Fresh off of Cybersecurity Awareness Month in October, we’re extending the conversation with Telesystem. Ira Feuerstein, manager of cybersecurity business development for the brand, shares a number of tips, tricks and fair warnings for retailers around protecting their data and educating their employees on this always-important matter.
As mentioned during the interview, NMG Members can get a free cybersecurity analysis.
Rob Stott: We are back on the Independent Thinking Podcast and just off of Cybersecurity Awareness Month. I wish we could have done this a couple weeks ago and it would’ve been in the middle of it, but you know what? Cybersecurity doesn’t only happen in a single month, so it’s nice to continue that conversation. But Mr. Ira Feuerstein, the manager of Cyber Security Business Development for Telesystem, appreciate you continuing the cybersecurity talk after the month of awareness is over here.
Ira Feuerstein: No problem. Like you said, honestly, it never ends. I mean we just try to make people aware in October just because, but the bad guys never stop, ever.
Rob Stott: No, no. It’s not like they, “Well, all right, October’s done. We’re just going to pack it up and go home and call it a year.” Certainly not the case but no, we appreciate it. Before we dive into it, because we got some great stuff on tap to talk about today about this space and the threats that are looming out there for independent retailers. But give us a little background on yourself and your path to your role there at Telesystem.
Ira Feuerstein: It’s interesting. I’ve been in technology 20 plus years and in various different areas, but a couple of years back, I was in the world of telecom at the time. I was looking at that industry and I was seeing an industry that really wasn’t innovating so much anymore and it just wasn’t making the impact like it was at the beginning. So I came up with this idea of starting a cybersecurity company because you couldn’t go a day in the news without seeing something major happening. And I thought, “Okay, there’s something here so why don’t we start a cybersecurity company and let’s help businesses of all sizes, but really small to midsize businesses generally, help protect them against the bad guys.” That was about three years ago and the company went wild, just exponential growth. And then a couple months ago we started talking with a company called Telesystem and they ended up acquiring us September 1st, which was fantastic. So now we have a 120 year old company behind us and all the resources in the world and the sky’s the limit at this point.
Rob Stott: Well, first of all, congratulations. That’s nice to see that kind of growth and then build a business to a point where Telesystem can come in and do that. So cool news for you guys for sure. Timing wise too, right ahead of cybersecurity awareness month, so you could talk about that from a different seat and like we said, it just ended. But obviously, that’s a big mark, I’m sure, on your calendar to try to get the word out there and talk about the challenges that any business faces really in the cybersecurity space. But is it something where you try to talk about everything in the industry or were you guys focusing on a certain type of message this year?
Ira Feuerstein: What we do is we try to, every day during the month, give a small little bite size topic of things that are important to any business of any size. And it’s all very easy conceptually, but it’s always forgotten in business because we have to think about it like a business, like a retailer. They’re going into the holiday season right now, so they’re laser focused on making their profitability for the year. Let’s be real, last two months of the year where most retailers make their profitability for the year. You’ve got to give cybersecurity tips and tricks to people in small bite size chunks. We covered things like, “Hey, you have to have complex passwords, you can’t just use your son’s name and the year he was born.” Things like, “Hey, understand that cyber criminals generally are coming after you through nefarious, but very real looking emails,” those types of things. It’s a very bite sized little chunks, but a lot of great content for sure.
Rob Stott: Well, the interesting thing too is timing. Well, one thing that comes to mind is the timing of it being October before the final two, at least from a retailer, seems like it’s really well timed to be talking about that because this is the time of year when I’m sure a lot of cyber criminal activity crops up and tends to happen, especially in this space.
Ira Feuerstein: The criminals really amp it up this time of year because there’s a lot of ways to prey on people. Let me give you an example. Just the other day, I got a text to my phone and the text, it said it was from Amazon and it said that they had trouble delivering my TV. Now, here’s the weird thing, it was on my mobile phone. Normally, it comes via email so that was very curious to me. And then the second thing is, I had just ordered a TV.
