even has a tool that will check all your passwords to make sure they're secure. You just have to take that time, right? Like you said, it's scary to think about, you know, how you're enabled on the internet, but if you take the time and think about where your important data is, start with that, and then secure those.
At least that's a start, right? And then from there you work backwards, and every time you have a chance to update a password, make sure you use a secure one, you make it unique, and make sure it's long. It's not so much how complicated, it's how long it is. Now, a lot of companies have requirements around how many special characters and uppercase and all that, but really it's about the length. If you can get it over 10 characters, it's almost unbreakable through what we call brute force.
Amy Braun-Bostich: Oh, that's really good information. How about when you're getting ready to log into something and you put your password in, and then you get a popup that says, ah, this password has been found in some data breach. Do you want to change it now? Is that legit?
Brian Hess: So again, it depends on how that came to you. If it came through email, no. I never trust through email. So, I've gotten emails, this is recently, this week, from GoDaddy: hey, we think your website was breached, and the email looked perfectly legitimate.
But what I did is, I still went to GoDaddy directly. I didn't click on anything in the email link, because so many times those links in emails are compromised. So I go to the GoDaddy site directly. I log in there and I look in my messages and see if that was there. It was in this case, but you always start with assuming it's not legitimate.
Just like your front door, we use the analogy. Like, do you let anybody into your house from your front door if you don't know them? Typically the answer is no. So it's the same. When you get an email or you get a notification, assume it's not legitimate.
Amy Braun-Bostich: That's great information. It's just really amazing, the extent to which these bad actors will go without any morality or remorse. I clearly see that understanding what to look for in order to combat these threats is essential. Anything else that you would like to add?
Brian Hess: So the one I do like to cover, I don't consider it IT-related, but it is, because usually they're trying to get on your computer: some of you may or may not have ever been contacted by Microsoft.
So has Microsoft ever called you? And if the answer is yes, then I would say, no, they didn't call you. Microsoft never calls you. They don't sell computers except the Surface. But even if they sold you a Surface, they're not going to call you to get on your machine. I've had a lot of stories over the last year where people say, Microsoft called me when I was on my computer.
Is that okay? And I'm like, no, why would they call you to get on your computer? So they're not going to call you. And I'm going to even extend that a little bit. The IRS isn't going to call you, right? The IRS, Amy, I'm sure you noticed the IRS never calls you, right? They send you a. If they need money, you know, certainly if you're in debt collections, you're going to get calls.
But other than that, nobody's going to call you and ask you for money. They're going to send you a letter, any official government agency or Microsoft or whoever. So never have somebody calling you, saying, I need to get on your computer, and then having you go to a link. That's just not going to happen.
If you called them and set up a support case, great! That's probably gonna, you know, you set up a time, you set up a support case, but that's you initiating it. Microsoft's never going to initiate that call to you. So just always be suspicious when you get those kind of calls.
Amy Braun-Bostich: I noticed in Outlook, I'll get Microsoft saying, hey, it's time to change your password, or something like that, and it looks like it's coming from them, but I don't think it is.
Brian Hess: Right, and that's very true. So, Microsoft actually did a study and found that changing your password doesn't, you know, reduce your chances of being compromised. What really matters is the length and uniqueness of the password: that it's not one you use somewhere else and that it's longer. So they've dropped most of their password requirements on changing every 60 to 90 days; that doesn't add much value in the security life cycle, because what most people do is they go, okay, so my password today is my dog and my friend one. And then when the password changes, go to my dog and my friend two. Right? So you're not improving the security when you do that.
Amy Braun-Bostich: When you're using 10, let's say 10 characters, should you use something totally unique, like a unique phrase, or could it be like a stanza from a song or a poem?
