Treasury Talk PODCAST

CyberSecurity and Your Small Business

Treasury Talk Season 1 Episode 1

Join Michigan's State Treasurer Rachael Eubanks and Michigan Treasury’s Ryan McElhone to learn how to protect your business’s reputation and bottom line.

CYBERSECURITY RESOURCES:

PODCAST Season 1, Episode 1

Treasury Talk: CyberSecurity & Your Small Business 

Hosted by MI State Treasurer Rachael Eubanks, with guest Ryan McElhone 

Intro: Welcome to Treasury Talk and Your Small Business, a podcast for small business owners hosted by Michigan State Treasurer Rachael Eubanks. Our trending topics with subject matter experts will include CyberSecurity, Tax Prep, Continuous Improvement, Economic Impacts, and Inclusion and Diversity. Listen for takeaways that will support you and your company.

Treasurer: Hello to our listeners! This is Rachael Eubanks with a new podcast that all small business owners and entrepreneurs will find informational and hopefully entertaining. Today, I'll be talking with Michigan Treasury's Ryan McElhone on ‘cybersecurity and your small business’. A scary topic in honor of Halloween. Welcome Ryan! Can we talk a little bit about what you do at Treasury and a little bit about your job? 

Ryan: Sure. Thanks for having me Rachael on this very first podcast; I’m very excited to be here. Like you said, just in time for Halloween, it’s cybersecurity awareness month. While we're thinking about everything scary in the world, we might as well think about cybersecurity, too.  I'm Ryan McElhone; I am the administrator for the Office of Privacy and Security here within Treasury. 

Basically, my day-to-day job is making sure that we keep taxpayer information secure, so that means setting up good controls, making sure that we understand why people need the data that they are requesting, and making sure that we're doing the monitoring. That we know exactly what's going on with the information that we have at our disposal -- and we want to really make sure that the taxpayers have a sense of comfort. We're protecting the data in the way that they would expect their data to be treated. Related to that, we also do a lot of privacy-related things. 

Privacy is a little bit more geared towards the actual use of the data itself. So, it's looking at things, like what do we collect? Why do we collect it? Do we have laws that say we can collect this? Or is it just something that's kind of nice to have? Or maybe it's a tool that we need in order to do business that we do. We really get critical about what our business areas are using that information for. We have a lot of really good conversations with Treasury employees about proper handling and security of information. That's my day-to-day, all year round, but it's really nice to take a month out of that year and to really just think about cybersecurity as it relates to everybody. 

Treasurer: Ryan thanks for sharing your background and we are so grateful to have you with that expertise here in the department. As you said, to make sure that we can keep taxpayer data safe and keep the Department's data safe. I'm really also happy today that we can share this through our first podcast with small businesses that may not have someone with your expertise in this area. So much appreciated, and when I lie awake at night one of the first things I think about is cybersecurity in terms of risks that are out there, risk for our organization and risk for the State, State of Michigan as a whole. 

Can you talk a little bit about why that might be? Why is cybersecurity so specifically important to Michigan small businesses? 

Ryan: Well, there's a couple of things that we want to protect against.  Small businesses just unfortunately don’t have the resources that the State of Michigan or some of the larger corporations have at their disposal. Unfortunately that puts small businesses in a place where if there's one cyber-related event that occurs to them, that might mean that they're out of business. It can shut down a system completely. For example, if you're an internet vendor or you are only a storefront web page and that's not available, well, you can't do business all of a sudden. 

Small businesses also are very reliant on having cash on hand and making sure that their banking information is secure. If that becomes unavailable to them, they're going to be in a world of hurt. One thing that we're moving towards is really a marketplace where privacy is a value to the customers. You think about the reputational loss that businesses have had, such as Target or SolarWinds. 

Some of those large organizations are able to financially recover and reputationally recover, but as a small business you might not be able to recover from the type of reputational damage that could be done if you're the target of a cyber-attack. 

Treasurer: Absolutely, and people have long memories, right? Your customers will remember this for a long period of time and consider whether or not they want to do business again based on that experience. So, I think that's really important for small businesses to think about. 

What do you think makes a business attractive to cyber criminals? Is it just small business? Is it all business? Are small businesses more vulnerable to cyber-attack than larger businesses? 

Ryan: I think they're an easier target because they just don't have the expertise to be looking at these types of events. On the flip side, a lot of small businesses are not thinking about I.T. events and the kind of global events that are occurring. 

