
“LBM Talks” hosts top professionals from different sectors of the lumber and building material industry to share their expertise, with a heavy emphasis on practical, tactical strategies to help you serve your markets and grow your business.
This episode of LBM Talks Credit contains information regarding cyber security that every credit manager and business professional should hear.
Thea's guest, , is the President and Co-Founder of , a full service digital development, big data, and IT security company.
From horror stories to practical advice, this episode will leave you with a broader knowledge of potential threats and strategies to protect your company, and yourself, from digital scams.
Check out our sponsor !
Article mentioned:
Watch this conversation and more great content from LBM Journal via our YouTube channel
And be sure to subscribe from your favorite podcast platform below:
Please send all podcast inquiries to thea@creditoverlord.com.
Prefer to read about it instead? Take a peek at the transcript below.
(Editor's note: Transcript is AI-generated and may include some errors.)
Thea Dudley
How long does it take for your company to activate a new customer? Nuvo helps LBM suppliers get customers ready to buy on house accounts in minutes, not weeks, not days. With instant verifications, streamlined job sheets and real-time credit insights, your team can start loading trucks while your competitors are still checking references. Check out Nuvo. Reach out to the team@nouveau.com to learn more.
Thea Dudley
Hey, today we are exploring the intersection of credit management and cybersecurity threats here on LBM Talks Credit. I'm Thea Dudley, your host, also known as the Credit Overlord, and we're going to talk about how LBM pros can protect their companies and sanity from digital disasters. And with us is one of my absolute favorite people. I love to hang out with Joe. Joe Bonanno, owner of Archetypes SC. He is down here in South Carolina with me, a Myrtle Beach resident, which makes me incredibly jealous, and probably one of the most seasoned cybersecurity experts in the country. And Joe, you have the best, most terrifying store of terroristic tales that, as a credit manager, make me feel better about my job because yours sound so much more horrifying.
Joe Bonanno
Oh, it is every day. It just gets worse and worse.
Thea Dudley
It makes me feel better, though. So we're going to do something a little different today. We're going to play a little quick-fire Q and A called Cyber Myths: True or Totally Ridiculous. Are you ready?
Joe Bonanno
I am absolutely ready.
Thea Dudley
I don't know how much fun it's going to be for some of us, because, well, I put this together. Some of them I'm like, this sounds like, what's wrong with this one? All cyber attacks involve a hoodie-wearing teen in a basement.
Joe Bonanno
No, they don't. Typically, they don't involve a person at all. 99% of attacks are automated. They're robots that are out there looking for exposed credentials, exposed devices, and running through algorithms to try and compromise your business. And that's not to say that there's not a hoodie-wearing teen somewhere learning how to write these scripts, because there are. Every time a new breach and a significant dollar amount hits the web, it introduces a whole new base of people to, hey, I can make millions at this, so here's my new business enterprise.
Thea Dudley
I want to say that's always the picture, though. You see a hoodie-wearing teen in a basement. Okay? Question number two: two-factor authentication is just a hassle.
Joe Bonanno
It is a hassle, but it's also a necessity. If it becomes part of your daily work day, then you just learn to accept that you have to do it. There are also ways that your IT team can set things up to make it better for you. We call this conditional access: if you're working in an environment that is secure and known and trusted and has the appropriate protocols in place, then maybe we don't have to two-factor you every time you log in. When you leave that location and you go down to McDonald's, per se, or Starbucks to go get your coffee and work from there for a couple hours, we are absolutely going to say you are no longer in a safe environment, and you need to re-authenticate and make sure you are you. We certainly don't recommend connecting to unknown Wi-Fis. But two-factor is one of the best ways that we can protect ourselves.
Thea Dudley
Okay. Next question: we're too small to be a target.
Joe Bonanno
No such thing. Does not exist. There's no such thing. The robot does not care if you're a one-person company or a 60,000-person company.
Thea Dudley
We're going to dive into that a little bit deeper, because I'm going to get you through the rest of these questions, because some of these are super fun. If we don't store credit card info, we don't need to worry about security.
Joe Bonanno
Completely false.
Thea Dudley
Fax is the safest way to transmit sensitive information, like, you know, payment, credit applications.
Joe Bonanno
Oh, absolutely not.
Thea Dudley
No. It's the front of the salesman's truck. You know, where it's just, put that on there. Cyber insurance will cover everything, so we're cool.
