On the Money with Dynamic Funds

Cybersecurity Essentials for Small Business

August 29

David Portal, Vice President, Systemized Solutions, is joined by Devin Kropp, Editor at Horsesmouth, Co-creator of the Savvy Cybersecurity Training Program, and Co-author of Hack-Proof Your Life Now! The New Cybersecurity Rules, to discuss how individuals and small businesses can stay safe online. Devin explains what cybersecurity is, what to be aware of, how to protect yourself, available resources, costs, what to do if you’re a victim and more.

PARTICIPANTS

David Portal
Vice President, Systemized Solutions

Devin Kropp
Editor at Horsesmouth

David Portal: Hi, I'm David Portal with Dynamic Funds, and welcome to our podcast where we dive into the latest threats and defensive strategies to protect you and your business.

Mark Brisley: You're listening to On the Money with Dynamic Funds, the podcast series that delivers access, insights, and perspective from some of the industry's most respected active managers and thought leaders.

David: Joining us from New York is Devin Kropp, editor at Horsesmouth, co-creator of the Savvy Cybersecurity Training Program, and co-author of Hack-Proof Your Life Now! The New Cybersecurity Rules. It's a pleasure to have you with us today, Devin.

Devin Kropp: Thanks so much for having me.

David: Now you've been committed to helping financial advisors and their clients stay safe online and teaching them all about cybersecurity. Can you briefly explain what it is and why it's become so crucial for small businesses?

Devin: Absolutely. When we talk about cybersecurity, we're really talking about the practice of protecting our systems and our networks and programs from digital attacks, and that especially includes small businesses. A lot of times we're talking about personal individuals keeping themselves safe, but the reality is small businesses are actually one of the biggest targets of cyber criminals out there. That's for a couple of reasons.

Some of these criminals assume that small businesses might have a smaller budget for cybersecurity, and maybe don't have the right security in place to protect them from these attacks. Or they might think that they have a smaller IT team who's not keeping up with everything that's going on, or they're outsourcing a lot of their security to third-party vendors who may or may not be vulnerable.

We actually see small businesses being targeted a lot in these kinds of attacks. There's a stat out there that says, I think, that one in five small businesses will be a victim of a cybersecurity incident this year. We see various reactions from that, too, of what that causes for those businesses as well. It is a real threat for businesses of all sizes, but small businesses in particular are very vulnerable to these kinds of attacks that we see.

David: That is both informative and terrifying. Can you share some of the more common cybersecurity threats facing small businesses today, including a few examples of how these attacks work?

Devin: I would say probably the number one threat that we see in our work with individuals and small businesses on cybersecurity is something called phishing. Phishing are these fraudulent emails that appear to come from legitimate sources, companies, people that you may work with in your business that contain a link. That when you click on it, instead of it actually taking you to whatever it says, sometimes it's an invoice link or a Dropbox link that would be disguised as.

When you click on it downloads malware onto your device that then can wreak havoc on your network within your business. Sometimes it'll ask for a username and password and you'll think it's a legitimate company and you'll enter that and then they have your username and password to get anywhere. Typically when we look at cybersecurity incidents with small businesses, no matter what the attack is, the majority of them start with that phishing email.

With an employee clicking on a link that they shouldn't have, and either downloading malware or giving away information that's going to help these criminals get into your network. Phishing is the number one threat that we see regularly. Going along with that, but a little bit different is something called ransomware. Ransomware is typically spread through phishing emails, but it's a really specific type of phishing. When you click on that link, it downloads a certain type of malware, which then will basically lock all of the files on your computer, has the potential of spreading to your entire network.

Essentially those hackers will hold your files for ransom and demand a payment for you to retrieve those files back. I will say when we started at Horsesmouth, we started our cybersecurity program about 10 years ago now. While we were in the midst of doing this program, and we were in the office at that point and we were very vocal about it among people in the office. One of my colleagues actually fell victim to a ransomware attack while we were doing all of this research on cybersecurity. It locked up all of his files and it actually started to spread to the network.

Luckily, our IT team was able to stop it before it caused damage to our server or locked everyone else's files up. This was 10 years ago that that happened. We're seeing these attacks at an even higher incidence rate than we were then. That just goes to show like this happens to people who are really up to speed on these threats. It can happen to anyone. Then I would say the last one I would mention is something called business email compromise.

