We recently had the chance to sit down with Michael O’Hara, Certified Information Systems Security Professional at KB Communications on The Cyber Crime Lab podcast. Michael was recently introduced as the guy “with more letters after his name than letters in his name.” We thought it might be useful to review some of those letters to give context to his great advice.
The Certified Information Systems Security Professional is an information security certification granted by the International Information System Security Certification Consortium (ISC). As of January 2022, just over 150,000 people hold this certification worldwide. It has been assessed by some organizations as the equivalent of a master’s degree.
A Certified HIPAA Professional is someone who has undergone training to enable their company to become HIPAA compliant. The course covers areas such as the implementation of policies and procedures, patient confidentiality, and security measures in line with HIPAA requirements.
The Health Insurance Portability and Accountability Act of 1996 modernized the flow of healthcare information. It stipulates how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft. It generally prohibits healthcare providers and businesses from disclosing protected information to anyone other than the patient or the patient’s authorized representative without their consent.
The Certified Cyber Security Architect credential validates knowledge and skill sets in cybersecurity strategy, specifically:
Michael has been in cybersecurity for 30 years and says that the letters after his name really only drive home the fact that he’s a cybersecurity evangelist and wants to spread that gospel to all nations.
Case #1: The Fake Invoice
Michael can get called in at any stage of an attack. In the first story he shared with us, the client had inadvertently paid a fake invoice to the tune of $30,000.
The company has eight employees and $1.5M a year in revenue.
The owner was on vacation for the first time in 38 years, enjoying a cruise. His staff received an official-looking invoice demanding payment of $30,000.
With the owner finally away on a vacation, the staff debated whether to call him to verify the invoice. After some discussion, it was decided to let him enjoy his time away and the staff duly paid the invoice.
When the owner came back and realized that a fake invoice had been paid, he complained to his bank. His banker recommended Michael to him to make sure this couldn’t happen in the future.
One of the reasons the staff had been tricked was that the email “looked legitimate and official.” Michael gave them a basic rule to avoid the same mistake again: when examining an email, look at the headers to find out if the domain is a legitimate one. In this particular case, even this quick check yielded the fact that the server was located in Russia, which was not the home of any company that the owner was doing business with.
Other times, what looks to be legitimate might be just off by a letter or two and will be missed by someone who doesn’t take the time to do what Michael recommends.
Social Media Awareness
Criminals, not just cybercriminals, are watching Facebook and Nextdoor to see if people are away from home. Michael reminded the owner and his staff not to “live their life online.” In other words, if you’re having a great time on vacation, save all those pictures and post them when you get home—otherwise you give criminals an opening; they will know you are away from your home and/or business.
Case #2: Email Breach
The second case Michael shared with us was one in which the staff emails of a small warehousing company were hijacked six weeks in a row. The threat actor then spammed customers from the company accounts with links to sites that could personally compromise those who clicked.
When the company asked their managed service provider why this was happening, the MSP responded that he had recommended MFA when he took over the account ten weeks prior. But the staff had pushed back, saying, “there are too many extra steps to get into our email.”
Well, they learned that those extra steps could have saved the company a lot of reputational damage.
Multi-factor authentication requires a user to provide two or more verification factors to gain access to a resource such as an application, online account, or VPN. It is an industry-wide best practice of strong identity and access management.
Michael’s take-home message is that it only takes a bit of extra effort to maintain a minimum level of security; check email headers, add MFA to password protocols, and don’t post those vacation photos in real-time. Don’t be “annoyed.” Be professional.
All your security measures should be part of (last acronym, we promise!) a WISP—a written information security program—which is a document that details an organization’s security controls, processes, and policies. This should be printed out so that a copy can be referenced in the case of a cyberattack when computers can’t be accessed.
And if you need Michael and his team to help write a WISP or convince your team of the importance of cybersecurity, reach out to him at KB Communications.
If the worst happens, you’re going to want the best financial, legal, and technical support to get you back up and running again. With cyber insurance from DataStream, we find the most comprehensive insurance coverage on the market alongside critical post-incident customer support.
Click here to learn more about how we can help secure your business data!