“Off the Wall” Podcast

How to Protect Your Personal & Business Assets from Cyber Attacks with Cathleen and Bill Phelps

Feb 16, 2024 FAQs

With the rising prevalence of cyber-attacks on both individuals and small businesses, it’s more important than ever to learn how to boost your cybersecurity and protect the wealth you’ve worked so hard to grow.

In this episode of Off the Wall, you’ll meet Cathleen Phelps, a Client Experience Manager at Monument, and Bill Phelps, a Cybersecurity Expert and Strategist with over 26 years of experience. Tune in to learn easy ways to identify and prevent fraud, phishing, and identity theft, including AI-generated fraud, so you can protect your personal and business assets from cyber-attacks.

Over the years, Cathleen has successfully coached clients on how to protect themselves online as well as what to do if their personal information has been compromised. As an expert in the field, Bill has delivered cybersecurity consulting and incident response services to some of the most sophisticated clients in the world.

Together, Bill and Cat offer a treasure trove of knowledge about protecting yourself and your wealth against bad actors.

“The amount of money paid to cyber criminals and ransomware in 2023 passed a billion dollars for the first time… and that is disproportionately hitting small businesses, and for that matter, schools, hospitals, other organizations that have only more recently started to invest in appropriate cyber defense measures.” – Bill Phelps


Episode Timeline/Key Highlights:

[00:51] Introducing today’s topic & guests.

[02:40] Are hackers/scammers getting more intelligent with their tactics? + The most prevalent and emerging cyber threats people should look out for.

[05:54] Anyone is Vulnerable: How cyber scams and phishing emails are affecting teens, adults, and the elderly.

[09:00] AI and Identity Theft: How to protect yourself from AI fraud.

[12:26] How people’s personal information gets compromised.

[13:54] Phishing red flags to look for in your emails.

[16:20] What to do if your personal information has been compromised or if your identity was stolen.

[19:17] How secure are online password managers? Should I be using one?

[22:32] Cybersecurity for small businesses.

[25:30] Easy ways to protect yourself and your business from cyber-attacks.

[32:46] When should I be using a VPN (Virtual Private Network)?

Resources Mentioned:

Report Identity Theft: https://www.identitytheft.gov

Article: 9 Steps You Can Take to Protect Yourself from Identity Theft Fraud: bit.ly/3uuURYC


About Cathleen Phelps:

Cathleen has two big drivers – a challenge and a love of learning. Cathleen has a degree in Commerce from the University of Virginia with concentrations in MIS and Marketing. She started her career as a process and change management consultant at Accenture. Now, she loves working at Monument because it’s a small and smart group where she is still using technology to help a business run better. And as before, she feels the best part is working with clients to help them achieve the life they want and ensuring their Monument Client Experience is something they enjoy and want to share with others.

Connect with Cathleen: https://bit.ly/3ux6gaV

About Bill Phelps:

Bill Phelps currently serves on the Board at two cyber security companies, Deepwatch and Nisos. He is an Operating Partner and active investor with Blu Venture Investors and is a frequent advisor and mentor to other cyber and technology companies, their founders and investors.

Bill retired in 2023 from Booz Allen Hamilton where he was Executive Vice President and Senior Partner. Under his leadership, Booz Allen’s Global Commercial business became a recognized market leader, delivering cyber security consulting and incident response services to some of the most sophisticated clients in the world.

Prior to joining Booz Allen, Bill spent 26 years at Accenture, finishing his Accenture career as the Global Managing Director of Accenture Security. Bill also co-founded Virginia-based startup, SevenSpace, a pioneer in the nascent market for remotely delivered IT managed services. SevenSpace was acquired by Sun Microsystems in 2005.

Connect with Bill: https://www.linkedin.com/in/billphelps


Jessica Gibbs, CFP® [00:00:33] Hi, everybody. Welcome back to Off the Wall. Hi, Dave.

David B. Armstrong, CFA [00:00:35] Hi, Jessica. Nice to see you again. And our global headquarters here in Alexandria, Virginia.

Jessica Gibbs, CFP® [00:00:39] There you go. So I’m excited about today’s topic. Also a little scared. I think this is something that gives me heart palpitations, but I think in that spirit it’s important to talk about. So today we’re talking about one of the most important ways to protect the wealth that you’ve built. And that is cyber security. Because the truth is, is that cyber criminals are really good. I think we hear this all the time in the news. We hear it anecdotally from people that we know. Attacks on individuals and small businesses are prevalent these days. So as our guests today are going to be talking about it’s about resilience, not just prevention. So our first guest today is Cathleen Phelps, who is a Client Experience manager at Monument. Through the years, Cathleen has coached several clients on what to do after they found out their personal information has been jeopardized. And it’s a scary time for anyone. So having a clear course of action on what to do can help ease some of that anxiety. So Cathleen is here to share her perspective and wisdom in that regard. Hi Cat.