That is when hackers will impersonate, usually like a CEO or someone in the C-suite at the company, and ask another employee to do something like a wire transfer. Really that wire transfer is not going to the company account, it's usually going overseas. That money is very difficult to retrieve back. I would say phishing, ransomware, and business email compromise. Again, all of those are a vehicle of phishing. Those fraudulent emails are what is causing the next threat to come. Those are the most common threats that we see impacting small businesses today.

David: How can employee training be effective in preventing cyber-attacks and what key areas should it cover?

Devin: We always say, and this is not employees' fault typically, but most cybersecurity incidents are at the fault of one employee doing something wrong. I say it's not their fault because most companies, especially small businesses that maybe don't have the budget for this, aren't doing proper employee training. This does cycle around awareness, knowing that when we see an email-- and these hackers love to use urgency and things that they know are going to get you to click to take action.

When you're getting these on a regular basis, you are sharpening that cybersecurity muscle in your brain to be skeptical when emails come in. That's one really important part of training is having examples or tests for people to go through. Having it be part of your onboarding for any new employees is hugely important. Talking about what your cybersecurity policies are. You need to either work with someone who specializes in IT or a third party that's going to help you build out what your rules are. Because there are many vulnerabilities that can leave you open here.

Things like people using their own devices, insecure Wi-Fi networks, which we can get into later. It's not this thing that you talk about, when an incident happens, it's something that's part of the regular conversation. I would also say making it a regular part of your employee training on a yearly basis. Even employees who have been there for a while, refreshing them on it, having an expert come in if you feel like you're not an expert yourself, finding someone who can come in and talk about that.

There's plenty of third parties who will do the things like send the fake emails as a way to keep that muscle sharp. Having an open line of communication around cybersecurity within your business is probably one of the most crucial steps. We say in our program, in our book, cybersecurity shouldn't just be left to the IT team. This is a full business priority. The C-level suite needs to buy into it. They need to be aware and educated. All of your employees need to be aware and educated because all it takes is one wrong click and it can cost your business millions of dollars.

David: Now, if we were to experience a cyber-attack as a small business, what would be the first steps that they should take?

Devin: If it's something that is making your network vulnerable, right? Going back to that ransomware example I gave earlier, you want to disconnect the infected device from the network. Of course, if it's anything to do with financial, wire fraud, or someone inputting a corporate credit card into a fraudulent site. You need to be contacting your financial institution immediately and putting a freeze on your account, letting them know you've been a victim of fraud and that they need to freeze that account.

Similarly, I would say, if you have more than one financial institution you're using, I would still contact the rest to be on alert for any suspicious activity because once they're in your network, it's really easy to access anything that these hackers want. These are professionals and they know how to get in and around things. If you think it's impacting your customers, there are standards that you have to follow based on whatever country that you're in and report that to the proper authorities.

It's good to have some sort of law enforcement report on file. Usually, they can't help you with anything, but sometimes having the paper trail is helpful in further steps. If you are someone who has cybersecurity insurance, you obviously want to contact that institution as well and see what they think the next steps should be.

David: What's your top piece of advice for owners who want to ensure the integrity of their cybersecurity?

Devin: Having your staff be really current with the cybersecurity threats that they face and know the proper protocol when things happen is hugely important. Earlier I talked a little bit about the business email compromise and how that it's usually a wire transfer request that comes in. It's an email that looks like it comes from the CEO to maybe a lower-level employee saying, "I need you to do this right now. You can't tell anyone about it, but I need you to wire transfer this money to this account."

The point being here is you need to have these conversations with employees so when this happens, they know what to do. What we say, our advice, and our program is for business email compromise, whenever a wire transfer request comes in via email, that person needs to confirm that request in a secondary method. If the request comes in via email, if you're in the office with the person you need to get up, go to their office, and say, "Did you just send me this email," and confirm.

If you're not, you need to pick up the phone and call them. Because there's so many stories about this happening where you can't retrieve that money once it's gone. You could prevent it by easily, again, picking up your phone or getting up and walking to that person and confirming that they sent you that information. Having training and also protocol in place for when particular threats happen that you know and your employees know what to do can help prevent serious damage to your business.

David: Now, looking ahead, what emerging cybersecurity threats, if there are any more, should business owners be aware of, and how can they stay ahead of that curve?