Rob Stott: That’s creepy. That’s a little creepy.
Ira Feuerstein: The bad guys knew. Now how they knew, I don’t know. Or they were just guessing and they got lucky. So that’s the thing that I think everyone needs to understand is that, during certain times of year they do amp up attacks, around the holidays. Easy to send somebody an email saying, “Hey listen, we tried to deliver your new microwave oven but no one was home so we have to reschedule. We need you to click on this link.” There’s all sorts of tactics and tricks. But I think it’s important to understand that these bad guys are not bad guys, they’re bad organizations.
It’s tough because they’re backed mostly by governments. They’re backed by the Russians, the Chinese, and North Koreans, the Iranians, those are sort of the big four and they’re run just like a retailer. They’re run just like a business. So it’s not some kid in a hoodie sitting behind a screen in a dark room, it’s real criminal organizations and they understand psychology. They have all the resources they need. They have IT people, they have marketing people, they have hackers, they have content writers. So if everyone takes away one thing from this podcast is trust nothing. At any time of the year, trust nothing. I think, I don’t know if it was Ronald Reagan or some president at one time said, “Trust but verify.” Always verify first.
Rob Stott: Well, I mean it’s interesting because that concept of understanding that it’s not just a kid doing something nefarious to try to eke a few dollars out of you, I think is important because that sort of sets the stage for understanding that it is serious, because it’s not one individual; it’s a very well-run, well-oiled machine that they’ve done this before. They know what they’re doing and not to say, they aren’t individual hackers out there that don’t know what they’re doing either. But it’s a real threat, a growing threat, and it’s turned into an industry of its own really where they’re coming after you and it’s organized crime essentially.
Ira Feuerstein: It is organized crime and it is actually bigger than the illegal drug trade.
Rob Stott: Wow.
Ira Feuerstein: It’s that serious. And one other thing I think people should take away from this is that, these criminal organizations, they don’t care who you are. They don’t care how big you are. They don’t care about anything other than can they extort money from you? And if they can’t, can they take your data and sell it somewhere and make money? That’s it. So when businesses come to me and they say, “We’re too small to be worried,” you’re the one who should be most worried.
Rob Stott: I know we’ve seen in the past stats on the fact how, of course, the ones you hear about in the news are the big boxes, the Targets, the Walmarts, that have been attacked and eked out billions of dollars of payments to get the data that was locked down back or something along those lines. But I know that a majority of what happens are those, not to call them nickel-and-dimed, because that short sells them I think. But sometimes you’ll see a situation where small business retailers ask for millions of dollars. So that’s not quite nickel and diming but it’s also to say that you’re not a target, you’re not a best buy, but they’re still going to come after you.
Ira Feuerstein: Millions of dollars many times is enough to put you out of business. That’s the reality of this. I think too often people become numb to, “It can’t happen to me.” Example, I’ve never had an issue with one of my cars being stolen or broken into, ever. I’ve been around 56 years, never. And in my head I was thinking, “It can never happen.” I was at an appointment with one of our partners one day at an Outback restaurant to eat dinner. I come out and I get in the car, I start the car and I look out the back window and I’m looking in my rear view mirror and I’m thinking, “It looks so much clearer than I remember it being.” Well, it was clear because the window was gone and they had taken everything. They took my passport, my laptop, everything.
It can happen to you and it will happen to you. The numbers don’t lie. 70% of all businesses get hacked and the reason they get hacked is an employee makes a mistake. They’re not trained appropriately. And the other stat that’s staggering is, it’s not a matter of if you’re going to be hacked, it’s a matter of when you are going to be hacked. It will happen to every business that is listening to this podcast, so you need to build what we call layers of security. It’s almost like a castle. I was in Poland on this trip before COVID hit and we went to this castle. It was the first time I’d ever been to a castle and it blew my mind looking at this thing built in like the year 1200 and the layers of security they had built into it was unbelievable.
