In this episode of Two Way Traffic, wealth management advisor Darren Coleman, who specializes in cross-border financial issues, discussed IT security with his namesake, Darren Coleman. The latter is founder of Coleman Technologies Inc., which handles IT managed services and cyber services. He has been called Canada’s top IT expert and leads a team of technicians based in Langley, BC and Dallas, Texas. He says hacking is a trillion-dollar industry and business owners should take note.
Podcast host Coleman drew parallels between financial services and cybersecurity. He said he looks for gaps in a client’s financial plan, while in cybersecurity Coleman the IT expert looks for gaps or vulnerabilities in multi-factor authentication, threat protection to ensure business resilience, and endpoint protection (cybersecurity software that protects from viruses, malware and ransomware).
The two agreed what’s necessary in both their industries is prevention and managing risk. Another point is that Canada and the US have different tax regimes, and different laws for regulatory compliance.
“The U.S. government can gain access to your data if they want it,” said IT expert Coleman. “We believe the Canadian government can’t, but there are ways they can get it too.”
Their discussion explored …
- Why clients of wealth management firms are good targets for hackers and what to do in a security breach when asked to pay a ransom.
- How multi-factor authentication can prevent 99% of email breaches.
- Why organizations devote too much security attention to senior management and not enough to everyone else.
Here is a link to the podcast …
https://podcasts.apple.com/ca/podcast/the-business-of-hacking/id1494816908?i=1000672496679
Darren Coleman of Raymond James [Darren Coleman or Darren #1 henceforth]
Welcome back to another edition of Two Way Traffic, the cross-border podcast. Today my guest is now, let me see if I pronounced your name correctly. Darren Coleman.
Darren Coleman of Coleman Technologies [Darren C #2 henceforth]
You got it.
Darren Coleman
So you and I are namesakes. You run a firm in Langley, BC called Coleman Technologies and do outsourced IT infrastructure. You are a cybersecurity expert. Why don’t you take us through Coleman Technologies.
Darren C #2
I am the founder and CEO. Part of my mission is to help protect a million people from hackers, so being here on your podcast supports that cause. I’ve shared my cybersecurity insights on ABC, Forbes, MSB Success Magazine. I’ve spoken at Harvard, and co-authored some books. So that stuff led my company down the road to be an expert within the cybersecurity realm. But more than that, we provide 24/7, direct-detect, flat fee, IT support to our clients. We really just become your IT department.
Are there off-the-shelf tools?
Darren Coleman
Our firm has a huge IT spend every year, but for a lot of medium and small businesses, can they not just get all the tools off the shelf?
Darren C #2
Not really. You can hire an IT professional, but you’re probably going to hire multiple people because they’re going to want to take holidays. You’re going to be looking at double the cost right there. But you can’t just buy antivirus. Antivirus isn’t good enough anymore. You need endpoint protection, threat hunting, content filtering, and audits. There are things the IT professional may be good at, but there are things you need an expert for. If you’re looking for cybersecurity insurance, the forms are 10 or 12 pages long and require things you might not think about.
Darren Coleman
When I log in and it says before you go in we’re going to send a code to your email address or phone number: is there some other piece of data that only I can receive that allows me to access the thing? It’s not just enough for a password, right?
Darren C #2
One hundred per cent. And even better, in the past, you could send it to your email or phone number. We recommend against that. Now, because it’s easy to get a business email and compromise someone to intercept that message, you’re better off using a dedicated app.
Darren Coleman
There are things making it a little more complicated, but yet not that hard, right? That’s probably the hard balance, finding a way to make it secure but also fairly easy for the user to get into.
Darren C #2
Yeah. Anytime you have more security, you have less usability.
Dealing with Deep Fakes
Darren Coleman
One of the things that’s starting to scare me is Deep Fakes. The technology exists where you could be me on one of these things, because their names are the same, but the faces could be different. When you work with a company, are you trying to protect from those kinds of threats as well, or is it just we’re going to enable your data control and access?
