On this episode, Pete and Julie recognize Cybersecurity Awareness Month (October) by welcoming cybersecurity expert Alex Khusid to the show to talk about the growing cyber threats to HR and payroll and its highly critical data!
The group talks about the rising threats to payroll and its continuity, how tech is playing a positive and threatening role, AI’s role in cybersecurity, and how to keep your payroll and HR operations out of the headlines for the wrong reasons. Alex also shares tips and advice for creating a secure and resilient payroll operating model.
Connect with Alex:
LinkedIn: https://www.linkedin.com/in/alex-khusid-865886a/
Payroll Resolutions: https://payrollresolutions.com/
Powered by the WRKdefined Podcast Network.
[00:00:00] Feeling kind of left out at work on Monday morning? Check out The BARF, Breaking News, Acquisitions, Research and Funding.
[00:00:07] It's a look back at the week that was so you can prepare for the week that is. Subscribe on your favorite podcast app.
[00:00:24] Welcome everyone to another episode of HR and Payroll 2.0. I'm Pete Tiliakis and as always I'm joined by the legendary Julie Fernandez. Welcome Julie.
[00:00:33] Thanks Pete. Excited to get another recording and talk to another guest today.
[00:00:37] Yeah, you know what month it is or just what's wrapping I guess you could say. October is Cybersecurity Awareness Month. I don't know if you know that.
[00:00:44] Yeah, absolutely.
[00:00:45] Apparently since 2004 that's been around. I wasn't aware of that.
[00:00:49] I think by the time this goes out we'll be talking about it after the fact.
[00:00:53] Oh easily. Yeah, definitely. It's already after the fact, right? It's November 1st just so everyone knows.
[00:00:58] Happy Halloween to everyone. But yeah, I think in the theme of scary, right, with Halloween, it's a great time to talk about cybersecurity.
[00:01:06] I literally just read something the other day that Bank of America called cybercrime the world's third largest economy, which was really surprising to me.
[00:01:13] But yeah, excited to have our guest here, Alex Khusid, payroll and cybersecurity consultant and I would say fan and passionate leader about this topic from Payroll Resolutions.
[00:01:24] So welcome Alex. Great to have you, man.
[00:01:26] Thank you, Pete. Really appreciate it. The opportunity to really talk about a very important subject.
[00:01:31] Perfect. And I'm very excited to continue here on this podcast.
[00:01:36] So thank you, Pete. Thank you, Julie.
[00:01:38] If you want to kind of tell our audience a little bit more about what's been going on lately and I'll take it from there.
[00:01:47] Yeah, absolutely. So look, Julie, you do the honors, right?
[00:01:51] We've got a tradition here, Alex, and we want to get to know you a little bit.
[00:01:54] And then, yeah, I want to jump into some of what's going on in this world because I feel like every day I open up my email and news and there's another data breach somewhere.
[00:02:03] And a lot of it is happening in HR and payroll, which obviously is rich, rich data for thieves.
[00:02:08] So, yeah, I want to get into that. So, yeah, Julie, do the honors.
[00:02:11] Yeah, for sure. So, Alex, we know you're with payroll resolutions right now, but love to know how you got into HR and or payroll.
[00:02:18] You know, where did you start? It's probably not. It's probably like payroll or payroll listening audience out there.
[00:02:23] It's not something you go to school for and realize, like, this is really where I want to be.
[00:02:28] How did you start?
[00:02:30] Good question. Good question. So I got my start working at Intuit, supporting the online payroll and some of the white label partners with financial institutions offering their own payroll services.
[00:02:43] And from there, in 2015, I started a consulting firm to fill in on areas that are really not being addressed.
[00:02:53] There are a lot of businesses who are coming in and they were falling out of their sales funnel, so to speak, because they had issues that occurred prior to service.
[00:03:01] Now, this is really before we saw a lot of the cyber, you know, cyber attacks that we're seeing today.
[00:03:07] Back then, it was really about tax notices. It was about discrepancies, corrections, amendments, and so forth.
[00:03:14] And in the last few years, we really started paying attention to, you know, cyber attacks and cybersecurity,
[00:03:21] considering the vast amount of PII, personally identifiable information, the amount of households who are living paycheck to paycheck.
[00:03:31] I have some really interesting figures that just came out recently.
[00:03:35] And just the parabolic rise of cyber attacks.
[00:03:37] We're seeing not just necessarily denial of service, we're seeing ransomware attacks.
[00:03:43] And I posted an analysis, actually, about a year ago, I think, actually, about a year and a half ago,
[00:03:50] when Silicon Valley Bank went down, of what could potentially happen if just 10% of the U.S. workforce
[00:03:56] had to go without their pay for one week.
[00:04:01] And the repercussions were disastrous.
[00:04:05] I wouldn't even call it a ripple effect.
[00:04:06] I would call it a tsunami effect.
[00:04:09] With payroll being the core of any economy, when the paycheck, when payroll stops,
[00:04:16] even for a short period of time, it affects not just that individual,
[00:04:22] and it affects the family or the household.
[00:04:23] It affects the businesses where these individuals spend money.
[00:04:28] So, and a lot of these businesses do not have the cash reserves to even go a week without revenue.
[00:04:35] And so that leads to more pressure and leads to more cyber crime and puts pressure on the justice system.
[00:04:42] And it could really, really take this to, you know, a very dangerous level, a level of national security.
[00:04:50] Yeah.
[00:04:50] So do you relate to that directly?
[00:04:52] I mean, is that what makes you stay?
[00:04:54] That's usually a part of what we ask as well.
[00:04:56] Is it, you know, like remedying that or helping control it?
[00:05:01] Or what makes you stay in this field?
[00:05:04] You know, I really love the problem-solving aspect.
[00:05:06] But lately, I've been personally affected by several data breaches.
[00:05:14] Actually, the count, I think, is now about 24.
[00:05:18] And my identity was stolen.
[00:05:20] A really good friend of mine, my identity was stolen as well.
[00:05:23] It has really messed things up for me in terms of my career.
[00:05:29] It's messed things up for me in terms of my personal, you know, personal life.
[00:05:33] And it's been very difficult to really, you know, find my way out of it.
[00:05:38] And so with the amount of information that's out there and working with different clients,
[00:05:44] it's interesting to see how many businesses understand the risks and how many businesses
[00:05:50] have taken steps to address them and how many businesses who have not.