Joe Bonanno
No, and that's one of the biggest misconceptions about cyber insurance. Most people think they pay for a policy and get completely protected. But if you don't look at the details of what your policy states, there are required instruments that you must adhere to, and there are things that are not covered. In a lot of cases, ransomware is not covered because of how the act is committed.
Thea Dudley
So the insurance is just like every other insurance. It's there, it is a fielded thing, but when you go to use it, it's like, what? Nothing's covered. Thanks a lot. Our vendor's tech guy said their platform was secure.
Joe Bonanno
I always take that with a grain of salt. I typically will ask for verification of that through some type of audit or assessment. When we're using external vendors, we should be looking at how they comply with recognized frameworks like NIST, which is the National Institute of Security and Technology, I believe. Their framework around cybersecurity is one of the most well known, and if you don't have compliance with that, then you don't have compliance.
Thea Dudley
Texting customer data is fine as long as it's just between us.
Joe Bonanno
It's never just between us. Yeah, this is one I don't advocate for, sending customer data in that way. All of our conversations, our email conversations, can all be monitored. All of those things can all be attacked. All of those things can all be compromised. So we need to make sure that we're doing it in a secure way. And verifying customer information via text is not a good way to verify it.
Thea Dudley
Nobody here at our company would fall for a spoofed invoice. That's not true. Nice. Nicest way I think I've ever heard you say that. Yeah, we're just going to move on from that. We hold training once a year to keep employees educated and the company protected.
Joe Bonanno
And that's an awesome starting point for all of us. That's an awesome starting point. There should be more training going on than just once a year. The insurance companies will often say you need to do a minimum of an annual training. And some of those annual trainings are pretty good. Some of them are not, but reinforcement on a monthly basis, and developing a culture of security, is something that needs to happen at just about every organization.
Thea Dudley
So we talk about, you know, there's a lot of talk around phishing, smishing, any kind of -ishing, and the question always comes up, well, how does this happen? How did you not see this? But everybody is busy. So walk us through some of those common threats, like phishing, invoice fraud, ransom, I mean, you said ransomware, smishing, like I said, all the other kind of issues that I don't even know how. How does that happen?
Joe Bonanno
So phishing is largely automated. It's sending out emails with fill-in-the-blank information. In the past, they were awful. You could easily identify what was bad, and they were typically, this is your Microsoft administrator, you need to change your password, click here. Microsoft will never ask you to change your password in that manner, nor will they provide a link for you to go and change your password. They'll want you to enter your URL into your browser and go through a normal login process to do it. Smishing takes us out of email and goes into SMS texting. So these are the fun ones. One of the most recent ones I got was, there's an outstanding warrant for your arrest, you have unpaid traffic tickets in Florida, click here to resolve this matter today.
Joe Bonanno
And those are ones that most of us have traveled on a highway, and most of us have gone through a toll at one point in time, and we're very familiar with EZ Pass. So it's easy to fall for something like that and go, oh, I don't remember whether I went through that toll, and click on it to see what it is. The reality is that EZ Pass and those providers won't contact you in that method, especially if you don't have an account in that state.
Thea Dudley
Yeah, so, yeah, you just magically got, magically got that.
Joe Bonanno
A lot of these, when you sit back and you think about them, they're like, well, duh, of course that's not true. But when you're rushing through and you see something that says you're going to be fined $250 if you don't take care of this in the next 24 hours, it creates that sense of urgency, and we do things that we normally wouldn't do when we're panicked and not thinking through what's in front of us. And that's one of the largest challenges that we face, taking a moment to breathe and understanding whether it's true or not.
Thea Dudley
So that kind of brings me to something else that always, I hear this a lot, and I know this is one of your giant pet peeves, because you hear this so much, especially in the line of work that you do. Why is the "it won't happen to us" mindset so dangerous and expensive and incredibly naive? For people to think that it's not going to happen to us, and until it does, you just don't believe it's true. It's like mail fraud, or, you know, any of those things. It didn't happen to me, so it's cool.
Joe Bonanno
The "it's not going to happen to us" crowd are the largest target of this type of fraud and these crimes, because they're unprotected. They're not taking steps to make sure that they are protected. They're not following best practices, and in a lot of cases, most of their users aren't trained to even understand what to look for, so they're the ones that fall for it the most. And it's incredibly sad. I field calls all the time of, well, we sent a payment to X. I paid my bill. Why is my company still saying that money? And, well, you paid somebody, but you didn't pay the person you owed the money to. And it's, well, that's not my problem, I paid the money. You still didn't pay your bill.
Thea Dudley
I still, I didn't get the money. So it ain't happening.