Darren C #2
That’s part of it, part of being a managed tech department. We provide all aspects. But the biggest threat to any organization is always the employees. So what can we do? We can train the employees. Once a week we can send out a training video. You’re building knowledge. You’re keeping it front and centre and remember, hacking is a huge business. We’re talking a trillion-dollar industry.
Darren Coleman
You talked about cybersecurity insurance. I guess companies are buying because if they’re getting hacked or hit by ransomware, they can buy an insurance policy to protect against this. But you mentioned the exclusions and every policy has pages written by lawyers to get them not to pay you. So having an IT solution, how does that help the buyer be more protected?
Darren C #2
Like I said, the form is 10 or 12 pages long and they’re probably going to make a mistake. They’re probably not doing everything they need to be doing. For instance, you may say you have multi-factor authentication enabled, but where do you have it? You have it for your email. Do you have it for your firewall? Do you have it for your cloud, SaaS applications? Because the reception email is going to be breached, but maybe you only have it on your key personnel. The administrators, the partners in the company. But then the receptionist gets breached.
Darren Coleman
When you work with a company, you take them through an audit. Do you have ethical hackers that try to break in? What’s the 50,000-foot view of how you begin engaging with somebody?
Audit looks at nine areas
Darren C #2
The very first thing we do is an audit. We look at about nine different areas. We’re going to look at your backups. Your Microsoft 365 accounts. What you do for endpoint protection, your firewall, encryption, all sorts of things an organization needs to do. And we’re going a little bit deeper. We’re going to identify if you’re using Microsoft 365, do you have global administrators? Are they protected with multi-factor authentication? Do they have an email tied to their account or are they just designed to go in and make changes to Microsoft 365? Are the drives encrypted? Are your firewalls doing any content filtering? Can we pass data through? We need to understand where the client is.
Darren Coleman
I remember years ago it was do you have a backup and do you back up weekly, monthly, and do you keep a backup of your hard drive in another location? That’s comical now because everything’s in the cloud. One of the things you and I talked about which I don’t think most people are aware of, especially in Canada, is because we have a cross-border practice with differences in U.S. and Canadian tax rules and estate rules. But in the cybersecurity world and IT world there are different laws that impact where your security is held.
Darren C #2
A lot of people don’t think about the regulatory compliance between different countries. Really, it is how business has to be transparent about how they collect and use and disclose personal information with policies in place to protect this data.
Darren Coleman
This is why I have to allow cookies on every website I go to. What do I need to be aware of in terms of where my data might be held, and what comes with that regulatory compliance?
Darren C #2
Other people, the U.S. government, has access to your data should they wish to have access. You don’t expect it to be private.
Darren Coleman
That’s something that shocks us. If I’m in Canada and have my data in a Canadian server, the Canadian government doesn’t have that same ability to go in and look at my stuff as the Americans have if I had it on the U.S. server. But there are ways they can get the data too. So if I’ve got my stuff on a U.S. company’s site, just assume the U.S. government can see everything you put in there?
Darren C #2
You can choose. If you’re Canadian, you choose your data location to be in Canada. Many companies don’t give you the opportunity to choose where your data lives. Usually it is in the U.S., because it’s much cheaper to house data within the U.S. than within Canada.
Don’t wait till something breaks
Darren Coleman
One of the things you mentioned is don’t wait until things break which I think is important. We try to adopt a similar thing. We do financial plans with people. Sometimes the hackers are already in your system and you don’t even know.
Darren C #2
They’re likely on your system for 90 days or longer and they’re doing their reconnaissance. They’re laterally moving through your network and getting ready to ransom you. When an attacker asks for ransom, they already know how much to ask for because they’ve been watching you log into your banking account. They know how much they can ask for in the ransom.
Darren Coleman
They also don’t want you to go to the cops. We had one of our clients who runs a successful business. They encountered this problem and for them it was, if we don’t pay, the penalty is way too high.
