Alongside the many possibilities opened up by computer-based technology, cyber attacks and threats are prevalent. Preying on the weaknesses and vulnerabilities of most industries, hackers coordinate their efforts to carry out their nefarious plans.
Scott Fuller (00:02): I think incorporating cyber security into what it is that you're doing and making sure that that's part of the fiber of your offerings is just being a good partner.
Intro (00:15): Welcome to Access Points, the podcast where we discuss the tools, habits and ideas that can help you achieve and maintain the leadership mindset so you can reach peak performance. Are you ready for your all-access pass to some of the top minds on the topic of leadership? Let's get started.
Cody Strate (00:36): Hey everybody, this is Cody Strate here from Access and a part of the Access Points podcast. I am joined with a couple of my illustrious colleagues, Mr. Scott Fuller and Mr. Mike Kelley. Before we get onto the topic at hand, let's do a little introduction. Scott, who the heck are you? What do you do here at Access?
Scott Fuller (00:56): Thanks Cody. I am the chief information officer and I also wear a secondary hat of chief information security officer.
Cody Strate (01:03): Excellent. Amongst, uh, also many other personal endeavors that I still continue to give you the title of the most interesting man in the world. We can cover that. I'm sure at some point in time through the course of this and many other podcasts, but Mike, let's transition over to you. You're a perennial guest here and speaker on this podcast, but for those listeners who have not heard anything from you just yet, who are you? What do you do over here at Access?
Mike Kelley (01:26): Thanks Cody. I am, this is Mike Kelley I should say, and I am the VP of sales over here at Access. I wear predominantly the hat for revenue generation working with hospitals every day. So certainly happy to be here and appreciate the opportunity to come back on the podcast. Absolutely. It's funny you talk about wearing all these different hats. You know, the joys of a uh, small and medium sized business.
Cody Strate (01:48): Everybody wears a whole array of different hats as we just try to continue to move this whole thing forward. Now again, my name's Cody Strate. I'm the VP of marketing over here at Access and today what we are going to be talking about is cyber security and we're going to talk about this in frankly a few different practical ways. We're going to talk about this and you know, from perspective of Scott, we want to talk with him about some of the different types of attacks that are out there from a cybersecurity standpoint. Uh, so we'll, we'll, we'll cover that. And we also want to talk about this and the perspective of, you know, the role that security plays in the context of sales and marketing and how you can actually apply that to your sales and marketing story if you're not doing it today. So, Scott, let's just start with you.
Cody Strate (02:35): Let's, let's level set now me, I'm a layman and I think a lot of these people listening to this podcast are similar to me and that, look, we know that security is obviously, it's a, it's a big deal. Cyber security, a big deal. We hear about attacks happening all the time. So tell us a little bit, if you would give us some vernacular. What are the different types of attacks that occur under the umbrella of cyber security? And you know, which ones are, those are our most prevalent. So let's walk us through that first. Give us some vernacular and we'll go from there.
Scott Fuller (03:09): Okay, thanks Cody. Sure. I'd be glad to. Cybersecurity attacks, there's probably dozens and dozens of technical different types, but a lot of them fall underneath about four major categories. One is malware. Um, and that's basically malicious software that's installed, a very popular version of this is ransomware, and is designed to damage or control a computer system. Another type of attack is phishing. This is also very popular. Um, these tend to be fake official looking emails from a bank or PayPal or maybe even your boss. And the whole idea is to fake something in order to get information from the victim. This could be their passwords, this could be the access to different work sites that they have or just even their banking information. Another very popular type of attack you see is a distributed denial of service attack. This is basically a series of computers that are networked together that will come and overload a server with data essentially shutting it down, not allowing it to operate or conduct business in the fashion it was set up to do.
Scott Fuller (04:26): Another type is cross site scripting. This type of attack injects malicious code into a website and then either redirects that website or can actually infect the browser of the users that are using that. And then probably the last, you know, more popular type of cyber attack we see is an injection attack. An injection means basically a, an SQL query or something else that is used in an online form where a user would normally fill in something. You can put in a, a series of commands that would trick the server into divulging the data that it's sitting on top of. That could be credit card information, usernames, passwords, or it very well could be PHI or a banking information depending on where the application is sitting.