[00:05:55] For example, you know, there's clients who do not have even two-factor authentication.
[00:06:01] We can also talk about ghost employees and how they've evolved.
[00:06:05] Because sometimes the threats don't necessarily come from the outside.
[00:06:07] They can come from within.
[00:06:11] And there are a lot of ways that we can mitigate some of the damage, you know,
[00:06:16] through things like user access control and really just limiting the amount of information
[00:06:22] based on a need-to-know basis.
[00:06:25] But regular audits and monitoring data encryption and really having a solid incident response plan,
[00:06:33] something that, you know, can really be, you know, can be tested.
[00:06:38] It can be so that when something does happen,
[00:06:42] the amount of time that employees might have to go without their pay is close to zero, if not.
[00:06:50] Yeah, it has huge ramifications.
[00:06:52] I mean, payroll obviously is the worst, you know, maybe the worst case scenario for a company.
[00:06:56] You know, their PII, their, like you said, just the morale, the, there's so much, right?
[00:07:01] There's, I mean, ripple effect is putting it lightly.
[00:07:03] But why does it seem, Alex, like, I mean, and maybe this is just my anecdotal observation,
[00:07:08] but it feels like this stuff is getting more and more and more aggressive.
[00:07:11] You know, we were joking the other day in my household here with my wife and some of the other young adults,
[00:07:18] you know, my children that are living here about how often we're getting notices that our data has been breached by,
[00:07:23] say, a large retailer or more recently we've had some healthcare providers breach our data.
[00:07:28] And I must have credit monitoring into infinity from all of these places.
[00:07:34] But like, like what's the ramifications to these companies to protect our data?
[00:07:38] Because it seems like it's just kind of like, oh, hey, you know, and I've had a retailer that has probably given me,
[00:07:43] I don't know, for three or four years now, they've breached my data every year.
[00:07:47] And I have to go to them, right?
[00:07:48] They're the big box that I, you know, use for different things here locally.
[00:07:52] But like, why does it seem like it's just like, oh, sorry, we lost your data again.
[00:07:57] Here's another year of credit monitoring.
[00:07:59] Like, great.
[00:08:00] But why is it getting so aggressive?
[00:08:02] I mean, do you think it's, you know, just the advancements of technology or just, you know,
[00:08:06] the criminals are getting smarter or the data is more valuable or what?
[00:08:09] All that.
[00:08:10] There's, it's a large combination of things.
[00:08:13] You know, if you recall, you know, check fraud was a, was a large thing, you know, last decade.
[00:08:19] Something I was really surprised by: of the last 12 consultations that we've done, 11 of them were fraud.
[00:08:27] These were malicious actors who were able to get a business bank account.
[00:08:32] They're able to get a hold of an email address belonging to the employee.
[00:08:36] So they're not even spoofing emails.
[00:08:38] And what they'll, you know, be able to accomplish with that is not, not just, you know, necessarily selling the PII,
[00:08:50] but they have access to direct deposits and information.
[00:08:54] And that's where user access control really becomes important.
[00:08:59] So that one individual can't necessarily add an employee, add the direct deposit information and approve and submit the payroll.
[00:09:08] And fortunately there are safeguards, you know, payroll service providers do have safeguards to, you know,
[00:09:14] prevent something that's out of the ordinary.
[00:09:15] And they may ask, you know, for additional verification steps.
[00:09:19] But some of the malicious actors, they've really been taking their time and learning what they need to know to be able to answer those questions when it comes up.
[00:09:29] So when the payroll service provider calls and says, is this, you know, this is unexpected.
[00:09:32] We want to make sure this is you.
[00:09:35] They have been able to answer these questions very, very well.
[00:09:39] And it's scary to think about.
[00:09:43] And a client of mine, they went out of business due to a very small attack that took their systems under for about 10 days.
[00:09:56] And so their workers, you know, were not able to get paid.
[00:10:00] And they ended up stealing a lot of their equipment to kind of compensate themselves in such a situation.
[00:10:07] But when we look at, you know, larger companies, we look at Fortune 500 companies and other businesses with thousands of employees or tens of thousands of employees.
[00:10:17] We got to think about, you know, how it might.
[00:10:21] It's when something comes up, let's say, you know, there is a discrepancy and you reconcile.
[00:10:28] It's often looking for a needle in a haystack.
[00:10:31] And by the time, you know, something might be discovered, it may be, you know, far too late to get that money back.
[00:10:39] So being proactive is extremely important.
[00:10:43] And then I also feel very strongly that the employees, the frontline agents, whether you're with a payroll service provider or you're within a payroll department or you're an HR department,
[00:10:56] really people are the front line of defense, and making sure that training and education is taken very seriously.
[00:11:08] I think it's gonna be crucial because the last thing we need is a big rug pull.
[00:11:14] And the big payroll service and HRIS providers, they do have backups.
[00:11:22] But nevertheless, there's still going to be delays and there is still going to be a lot of information disseminated to, like I call them, malicious actors, but just to the hackers.
[00:11:34] Yeah.
[00:11:35] Yeah.
[00:11:35] You know, we've seen, I mean, obviously, I don't want to name names, but we've seen some of these big ransomware type breaches, data breaches by some of the big providers.
[00:11:42] And I'll tell you, as analysts, we get under the hood of a lot of the, you know, at least get tours, if you will, of the security and how many of the vendors go about protecting their products and their solutions and their data.
[00:11:56] And it's interesting to me that, you know, the threats are obviously, what would be the word I would use?
[00:12:04] Unprejudiced, right?
[00:12:05] It's out there equally offending everywhere and equally threatening everyone.
[00:12:10] But I find it interesting that the bigger guys are having or firms are having troubles as well as the small firms.
[00:12:16] So it's almost like it's not necessarily a maturity thing.
[00:12:18] It's, I think, to your point, right?
[00:12:20] It's the people, it's the tech, it's everything that, you know, maybe they're getting the slipping one past the goalie, so to speak.
[00:12:27] But it's an everyone problem, right?
[00:12:28] It's not just a big tech problem.
[00:12:30] Yeah.
[00:12:30] Like, how do you, how do you, like, where do you start?
[00:12:33] Like, when you go in and start looking at companies and helping them, like, how do you, how do you get them on the right path?
[00:12:38] How do you sort of make sense of what they have and don't have?
[00:12:41] Where do you start?
[00:12:41] Where do you, where do you get the ball rolling?