Joe Bonanno
And those types of situations are tough because in a lot of cases, they put a contractor out of business. Especially inside the construction industry, we see this very, very frequently, where an ACH payment for a significant amount of money goes to an incorrect person, and now you still owe your bill, and now you can't make payroll. And it's the spiral that comes from that, and insurance is not going to act quickly to get that money back into your pocket, if they act at all, if you have coverage for that type of thing. But in most of these cases, the first question they're going to ask is, did you verify the information before you sent the money? And your response is going to be, no, I just sent the money.
Thea Dudley
One of my favorite stories that you told, that I absolutely would love for you to share with our listeners, is when, you know, a company president is like, no, we're good. We're totally good. We have everything on lockdown, you could never. And it's like, okay, challenge accepted. I'll, you know, and you basically walk into somebody's business set up like you work there. Nobody questions you. So I'm going to let you tell the story, because I thought it was so cool. I loved this, and it was horrifying and fascinating to me at the same time.
Joe Bonanno
And the more horrifying part about the story is that it was a bank. It was a large bank, it was a new system, and they were very proud of what they built. This was a corporate headquarters, a data center and a customer service center. And in this instance, the tester, the penetration tester, was tasked with gaining access to that headquarters, gaining access to the customer service center and gaining access to the data center. His first day on site, he walked in with a group of individuals, was able to walk right past security, go through their secure gates with the group, and get on an elevator and go up to the top floor of the building. That individual proceeded to sit there, plug into their Wi-Fi or into their network in a conference room. He sat in that conference room all day undisturbed, collecting data points.
Thea Dudley
So nobody questioned him. It's like nobody walked by and went, who's the new kid sitting in the conference room over there? He walked in with a hoodie, so he's got to be cool.
Joe Bonanno
Exactly. He was dressed appropriately. He looked like he belonged there. And in a lot of offices, a lot of enterprise offices, you have consultants in the office on a regular basis. So these people are not unusual to be there. But he sat there all day. He set up man-in-the-middle attacks. He gathered information off their servers, and when he left at the end of the day, he attended three retirement parties on his way out. He walked in. He celebrated with the employees. He gathered merchandise, company logos, business cards, employee IDs, access cards, the whole nine yards, as he walked down every floor of this building, and he walked out. The next day, he went to their customer service center and did the same thing. He sat outside talking with a group of smokers, walked into the building, was not impeded in any way, sat down at a customer service desk and matched his targets that he set up inside of headquarters. The next day, he went to their data center and made it through seven locked doors and plugged his USB drive into one of their servers, which was his end goal, to get that in place. When he delivered his findings to the CTO, the CTO's response was, well, we didn't know you were coming.
Thea Dudley
That falls under, hey, I'm getting ready to hack or rob you or whatever I'm doing. I'm going to be there at 11. Can you have, like, maybe a snack and a cold drink for me? Because, you know, we want to make this a fun event.
Joe Bonanno
And this is a combination of attacks. So you have an intruder coming into your building, you have unauthorized attacks against your network that he's performing. Insider threat is probably a bigger challenge for an organization like that than several other things, but the fact that the CTO's response was, we didn't know you were coming. So he said to them, fine, I will be here next Thursday to test again. So next Thursday came around, he brought in a friend of his, and he walked up to security and said, we've got a KPMG auditor here to audit some systems, and I need to speak with the CHO, the chief of human resources. They paged the chief of human resources. They came down. They escorted him up to the building. They conducted a very thorough investigation with that individual. They then asked to see the chief security officer. The CHO walked him over to the CSO's office. They sat down, had a chat with him in the security operations center, looking at their screens. He then asked the CSO to page the CTO and have him come to the office. As soon as he walked in, he said, what am I doing here? You knew I was coming today. You knew I was going to be here. I didn't give any fraudulent information. Why am I sitting in your office today?
Thea Dudley
And that CTO said that?
Joe Bonanno
They didn't have an answer. That's a complete failure of the processes that they put in place to secure their building. And it's amazing that that type of thing happens frequently. We'll walk into a business, and we'll walk through that business unimpeded to wherever we need to go. Nobody stops you and asks you who you are, what are you doing?
Thea Dudley
Because people are polite or they're just busy. They don't want to seem confrontational. They don't want to, hey, hey, you. Who are you? What are you doing here?
Joe Bonanno
It's uncomfortable for a lot of people, when they see somebody they don't know, to walk up and say, hi, my name is Joe. Why are you here?