Cathleen Phelps [00:01:38] Thank you for having me.

Jessica Gibbs, CFP® [00:01:40] And also joining us is Bill Phelps. Most noteworthy of all, he is Cathleen’s husband. But Bill is also a cybersecurity expert and strategist, having spent the last 16 years delivering cybersecurity consulting and incident response services to some of the most sophisticated clients in the world. Bill spent 26 years at Accenture, finishing his Accenture career as the global managing director of Accenture Security. Bill recently retired from Booz Allen Hamilton as Executive Vice President and Senior Partner, and he is now on the board of directors of two cybersecurity companies and is a cyber focused early stage investor with Blu Venture Investors. So welcome, Bill.

Bill Phelps [00:02:22] Thank you very much, Jessica. It’s exciting to be here.

David B. Armstrong, CFA [00:02:25] I got scared right away when Bill walked in because he said, what’s the password to your guest WiFi? And I was like, okay, it’s a test.

Jessica Gibbs, CFP® [00:02:31] It’s a game on.

Cathleen Phelps [00:02:33] But you had a password.

Bill Phelps [00:02:34] There was one.

David B. Armstrong, CFA [00:02:35] Right? Right.

Jessica Gibbs, CFP® [00:02:37] All right, well, let’s dive in. Bill, I want to start with you. Hackers and scammers seem to be getting more sophisticated in their tactics. And I want to know, is this true or is this just kind of my feeling? And also, what are some of the most prevalent and emerging cyber threats that people and businesses should be looking out for?

Bill Phelps [00:02:55] So there’s always evolution in this cyber threat and the hackers will always take advantage of whatever is new in the environment. Recently, a new vector for threats has been QR codes as things that you have to point your phone at in a restaurant on a menu now can be corrupted. And if you point your phone at the wrong one, it can take you to a malicious website. But more generally, a lot of the basics work. Phishing emails work no matter how well companies train their employees, 10 to 15% will always click on the phishing email. Everyone has seen phishing texts on their phone and again, they work.

David B. Armstrong, CFA [00:03:43] When you talk about a QR code. It’s really interesting to me because there’s QR codes all over the place and is just pointing your camera and taking a picture is opening the website enough to start installing things on your phone. Or is there almost like an intermediate warning? So in other words, will somebody infect their phone or their computer with one click of a camera, or is there a little bit more to it than that?

Bill Phelps [00:04:07] There are sophisticated attacks that can infect your phone with one click. There are even so-called no click attacks, but they’re typically seen more with nation states, typically with a basic everyday fraud. You need to click the website. The thing that’s tricky, though, is oftentimes with phishing we say read the URL and see if it looks recognizable. And a lot of times a QR code attack will use a we call it a shortened URL, so it’s much more difficult to see whether or not where you are clicking is malicious or not.

David B. Armstrong, CFA [00:04:47] Yeah, it’s just scary because you go to hotels and the menus are QR codes and everything’s a QR code these days, and it starts to really scare me.

Jessica Gibbs, CFP® [00:04:55] Or people are putting it in their email signature, you know, as an expedient way, or you’re at the doctor’s appointment here, connect to this form that you need to fill out. I am curious because you mentioned text messages and cause like, I think all of us are familiar with how you can mark something as junk, right? You can mark an email as junk. I mean, do you think Google and Apple like, is doing anything? If you get a text message or calls from something and you mark it as junk?

David B. Armstrong, CFA [00:05:19] Or Microsoft?

Bill Phelps [00:05:20] The short answer is no. I mean, they’re getting probably millions of those mark junk daily or weekly. The important thing there is that typically if you mark it junk, you also have an option to block that caller or that sender.

Jessica Gibbs, CFP® [00:05:41] Right, it’s more for you.

Bill Phelps [00:05:41] It’s more for your convenience and maybe makes you feel better, but it’s unlikely that anybody’s doing anything about it.

Jessica Gibbs, CFP® [00:05:50] I think another example, when we were preparing for this call that you guys talked about anecdotally, we’re all familiar with cyber scams, phishing, other things preying particularly on elderly people. I think you guys brought up an example, though, of someone you know whose young kids were being targeted, where they’re too young to kind of get all this education that you would from a workplace about phishing emails and the like, they wouldn’t know what to do or get caught up in it.

Cathleen Phelps [00:06:16] And by young kids, I don’t mean really, I mean, like high school, college age, like young adult kids who especially kids who generally follow the rules. And so if somebody says there’s fraud on your account, you need to take these steps. You need to withdraw money from your bank and deposit it here. You can’t talk to anyone because this is under investigation. Like, certain kids will be like, “I have to follow the rules. I can’t tell my parents this” and it’s really scary that that could happen. We all think about older people being very vulnerable, but really, anyone can. And all right, young adult children can be reminders all the time.