Cody Strate (05:20): Right. Okay. You've given five different types of cybersecurity threats and attacks that can occur of which, uh, you know, whenever we see in the news, uh, you know, like, Hey, the, you know, this particular bank was hacked, this Uber was hacked, or this institution was hacked or what, or this hospital was hacked. Right. Generally speaking, what type of an attack is that?
Scott Fuller (05:45): What we're seeing a lot of right now is ransomware attacks. Uh, it is just absolutely exploded within the last six months. And I think particularly, uh, during the COVID-19 crisis, uh, part of that is a lot of businesses have had to get creative in what they're doing and they've loosened their security controls. Also, businesses have had to shift resources away from cybersecurity and this has just opened the door for these types of attacks. So ransomware is probably the most popular type of attack we see now. And it's a pretty simple, you know, one, two, three approach for that type of attack. Step one is the user needs to be infected by the ransomware and that can be accomplished either by an email that comes in that actually has the code embedded into an attachment that could be a USB drive that is transferred from viewer to computer and a user's computer is infected with that.
Scott Fuller (06:50): Or it could even be a website that the user went to and click the link which installed some malware on the computer. Either way it happens that step one is to get the program sort of inside the veil of the corporate network. And by corporate, I mean that could even be a small business, but once it's on the inside, then the malware is activated and it basically gathers all the data in the network and encrypts it and locks it down. And then step three comes the demand to unlock the data. Uh, generally people come in, they notice they're, everything's locked down, there's messages on the screen. Sometimes they'll receive emails and they're just like, the name implies there's a ransom to be paid that you're going to pay in order to hopefully get the password you need to unlock all your data.
Cody Strate (07:46): All right. And so bring us up to speed on this because you know, for, for me, most of my exposure is either to, this is either through the news or movies or something of that nature, right? So the demand comes in and it comes in in the form of what is it as an email, like as a text value. How does that actually come in?
Scott Fuller (08:03): Well, the demand can come in really one of two ways. One, I think most of the time the process of encrypting the data, they'll put messages up on the screens and so when you come in, you turn your computers on, you will get a message saying we have your data now, you know we want X amount of money and there'll be some instructions for contacting or wiring or whatnot. There are some that will just lock it up and then separately send you an email and say, you know, we have locked up your data. We have it under our control if you want it back, this is what we're wanting from you. Right. So it's either one of the two ways I am most of the time it's usually a message on the screen from the ones I've been exposed to.
Cody Strate (08:50): So that's part of it. Okay. We're going to lock it down. We're going to put up a screen there if you want it back. Come over here. Now is there ever also like a threat associated
Cody Strate (08:56): with this? Like, you know, if you think about like a, a ransom that occurs with a, you know, human kidnapping, right? So like, give us the money or we're going to kill this person. Like, does something of that nature happen in the technology world where somebody says, Hey, we have your data. If you want it back, you have X amount of time and if you don't respond in this amount of time, we're going to delete everything. Or something like that.
Scott Fuller (09:17): I'm not aware of any that really have a threat other than a demand for payment associated with that. I'm sure that happens. Uh, there's, you know, activists out there that would probably, you know, do this for something other than money. Uh, but frankly ransomware's kind of big business. Um, there's a lot of countries that are well known for, uh, doing nefarious things on the web and ransomware's one of their latest, uh, enterprises. And really for them it's, it's just about the money. And one of the things that I've noticed is, and talking with not just, you know, small physician offices, but just small businesses in general, a lot of them feel very immune to this. And it wasn't maybe a year ago, I was talking with a doctor. It was a doctor, her husband, and they had three employees, total of five people working in this office.