They understood it back then. So as a business owner or somebody running an IT department for a small to mid-size or even a large business, you have to have layers of security. The most common or the easiest layer is you need to protect your people. People are the weakest link in the business. They cause the most errors that take businesses down. So you need to solidify your human defenses by training your people appropriately. Then you need to look at securing your devices, your computers. Then you need to look at securing your email and you just move up layer by layer, and I can’t guarantee you it will stop everything but it will make them think twice. You walk down a street in a neighborhood, there are two houses right next to each other. House number one has a security sign in the front yard, lights are on in the house, windows are closed, garage door is closed, and there’s a dog barking. House next door, dark, no security sign, garage door left wide open. A thief is walking down the street, where are they going to break into?
Rob Stott: Probably not the one where they’d potentially be attacked by a guard dog.
Ira Feuerstein: Exactly. It’s the same thing in cybersecurity. You have to have layers of defense. Not guaranteed to stop them but it will slow them down and make them think twice.
Rob Stott: Well, it’s interesting you mentioned, I feel like we’ve sufficiently scared retailers, I think. The early portion of this conversation with the fact that it’s a very real threat and I think they’ve heard that, maybe it’s something that it just hasn’t been top of mind and they’ve got so many other areas of the business they’re concerned about. But the cybersecurity’s like, to your point, “It hasn’t happened to me so I don’t have to worry about it or it’s something that I’ll deal with it if and when it ever comes up,” and obviously, that’s not the case and it can happen. You mentioned some of the preventative measures, the areas that you might want to focus on. I guess, some of the most common, you mentioned a couple examples of email or coming through text and the personal devices. Obviously, today as more employees are remote and working with their own devices from home and things like that, is there sort of a trend or areas you’re seeing where these cyber criminals are more commonly approaching a business, trying to get access to data and things like that?
Ira Feuerstein: I’ll tell you what, these organizations, they put a lot of time and effort into this and the most common method right now is something called a phishing email, and people may not know the term but I’ll describe it and then they’ll understand it. What a phishing email is, is the bad guys send out a generic email to millions of people and it looks like it’s coming from Amazon or Google or Apple or something like that. And it’s just trying to trigger you to click, is all it is. It’s generic, meaning it’s the same email, millions of people get the same email, and it’s like going out in a boat. They throw a big net in the water, they reel the net in and in the net they’ve got largemouth bass and they got sharks and they got whatever they have in the net and then they throw everything back that they didn’t want but they have some of the fish that they want.
That’s the number one tactic. They send out these emails. But the scarier one that is a way bigger problem is called spear phishing. The difference in the two is phishing is generic. Spear phishing means they’re laser targeted on you and the way they know how to come after you is on the dark web, which is a criminal playground. They’re buying and selling people’s credentials. And I guarantee, every business on this podcast needs to get with us because we can run a dark web report for them free and we’ll show how many of their employees already have credentials that are stolen. But what the bad guys are doing is they’re taking that information.
Let’s say you show up on the dark web and they knew you got hacked on MyFitnessPal because that was a big breach. What they’ll do is they’ll send an email to you, laser targeted at you, because they know you used MyFitnessPal, and their ability to get you to click, because now they know psychologically how to trigger you, is very dangerous. They send you an email, looks like it’s coming from MyFitnessPal, of course you’re going to click because you’re a MyFitnessPal user. And then once you click, they can take over your whole company within two and a half minutes.
Rob Stott: That’s terrifying. And then also, I guess, something else to think about too. And not to even scare further but what that means when you say take over, that’s a business gets their data locked down, they get locked out of systems, things like that. We’ve seen examples of retailers that… I think the average downtime is about three weeks, something like that. Before you’re finding out that you’ve been hacked because it’s a whole process. You find out that you’ve been hacked and all of a sudden you get locked out. You got to figure out where the threat is coming from, who has it, how they’re going to get in touch with you, what has to go in, whether you’re going to pay them. All sorts of things have to be thought about and answered one way or the other. And before you know it, the average like we said, downtime of three weeks and that also enough to put some businesses, especially small retailers out of business that you’re not able to make a sale.