Jessica Gibbs, CFP® [00:07:01] Yeah.

Cathleen Phelps [00:07:02] But you never know. It only takes one click.

Jessica Gibbs, CFP® [00:07:05] So yet another thing for parents to talk to their young adult children about.

Cathleen Phelps [00:07:08] Yes. Have that conversation.

Jessica Gibbs, CFP® [00:07:09] You transition to adulthood. I’m like, what is a phishing email? And someone who’s trying to get your information. What’s that look like?

Bill Phelps [00:07:15] Anyone is more vulnerable. We think about certain groups of people as being vulnerable, like the elderly, but if you’re busy, you’re driving, you’re in the middle of something. I was driving the other day. I had just gotten off the phone with the CEO of one of the companies where I’m a board member, and I received a text that said, “Just wanted to confirm you got this.” I just got off the phone with them. I assumed it was legit. I said yes. 30 seconds later I get another text that says, okay, “I have an important favor to ask of you” and my radar, which is usually pretty good went off. I texted the CEO to say, did you send me this? He said, no, of course not. Yeah, but I was probably one click away from a real problem. Fortunately, I’ve seen enough of this that my defensive instincts finally kicked in.

Jessica Gibbs, CFP® [00:08:19] Yeah, but that’s amazing that you are literally a very seasoned expert in this. I think that’s a good point about being caught off guard. I think one time where I clicked on a link that I was like afterwards, I was like, oh, shoot I should not have done that was because I was multitasking and my thumb happened to hit it. It was on my phone. And then all of a sudden I’m going to another website and I’m like, oh God. Thankfully it was fine. But yeah, it gave me a heart attack for a moment.

Cathleen Phelps [00:08:39] And I think things on your phone, it’s just harder to see details on your phone. And I don’t know about you all, but I don’t even retain information I read on my phone as well as I do on screen, or especially on paper. It’s just more ephemeral somehow, and details get lost. Easy to make a mistake.

David B. Armstrong, CFA [00:08:59] I’m kind of curious about AI and what sort of role it can play in identity theft. And specifically, I get scared of the AI technology impersonating somebody’s voice. And then they call our office and they say, hey, it’s Jim Jones and I need a wire transfer. And they’re able to actually mimic that voice. And we say, okay, and we think we’re talking to the person. And I’m just wondering if you’ve heard any stories about scams, any news on that, and what can we do to protect ourselves? And what about AI being used to generate documents that can be used in identity theft as well?

Bill Phelps [00:09:37] So in the long term, AI is probably going to be a really important tool against attackers. But in the short term, the attackers usually are quicker to pick up new technology and whether it’s creating a phishing email or simulating a person and their voice. We’re already seeing examples of AI being used to perpetrate fraud.

David B. Armstrong, CFA [00:10:03] Yeah, I feel like I’ve heard stories about mothers getting calls in the middle of the night from their kids in college, imitating the voice and everything like that. And I guess there’s just going to have to be some sort of adjustment that’s made by everybody that says, hey, I’m going to call you back on your cell phone and verify this is you. Like there’s going to have to be.

Cathleen Phelps [00:10:19] Something to do, check to see what number they’re calling from, because if it’s from an unfamiliar number, we’re going to call them back on the phone number of record. Right. Just to make super sure that we’re talking to who we think we are.

David B. Armstrong, CFA [00:10:32] But Bill, could some of this be thwarted by just like today? When I came into the office, I had to use my Microsoft Authenticator to get into my computer. Could there be a way to thwart some of these things, just through using these authenticator apps and saying like, okay, I’m going to send you a code or whatever, read me the code off your authenticator app, other things like that that will be able to be implemented to help?

Bill Phelps [00:10:53] Absolutely. I think there’s a word we’re going to be hearing more and more in this age of AI. One obviously is authenticity, but the other is provenance. Do you know where the communication came from? Do you trust that source? Is it legitimate? So whether it’s using two factor or some other type of authentication, whether you’re checking, did it come from the number that you expect your son, daughter, parent, business partner to be calling from? Did it come from their email? And if there’s any doubt calling them back, doing something we call it out of channel. Somebody sent you a text. Call them back. If they sent you an email, text them, communicate to them in a manner that you’ve come to know and trust before believing something that looks possibly unusual or dramatic. And we all know that the key signals urgency, drama. Now someone’s trying to get you to act very quickly is a red flag, right?

David B. Armstrong, CFA [00:12:00] Yeah. I get text messages on a daily basis from both Donald Trump and Joe Biden, and they’re communicating with me personally, asking me to donate to their campaigns, everything that might hold them back. I, you know, I don’t get through and I know, yes, you don’t get through. I don’t know how they get my text messages, but they’re texting me every day.

Bill Phelps [00:12:15] Those are legitimate. They’re just.