Thea Dudley
Okay, well, because nobody comes near us. So like, who are you, and are you here to help? Are you staying? So now I want to talk about the top five dumb ways that AR gets hacked. And, you know, those are some things that, as I kind of went through and we put this stuff together, the first one was the copy-and-paste map. You know, that whole copy and pasting, using the same password for everything, and, you know, I'm the worst. I will use the same password for, like, a million things, and then I change it by, like, one number. And you and I have talked about that, and you have told me, in pretty much this language, I'm an idiot, and I need to stop doing that. So I've tried to be better and use some different tools, because convenience apparently equals no common sense, and you're lazy and you're just a big target. So let's talk a little bit about the password mess here.
Joe Bonanno
Here's why utilizing the same password, and it's interesting that we bring this up, because we're about to put an article on our website about password managers and why you need better security around your passwords.
Thea Dudley
We will make sure to get a link down below to that so that it's easy for people to find.
Joe Bonanno
Absolutely. So I'll start off with a story, because I love storytelling. A company that I worked for many years ago had implemented a 60-to-90-day policy on password resets. So every 60 days you had to reset your password. One of my friends at the company, who was a director at the time and eventually moved into a VP spot there, raises his hand and says, well, I think this is silly. Why can't we just create strong passwords and deal with it? If you're asking me to change my password every 60 days, all I'm going to do is put a one, and then I'm going to put a two, and then I'm going to put a three. So those types of changes inherently are insecure, because it's something that's easy.
Thea Dudley
So password1234 is not recommended.
Joe Bonanno
1234 is not a great password. And people have come up with varying strategies. So I've seen a password, dash, the month and year. So April 2025 is going to be 0425, and next month it's going to be 0525 at the end. And we've moved away from recommending regular changes, because it creates a lot of hassle for people. Now you have to remember a new password. It's annoying, and it doesn't create security. What creates insecurity is then taking that password and putting it across 400 different accounts, and the reason why is, if one of those accounts gets compromised, I'm going to take your username and password and I'm going to run it through everything that's out there. I'm going to hit your LinkedIn, I'm going to hit your Facebook, I'm going to hit Instagram, I'm going to hit your banks. I'm going to hit everything I can with that username and password combination and see where it hits. And sure enough, it will hit somewhere. Now, creating a different password and managing it through a secure password manager, if you get compromised at one account, it's only one account that got compromised, and not all of them. Now you don't have the work of updating all of those passwords. You only have to update one, and by meeting or exceeding their minimum standards, you put yourself in a good place. So our recommendation is always a minimum of 12 characters, preferably whatever the maximum is for that system, and then something that's easier to remember. We prefer phrases today over other types of things. So think in technology, and specifically in design: when you look at fonts, there's "the quick brown fox jumps over the lazy dog." It's something that's easy for me to remember, and it's about 30 characters.
Now, I'm not saying I use that as my password for anything, and I wouldn't recommend that as a password, but working off things like that, and then introducing numbers, special characters and other things to replace different things, gives you a very strong base for a password.
Thea Dudley
You're going to kind of go into that, because password managers, even that, when I first looked at it, I was like, here's one more thing I gotta jack with. And again, I know I am, like, the worst at this, because passwords are like my nemesis. They're irritating. They will be gone, and one day, you know, my account will be hacked, and I'll be crying to you, going, help me fix this. But it's finding those password managers that, to me, was overwhelming, so I appreciate that we'll be able to dive into that in the article. Second one is the Reply All of doom: accidentally sending sensitive customer data to the entire sales team, the janitor and a weirdly suspicious Gmail address that definitely wasn't on the CC list when it came in. Yes. How does that happen? And then how did that one, like, random address get in there? And now I'm, well, somebody had, not in a good place.
Joe Bonanno
Somebody had to put it there, so it didn't just magically appear. Somebody had to have added that in. It probably wasn't seen on the initial email when it came in. But certainly it's a training issue. If we're sending out sensitive customer information, we should never be doing a Reply All. We should be doing a standard reply, and we should be verifying who we're sending that email to before we send it. I don't know of any financial information that needs to be sent Reply All. There are also better ways to manage that data, and it could be asking individuals to log into a specific system where they can see that data, rather than sending it out through mail.
Thea Dudley
I'm anti Reply All anyway, because the people that, you'll send them something, and they send thank you back, and they reply to all. It's like, seriously, do you? I mean, that's just, that falls into pet peeve, not anything to do with hacking. It's just nobody's looking for more emails. So can you not? I'm just gonna assume you're grateful to get the stuff. I don't need you to send me a thank you. And everybody on the email got the thank you too. So that's just, that's just a pet peeve, has nothing to do with hacking.