They might lock down your POS system and your website no longer is transactionable, things like that. You have plenty of layers to this thing to consider. I guess my question here being, you mentioned some of the preventative things of securing devices and education really is what it sounds like. Is there any advice or something you could say to a retailer if they haven’t been sufficiently scared at this point of the threat, that what they could do to at least, it sounds like it might be difficult to truly prevent oneself, but steps they could take to better secure their business or maybe ensure that they’re slightly more protected than the average retailer out there?
Ira Feuerstein: What I would say is that I think the biggest impact you can make on protecting your business is to implement a great security awareness training program because 70% of all breaches happen because of human error. So we have to solidify that. And I can tell you this, I speak to businesses of all shapes and size every day and a lot of retailers and 90% of them don’t have an effective security awareness training program even though that’s the biggest risk. Security awareness training does not have to be crazy cumbersome. I mean, a good training program, like the ones we do for our customers, I mean literally it’s two minutes a week. That’s all we ask of their employees. It’s nothing. Two minutes a week and that’ll solidify them over time. And there’s other things that we can do like implementing phishing simulations where we’ll send out fake emails to their people once a month or whatever cadence they want and we’ll teach the employees how to spot suspicious emails.
Things like writing successful security policies are part of a security awareness training program. I was shocked when I got into this business to find out like 90% of the businesses out there have no security policies. And one of the things that’s coming on the horizon, which really doesn’t have a lot to do with these cyber criminal syndicates but it is going to impact businesses, is cyber insurance. There’s a big trend in the cyber insurance game to make it almost impossible to get a cyber insurance policy anymore because these cyber insurance companies are getting slaughtered. I talked to a CEO of a cyber insurance company just a couple days ago and he said to me, he said, “Listen.” He goes, “We’re even contemplating getting out of the cyber insurance game.”
He goes, “It’s impossible. We’re paying out so much.” He goes, “So either we’re not going to give them a policy to begin with, we’ll make it so hard we can’t give them one. Or if they have a policy, we’ll make it harder than ever to pay out on that policy. Or when it comes to the renewal, we’re going to like triple their premium.”
Rob Stott: Wow.
Ira Feuerstein: None of it’s good but you have to have a security awareness training program in place. That’s one of the bullets that these insurance companies are looking for.
Rob Stott: I mean, I’ll circle back to the training because that’s obviously the key point here, but the fact that the insurance companies are realizing it’s almost, not that they’re throwing up their hand, I mean maybe they are, they’re throwing up their hands and realizing that this is just such a problem and such an expensive problem too that they’re almost, you can’t say tossing in the towel because they’re still out there, but it gives off the sense that they are because it’s just so difficult to protect and expensive, I’m sure, for them to then go and fulfill the obligations of some of those policies.
Ira Feuerstein: Correct. I mean the bad guys are growing exponentially and it’s because you’re up against nation states with unlimited funds, it’s hard to keep up. It really is. You just have to be aware that there are implications down the road to not doing things and the implications obviously are getting hacked, but even bigger implications of not being able to be insured.
Rob Stott: Right. Crazy. Well, let’s go back to the education because you mentioned some of the things that you’re doing. It almost sounds like, aside from just going through quick trainings or completing online classes or short little sessions or bite size education type stuff, the thing that stood out to me that you mentioned is the actual, almost like a dry run of what some of these things would look like, is something that’s unique because without being an actual bad actor, you’re able to see how employees respond to certain types of emails and communications and things like that. It’s almost like you’re giving them sort of that scare without the end result actually being hacked. Talk about some of that, the ways you go about testing these employees and companies and the impact that that’s had.