[00:12:43] Well, we really need to make a very fast assessment of what's happened.
[00:12:50] And with a lot of these companies, they do have an IT department and they can provide us with, you know, with information and access log so that we can determine where the threat is coming from and whether they have systems and backups in place.
[00:13:04] And if they don't, we can start moving on that quickly.
[00:13:08] You know, I've thought about different solutions to, you know, this dilemma where we might have identified some issues and we don't want to necessarily alert the bad guys as to how to do it.
[00:13:24] But at the same time, we want to make sure that the HR and payroll professionals are aware of what's going on.
[00:13:29] So it's a very careful, very careful playing field where we don't want to reveal the methods.
[00:13:37] But at the same time, we want to be able to protect our most valuable things, our employees, the companies, organizations, families, and ultimately, you know, our economy and our country.
[00:13:53] And I'm not speaking for the U.S. solely.
[00:13:55] That's where I'm based out of.
[00:13:57] But we're seeing this all over the world.
[00:13:58] And the amount of information that is easily accessible with the right tools is frightening.
[00:14:09] These tools cost maybe no more than $50.
[00:14:12] And they will allow, you know, a hacker to get into a system.
[00:14:22] Now, on the other side of the coin, we have defenses.
[00:14:27] We have things that IT departments put in place.
[00:14:32] I'll give you two quick examples.
[00:14:34] There's honeypots.
[00:14:36] Honeypot is something where a hacker will be sent in, will be, will allow them to jump.
[00:14:46] I'm sorry, let me rephrase that.
[00:14:48] It'll allow a hacker to think that they are in the system.
[00:14:50] Yeah.
[00:14:51] And it'll let them play around with false information.
[00:14:56] Meanwhile, you know, the IT department can, you know, restrict the amount of damage and be able to pull them, you know, pull or get them out of the system before anything significant is done.
[00:15:07] The other side, the other thing that we're seeing a lot are canaries.
[00:15:13] If we think about canaries in the coal mines, they were the early warning system.
[00:15:17] To the coal miners that, you know, there may be some toxic gases.
[00:15:23] In IT and cybersecurity, canaries are certain triggers that would not normally be run or operated and would tell the department that something's going wrong.
[00:15:38] I'll give a real quick example.
[00:15:40] There's a command in Linux called whoami.
[00:15:43] And it tells you what user you are.
[00:15:45] Well, as an engineer, you know, I might not really need to use that command because I know who I'm logged in as.
[00:15:51] I'm logged in as myself.
[00:15:52] So if I were to run that command, whoami?
[00:15:55] That would alert the right parties to be able to take some steps to be able to stop something before it happens.
[00:16:02] Do you think the issue, Alex, is largely because I think about like some of the companies I see getting breached, right?
[00:16:08] Again, big companies.
[00:16:09] And you think like, wow, they've got to have investments, hopefully, right?
[00:16:12] In these things to protect their data.
[00:16:13] But is it actually a people problem?
[00:16:17] Because I'll give you an example.
[00:16:18] I called you, right?
[00:16:19] You and I have conversations all the time about this topic.
[00:16:23] I know offline.
[00:16:24] I love talking to you about it.
[00:16:25] That's why I was like, you got to get on here and share with my guests, our guests.
[00:16:29] But I had a data breach, right?
[00:16:30] Where I screwed up.
[00:16:31] Someone did a phishing sort of email.
[00:16:33] It looked like it came from one of my clients.
[00:16:34] And I accepted that and went in there and actually gave it access to my Google account.
[00:16:40] And I had to go through a bunch of cleanup steps.
[00:16:42] And I thankfully solved all that.
[00:16:43] But like, I'm super alert to this stuff.
[00:16:46] And I still fell for it.
[00:16:49] Is that the problem?
[00:16:50] Is it people?
[00:16:51] Is it not?
[00:16:51] I mean, it seems like there's plenty of tools out there.
[00:16:53] It seems like there's plenty of investment.
[00:16:55] Companies appear to be doing the right things, setting up the right procedures.
[00:16:58] But is it the human element in this?
[00:17:00] It's actually the weak link.
[00:17:02] Oh, I would say it's not the only one, but it is a very large one.
[00:17:07] And the human element is, you know, it's the front lines.
[00:17:11] And knowing what to look for, knowing what steps to take.
[00:17:19] And sometimes it means continuing the conversation with the hacker to be able to extract as much
[00:17:26] information as possible while simultaneously trying to use that information to limit any
[00:17:33] kind of access.
[00:17:33] And the emails sometimes come from the real, you know, the real email address belonging to a person.
[00:17:41] I'll give you an example in a second.
[00:17:43] They're not necessarily spoofed.
[00:17:46] Gmail does a great job of, you know, getting those off to the side and making sure that
[00:17:52] you're alerted to, you know, potential malicious email.
[00:17:57] And but in one instance, we had an email come in from a CFO who I believed was a CFO.
[00:18:05] And they were not happy with the tax part of the payment payroll services that they were getting.
[00:18:15] And four emails in, I received an attachment saying this is from our accountants and controller.
[00:18:24] And this is the email chain.
[00:18:27] Can you please take a look at it?
[00:18:28] I feel like there's something going on here, but I can't put my finger on it.
[00:18:33] And it was a dot MSG attachment.
[00:18:36] It was not a ZIP or an EXE.
[00:18:39] It was an MSG, which is an archive of emails.
[00:18:43] And something my gut told me, be careful.
[00:18:48] And I did a little bit of research and I found in 2015, this was used to embed a banking Trojan.
[00:18:57] And I was like, huh, OK, that was quite a while ago.
[00:19:01] But then I used a program called 7-Zip and I changed the MSG extension to ZIP.
[00:19:09] I opened it up and I found a whole lot of files in there and I drilled into the ones that were the largest.
[00:19:15] And right next to the PDF file that I was supposed to open, there was a JavaScript file.
[00:19:20] And it was the Zeus banking Trojan.
[00:19:23] So they were not just perhaps not only just trying to infiltrate my organization, but my clients as well.
[00:19:31] And that was really startling because English was perfect.
[00:19:37] The headers and the email were perfect.
[00:19:39] It was coming from the real CFO's email.
[00:19:44] And with how many employees now working hybrid or from home or using personal devices to access work systems,
[00:19:54] we got to think about what are the added risks there?
[00:19:58] We don't want to come in after the fact and try cleanup because all the damage is mostly done.