Scott Fuller (10:15): They came in one morning and they were hit by ransomware and everything was locked down and there was a demand for, I believe it was $8,000, uh, for them to get the password to unlock everything. And they were just very shocked because, you know, they're not part of a large metropolitan area, they're just a small little physician's office. You know, why would somebody from a far away place like China be focusing on us? And the reality is everybody's kind of equal on the internet. If you have an IP address and you are on the internet, you're just as accessible as IBM or Google. So when people are cruising the internet looking for weak security or exploits to leverage, they don't really know where you're at or your size or anything else, they're going to take the opportunity to explore what they find and then leverage you for whatever they can leverage you for. Obviously, you know, Google could be leveraged for a lot more money than, uh, a small physician's office.
Mike Kelley (11:21): Just to tack onto what Scott was saying was we are in a business where we're selling and supporting hospitals and certainly it's, it's kind of the going joke in our industry that hospitals are 20 years behind everybody else in terms of their IT infrastructure. Um, and obviously cybersecurity would go along with that. I think the, the interesting point that Scott just made is that because healthcare is notoriously struggling with what's called patch management, that the security gaps exist and because of their existence, they create the opportunity. Now in terms of the motive, you know, for this type of behavior or these hacks that are going on, I think it's, you know, important to understand that, that it is a big, big business. It represents huge revenue opportunity for these hacking groups. Um, whether or not they're state sponsored or they're on their own or whatever, but a hacker is not the guy sitting in the basement or the attic of his home. Just, you know, being nefarious about things there. These are, you know, coordinated, extremely professional corporate attacks on hospitals are out there that represent opportunity. I, I say this a lot too to number of different, you know, places where we're going into, but there's only two types of hospitals out there. There are hospitals that have been hacked and hospitals that don't know they're being hacked. And it's truly what we're starting to see. The opportunity is there and when the opportunity exists, you're going to find somebody that's going to exploit it.
Cody Strate (12:51): well, where there's money available that you can, uh, that you can get. There's people that are going to put a coordinated effort towards achieving that, obviously. So, alright, so Scott, look man, as far as the types of attacks, uh, okay, now, now we're all officially informed about what we should be scared about, right? And what you also said is that it's not just the big companies, it's even the little company. So every, frankly, here's all the things that you should be scared about and everybody should be scared that, okay, so now we're officially terrified. I appreciate that. With that being said, now, how is it and give us if you could please two different viewpoints, because again, this is, this is all about, you know, leadership mindset and, and how people should be thinking about things. That's what this podcast is all about. We cover an array of subjects along those lines.
Cody Strate (13:36): And so in the context of cybersecurity, if you are a business owner or an executive at a company, how should you be thinking about cyber security? Are there parallels between, again, like the way people should be thinking about this as a large company, as a small company, is there any difference in strategies? Um, you know, both, you know, how they should be thinking about it, preparing for it as well as communicating with their people. Because it sounds like, you know, these institutions, a lot of them have these big firewalls and these big protective boundaries and borders, but you know, you have a situation like phishing that goes on the inside, right? And so you have to communicate with people to be vigilant. Um, you know, uh, if I'm not mistaken. So how is it that business leaders should be thinking about that? And then if you would give us some insight after that into how companies like such as ours, we're a technology provider where we're a vendor providing software solutions to customers in this case, hospitals. So how is it that we should be thinking about not just developing cool new products, but factoring in security into that? And then Mike will get into speaking about from a sales marketing perspective, how we bring security into the discussion. So first and foremost, Scott, over to you please. Again, we're all, we're all scared. Okay. So what do we, what do we do about it? How do we think about this as a business owner?
Scott Fuller (14:58): Well, I think as a business owner, every business needs to decide their level of risk tolerance. Uh, if you want to be completely safe, you disconnect yourself from the internet. Uh, go to paper and pencil and you know, live with the inefficiencies, right? So every business needs to spend a little bit of time evaluating, you know, what kind of risk is acceptable to them. And it's something that needs to be revisited all the time because there may opportunities may come along that may require a little bit more risk and you need to understand what you might need to build towards to make that risk acceptable and that you don't need to be a really large company to and have a risk management department to have that kind of mentality. A small office can look at this and say, well, you know, I'd like to have my accounting people connect remotely to my system to offload my invoices and look at other yeah.
