David Sun, Principal, Cybersecurity at CohnReznick, was recently interviewed by Benzinga.
CohnReznick is one of the largest advisory, tax and accounting firms in the U.S. The company has a nationwide reach as well as offices in India and the Philippines.
Mr. Sun discussed the very real threats that come from within a company. Cybersecurity is often focused on outside threats, but much of corporate theft comes from company employees themselves. It’s critical to protect an organization from within. Certain protocols and policies can make a world of difference for a business.
Transcript
00:00 (upbeat music)
00:02 - Hey everyone, it's Jordan Robertson with Benzinga
00:04 and joining me today is David Sun,
00:05 Principal of Cybersecurity at CohnReznick.
00:08 Thanks so much for being here, how are you?
00:10 - Good Jordan, thanks for having me.
00:12 - Of course, to kick things off,
00:13 can you give the viewers an overview of your company?
00:16 - So yes, CohnReznick is an advisory, tax and accounting firm.
00:21 We've been around for many, many years
00:24 and we're, I would say, top 20 in the country
00:26 in terms of size.
00:27 We have a nationwide reach as well as offices overseas
00:32 in India and the Philippines.
00:34 - Amazing, and how big of an issue
00:35 are data leaks due to insiders?
00:38 - Oh, they're a very big issue.
00:40 Unfortunately, it's a quiet issue.
00:43 What I mean by that is it's a big issue.
00:46 Many, many companies experience it
00:48 but you don't hear about it
00:50 because most organizations don't wanna be publicized
00:54 and they try to keep it under wraps
00:56 and they usually address it internally
00:58 or sort of without law enforcement
01:01 and other public types of avenues.
01:03 So it happens quite often.
01:05 - And how can a company best protect itself
01:07 against these threats?
01:08 - Well, I mean, it's a lot about knowing your employees
01:12 and the people you are granting access to.
01:16 The insider threat is all about, unfortunately, a rogue,
01:20 it's an employee that in your accounting department,
01:23 in your sales team, engineering,
01:26 or some other trusted position,
01:28 they have legitimate access to information
01:31 but then they end up using it
01:33 because they're disgruntled, because they're departing,
01:37 they end up taking it and using it for unauthorized means.
01:40 And so you have to know who those employees are,
01:43 you have to know what their status is.
01:45 Are they disgruntled?
01:47 Are they at risk?
01:48 And what are they doing if they are?
01:50 How are they spending their time on your systems,
01:53 in your network, in your environment?
01:55 And so the first thing you can do,
01:57 it's pretty common now,
01:59 we've seen that before you hire an employee,
02:01 you'll do a background check on them,
02:03 see what their prior issues are,
02:05 whether that's reference checks or more common these days.
02:08 Now you'll do criminal background checks,
02:11 you'll do credit checks and things like that
02:12 to see if they're at risk.
02:13 We often tell organizations to have segmentation
02:17 or segregation of their systems.
02:20 And what I mean by that is somebody who is in accounting,
02:23 they need to have access to the accounting information
02:25 to do their job.
02:26 Great, no problem, make sure they have access to that.
02:29 But they don't need to have access
02:30 to engineering's information.
02:33 And so does an organization have the segregation needed
02:37 so that the person in accounting
02:39 cannot access the information out of engineering,
02:43 cannot access the information out of sales or HR
02:47 or any other department that they don't need access to?
02:49 - And David, can anything else be done
02:50 to monitor these high-risk employees?
02:53 - Yeah, so if you have a high-risk employee
02:56 and that high-risk employee might be,
02:59 you might deem them high-risk because of the role they have,
03:02 in which case they're always high-risk,
03:04 or you might deem them high-risk
03:05 because of something that's happened in the workplace.
03:08 Maybe they have said some things and they're unhappy,
03:12 their performance is bad and you know they might be leaving
03:14 or they've said some things to indicate that,
03:16 or maybe they got passed up for a promotion
03:20 and so therefore, you feel like
03:22 they may be unhappy about that.
03:24 So again, high-risk can be a perpetual state
03:28 or it could be a state that develops
03:31 based on workplace dynamics.
03:33 And when you have a high-risk employee,
03:36 there are some things you can do proactively
03:37 and some of them are more detailed than others.
03:41 What I tell people, what I tell organizations is,
03:45 there's definitely a proactive means that you can do
03:47 and it should be operationalized.
03:49 It should be something that organizations adopt
03:52 as part of their business practices,
03:53 which is when a high-risk employee leaves,
03:57 their information, their data should be preserved.
04:01 So that means all their emails,
04:03 make sure their emails and the emails they sent
04:05 at work are preserved.
04:06 That's a pretty common thing for people to do
04:08 just because of business operations.