[00:20:06] We want to be proactive.
[00:20:08] And I think more and more people are becoming aware of how serious these risks are.
[00:20:16] And payroll service providers and HRIS and retirement plan providers, they're implementing new systems.
[00:20:25] However, not everybody is going to be on the same page.
[00:20:29] And not everyone is going to take these steps at the appropriate time.
[00:20:35] As we saw with the CrowdStrike outage, there was a patch that was issued.
[00:20:41] And that patch went through quickly.
[00:20:44] And unfortunately, that took out a lot of systems.
[00:20:48] So businesses have been cautious about applying patches.
[00:20:54] And that's caused another problem.
[00:20:58] Because if you don't patch a system that has a security risk, you may be the first one targeted with a spear phishing email.
[00:21:07] Spear phishing, I'm sure most of your audience know, is targeting a particular individual and sending them to a phishing page to be able to get into the system.
[00:21:18] And so if we don't have those user access controls and someone is able to, say, infiltrate a person in HR, then we may be facing a lot of damage.
[00:21:32] Yeah.
[00:21:34] So to answer your question again, just real quickly, yeah, people are indeed the front lines.
[00:21:40] But there are some other aspects that need to be looked at.
[00:21:44] And those come from the tech space and the IT space.
[00:21:49] And education, first and foremost.
[00:21:53] And how do you feel about the education right now in payroll and HR and the industries?
[00:22:00] Do you think we are where we should be at this point?
[00:22:05] Yeah, that's a good point.
[00:22:07] Actually, I want to answer that.
[00:22:10] But I want to actually sort of build on what you were just talking about.
[00:22:13] And Julie, I think this is great for your lens.
[00:22:15] You know, when I was working as a consultant, I would say I did a lot of work with big companies in the middle to latter part of my career.
[00:22:24] And I will tell you that 90 plus percent of the organizations that we crawled around under or did due diligence on or supported and worked with had a gap of some sort in their BCP, their business continuity plan and their data recovery plan for payroll and HR.
[00:22:40] And I think a lot of times it was, well, we have this plan and it was well structured and all the details and bits and parts were there that you would want.
[00:22:48] But then it wasn't being tested.
[00:22:50] No one was actually keeping it alive.
[00:22:51] Right.
[00:22:51] It was set up at some point and things didn't evolve.
[00:22:54] Right.
[00:22:54] There wasn't this sort of living, breathing factor to that.
[00:22:59] So it was basically stale.
[00:23:01] And I also think that there was there's a large part of payroll's job that that that they don't own the cybersecurity element of this.
[00:23:12] Right.
[00:23:12] They're reliant on IT largely doing that for the company and their systems.
[00:23:16] And I think this goes back to where payroll's relationships have to be be broader than just being sort of pushed to.
[00:23:23] They need to be having open dialogue.
[00:23:25] And I think this is a great place where payroll needs to be working very closely with their leadership and their IT to be fortifying BCP and DR plans in line with and around cybersecurity and, you know, to deal with things like CrowdStrike outages and Internet outages and data breaches and that sort of thing.
[00:23:45] So I'm just curious what you're seeing.
[00:23:46] Are people getting better at this or is it still a big opportunity?
[00:23:49] And to Alex's point, is it an education thing or is it more that we've got this fragmented nature of how payroll's working with the business as well?
[00:23:58] You know, DCBR is a whole big thing in and of itself.
[00:24:01] And that usually calls into play a different set of actors, right?
[00:24:06] Yeah.
[00:24:06] Than the ones that really Alex was focusing on, whether it's the employees themselves or others.
[00:24:12] And so what I like is just the idea of the balance when you're talking about being proactive, as Alex was.
[00:24:19] There's the proactive BCDR, you know, perspective.
[00:24:22] But then there's also the more tactical, you know, payroll and HR bit like, you know, requiring users to change their login credentials regularly or restricting payroll access or separating bank accounts.
[00:24:38] So there's only so much at risk or, you know, you know, different elements that are really more tactical and probably in the control of your HR payroll folks.
[00:24:49] Being mindful of security when an employee leaves, right?
[00:24:52] You know, what can you do there?
[00:24:54] And then I actually see on many lists, including a Forbes July 2024 one on cybersecurity and payroll, just the whole idea.
[00:25:02] And we know people come to us and say, you know what?
[00:25:04] I'm ready to just outsource payroll.
[00:25:06] Yeah.
[00:25:06] Not just the system, which is, you know, part number one, but also, you know, the managed payroll services,
[00:25:12] because there's, you know, a little bit of inherent protection in having, you know, a dedicated payroll outsourcer handle some of those items.
[00:25:23] It doesn't absolve you of everything.
[00:25:25] Especially if you have a work from home or a large work from home base.
[00:25:29] Yeah.
[00:25:30] Yep.
[00:25:31] Which we're meeting a lot more payroll leaders that are at home too.
[00:25:33] Yeah.
[00:25:34] I just see that as like two different levels, right?
[00:25:36] There's a level that's the whole, the DCBR, which you really have to have.
[00:25:41] And then there's a, actually I think I put the letters backwards, but anyways, there's that level.
[00:25:45] And then there's all just the tactical bit of, you know, who, who approves payroll, who cuts the check?
[00:25:51] Can the same person, you know, create a new employee?
[00:25:53] And, and some of the first bad actors where I thought Alex, you were saying the incidents as a fraud or on the right, I sounded very much to me like those would be employee fraud.
[00:26:06] Or former, former employee.
[00:26:08] Yeah.
[00:26:09] There's a lot of that.
[00:26:10] If you like swiping, then head over to Substack and search up work defined.
[00:26:15] WRKdefined, and subscribe to the weekly newsletter.
[00:26:18] If you just Google cybersecurity and payroll, a lot of them are that internal breaches or often system implementations that went wrong.
[00:26:27] But yeah, no, it's a lot of, a lot of times it's the people you'd least expect that are actually the ones causing it.
[00:26:33] Yeah, absolutely.
[00:26:36] There's, there's, there's really so many different angles.
[00:26:39] It's, it is, it is pretty scary because we don't necessarily know where it's coming from.
[00:26:43] But as long as there is, you know, good business continuity plans and they are being exercised and the employee training is there, then I think that the IT departments can, can work together with payroll.
[00:26:59] And it's also important to understand that individual, individual security, not necessarily for the company is critically important to maintaining that, you know, that, that level of security on the organizational level.