Scott Fuller (16:00): At other things. And so you may have to look at that, you know, for the convenience, for the cost savings of perhaps having then house employee the seems like a good thing to do. What is the downside? Well, how do I need to protect myself in policies? And procedures as well as maybe spending a hundred dollars on a better firewall in the server room so that there is something for, for everybody. But you touched on it too, there is a parallel that goes through all businesses and that is the reality. Almost all cyber attacks, 90 some percent all start with email. And the reason why they start with email is they're preying on people to click something, download something and go somewhere. And you know, that's why phishing attacks work. Uh, because somebody sees something and Oh my gosh, there's a Prince in Africa that needs my help and all I've gotta do is give them this and I, I'm going to be a rich man
Cody Strate (16:57): t Prince needs to get his act together. By the way, at this point in time, seriously, like I'm tired of hearing about it. Like get your act together. You've gotten the funds that you need. Please, if you can't figure it out now, then just stop.
Scott Fuller (17:08): I'm glad you gave him your 401k to help him out. That's do what? I can wait waiting for your check at the post office. Well, the weak link is always going to be the individual. You know, employees will make honest mistakes. People that are maybe a little bit more trusting may tend to click on an email to see what it's about versus saying, well, wait a minute. I don't know what this is. So one of the things that you can really do that and it doesn't cost a lot and you're not buying, you know, big chunks of expensive software or hardware is make sure your people are trained in a lot of industries, banking and healthcare. Everyone's required to go through annual training and it's security awareness training as well as like in case of healthcare, HIPAA training. And it's not that there's that many new things that come out every year that everybody needs to be educated about.
Scott Fuller (18:03): It is just addressing the fact that human nature, people need to be reminded constantly. Hey, remember you're going to get emails that have links in. Your gut reaction should be, I'm not going to open this. I'm going to send it over to the IT department or talk to my IT guy to see if this is something legitimate or not. I'm not going to investigate it myself. And little things like that can be done really across industries and really, it doesn't matter how large or small your organization is. If you can keep the people who are using the systems well-educated and focused on security first, you'll do well.
Cody Strate (18:45): So let me ask you this to me, add this piece on in that, okay, great. Ransomware is the one of the biggest cyber security threats usually that happens by virtue of, you know, some sort of a phishing scam and email comes to somebody, they trust it, they click on a link somehow or another, some texts and some sort of malicious software gets embedded inside of the firewall and then it, it does its thing and it locks things down. Right? So the question I have for you, uh, and, and it makes sense, uh, that, okay, great. We need to make sure that we train our employees to be vigilant about that. Make sure that everybody is aware of it. And, and, you know, takes the appropriate common sense precautions. Now is there any new aspect or angle that people should consider considering that, you know, we've had this global pandemic, okay.
Cody Strate (19:37): A lot of businesses, uh, in an effort to continue to operate, let people work from home. And that's a new thing for a lot of people. And so that brought about this whole new world of challenges to businesses about how are we going to let our employees continue to work at home? How are we going to do that from a, and continue to have that same level of productivity? How are we going to continue to have the same kind of meetings, you all, all that stuff that we hear about, you know, okay. You use zoom meetings or use teams or Hangouts, so you do all that. Uh, but, but is there any additional security threats, uh, that are here now by virtue of somebody working from home that perhaps weren't there before? Is there, is there, is there any new mindset that we need to have as we get on the backside of the pandemic?
Scott Fuller (20:18): Yeah, certainly. I think when you have employees go to work from home, not every one of them were allowed to bring their work computer home. So their own personal device, they might be using that to log in to certain things like Zoom or Office 365 so they can access their OneDrive and, and continue to work on documents. But if the company doesn't really have control of those computers, you really have to assume the worst. You have to assume they're probably infected with something and you have to guard against that. And so certainly, you know, this whole pandemic sending everybody home, working from home I think has really opened a lot of people's eyes to, you know, the benefit of cloud computing and you know, having everything distributed and really how powerful a lot of the solutions are that enable people to work virtually.