Devin: I think the biggest threat we see right now is the impact of artificial intelligence on the threats that already exist. We're not necessarily going to see new threats come out of the AI technology, but what they're going to do is that they're going to make threats that we already see on steroids. I was just saying, we were talking about the business email compromise. Let's for a second, just think about how AI could make that threat even worse. Say you have the protocol in place where that email comes in and you pick up the phone to call and confirm.

With AI, hackers can impersonate voices, they can create deep fakes, and they could hack into that phone line and make it sound like your CEO is saying, "Yes, I sent that." Then all of a sudden your protocol that you have goes out the window. We could see the same thing with using AI deep fakes in things like Zoom meetings where you can actually make it look like someone's saying something that they're not or videos. Maybe you get a video message from someone on the team asking you to do something and you think because that's clearly them, it must be true.

When in reality, we know that there's so much technology out there already that can make things look like they aren't. In addition to that, just generally artificial intelligence is also going to make it much easier for hackers to do more attacks in less time. A lot of cybersecurity and cyber-attacks comes down to like a numbers game. They know if they send out X number of phishing emails, X number of people are going to click. When they can exponentially send out more of those emails using AI to their advantage, more people are going to click.

I think we're just going to see a greater number of people becoming vulnerable. On the flip side, AI could also help cybersecurity teams protect businesses from these threats. We already have seen AI technologies that are helping to identify malware. I think we'll see if that help too. There's two sides of that, but I would say number one, the most emerging threat that I would keep my eye on is how AI is going to impact that.

Number two, I would also say internet-connected devices. The internet of things where we have devices other than our computer and our phones that are connected to the internet. Those are also a target for hackers right now, although that might be less relevant for small business owners. Something to be aware of if you have other devices in your office that are connected to the internet, that's kind of an emerging threat too, I would say.

David: Devin, are there any cost-effective cybersecurity measures that small businesses can implement immediately?

Devin: Yes, I think there are a good number of cost-effective steps that people can take. It may require more time on your part, but there's a lot of things you can do for free that are really going to help impact your bottom line cybersecurity in your business. Taking the time to write down those protocols that I was mentioning earlier. Thinking about what the top threats you feel your business is vulnerable to. Coming up with an action plan for that and sharing that within the team is really important.

You definitely want to invest some money in some technology that can help protect your business. That's not that expensive. For one, something called a VPN is hugely, hugely important. VPN stands for Virtual Private Network. Essentially what it does, and this is also hugely important if you have remote employees in particular who are connecting into your network from either their home or a third-party location that is not the office. What it does is essentially takes whatever Wi-Fi they're connecting to and creates this secure tunnel between their Wi-Fi and your network.

That's really important because open Wi-Fi, say they're working from a coffee shop or something like that, hackers can get into those networks incredibly easily and see what people are doing on their computers or send malicious links. A VPN for all your employees, it shouldn't be that expensive, but it will save you a lot of headache and is, I would think, a priority. It's a must-have for all small businesses. You can also look into like antivirus and malware software for your employees to have as well.

Again, gives you a little bit more peace of mind for monitoring all of the devices that your employees are using. On that note, also having some sort of standards for what devices employees are allowed to use. Are they allowed to use their own devices to connect into your network? Does it need to be a business-issued laptop and that's it? Thinking about that is also important. I would say if you're going to invest some money as a small business owner on technology, I would say a VPN is number one and number two, looking into that malware, antivirus software as well.

David: Your tips are so practical and relatable for whether you're an employee or you're a business owner. I think our audience has really benefited from your knowledge. Thank you so much.

Devin: Thanks for having me, and everyone out there, stay safe.

This audio has been prepared by 1832 Asset Management LP and is provided for information purposes only. Views expressed regarding a particular investment, economy, industry, or market sector should not be considered an indication of trading intent of any of the mutual funds managed by 1832 Asset Management LP. These views are not to be relied upon as investment advice nor should they be considered a recommendation to buy or sell. These views are subject to change at any time based upon markets and other conditions and we disclaim any responsibility to update such views. To the extent this audio contains information or data obtained from third-party sources, it is believed to be accurate and reliable as of the date of publication, but 1832 Asset Management LP does not guarantee its accuracy or reliability.

Commissions, trailing commissions, management fees and expenses all may be associated with mutual fund investments. Please read the prospectus before investing. Mutual funds are not guaranteed. The indicated rates of return are the historical annual compound total returns including changes in unit values. Their values change frequently and past performance may not be repeated.