Joe Bonanno
Absolutely down on that. I'm very much in that same camp, and a lot of it is training individuals not to hit Reply All and not to send that type of data in that type of way. That's the easiest way to fix the problem, is training.
Thea Dudley
We're going to get to training in a little bit here, because you say training is the easiest way, Joe. Training is hard. People are unique and awesome individuals. Depending on who you are and how you approach things and what your capacity for change is, training sometimes feels like the hardest thing. It's like, I have told you not to hit Reply All, like, 15 times. Why don't you write it on a sticky note and paste it to your computer so that you remind yourself, hey, don't do that, because I can't keep having this conversation with you.
Joe Bonanno
Yeah, well, and that comes into performance reviews, so certainly.
Thea Dudley
You're not getting a raise because you can't figure out, better not use that Reply All. But man, we're going down a dark hole here. We're going to move on.
Joe Bonanno
We are, but it's more than just watching a video and attending a training class. It's how our managers support our employees and how they empower them to make appropriate choices, and how we approach them about the things that they're doing wrong and correcting those actions. So it's difficult, especially when it's somebody who is not supportive of change.
Thea Dudley
But like, how you worded that, not supportive of change? Okay, I literally just, you're like, look, girl, you are the company mule. You have sat down in the dirt. We are dragging you by the halter, and you are just absolutely fighting it every step of the way.
Joe Bonanno
I had an individual at a client that did not want to implement MFA, did not want to put the application on her phone, because it's her phone, and the company doesn't have access to that, which is legitimate. That's fine. You don't have to put it on your phone. The fallback from that is your manager is going to have it on his phone, and you've now lost your remote privileges, because he is not going to be texting that number to you or supplying it in any way but in person.
Thea Dudley
So fair enough. It鈥檚 like choices.
Joe Bonanno
You can install it and do it and it鈥檒l be great. Or you can report to the office and inconvenience your manager in addition to creating a lag time in the job that you鈥檙e supposed to be performing.
Thea Dudley
Who said tech wasn鈥檛 making everybody鈥檚 life easier, yeah, you know, all right, let鈥檚 go to number three. And I nicknamed this fishy mcfish face, and that is the clicking on the urgent invoice attachment open right away from somebody who claims to be your CFO, your CEO, head of HR, somebody new there, pick a big title that might rattle somebody in one of your accounting departments, and then suddenly they have this aggressive interest to purchase 5000 iTunes cards immediately, and they want you to email it to them.
Joe Bonanno
I鈥檝e got a couple stories around this, my latest one and I shared it with the nice membership at our last meeting, was an email that came into our accounting group that had me on the CC. It was a very well written email. It was for executive consulting services. They attached their 1099, they had a fabricated conversation between me and the individual at the company about this being approved and to email accounting and all of the things. And it was amazing how well this was done. And I could understand any accounting group falling for it without proper training. So in this instance, it was a it was, I want to say a $13,000 charge. So it wasn鈥檛 a significant amount of money. Not to say that $13,000 isn鈥檛 significant, but for executive consulting services for a program to be implemented for some type of training. It wasn鈥檛 out of line for what you would expect. Everything was there that should be there. If you went to the individual鈥檚 LinkedIn profile, it was all correct, but it was all a fraud. The only thing that was out of line was the email address that was attached to it inside of the two. So the two read as the person鈥檚 name, the email address attached to it was not did not match. That was the only thing that did not match.
Thea Dudley聽
Wow, that is some elaborate I mean, you have to really do a lot of steps to create all of those things. You know that to have it all attached like that. Yes. So the next one I know, like a lot of credit departments are getting hit with, hey, you know, here鈥檚 upgraded tech, here鈥檚 software, you know, here鈥檚 all the things that are it鈥檚 going to make your job so great. It鈥檚 going to take the transactional out of it. And I think 迟丑补迟鈥檚 true in a lot of cases. But I also like to call it the vendor blues, because you鈥檙e assuming that if a vendor tells you, Oh, our software is secure, that it鈥檚 true. And I鈥檓 going to remind people, most of them tell you, they that the the training for their software is going to take 30 minutes and that that never happens.
Joe Bonanno聽
No, no. So we鈥檝e been pushing an agenda of verification through auditand and assessment. So if, if somebody says their their technology is is legit and audited and all that, they鈥檒l have a paper trail 迟丑补迟鈥檚 attached to that. Who did the assessment? The results of those assessments, or at least a summary of those assessments, are all things that can be shared.