Scott Fuller (21:17): But on the same side, you have to, you know, look at that little risk needle that I was talking about before. Okay, you know, I need to do this to keep my business open. I've got to send my employees home. I, you know, I can't afford to issue them all company laptops for them for their use. So they're going to have to use their own machines. So you're going to have to, you're, you're, you're pushing that risk needle a little bit further over. So now you kind of need to close that gap with the appropriate security measures. And so I think it just really goes back to just constantly assessing your, your risk tolerance and what you're doing about it. It's OK to take a risk, uh, that's how businesses survive, um, it and, and grow. But you need to always try to fill in that the backside of that curve.
Scott Fuller (22:08): If you are going to take a risk, how am I going to make sure my bases are covered, uh, to, to where, you know, I don't trip and fall on my face. And I think these pandemics, you know, they forced a lot of organizations to do things to think outside the box and, and you know, the way restaurants are working now, everything is much different than it used to be. Um, even within healthcare for example, you know, we see a lot of people in the parking lot with tablets filling out forms that you didn't have that before this pandemic. And now people are doing preregistration kind of stuff with tablets in the parking lot. And you know, that just kind of exposes some, some new unique challenges. But there's really no magic, you know, you can say, Oh, well this technology will guard everything against that.
Scott Fuller (22:56): It's keeping your users educated so they're, you know, they're thinking about security all the time. Um, secure a security culture in our organization is a very strong thing. And really what security culture means, at least to me, is that every employee sees themselves as a link in that chain. And the minute you have one employee that says, well, you know, that's, that's the IT department's thing, you know, um, you know, I'm just a nurse. I know nothing about cybersecurity. That's kind of a nerd thing. Now you've got a missing link in your chain and you've got a hole that can be exploited. But when you can get your entire organization to see themselves as part of cyber security and each person realizes they have a role based on the fact that they're holding that, that iPad or you know, they're in charge of that workstation. Anytime there's a printout and they walk around with that information, realizing how important it is that it ends up in the shred bin versus ending up, you know, just throwing them to dumpster with everything else. Those are the things that can really help guard against any kind of further problems that people have during pandemics. It's just keeping your mind on those risks at all times.
Cody Strate (24:09): So my game and Mike's game of course is sales and marketing. So if you were to have like an internal message to your employees, something to the degree of what you're saying of red Rover, red Rover, don't let the Eastern European hackers come over like something like that, I think is what you're suggesting. Okay, so guys go with that. Again, that's it. This is all about business in leadership. But no, seriously, that makes sense though because you know, everybody that is an employee in an organization and that has rights, privileges, access to that inner sanctum of technology that they could be a conduit to give somebody access to that. So make sure that everybody understands that they have a role to play to make sure that they remain vigilant and uh, don't inadvertently expose their system to, to, to malware. Now, uh, Mike, I'm really anxious to get over to you as we start talking about, you know, the sales and marketing side of things, but to, to transition over towards that.
Cody Strate (25:06): Scott, you know, you've, you've done a good job so far laying out the landscape of the types of attacks. You know, everybody's really at risks. What can people do about it? Um, you know, without going full Kaczynski and going into the your shed and working on your manifesto for years and did totally disconnecting, uh, here's how you deal with this in the real world right now. Put on your different hat. Here you are at our company. You're the chief security information officer. You're also in charge of development. So you are, as we develop new solutions, solutions to problems, every angle that I've worked with you on any solutions, you're saying, okay, how, how can it be secure? Make sure that we're not exposing risks, that we don't have vulnerabilities and things like that. So from a company standpoint, as it pertains to their products that they are producing, how should they approach this from a mindset standpoint to make sure that they're appropriately, uh, not just solving business problems, but they are incorporating a security strategy into their product so that they're not putting their customers at risk? How should they be thinking about that?
Scott Fuller (26:11): Well, frankly they should be thinking about it as an obligation. I think it's, it's just paramount for us and really anybody that develops software for healthcare to be making that part of their process. The healthcare organizations are entrusted with their patients to all sorts of personal information and the healthcare organizations then have business partners, whether it be a software vendor or any other kind of vendor that they also bring into this little circle of trust and everybody that's involved, it needs to do their part. And like, you know, my analogy before about a security culture within our organization, you know, the hospitals looking for their business partners to also be part of that security culture. And so when I look at what we're doing with software development, we have normal features that we want to put out and it's normal to have a QA process associated with those features to make sure you understand performance, uh, issues and any other kind of interoperability issues.