Brian Hess: It's whatever you can type and remember. I've found that it can be complicated, you can put mnemonics in it, like use an @ sign for the A. It doesn't ultimately help, right? Because most of the systems now, after several attempts, will lock out the account. So it's like, you can try three times in 15 minutes, or sometimes for banks, it's like you can only try five times in one day, and if you get those passwords wrong, it's going to lock the account. So it's not really super important what's in the password, just that it's 10 characters and that it's not in a dictionary. It's not something that somebody is going to try in the first five or six attempts.
Amy Braun-Bostich: I always thought that, you know, if I used something from a song, they'd be able to figure it out. Or does it not work that way?
Brian Hess: No, sometimes they'll try, you know. Again, if you have had your password compromised in the past, and let's say you use your dog's name and your kid's name and maybe their birth dates, and now you're just rearranging them around. That'll be something that they would do if they're targeting you specifically, right. They're gonna look and say, well, does Amy have any passwords out on the internet that I've already seen? Let me try a couple of combinations of that. And they have had some success doing that.
Most of the time, what they're doing now is they'll try to go through the reset procedure. If they've already compromised your email, they'll start trying to reset your password on something else, grab that reset password, go in, and then try to get it that way. Again, it's just important to make sure you have that secondary email account set up for those password resets, so that it notifies your main account and your secondary account and you see it. And then just be suspicious when you see those things come in. I had one this year, I had my credit card hacked, and the way I figured it out was somebody had logged in to one of my games, the GameStop account, and they left the cart open, and they said, hey, you have a cart at GameStop. I'm like, no, I don't.
So I called, and next thing you know, I had to have my credit card reset. So even me, who follows every security procedure you can imagine, can still have it happen. So it's important to make sure you're monitoring all this. And to that end, the last thing I would add, Amy, is if you are really concerned about it and you feel like you don't have enough information, you can always get what's called personal cyber insurance, and that's usually a rider on your homeowner's.
So talk to your insurance agent, see if it's affordable and if it's something you're interested in. It's another good step, so if something does happen, at least you have some coverage. The other service that people talk about a lot is LifeLock. I haven't used it personally, but I do know some people that use it, and it gives you another step of protection.
Amy Braun-Bostich: Yeah. I actually use both of them. Well, I have a cyber insurance policy for the business, obviously, and then I use LifeLock myself.
Brian Hess: Yeah, we consider it when we review with our customers. If they don't have cyber insurance, for our business customers we absolutely recommend you have it, because recovering from a compromise, no matter what happens, is expensive.
Amy Braun-Bostich: Yeah. Okay. Well, these are all really useful measures by which we can get and stay safe from attacks, and so I really appreciate that. Thinking beyond understanding what these threats are and putting protective measures in place, what else should I be doing going forward to continually ensure my cyber safety?
Brian Hess: I think the most important thing is just to be cognizant of the news and what's going on in the world. Target was a pretty popular breach a few years ago. And as part of their breach, they offered free protection, free credit monitoring. And so that's something you could have taken advantage of in that scenario.
A lot of people who were breached by Target then turned around and got breached through other mechanisms because their usernames and passwords were out there. So if you see an article on the news and it's one of the companies you deal with, make sure you understand what they're doing to help remediate that problem and resolve the impact to you.
That's the most important thing I would say, going forward, because it's an ever-changing thing. These breaches are happening on a regular basis; understand what that impact is to you.
Amy Braun-Bostich: Excellent. That's great advice. Thanks, Brian. Well, you know, it looks like we're near the end of our session and this has been really good.
With the threat of cyber-attacks seeming to loom everywhere in our lives, this discussion has been incredibly informative and enlightening, and most of all, useful to our listeners. So in a business such as ours, we really are careful about personal data security, as you might suspect. And we feel really incredibly fortunate to have you and Spera Partners looking out for us. So I thank you so much for your time, knowledge and insightful guidance, in getting and keeping us cyber-safe.
Brian Hess: Thanks, Amy. It was a great experience, and I hope I was able to provide good and, most importantly, useful information for your listeners. Thanks so much for having me.