Thea Dudley聽
As the credit manager is, you know, interviewing these companies, would they just ask? Ask, okay, is it secure? All right, tell me how it鈥檚 secure. What is the question to ask? Is like, Well, show me your paper trail.
Joe Bonanno聽
Yeah, did they can ask for if they鈥檝e had a cybersecurity assessment done, and what were the results of those assessment, of that assessment, if they could share the provider that performed the assessment so that they can verify results. In most cases, most companies would probably be hesitant to supply the actual results, but they will give you an audited executive summary of those things. Okay, so you passed on your you鈥檝e got your MFA in place. You鈥檝e got all these different pieces in place, and where you have issues might be redacted or removed, but there are ways to to certainly ensure that that company has the appropriate protocols in place, asking questions about MFA, about antivirus, about backup and disaster recovery, about all these different tools that they should have in place to be a secure work environment.
Thea Dudley
See? And 迟丑补迟鈥檚 because tech and the cybersecurity is not most people鈥檚 first language. It certainly is at mine as a credit professional, which makes the whole job a little bit more complicated now, because not only do I have to be good at I gotta know about mechanics lien rights, I鈥檝e got to know about joint checks and running checks on people and payments and collections and coaching my team, and now I鈥檝e got to be a a does you know I鈥檝e got to know these, these questions to ask. So yes, Tech has made your life easier in a lot of ways, but it鈥檚 also complicated. It from the fact that, if I鈥檓 not educated, which brings us to our fifth and last one of those trusting but never verifying, where you let maybe one new person, you maybe have a new hire. And they鈥檙e they鈥檙e just charming, and they seem really well. And they came, you know you you liked him enough to hire them, and now you鈥檙e allowing them to set up payment terms, sending out your wiring instructions, releasing orders, and you鈥檙e just, you don鈥檛 even pay attention to it. You鈥檙e like, well, we trained them. They鈥檙e good. I鈥檓 super busy. I鈥檓 buried. I don鈥檛 have time to babysit people. And that could be that guy that walked in and, you know, now all of our money鈥檚 going to Jamaica.
Joe Bonanno聽
Ongoing training and process. So we see a significant amount of business email compromise where an email is sent to an accounting group that says, here鈥檚 our new ACH information. Please update and send your next payment to the following below, it looks legit. It鈥檚 from a company that you鈥檝e worked with. In some cases, we鈥檝e seen that information added to an email chain that already exists, which means that that company already has somebody on the inside that 迟丑补迟鈥檚 doing something they shouldn鈥檛. Within the legal community, they鈥檝e now moved away from accepting wire transfers or account information over email because they were seeing emails being changed on the fly, as in, I send an email to you with my ACH information, and by the time it gets to you, it鈥檚 been changed. And those are typically man in the middle attacks. You鈥檝e got something going on. You鈥檝e already got a compromise there, and it鈥檚 frustrating for the businesses. So within the legal community, we purchased a house about a year ago, they gave us a specific portion of the wire transfer information. Then there was a code that would be given that day to complete the wire transfer. So it was an interesting solution. It would only come via that meeting, and you would have explicit instructions on who you were talking to prior and who was providing that code. So it was a verbally, face to face conversation where you were given that code and to complete the transfer.
Thea Dudley
Wow, that is, well, it’s just so amazing that that kind of leads us to, what can credit managers do to kind of stay ahead of this, because you’re balancing due diligence, tech adoption, internal training, it’s what realistic tools or protocols that won’t blow the budget. And when I talk about budget, I’m talking about time, resources and, of course, money, and make the poor credit person who’s doing this like have some sort of internal meltdown. If you were creating a cyber checklist that every credit department should have in totally non tech, non corporate speak, what? What would be on that list?
Joe Bonanno
The first thing is, for any changes to any account would be a verbal confirmation of change from a listed contact on that contract, okay, but when we put a contract in place, you have specifically a project manager, an account manager and a billing manager, if any of those terms in that contract were to change. Uh, a phone call would be warranted to confirm those changes, to confirm that any changes that were requested were legitimate, and things of that nature. So it’s a trust but verify. If you see something that comes in, we would never send to you, hey, we’re changing our ACH information. Here’s our new ACH information. Please make sure that you handle it appropriately. And when we do receive something along those lines from a client, the first thing we do is reach out to the contact that we have, not the one that’s listed in the email. So in a lot of cases, you’ll have a spoofed director of accounting, Director of Technology, CEO, President, hey, we’ve got to get a check out. You need to change the ACH information to this. And a lot of our admins don’t want to rock the boat, because, hey, President is asking me to make a change. I go through and make the change. Well, you requested it. It’s not my fault.