Never pay a ransom, but first talk to a lawyer
Darren C #2
You got to think about the reputational ramifications. If you announce you have been breached, those are huge. If you pay the ransom – I never recommend to my clients they pay the ransom – then you’re always going to be a target. They’re going to look for a weakness within your system, and they’re going to attack you again. If you pay a ransomware group and later find out they’re a terrorist organization, now you’ve supported a terrorist organization and you could be in a lot of trouble. It’s a decision you have to make, and I would advise that if you were ever in a situation like that you should speak to your attorney before making a decision. Even for us, the first step always has to be go to the attorneys, go to the insurance, find out what we can do. It’s always better to be preventative than reactive.
Darren Coleman
Some of the ways people get into stuff is frightening. I watched a podcast and one of the things I learned is you can buy a cable that looks like any other regular charging cable for your iPhone or Android or whatever, but embedded in the tip of it is a little computer that will copy all your information. It’ll copy your keystrokes.
Darren C #2
Well, definitely keystroke loggers. Those have been around forever. Everyone thinks multi-factor authentication is the answer, and it does help but if a malicious actor gets on your computer it doesn’t have to be a virus or malware, but someone’s remoted into your computer. They’re just watching and waiting for you to enter in that multi-factor code, then they can take over your session. At some point you’re going to be breached. And it doesn’t matter how many resources you put into it, because if it’s organized crime or a nation state, they’re going to get in. I just met the CEO of Kaseya. They’re a $15-billion organization. He said they’ll actually send someone out, a real person, find someone who works in IT, someone who can get into the systems. They’ll threaten their family, they’ll threaten their lives, and they’ll say, “Hey, you install this malware or else.”
Darren Coleman
A couple other things I want to cover are protecting yourself and cybersecurity threats, and it’s recognizing that successful businesses and wealthy people are being targeted.
Wealth management firms are prime targets
Darren C #2
I would say wealth management firms, your clients, are probably prime targets. They have a lot of sensitive data and are getting phishing, ransomware. We find that a lot. Like the CEOs of companies, they always want to have the most access, when really they should have the least privileged access because they don’t need it. But as the CEOs and the owners, they always want to make sure they have access to everything. Right now we’re working with some companies and pushing zero trust. We don’t trust anything. If you want to log into, say, the system, you need not just a rolling code. You need a hardware device plugged into the computer, plus a rolling code.
Darren Coleman
One of the things we tried to do with my team is go old school around protecting them, because we’ve had people try to call us and say they’re somebody else. We’ve been able to identify that was not the case because we know these people and what they sound like or look like. But that spoofing capability to spoof your voice or video is getting more real. So even if we did a zoom, it may not be the person I think it is. In one case we’ve actually been able to prevent something because we knew the client. We knew things about their family and about them, so we could just ask questions only someone who knew them would know. I think those are things we’re going to have to start embedding in our client-intake forms. We’re going to ask you a challenge word or challenge phrase. Those are some ways we’re going to have to deal with the technology that’s going so fast. One thing I’m also curious about is how to find someone of really high quality. How would somebody go and identify a really good IT specialist? Because it’s not a regulated industry, is it?
The industry is not regulated
Darren C #2
That’s true. We’re not regulated in any way. I’m sure your industry is very heavily regulated, and the banking industry is heavily regulated. If they deal with a company like yours, they have legal counsel. If the company seems a little bit too eager to sign me up, we’re ready to go without doing any sort of due diligence. If you went to a doctor and they prescribe something without doing any sort of diagnosis, you think that’s a little bit strange. The same thing with our business. It’s not just about providing a managed service anymore. It’s also about providing cybersecurity services, backup services, continuity services, response services. There’s so much more than what it used to be. If you do a random Google search or hire someone off Craigslist you’re really trusting the keys to the kingdom with a person you have invented, and it might be the worst mistake you ever make.
Darren Coleman
They could not be competent or be the bad guy.
Darren C #2
They could be the bad guy. They could put you out of business.
Darren Coleman
If you run a successful growing practice, I assume you want to work with an IT company that’s also growing. Have a lot of your clients gone through a bit of a maturation where their businesses have grown and does their requirement for security go linearly or is it more exponential?