You think about the pandemic, you think about the hurricanes that we've just experienced -- unfortunately they make small businesses targets for cyber criminals that want to take advantage of these types of global events and make bad situations even worse. 

During the COVID pandemic even the State of Michigan was the target of all sorts of different fraudulent attempts to get information -- phishing attempts, specifically. So, it's really important that these small businesses be vigilant and be able to look for this stuff. If there's something out there that just sounds too good to be true, it probably is. 

Treasurer: I think a lot of people think “okay there's somebody that's on the outside and trying to force their way in” but most of the time it's individuals from the inside that made a mistake-- maybe by clicking on a link. So how do you bring awareness to the fact that that's such a vulnerable point for organizations? 

Ryan: Yep, it could be a malicious or disgruntled employee, or it could be somebody clicked something on accident. They click one of these phishing links and now they've exposed the whole business. I would say it's really important that we have frequent communication with employees about how they're using the equipment at their disposal. 

If you're a staff of 10 or less, it's really important because you probably don't have  web filtering technology and you don't have all the stuff that's catching these potential phishing attempts. It’s really important that you have communication with your employees to say, “hey you’ve really got to be on the lookout for this; you're not to use our equipment to for personal reasons”. 

Just anything that you can do to  help avoid some of those situations -- and also  have really good controls, especially when you have  disgruntled employees or employees that are leaving. Make sure that you're doing an inventory to say, “okay what do they have access to, that we need to go back and make sure that we've changed passwords”. Do those kinds of basic things to keep unhappy ex-employees from causing further damage. 

Treasurer: You mentioned passwords, which I know is a big area for you. You’re trying to improve on security. Do you have any best practices for small businesses in terms of setting organizational passwords? 

Ryan: Most systems out there will have a configuration that enforces some sort of a minimum password requirement. 

When you're setting passwords you also want to be careful that you communicate with employees to avoid commonly used passwords or phrases. For example  the passwords “one, two, three, four” or the frequent “October 2022” or “fall 2022”. A lot of people think if you just put an exclamation point at the end, that makes it a secure password. 

There's just a lot of common mistakes that people make when it comes to passwords that could hinder a business. What we recommend is actually using password phrases because the longer the password is, the more secure it's going to be. Use a phrase that means something to you but maybe replace the ‘a’s with the @ symbol, or  replace ‘I’s with exclamation points. Just so that it's something that you can remember, but it's also secure. 

Treasurer: I heard you are a gamer you play video games is that true? What platform do you like to play on? 

Ryan: I own all the platforms, I'm a little bit of a video game junkie. I would say anything on Xbox, anything on the Nintendo Switch, I'm buying it Day One and I'm playing it for way too many hours. 

Treasurer: So do you have secure passwords on your Xbox and switch? 

Ryan: I do. I have different passwords for personal life versus work life. When it comes to personal life, I make sure that I've got a password with a phrase that means something to me -- with numbers that only mean something to me. It’s really important that you monitor the Microsoft Outlook alerts that'll say “hey  somebody tried to get into your account from  this location”. As soon as you get one of those, you should be going out there and changing that password. 

Treasurer: That's a really good tip. I myself am a Nintendo gal. I like the switch, I just can't give up that Mario Kart.

So who are these cyber criminals? What are they after? Are they always after money? Or could they be after something else? 

Ryan: Well, it's not always money. One thing to keep in mind with small businesses being an easy target, is small businesses can have a lot of confidential information that they might not be aware of. 

Info like employee history when you are hiring or onboarding; what information are you collecting from an employee prior to them starting with your business? 

You also have customer information. What information are we gathering from these customers? And what would a cyber-criminal want to do with it? 

In some cases,  like I mentioned earlier, sometimes criminals they just want to see what they can do so they might get into your system and literally just shut it down for the sake of shutting it down. Which to them, is kind of a novel or fun thing but to you, that's your livelihood and now you can't do business. 

Absolutely there's a lot of people out there doing nefarious things for a variety of reasons. It's not always money; let's say some criminal does make it in the system and a small business is dealing with an impact to their organization. What do they stand to lose in a cyber event? I would say the biggest thing probably is reputation. If you are making the local news, nobody's going to want to do business with you anymore. 