Scott Fuller (27:17): Every time you introduce a new feature that's just part of good software development, having a QA process, but you know, going a step further and adding a security component to that as well as having a third party code review at least once a year to where you're just looking for vulnerabilities and you have people who specialize in how code can be exploited and everything else. Looking at your code to make sure that, you know, not only are you putting out software that has features that your customers want, but are features that work well, have good operability and don't introduce any kind of security issues. And so we have to take that, you know, I think very seriously and one of those types of attacks I had mentioned before, SQL injection attacks, that's generally done via web form. And so for electronic forms, I want to make sure that any field that we have on a form is immune to any kind of injection that comes in through that.
Scott Fuller (28:21): And we need to make sure that, you know, when we're giving our solutions to our clients that they can feel assured that we have looked at that, that we have had even third parties review, you know, the code behind those fields and that we're filtering for any kind of injection or any, any other kind of security exposure there whatsoever. And then also too, I think with our operations going through a third party SOC audit, having our processes and our controls looked at by a third party auditor, making sure that we meet the same standards that our customers do in terms of security, helps us understand the world that they live in because we're holding ourselves to the same standards that they are as well as making sure that, you know, we're not a subject to anybody being inside of our network. To me, you know, worries me is, you know, some hacker coming in and being able to inject code right into our code base and then, you know, we're happily distributing their code out to our customers. That can't happen and won't happen because we're making sure we have all that covered
Cody Strate (29:31): right. Well. And, and, and that plays really heavily with us of course, because once again, we live in the healthcare world, right? So we're, we're providing technologies to healthcare
Scott Fuller (29:42): institutions and hospitals and whatnot. So you're dealing with regulated data there. And if those businesses don't function optimally, then people's lives are at stake. So like you said, that certainly can't happen. Got Mike. Anything else you guys have to add?
Mike Kelley (29:55): To be a good partner with someone, you have to take what concerns them as your concerns and the way cybersecurity is right now, you have to take that in consideration. So I think incorporating cyber security into what it is that you're doing and making sure that that's part of the fiber of your offerings is just being a good partner.
Scott Fuller (30:21): It's a requirement. It's an obligation. I like that.
Mike Kelley (30:24): And for our listeners, you know, again, we're always looking for feedback on this podcast. Hit the subscribe button. Give us some critical feedback, how we can make this thing better. Go to our website at accessefm.com. Check us out there. Find us on Twitter. Find us on Instagram. Find us on Facebook. Give us a like. Give us a tweet, give us a thumbs up and appreciate you guys listening.
In today’s episode of Access Points Podcast, Cody Strate shares a conversation with the guys from the leadership team of Access, Mike and Scott, about the different attacks that occur under the umbrella of cybersecurity, how infiltrators work to paralyze your operation, and what businesses can do to prevent the risks.
Scott Fuller is the Chief Information Officer of Access. He helped thousands of organizations understand, confront, and overcome significant security challenges. Through his leadership, the company is well-positioned to develop secure high-quality technology solutions to meet the evolving needs of healthcare.
As the Vice President of Sales, Mike Kelley understands people’s problems and aligns customers with the proper solutions. Skilled in Healthcare Sales, he develops and implements a vision of achieving truly memorable solutions for hospitals.
“I think incorporating cybersecurity into what it is that you’re doing and making sure that that’s part of the fiber of your offerings is just being a good partner.” -Mike Kelley
In today’s Episode:
2:56 – Different types of attacks that occur under the umbrella of cybersecurity
5:20 – What cyber attack most businesses suffer during the COVID-19 pandemic
8:03 – How perpetrators deliver their demands to restore your data
11:21 – Why hospitals frequently fall victim to cyber attacks
14:58 – Practical approach in assessing risk for business owners
17:32 – Best method to protect your industry from cybersecurity threats
20:18 – Computer vulnerability from working at home due to the pandemic
23:06 – The importance of every employee’s involvement in the security chain
26:11 – How incorporating a security strategy into products and services should be perceived