[00:27:14] Because let's suppose my, my identity was breached.
[00:27:19] My Gmail was hacked into, or my kind of work email was hacked into.
[00:27:25] Tokens were stolen, cookies were stolen.
[00:27:29] And that then opens up the hacker to access all the, or potentially many of the systems that I have access to and sending emails.
[00:27:39] Right.
[00:27:39] My email address and doing that spear phishing campaign that we were talking about earlier.
[00:27:45] Oh my God, this, we should have done this for Halloween, right?
[00:27:48] Right.
[00:27:48] Right.
[00:27:48] I know it's a day after, but we should have this out as like, as our scary Halloween.
[00:27:53] It is, it is.
[00:27:54] And, you know, while we're talking, and by the way, let's, let's level set, right?
[00:27:58] We're talking about business continuity planning and data recovery, just to, just to lay out what BCPDR is, if anyone out there is choking on the, struggling with the acronyms.
[00:28:07] But one of the things that I find is, is it's, it's, it's all fine to have the best laid plans.
[00:28:13] But I'll tell you, I've had to go to a BCP and DR kind of cut over moment where we had to make some serious decisions.
[00:28:21] And I'll tell you when that plan is not fortified, it bubbles, it exposes itself very quick.
[00:28:29] And I think that's where you've got to constantly, you almost need a live data recovery, BC, you know, business continuity return to service sort of test, right?
[00:28:40] That, that, that gives you that, that real world application of that, of that thing in order to determine if it actually will work.
[00:28:48] Like, um, it's a big part of, of, I think payrolls health check is you've got to be looking at, can you recover?
[00:28:53] Are you protecting the data?
[00:28:54] Are you able to, uh, bring it back online and in some way to continue continuity and keep people paid and, and prevent these, uh, breakdowns.
[00:29:02] But maybe that's somewhat of a reactive piece, right?
[00:29:05] We want to try to prevent people from ever getting into these systems to begin with.
[00:29:08] Right.
[00:29:10] Yeah.
[00:29:10] We also have to think about the money movement side of things.
[00:29:13] So perhaps, uh, you know, uh, without being able to access the payroll system, uh, but, uh, how would we ensure that, uh, the employees are paid on time?
[00:29:25] Uh, sure.
[00:29:26] We can have air gapped backup systems.
[00:29:29] Uh, there can be multi-factor authentication, um, and all that, but we also have to think about money movement and, um, making sure that perhaps 10 or 30,
[00:29:39] or 50,000 employees or more are paid on time.
[00:29:43] And, uh, also when it comes to that, there's also, um, you know, tax payments that may be due the next business day.
[00:29:49] So that's another thing to think about is, you know, the financial side of things.
[00:29:54] And I think that, uh, businesses are really definitely taking it more seriously.
[00:29:58] Um, there is something called zero trust architecture.
[00:30:02] I don't know if you've heard of that.
[00:30:03] No, no.
[00:30:04] Tell us what that is.
[00:30:04] It sounds a little bit scary, but, um, it, it, it, a zero trust security model is just, uh, a security model that does not assume trust for any user, a device or applications that all traffic is treated as untrusted by default.
[00:30:21] And then is allowed access to the network.
[00:30:24] If it can prove its identity and credentials.
[00:30:26] Um, it's an approach to cybersecurity that requires organizations to verify not only the essence of their users, but also the security posture of their devices and their applications.
[00:30:36] And I think that's really important from the work from home, uh, environment or even the hybrid environment where you have personal devices accessing organizational systems.
[00:30:46] And if you're using, uh, you know, organizational equipment, uh, to limit the, uh, the access that they, those machines may have to potentially malicious, uh, you know, malicious applications.
[00:30:59] Yeah, absolutely.
[00:31:01] Absolutely.
[00:31:01] Hey, you know, we're still in open enrollment period here as we record and maybe even as we go live with this recording.
[00:31:07] And, and I was, I'm always just, um, extremely interested in the impact on employees of this.
[00:31:13] So we've talked about the bad actors and the malaligned and then just being aware and being educated.
[00:31:17] But when there's one of these 24 security breaches that one of you said you'd had in this very year, um, I was looking at a study, Pete, I'll share the link with you for, for, uh, for right up on this session.
[00:31:30] Yeah.
[00:31:30] Um, about, uh, that was done by, uh, the Ponemon Institute.
[00:31:34] It was IBM funded and they actually looked at the impact on employees and gauged a 79% stress level, um, employees that just reported being hugely stressed.
[00:31:47] That their information had been compromised and was out there.
[00:31:51] And then almost 40% cited a time commitment, like a, a serious time commitment.
[00:31:58] You just described the same thing, Pete, and remedying your situation.
[00:32:01] And I think you alluded to it in yours too, Alex.
[00:32:03] 10 years deep.
[00:32:04] Yeah.
[00:32:05] 10 years deep.
[00:32:06] I've been doing it.
[00:32:07] Yep.
[00:32:07] Trying to fix it is just horrific.
[00:32:10] And so that impact led me to think a little bit too about something, Alex, we were talking about right before we, we started the recording.
[00:32:16] And that is, you know, just from an employee benefits perspective, the importance or the, the, the desire for employees to have, or to, um, even think about framing the value.
[00:32:29] If you have identity theft protection types of voluntary benefits or credit risk monitoring, the same study said that 63% of folks wanted identity theft protection.
[00:32:40] And almost another 60% were asking for credit monitoring, um, out of their survey.
[00:32:47] And that went right along with what you were saying before we, before we started recording here today, Alex.
[00:32:51] Yeah.
[00:32:52] Great, great point, Julie.
[00:32:53] Uh, I know that in 2023 here in the US, um, 53% of households earning a hundred thousand a year were living paycheck to paycheck.
[00:33:02] Uh, and in 2022, 38.2% of households making a quarter million a year were living paycheck to paycheck.
[00:33:12] And since then I have a strong feeling the numbers have risen dramatically.
[00:33:18] And if we think about how many of those households, you know, are struggling with bills, um, who may be one missed payment away from a foreclosure, God forbid, or a repossession of vehicle or charge off on a credit card.
[00:33:33] Uh, and, um, when thinking about how, how many people are really, uh, you know, really counting on that paycheck, uh, it makes me think about, uh, a lot of the advanced, you know, the, the pay advance services, uh, that are offered the daily pay, uh, you know, type.