You also stand to lose customer information and your own information. When you're a small business, you're putting a lot of your personal life into these small businesses. So not only have you exposed potential customers that are interacting with your business, you've put your whole livelihood into this business. You don't know how that could potentially catapult into attacking your personal life. Going back to that password question, how many times do we know people are using the same password over and over again. So, if they're able to get into your small business’s password, there is a likelihood that they can also get into your personal life. There's a lot at stake when it comes to these cyber-attacks. 

Even though cyber-attacks may not be financially motivated, a small business still may have significant financial costs such as losing their income or running into regulatory fines or legal fees .

Treasurer: Can you talk a little bit about how that could play out if an organization is subject to a cyber event? 

Ryan: Sure, I think  the most important thing small businesses need to know is what regulatory requirements they have to meet. 

You think about PCI for credit cards which is the payment card industry requirements that are out there. 

You think about HIPAA if you're a health-related small business.

There's all sorts of other government entities that are monitoring these types of businesses that have statutory requirements businesses have to meet. So, if a business doesn't do the right steps to protect their information to make sure that they're secure, the business could be subject to additional fees and fines as a result of a cyber breach due to a lack of due diligence. 

Treasurer: If a small business has been listening and they just want a couple tips from you, what simple measures can business owners take to identify risks and protect their information? 

Ryan: Small businesses see things out there like ‘Square’ or other credit card payment type businesses that are available to them -- and a lot of the platforms that are out there are really great or can be configured to be secure. Part of what a lot of folks don't understand though, is just because I'm using one of those services, that doesn't inherently make me more secure. As a small business, you need to make sure that you understand what a vendor is providing exactly, and what your roles and responsibilities are. 

When you're looking at this, you want to look for shared controls. For example, on any sort of  contract or agreement that you enter with these vendors, they're not going to say, ‘hey if you're a small business you need to  make sure you're removing employees’ credentials that no longer require access here’.  That's something that they don't do on your behalf. So,  really understanding what those vendors are providing to you and what they're explicitly saying that you as a small business owner need to have in place. Those are small steps that you can take to make sure that you're secure and that you understand  what protections you have. 

Treasurer: I think that's really good. Now, let's say a business has gone through a bad security event and they've come out on the other side -- and they've come out either okay or improved. Can you think of any real-life cybersecurity success stories or a best case scenarios to help someone who has been impacted by a cyber event? 

Ryan: So, I would say the best-case scenario is you come out of that with no real impact, as far as data breaches. You understood what the software vendors were providing to you, and you were able to stop it quickly. It didn't impact your business income, and it didn't impact your day-to-day operations. The best-case scenario is you've learned a lot about what cyber events can do to you, and you’re making sure you’re prepared.

 Because unfortunately, we're just in a world where these types of attacks are not going to decrease -- they're increasing exponentially every day. So, it's about what we can do to be better prepared for the next time a potential cybersecurity event occurs. 

Treasurer: So, Ryan, do you think every organization should think of this as an eventuality, not as an ‘if’ but as a ‘when’? 

Ryan: I do. That’s  the approach that we've had for cybersecurity for the last decade-plus -- it’s not ‘if’, it's ‘when’ and it may have already occurred. 

We do a lot of monitoring of auto logs, and  it's to try to find those events where  we may not be aware that somebody was already in our system. Really, at this point it's an eventuality if it hasn't already occurred, which again goes back to Halloween -- it's a very scary thought! 

Treasurer: It is indeed a scary thought. So, let's say a small business has been listening today and they say, ‘now I know why this is really important and why I should take action’. Where would they turn for resources to take the first steps? 

Ryan: There's a lot of good resources out there. I'm going to plug Michigan Treasury specifically for tax-related types of cyber activity that occurs, so go to www.Michigan.gov/Treasury.  

Anytime we have knowledge of a cybersecurity threat we will issue a press release, especially if folks are trying to act as Department of Treasury for your tax information. We only communicate through mail. We don't send emails and we don't try to call you. Especially during tax season those attacks are on the rise and we just want to make sure that you're protected. 

Additionally the federal government’s National Institute for Standards and Technology or NIST, has a great resource out there specifically for small businesses. The State of Michigan actually uses the NIST framework for our own policies, so it's a great reference point that you can use for protecting your own information. 

Treasurer: Outstanding. Ryan, I always enjoy talking with you. You're a wealth of information about this topic, and it really is a topic that is important to me. It will continue to become more and more important as this digital world that we live in continues to expand. I so appreciate your time today, and thanks everyone for listening. ~

Transcript has been edited for clarity. 

CyberSecurity Resources 

 

People on this episode