Thea Dudley
Now, I do know a couple companies that that happened to, and the poor, the poor clerk. You know, the admin was just beside themselves, because they’re like, I thought I was doing everything right. It’s like, Honey, do you really think that our company president would be sending this email? He doesn’t even know where our bank account is. And I don’t mean that, I don’t mean that in a totally unkind way, but that’s not his function in the company.
Joe Bonanno 36:20
But the thing is, is he’s still the president.
Thea Dudley
He still has names still on the building. So it’s like, well, he asked me to do it. It’s like, yeah, we’re going to need a little, little coaching with you.
Joe Bonanno
So the conversation I have with owners all the time, no matter what you say, your employees are going to drop what they’re doing to make sure that you’re happy. And if you say jump, they’re not only going to start jumping, but they’re not going to ask questions about why, and it’s empowering them to ask those questions in the appropriate format. So not replying to the email and saying why, but calling the president and saying, Hey, I just received this email from you. Is this legitimate? And we have had cases where individuals received those emails and they were sitting in the same office and turned around and said, I’m sitting right here. Didn’t need to email this to me.
Joe Bonanno
We laugh about it. But that was only caught because they were sitting in the same room. If they had been remote that day, chances are that it was would have been perceived as a legitimate email, and it would have been totally different, and that would have had a much different outcome had that not happened so having our administrators, our finance people, our credit overlords empowered to ask those questions and understand the processes to verify is, is crucially important, okay? And that process needs to always be followed, which, again, comes back to training.
Thea Dudley
Oh, everything comes back to training. There you go. I so this is, this is something I’ve been dying to ask you, because I know we’re running a little long and we’re going to wrap it up here, but what are the top things I wish I knew before I get hacked.
Joe Bonanno
Well, it all comes back to it, when most people get hacked, there’s a specific reason. 80% of it is bad passwords. Verizon’s latest study, and we reference this in the article I talked about earlier, 80% of attacks start with a bad password.
Thea Dudley
That’s really sad news for a lot of us.
Joe Bonanno
And here’s, here’s the wonderful thing about bad passwords. Bad passwords will always exist, but if you have MFA enabled and set up appropriately, that’s going to increase your, your, or decrease your chances of getting breached by an order of magnitude. That’s pretty high, because now not only do they need to know your password, they need to compromise your MFA, and okay, sadly, there are ways to do that, specifically with SMS authentication. Those codes can be, can be caught in transition, okay, we prefer one time pass codes and computer to computer codes that are transitioned. So I don’t control the code, one device prompts me, and I have to enter a number on my other device, because those things ensure that the systems are communicating with each other, and it’s not an individual that’s entering it into another system. So for example, if I gave you my passcode, my, my SMS texted authenticator message, you could enter it into a system and get access if you have my password. And that’s how a man in the middle attack works. Is you pretend to be me, you log into my account, and then you prompt me for, or, my code. I enter my code thinking I’m logging into my account and I’m giving it to you to log into my actual account.
Thea Dudley
Nice, that’s where the start. Well, so here’s Joe. I hear that it’s like now we have so much to think about, and we’ve, we’ve taken already paranoid people, because credit people tend to be super paranoid anyway, where we’re like, everybody’s out to get us, everybody’s out to not pay me. You know, you’re a good guy today, but you might, you’re a good payer today, but you might not be a good payer tomorrow, and now you’ve just like, dumped the steroid version of that on top of us. So if you were to give one piece of advice to credit professionals listening, where to start. You know where, if they’re, they’re sitting here going, I don’t even know where to start. I feel so overwhelmed. What would be one thing you could say? Here’s something that you could do right now. And I have a feeling I know what you’re gonna say, but go for your password, yes.
Joe Bonanno
Go through and it’s funny, when we first adopted password managers back, oh gosh, it’s got to be five or seven years ago now, it took me the better part of a weekend to get all of my passwords updated into the system, but once I did that, I’ve got now somewhere between five and 700 passwords in my password manager. We’ve moved password managers as technology has changed. There’s better methods out there. Some password managers are better than others. I certainly, I don’t believe in Google autofill or any of the autofills. Autofill is not a password manager, if you’re not asked to provide credentials to access that information, but it’s being smart about our information. Have a strong password, have your computer lock, have your browser sign out of your sessions when you close it. All of those things create a more secure environment that will help protect you along the way. One of my favorite things to show is how easy it is to get your credentials if you’re using autofill. It takes me about 15 seconds to pull up a bank website and to see what credentials you’re entering in there just by changing a little snippet of code that’s part of that browser.