[00:33:51] Uh, and there really are, uh, essentially an advance, uh, uh, of, of individual's paycheck.
[00:33:58] Uh, and I think that's something that's also been asked for, um, you know, by employees or, you know, um, workers.
[00:34:07] But, uh, I think that, uh, ultimately, uh, so there's not really going to be one, you know, clear cut solution.
[00:34:15] Um, I think there's really not a whole lot of regulation, uh, when it comes to, uh, oversight.
[00:34:24] Uh, when we think about money movements in all these different areas, uh,
[00:34:28] uh, uh, cash checks, wires, uh, retirement accounts, uh, name it.
[00:34:34] There is, uh, you know, uh, uh, trade, you know, uh, the stock markets and trading.
[00:34:39] We've got the SEC.
[00:34:40] Uh, we have so the FDIC, uh, we have so many organizations that are overseeing, uh, that type of money movement, but we really don't have a whole lot when it comes to payroll, when it comes to direct deposit, when it comes to ACH.
[00:34:53] Um, there, there are organizations, but, um, there really aren't a whole lot of, uh, quality control steps that are being taken in terms of maybe audits, uh, in terms of helping, um, you know, businesses shore up their, their security and doing penetration testing or pen testing.
[00:35:13] Um, you might've heard of that.
[00:35:16] Um, and, uh, there are some businesses out there that will send out phishing emails or like test emails to their employees and see if they'll respond.
[00:35:25] If they do respond to it, uh, then it's an opportunity for additional training.
[00:35:30] Um, I think.
[00:35:31] It's an opportunity.
[00:35:32] You drafted.
[00:35:34] Yeah.
[00:35:35] What's that?
[00:35:36] Talk about a honeypot.
[00:35:37] I said, yeah, there's a honeypot for you.
[00:35:39] You get drafted.
[00:35:40] It's not an opportunity.
[00:35:41] You get sent to like training school.
[00:35:43] Yeah.
[00:35:43] Yeah.
[00:35:44] Back down in Siberia.
[00:35:45] Yeah.
[00:35:46] So Alex, that's actually a really good point though.
[00:35:49] Like what are some of the sort of emerging, um, practices you see companies that are doing this well adopting that maybe payroll and HR ought to be thinking about?
[00:35:58] So, uh, I really like Rippling.
[00:36:02] Rippling has, and I've, I've, I've, I've mentioned this before, uh, and I've watched them grow from a small company and they've made a lot of really good.
[00:36:11] Good strategic moves, uh, to position themselves as, you know, one of the, uh, one of the leading, um, one of the leading payroll companies when it comes to security.
[00:36:21] Uh, they, what they have done differently from, uh, some other, uh, providers is they have helped their clients consolidate their data, um, and consolidate their services onto one platform.
[00:36:35] And what that means is that there are fewer and fewer, uh, end points or access points accessible to the internet.
[00:36:44] Uh, they would be able to bring in a company using a combination of ADP, Workday and any other number of systems through their, their APIs, but ultimately trying to bring them into, uh, using one system.
[00:37:00] So all that information is stored internally and does not need to be communicated.
[00:37:05] It does not need to be sent between one, uh, one system and another, because remember the MOVEit, uh, transfer protocol.
[00:37:13] And what happened there?
[00:37:14] Uh, no, wait, wait, sorry.
[00:37:16] What are you referring to?
[00:37:17] The MOVEit.
[00:37:18] Uh, so MOVEit, um, was a, a file transfer protocol and there was a major hack.
[00:37:26] It was the biggest hack of the year in 2023.
[00:37:29] And, um, I believe it started, um, I believe it started in, uh, the UK originally.
[00:37:38] And, uh, I made a blog post and I looked to see how many, uh, companies are using MOVEit transfer services.
[00:37:45] And the number was at least 10 times higher in the US and, you know, I made a post, but really, um, that wasn't, uh, necessarily the, uh, the, the, the solution there.
[00:37:58] Um, the Clop ransomware gang, if you remember, CL0P, they had been exploiting this MOVEit system as far back as 2021.
[00:38:10] They were sitting quietly gathering information, not to alert, um, you know, the it departments as to what was going on.
[00:38:18] And when they had, uh, you know, when they had the information they needed, they executed the attack, uh, in parallel to what was called a, there was a GoAnywhere event.
[00:38:29] And, um, they, uh, demanded ransom.
[00:38:33] They, uh, I can't remember off the top of my head, but it's probably around somewhere in the hundreds of millions of dollars.
[00:38:40] And, um, when a business, you know, of 50,000 employees has their systems shut down and it's a matter of 48 hours, maybe even a week to get their employees paid.
[00:38:54] Um, that may be too long.
[00:38:57] That may lead to a loss of employees, a loss of trust in the company.
[00:39:03] Um, and much more, um, there's probably a lot of things I'm thinking about, but, but really that brand, that reputation, uh, even what we saw with CrowdStrike is really important.
[00:39:14] And so, um, that could spell the end of, you know, uh, a fortune 500 company very easily.
[00:39:21] Can I come, can I come back to your, to your response to my question about the, about the different, you know, sort of differentiated things that companies are doing.
[00:39:28] So are you suggesting that an all-in-one platform is more secure than having, you're saying a partner who has multiple integrated solutions?
[00:39:35] Is that kind of what you're pointing out there?
[00:39:37] Yes.
[00:39:38] Um, because that information is not, is not as easily accessible to, um, to the worldwide web.
[00:39:47] Um, and so with having these, you know, the file transfer systems, uh, the more applications there are communicating using APIs, uh, using different programming languages, the more there is.
[00:40:02] Yeah.
[00:40:03] Yeah.
[00:40:03] Interesting.
[00:40:03] So, but, but, but, but in terms of, but beyond that, right?
[00:40:06] Like in terms of just methods and sort of, uh, methodologies or frameworks, are there anything evolving out there that you're seeing companies adapt to?
[00:40:13] There are a few companies in stealth mode right now, um, that I can't really comment on.
[00:40:18] Not providers, not providers.
[00:40:19] I'm talking about end user companies that the practices that they are putting into place to, to sort of, uh, mature.
[00:40:26] Yeah.
[00:40:27] So, um, that blockchain is one of them, uh, air-gapped systems, which means this, the air-gapped backup would be a system that has no connectivity to the internet.