04:10 But when I say preserve, I mean preserve it in a way
04:12 that it isn't touched or modified by anybody.
04:13 So make a copy, don't just leave it on the server,
04:16 but make an actual copy and freeze that copy.
04:18 What I also tell businesses and organizations to do
04:21 is take their computers and make a copy of their computers
04:24 and it should be a forensic copy,
04:26 which is something that a lot of organizations don't do,
04:29 but can be done and can be done fairly inexpensively.
04:33 But you make a forensic copy
04:34 and then just hang onto those things.
04:35 Put them in a cabinet, so to speak.
04:37 Put them on a shelf for six months, nine months
04:39 and just have it there in case something does happen.
04:43 Because so many times I've been brought into situations
04:46 where an organization had an at-risk employee leave
04:50 and they found out six months later
04:52 they went to a competitor
04:53 or started a competing organization
04:54 and started doing things, taking clients, taking employees,
04:58 and things that led those clients to believe
05:00 there was some malfeasance going on.
05:02 And I asked, "Well, where's their laptop?"
05:04 And unfortunately, the answer more often than not
05:07 comes back, "Oh, well, IT repurposed the laptop,
05:10 "erased it, wiped it, and reissued it to the next employee,"
05:14 causing us to lose a lot of evidence,
05:16 a lot of information to work off of.
05:18 And then we have organizations that come to me
05:21 or have employees who become at-risk.
05:24 Again, this is that disgruntled employee,
05:26 person who got passed up for promotion situation.
05:29 And if you really suspect that there may be an issue there,
05:33 I do work with organizations
05:34 to implement monitoring software.
05:37 And these are tools that we can put in place
05:40 that monitor what these people are doing
05:43 on their computers, on work computers and work systems.
05:47 And we can monitor and know exactly what's going on.
05:49 And we can review that
05:51 and know what documents they're downloading,
05:54 what emails they're sending,
05:55 again, what they're doing on work devices and work systems.
05:58 That would be sort of borderline
06:00 into a sort of an investigation type of situation
06:02 where we think there are these employees,
06:04 specific employees might be doing something bad.
06:07 - And are there more indirect ways
06:09 companies can protect themselves?
06:11 - The things that I tell most people to do
06:14 are gonna be the proactive pieces,
06:16 the background investigations and things like that.
06:19 And then the proactive IT policies.
06:21 Those tend to be fairly simple ways to protect themselves
06:26 and to sort of have an idea of what's going on
06:29 that work out for organizations.
06:32 - And last question, David,
06:33 how much does culture, for instance, play a part?
06:36 - Culture definitely does play a part, right?
06:38 It's important to make sure
06:41 that organizations educate their employees.
06:43 What I mean by that is first,
06:45 make sure employees realize
06:47 that what they do on their work systems and on work time
06:51 and at the behest of their employer is owned by the company.
06:55 I think there's a cultural piece there
06:57 where some people don't recognize that this is all done.
07:00 You're being paid to do this.
07:02 You would not be doing this
07:03 if you weren't being paid by your job.
07:05 You would not have this information.
07:06 You would not be creating these documents
07:09 or this work product.
07:10 And so because you're doing it,
07:12 solely because the work is telling you to do it,
07:14 you're being paid by work to do it,
07:17 it is owned by the company.
07:18 And I think that there's a cultural piece there
07:20 where people don't really recognize that.
07:23 They feel somehow entitled
07:24 to taking some of this with them when they leave.
07:27 And so I think that's a huge cultural piece
07:29 that we need to address for staff and employees.
07:34 And then on the other hand,
07:35 cultural is we don't want companies
07:38 to make employees feel like they work in a police state
07:41 where all their computers and every button they click
07:45 is being surveilled and scrutinized.
07:47 And we don't necessarily wanna do that either.
07:49 But again, it's important to make sure
07:52 that these policies and processes are put in place,
07:56 the staff is educated and communicated
07:58 on what these policies are
08:00 and when things happen and why they happen.
08:03 And so they understand the boundaries and what goes on
08:07 and why something might happen.
08:09 And if they don't do certain things,
08:12 then it's unlikely to have to worry about things happening.
08:15 So again, make people comfortable at work
08:16 and feel like they're valued and that they're trusted,
08:20 but also at the same time, make sure they know
08:22 and recognize that if they do things
08:24 that cause the employer to feel like
08:27 they're violating that trust,
08:28 then there's going to be some monitoring that goes on
08:31 and some investigating or some checking into
08:32 their activities that goes on.
08:34 - Absolutely.
08:35 Well, that's all I have for today, David.
08:36 Thank you so much for your time.
08:37 I hope to see you back real soon.
08:38 - Sounds great.
08:39 Thanks, Jordan.
08:40 (upbeat music)