Ira Feuerstein: It’s interesting, we look at a lot of statistics in our business and one of the things we always look at is, when we first get a brand new customer for security awareness training, what we do is we’ll send out one of these fake emails before anyone gets a welcome email from our platform because we want to see what the reality is like: of a hundred people, how many of those people would click on a fake email right now? And generally, when we start out with a new customer, it’s 10% to 15% of their employees will click on a bad email, which is a recipe for disaster if it was a really bad email; it’s just one of our fake ones so we don’t do anything. So 10% to 15% generally at the beginning. Then once I implement our five piece security awareness training program, which is ongoing, it never stops.
It can’t stop because the bad guys are constantly changing their tactics. But generally after a year or maybe 18 months, we’ll see that 15% click through on those fake emails drop down to like 3% and then in another year we’ll see it drop down to 1%. And generally, that’s where we’ll see companies land around that 1% to 2% range. Which makes sense because a lot of times you have new employees coming in, it’s not a stagnant same employees over the whole time. So you have people leaving, you have people coming. So it’s going to constantly kind of balance itself out. But that’s the impact that can happen, is taking them 15 fold down in the number of clicks on these bad emails.
Rob Stott: No, that’s impressive. And obviously I think it goes to the education and things you’re able to do. It’s basically opening their eyes and making them just a bit more skeptical online. Wish you could have that for the social media comment sections and things like that as well, but we could only be so wishful for what we were able to accomplish. But cool to see that you’re able to have that impact on businesses and that has very real implications as far as potentially avoiding hacks and these situations. I mean, it’s cool to see.
Ira Feuerstein: One other thing I was just thinking about, we’re just kind of off the point here, but I think I want to get it out there. Retailers are highly targeted, highly targeted because you all have a tremendous amount of information and that’s what these guys are after.
Rob Stott: Customer data, all sorts of stuff.
Ira Feuerstein: Customer data, credit card numbers, purchase patterns, all that stuff. One of the things that the bad guys will tend to do in retailers because it’s so easy, is I can walk in, I don’t know if you can see that little USB thumb drive and I could take this and just drop it on a counter where there’s a register and a computer knowing-
Rob Stott: Someone’s going to plug it in.
Ira Feuerstein: Somebody’s going to plug it in or they’re going to take it home and plug it in. This little baby could have ransomware on it, plug it in again two and a half minutes, they encrypt everything on your network and you’re out of business. And that’s what they do. Now, if employees don’t know, you’re in trouble.
Rob Stott: Right. It’s that simple and just kind of a nice sort of go home message too that whether it’s emails or texts, you got to be aware and careful about these things, especially in a world where we saw it sort of exponentially increase during the time of the pandemic as people were home. I think it catapulted to over a trillion dollar business, the cyber criminal wave of activity, just how much it was costing businesses and things like that. The more we can be aware of it, obviously the better, and happy to have a partner like Telesystem and you, Ira, around to educate us and our members. It’s been fun chatting and I think that we’ll have more of these conversations because this is obviously, even though we’re outside of October now, a conversation, like we said at the top, that needs to happen frequently so that retailers and all businesses out there understand just what they’re up against and what they can do to protect themselves.
Ira Feuerstein: Absolutely. I would leave it at this from my side of things, if you’re a retailer of any size, you should hit up NMG and us to at least get a dark web report. It’s not going to cost you anything, but it’s going to really open your eyes to what the risk is against your organization. Because 95% of the time, we’re going to run that report and we’re going to find a load of your employees that have already had credentials stolen. We’d be happy to run that complimentary and go over that report with you and talk about how you could remediate that stuff. That’s our give back to your viewers.
Rob Stott: I believe, if I know right, Mr. Sindelar has that information. We might even be able to drop a Jotform link into our description here, or however he runs this, to make sure that if you are listening to this and you’re an NMG member, you can just click the link below and go get that free report. We appreciate it.
Ira Feuerstein: Awesome.
Rob Stott: This was a lot of fun, very eye opening and enlightening for sure. We’ll certainly circle back with you and have a few more of these learnings throughout the year, for sure.
Ira Feuerstein: Sounds good. Thanks so much for having me. I appreciate it.
Rob Stott: You bet.