[00:40:38] And, uh, being able to place payroll, um, and, HRIS or HR, uh, systems on blockchain helps, um, how would I put this?
[00:40:50] It helps simplify things.
[00:40:52] So if we're able to catch a single variable, uh, and embed that variable into an impenetrable ledger, uh, which would be the blockchain.
[00:41:01] And we have verified nodes.
[00:41:04] So looking at Bitcoin, anybody can be a node and verify information.
[00:41:08] What we don't want to have happening here.
[00:41:11] We want to have trusted nodes, uh, who are verifying information, but each variable essentially is assigned to this ledger.
[00:41:18] And it's then, uh, moved over to a air gap system so that if something were to happen, um, not that much data would need to be transferred over as if we were comparing it to the entire system.
[00:41:32] So it can be done more frequently.
[00:41:34] And as we know, payroll is, you know, chronological and, uh, be able to pick that up, uh, rather fast.
[00:41:41] Um, that's one of the, one of the things that, uh, you know, is, is happening right now.
[00:41:46] Um, there are some other, uh, systems that are being used by, you know, ADP by Intuit, uh, to protect information.
[00:41:54] And, uh, I don't really want to go into too much detail as to how, you know, how it's being done, but it definitely is being done.
[00:42:02] Yeah, that's great.
[00:42:03] That's good stuff.
[00:42:04] So one, we, we certainly, obviously we're, we're getting a little bit later on time here.
[00:42:08] I want to ask you, we, we would be, uh, we, we, we have to talk AI, right?
[00:42:13] Um, yes, obviously it's created a whole new world.
[00:42:16] I was watching something on the local news the other day about, uh, obviously deep fakes and, um, various different phishing activities, right?
[00:42:23] It's someone you trust talking to you.
[00:42:25] That's asking you to take some sort of action that, you know, just like an email, but, but more, uh, real, right?
[00:42:30] Like a video or maybe, maybe some sort of a message, uh, audio message.
[00:42:34] Um, like what are your thoughts on that?
[00:42:36] Like just from the threat perspective that AI is bringing, but then how can we use AI to, to prevent this stuff?
[00:42:41] Right.
[00:42:41] And help us out.
[00:42:42] Yeah.
[00:42:42] It's, it's very interesting because it's on both sides of the fence.
[00:42:46] Uh, so as you know, uh, OpenAI and ChatGPT, there have been a lot of, uh, restrictions put on prompts so that it doesn't necessarily generate, uh, you know, malware source code.
[00:43:01] However, people keep trying to find ways to break it.
[00:43:05] And just most recently they sent, they put out a patch because, um, there were people who were able to, uh, break into or allow, uh, have ChatGPT generate, um, let's say a virus, uh, by inputting the information using hex or hexadecimal, uh, hexadecimal input.
[00:43:28] And, uh, you're familiar with hexadecimal?
[00:43:31] Mildly.
[00:43:32] Yes.
[00:43:32] So it's just, uh, you know, we have, um, uh, instead of having 10 digits or 10 symbols for zero through nine, we add A through F.
[00:43:42] So there's 16 symbols in total.
[00:43:43] And so by communicating with, uh, ChatGPT, uh, they are able to have it, uh, create, uh, you know, create malware.
[00:43:51] Now at the same time, there are other systems, uh, and, but all in all, I think that, uh, the, the ones that are available, um, on the clear web, they have implemented really strong, um, protections.
[00:44:06] However, there is a, on AI on the dark web and AI on the dark web, uh, helps facilitate, uh, you know, creation of, uh, viruses and creates, uh, you know, various different information stealers.
[00:44:20] And it creates things, um, I'll give you an example of something I came across recently.
[00:44:26] Um, it is something I would call a self morphing, um, self morphing malware.
[00:44:35] So it obfuscates, it basically obfuscates the source code, uh, which means let's say there's, uh, you know, some code and that code is then mapped to the words.
[00:44:49] Hi Pete.
[00:44:50] Right.
[00:44:50] And so you'll see a file and it'll say, hi Pete.
[00:44:54] And then it'll say, uh, let's go get some coffee or it'll say a string of numbers and digits.
[00:44:59] And it does not make any sense.
[00:45:01] Um, however, with an obfuscation map, it then converts that back to code.
[00:45:07] And every time it's run, it's run with a different obfuscation map.
[00:45:13] Um, and what that allows it to do is to bypass, um, antivirus, anti-malware systems.
[00:45:21] Um, there are a lot of systems out there and they rely on what's known as a checksum.
[00:45:27] The checksum essentially verifies, um, a file is what it is.
[00:45:33] And individuals and businesses submit, uh, malware to sites like virustotal.com.
[00:45:40] And they use the checksum, um, which is kind of like a hash, uh, like an algorithm.
[00:45:46] And to see if that's known malware.
[00:45:49] And this system allows, uh, or this, this, this particular malware, um, allows you to
[00:45:58] bypass or get around all the, um, antivirus, anti-malware systems that are currently out there.
[00:46:04] And we, uh, all know, you know, be careful opening PDF files, um, or executable files in
[00:46:11] your email.
[00:46:11] Um, however, it's also possible to have a TXT file.
[00:46:17] It's a plain text file, uh, then run an executable and a DLL.
[00:46:22] And it's scary to think about that something so simple, um, and something so plain can,
[00:46:28] can do that.
[00:46:29] But yes, it definitely can.
[00:46:31] Scary.
[00:46:31] Can we, so are, are we, any good examples of how we can use AI to, uh, fight AI?
[00:46:37] Um, yeah.
[00:46:38] So I would say AI, uh, would be.
[00:46:42] Or protect us against mal, you know, malicious AI, I guess.
[00:46:45] Absolutely.
[00:46:45] Absolutely.
[00:46:46] So AI would be able to do, would be able to monitor things in real time.
[00:46:50] It would be able to alert, uh, individuals within the organization that, you know, there
[00:46:55] may be, you know, something going on and be able to measure the risk.
[00:46:59] Uh, and if whether, whether or not, you know, an immediate response is required, um, with
[00:47:06] the amount of AI that's coming out there, it's also important to, um, remember what information
[00:47:11] are you feeding it?
[00:47:13] What information does it store?
[00:47:15] If you're using ChatGPT, you can ask it, what information do you know about me?
[00:47:19] And, uh, it was really interesting when I put it in, what it knew about me and, um, using
[00:47:25] AI, uh, there are, um, a lot of use cases for it.