Darren C #2
If we look at the services we offer our clients, the cybersecurity bundle that we have, it’s not optional. It’s included. So whether you have 10 computers or 100 computers, you’re getting the same dark web monitor, you’re getting the same threat hunting, you’re getting the same email filtering. It’s because you need it, because at some point you’re going to be breached, and when you’re breached Coleman Technologies is going to be remediating it. And if you haven’t given us the tools to protect you, it’s unfair to expect us to be able to remediate because if you had 50 computers and they were all ransomed, how long would that take to get back up and running?
Darren Coleman
But I imagine when you start having one person, then three people, and then three computers the complexity starts to skyrocket. My point is, this is probably a lot more complicated than the vast majority of people think, because business owners aren’t IT people generally.
Darren C #2
No.
Darren Coleman
Is that what happens? People knock on the door after they’ve had a problem because we see that when people call and say, you know, you’ve been bugging me for years to get my will done. I’m ready to get it done. Who’s the lawyer to talk to? People respond after something happens to them.
Darren C #2
They do. It’s usually after we’ve had ransomware, or we’ve lost our backups, or I had an IT guy and he went on holidays. And then they come to us, and those are the ones that understand the value in what we’re providing because cyber is not cheap. It’s ongoing. It’s always changing, and you need someone there, 24/7, watching.
Darren Coleman
How many IT professionals do you guys have, and what’s the growth of your business been like?
Darren C #2
I started 25 years ago and worked for an IT company, and that company decided to go in another direction. If you remember when the dot-com boom happened in the 2000s, everyone wanted to get into web development. They wanted to host servers. And my boss, at the time, that’s what he wanted to do. So I took over the business. As things progressed, we started doing more remotely, and then cyber became a requirement. And once cyber became a requirement, the business changed quite a bit. We needed people who are experts in the area of cyber and security and compliance. We also found that we needed a team that could operate 24/7, so we have a small team here in Langley, but we also work with a larger team out of Dallas, and that’s how we’re able to provide 24/7 support to our clients.
Darren Coleman
How many people would you have in the company now?
Darren C #2
Well, it varies. So in Langley, we have five technicians. In Dallas, we work with a pod of five techies as well.
Darren Coleman
I imagine this business isn’t doing anything but going up, right? Because these cybersecurity problems, it’s not like they’re going away tomorrow. It just gets worse.
Managed services cybersecurity is growing
Darren C #2
Yeah, managed services cybersecurity is growing.
Darren Coleman
There are some things you see coming that we’re not worried about yet, but these are going to be threats on the horizon and specialists like you can see them, but the layperson, like me or the business person is like, I didn’t know that was going to be a problem. What should we get prepared for that we’re not prepared for right now?
A.I. threats
Darren C #2
Everyone’s really excited about AI right now and with AI there’s a lot of good, but there’s also a lot of bad. If you think about the phishing emails you get right now, you can probably distinguish which ones they are. Or your spam-filtering software can distinguish what they are. But if you think about AI for a non-English speaking person, they can go crawl in your LinkedIn and look at your connections. They can write with perfect English, perfect grammar. And instead of saying, hey, congratulations on your job promotion, here’s a $100 gift certificate. Here’s an Amazon gift card. I know you like to shop at Amazon. Say hi to the kids and they know the names, so they’re using all the information to craft a perfectly generated email. And the difference now is they can get past the spam filter because it’s unique every time.
Darren Coleman
So not these mass ones that look phony. It’s so targeted. You’re like, they must know me.
Darren C #2
Right, and sometimes you can’t tell.
Darren Coleman
We’ve noticed an increase because our clients are sharing some of these things with us. They’re getting the fonts or the logos off the companies exactly. We’ve seen people receive documents that have been a PDF damn near perfect in terms of being copied from another financial institution.
Darren C #2
That’s why you can’t only have spam filtering. You need to have the spam filter monitored, monitored by a SOC, right? Because they have the expertise to go in and identify things that get past some of the ways we detected things in the past using patterns.
Darren Coleman
I learned a trick about setting up screen time so nobody can go in. And because I understood when people steal your phones, one of the first things they do is they change it so you can’t go back into it. So Darren, thank you for your time today. This was really helpful and a little scary.