Thea Dudley
You’re really bringing me down, Joe, I don’t know why I invited you here today. Thanks for almost, it’s like, here’s my wrists.
Joe Bonanno
I’m just gonna go where we’re the people that are just as, as feared to talk to as HR, so when, when security comes over to you, when your IT comes over to you and says, We need to talk, there’s typical and you’re doing something wrong. My goal is to educate to ensure that we’re getting best practices out there and ensure that we’re creating a culture that examines these things before we just jump in. You don’t leave your doors, your doors unlocked and your windows unlocked. When you leave, you close those things up, you lock them. We need to do the same thing for our networks. We need to lock our computer under the rug. We need to create strong keys so that people can’t just break in. We need to do the things that we would do normally, just apply it to a scenario of a computer.
Thea Dudley
Well, so people, if they want to get a hold of you, Joe, how can they?
Joe Bonanno
They can go to our website. I’ve got a let’s talk button so they can easily go to archetype sc.com, log in, click let’s talk or schedule a meeting, and they can select me from that, or any one of my amazing team members that can help provide solutions for them. They can call me anytime they want. I can give my phone number to you right now. 843-283-7200, I’m happy to take calls. I’ll send you a link for directly to my calendar where individuals can book and learn more, and I’m happy to talk with individuals about anything they’ve got going on in cybersecurity and network and application development.
Thea Dudley
I’m glad you clarified that, where you’re like, hey, just, you know, whatever’s going on in your life, you’re bothering you that you’re this stressed out, you know, I’ll just, no, keep it to cybersecurity and tech, well.
Joe Bonanno
And there’s, there’s an approach to this that I think individuals need to, managers need to learn. You can’t just tell people they need to do something. You need to support them and understand their situation and approach it from a point of love.
Thea Dudley
So do more better is not like tech coaching is security coaching. Good to know. It’s like, do more better man, read stuff more thoroughly, get what’s wrong with you.
Joe Bonanno
It’s interesting. We had a, an airport that we work with that implemented a program where they provided gift cards to individuals that reported incidents, security incidents, so and these were, this was, it was a hugely successful implementation. They gave out about $1,500 in gift cards, none larger than, I want to say, $25, but what it did was it made it top of mind for individuals. It made it that they knew what they needed to do to report. They knew what they needed to have, and it was a simple and cost effective way for the airport to roll out the program. So thinking about things like that, how do you reward your employees for doing things great? This is one of the ways that you can, and one of those things, so an easy one to do is you get entered into a drawing every month for every incident that you report, every email that you report, all the things. Most of our friends in, in the client space, when they see a spam message, they delete it, which is wonderful, but what’s even better is reporting it so that we can do better as IT professionals tuning your systems to catch those messages before they get to you. And there’s wonderful technology that’s going to help with business email compromise, where it’s telling you what’s going on in the email and why it’s a bad email. And those things are coming, but they only work as well as the person tuning that system and reporting the messages. And again, if you click on something, there’s not much we can do about that.
Thea Dudley
Yeah, hitting the off button really fast, it’s like, Oh, crap.
Joe Bonanno
If you do click on something, say something, the sooner you say something that the quicker we can take action and and investigate and remediate.
Thea Dudley
Yeah, nobody wants to be that person. That’s like, I didn’t think it was important. But Joe, thank you so much for taking the time. I know you’re super busy. I love that you were able to come in and join us this week. And you know, thanks to the whole LBM community for spending, you know, another, another Tuesday with us, and you have arrived at the place for practical strategies for navigating trade credit in the LBM space. And you can find us on Apple, Spotify, YouTube any day of the week, and new episodes come out every other Tuesday. And if you can’t get enough and you miss us in between, you can check out the back episodes. They’re available in the usual places. And in between, you can catch my friend and producer Sally Lacey on LBM Talks social media on the weeks that you missed me. Thanks for joining us. Thanks, Joe, for hanging out with us for an hour. And you know, making credit look so much better compared to cybersecurity.
Joe Bonanno
You’re very welcome, Thea. I appreciate your time today, and I hope everyone has a wonderful day.