[00:47:30] I think, um, we're going to be seeing a lot more of it in HR and payroll.
[00:47:36] Um, and I think that, uh, it's something that payroll and HR may not be, uh, may, it may
[00:47:45] not be ready for, in my opinion.
[00:47:47] I think we are, we're, we're in the, we're heading the right direction.
[00:47:50] Um, but I think it also is important so that it's, uh, the importance is recognized from
[00:47:55] a leadership perspective and that it is, um, that, uh, the return on the investment is
[00:48:02] worthwhile because really the return on the investment is not going to necessarily be additional
[00:48:07] revenue.
[00:48:08] Although it could, it could, um, it's really preventing, you know, um, something that could
[00:48:13] be catastrophic.
[00:48:14] Yeah.
[00:48:15] Agreed.
[00:48:15] I mean, I think, you know, Julie, I think you would probably agree.
[00:48:18] I mean, I think this is just another one, one more, you know, case, cybersecurity, business
[00:48:23] continuity, data recovery, all just one more case, uh, for why a modern infrastructure
[00:48:28] or maybe even a partner to help you enable that modern infrastructure is really important
[00:48:32] to put your organization in the best position to fend this stuff off.
[00:48:35] Right.
[00:48:36] It's, it's, it's hot and heavy.
[00:48:37] It's not going to get any easier.
[00:48:38] Um, and I think this just makes another case for why modernization is critical.
[00:48:42] Yeah, absolutely.
[00:48:43] And you have to start with the underlying components and the way the pieces fit together
[00:48:46] first.
[00:48:47] So, you know, how to, how to protect yourself and how to, where your weaknesses are.
[00:48:52] Right.
[00:48:52] Yeah.
[00:48:53] Yeah.
[00:48:53] Alex, just to close this out, man, any, any tips to, uh, organizations out there that may
[00:48:58] be, um, not in the best position right now with their, with their cybersecurity around payroll
[00:49:03] in HR or just in general, any, any, any suggestions for how they may be, um, you know, get a good
[00:49:08] understanding of where they are and what they need to do next to fortify that.
[00:49:12] Um, there's, there's a lot of ways to approach that, but I think really it's, uh, it should
[00:49:16] really start within the company's culture, uh, and leadership, uh, leadership understanding
[00:49:22] of, you know, the risks that are out there and how severe those risks are, uh, and what
[00:49:28] the repercussions could be.
[00:49:30] Uh, and from there, I think, uh, each organization, you know, will likely take, you know, to take
[00:49:35] their own individual approach.
[00:49:37] Uh, but I definitely think that outsourcing some of these services is, is definitely, um,
[00:49:43] is definitely a good idea.
[00:49:45] Um, reduce the amount of, uh, you know, reduce the amount of, um, expenditures in terms of hiring
[00:49:53] and be able to bring things up quickly.
[00:49:54] Um, there's a lot of vendors that are out there.
[00:49:57] Um, and, uh, I rec, and depending on where you are in the world, what systems you're using,
[00:50:03] uh, and, um, you know, your budget, uh, there's, uh, you know, if, uh, you know, uh, five minutes
[00:50:09] of research will provide you with a lot of options.
[00:50:12] And, um, I think, you know, a 30 minute phone call with one of those providers will give you
[00:50:17] an, uh, a good idea of what services they're able to offer.
[00:50:20] Um, you know, anything from penetration service, penetration testing, uh, services.
[00:50:24] Uh, through, um, you know, various exercises and helping the organization as well, uh, in
[00:50:31] terms of being able to respond to them effectively.
[00:50:35] Yeah.
[00:50:35] Yeah.
[00:50:35] I love what you said about culture, man.
[00:50:37] I think it does.
[00:50:37] I have seen that myself in my consulting days of just how culture can have a lot to do with
[00:50:42] how a company looks at these sorts of challenges, um, and how they rally around that.
[00:50:47] Right.
[00:50:47] And, and, and focus on, on, you know, uh, protecting, putting a shell around the whole,
[00:50:52] whole organization.
[00:50:53] So I love it.
[00:50:55] I love it.
[00:50:55] Alex, I, yeah, go ahead.
[00:50:56] Go ahead.
[00:50:57] When this goes live, uh, there will be a lot of, uh, a lot of, uh, posts on, uh, the
[00:51:02] payrollresolutions.com, uh, website on the blog post.
[00:51:05] Uh, so I welcome, uh, folks to take a look, um, on there.
[00:51:09] And, um, there's also one more individual I wanted to, uh, mention, um, his name is Colby
[00:51:15] Clark and he is, um, one of the foremost experts when it comes to, uh, cybersecurity
[00:51:22] and incident management response.
[00:51:25] Uh, he has some really good books that are out there, uh, and just wanted to, to give a
[00:51:31] shout out because he's really helped, uh, you know, helped my company along the way.
[00:51:34] And I think, uh, I think he has a lot to offer.
[00:51:38] Yeah.
[00:51:38] Awesome.
[00:51:39] How, how can everyone get in touch with you, man?
[00:51:40] Where, where do we find you at?
[00:51:41] I'll make sure we share the links.
[00:51:43] Payrollresolutions.com.
[00:51:44] Uh, and, uh, there's a contact us, uh, link there.
[00:51:48] Uh, and, uh, I'll, I'll give you my email, uh, and, uh, we can include that in the, uh,
[00:51:54] in the post credits.
[00:51:56] Yeah.
[00:51:56] Awesome.
[00:51:56] I really appreciate it, man.
[00:51:57] I get like, uh, like I always say, man, I can keep going on and on.
[00:52:00] I love your passion for this.
[00:52:01] Um, keep fighting the good fight, man.
[00:52:03] We need to, we need to protect payroll and HR and, um, yeah, we just bring this awareness.
[00:52:07] I think it's outstanding.
[00:52:08] So thank you.
[00:52:09] Thank you, Julie.
[00:52:11] Really appreciate the opportunity to, uh, you know, talk about this.
[00:52:14] Yep.
[00:52:15] Likewise, man.
[00:52:15] Till next time, everyone.
[00:52:16] Take care.
[00:52:28] I get it.
[00:52:29] The podcast just isn't enough.
[00:52:31] That's all right.
[00:52:32] Head over to your favorite social app, search up WRKdefined, W-R-K-defined, and connect with
[00:52:38] us.