David B. Armstrong, CFA [00:12:20] I love that. Yes.

Jessica Gibbs, CFP® [00:12:23] Back to our earlier conversation. So Cathleen, I just want to ask you some more, just based off of your years of experience of working with clients here at Monument, I’ve heard you on the phone when a client calls in and says, my information has been jeopardized. So I was hoping, can you share some, you know, not attributing to anyone, obviously, but share some real examples you’ve seen of people’s information being jeopardized? I think it’s helpful sometimes to hear what examples have happened, so that you can maybe be then on the lookout yourself.

Cathleen Phelps [00:12:51] So there are a couple of ways. One way is somebody’s information can be compromised because they shared it with an organization who was compromised in some way, like maybe they filled out a loan application somewhere, or they used their credit card at a merchant, and then that organization had a data breach. And they never know until they get usually a letter from credit card company or whoever saying so-and-so had a data breach and they give some instructions. So that’s kind of out of your control. But other times people accidentally give away access to their personal data because they clicked on a link or an attachment in an email or a text, or responded to a communication that appeared to be from someone that they know and trust, but was really from a scammer. This happens all the time and it’s, as we said, really easy to do if you’re distracted and not really taking the time when you’re reading through your email.

Jessica Gibbs, CFP® [00:13:55] Cathleen, can you talk about in that regard? I think phishing emails, like, are there a few like red flags you should look at if you get something in order to prevent yourself from being in that situation?

Cathleen Phelps [00:14:04] Yes. You can first check the email address. If you hover over the name and look at the whole email address, you can see if it came from Citibank or not. This is really basic, but you can take a minute to see if the email makes sense. If you really think it came from the organization that you think. Also, they may be asking you to do something urgently. You need to change your password. You need to confirm delivery information, something like that. You need to do it right now. Here’s a link log in here. And the chances that you really need to react to an email like that in the next 60 seconds, or even the next day are pretty much nil, right? Take your time. Does that even make sense? Are there errors and typos in this communication? Do they use the word kindly? I feel like every phishing email I receive is asking me to kindly wire money or do something, so some stuff like that just doesn’t make any sense. So take your time. You can call your bank or whoever you think this communication is from. You can go look up the phone number on your own, look up their website on your own, rather than using whatever information they’ve given you in that email, because that is a surefire way to have a problem. You think you’re connecting to PayPal or whoever, and it’s not.

Jessica Gibbs, CFP® [00:15:29] Right. Yeah, don’t look at the number that’s in the email signature. Find your own.

Cathleen Phelps [00:15:35] If it’s really important, they’ll find a way to contact you. Social security is going to mail you a letter. They’re not going to ask.

David B. Armstrong, CFA [00:15:42] IRS will.

Cathleen Phelps [00:15:43] Their mail. You come to your door.

David B. Armstrong, CFA [00:15:45] Right. But you know, when you talk about the email thing, Cat, that has scared me a few times too. And I know you and I have been back and forth on this because people will spoof the alias. So you’ll get an email. It says it’s from David Armstrong, but you have to hover over to actually see the email address. And I’ve caught myself getting emails from people that I know and having the alias filled in and almost like, Bill saying before, like almost responding on it like one click away from clicking something. Because if I see something from a friend of mine, it’s like, hey, I dug up this whole picture of us. I always look at the hover over now. It’s really, really important to do that. So what should somebody do if their information has been compromised?

Cathleen Phelps [00:16:26] We usually tell people to change their passwords right away, the really important ones to your financial institutions, email, Google and Apple, social media. You want to change them to something long and meaningless. No pets’ names or birthdays and hopefully you’ll be able to do this. If you no longer have control over your account, then you’re going to need to contact that organization for help. And that can be difficult if it’s an online only organization. If it’s American Express, they’re going to help you. You’ll want to contact your financial network to let them know that you’ve had a data breach. So call your credit card companies and cancel your cards. The financial institutions where you have accounts, your financial advisor. If you’re a Monument Client, call us and we will work with Schwab to start a fraud investigation and we’ll watch your accounts to make sure nothing bad happens. And you would want to also just monitor your own financial accounts for any unauthorized activity. It’s a good idea to freeze your credit at all three credit bureaus and monitor those credit reports for anything unusual. The credit bureaus are required by law to freeze your credit for free, but they also offer these paid services to do the same thing. So don’t be confused by that. Dig around until you find the free one and freeze your credit, and then just leave it frozen. There’s no reason not to. It’s pretty easy now to unfreeze it. If you want to get a new credit card or car loan or something like that. Enable two factor authentication everywhere it’s offered. This is where you can authenticate with a code to your cell phone or an authenticator app. This is really important, so somebody can’t just guess your password and then log in to your account. So if you haven’t already done this, why don’t you just do it right now while you’re listening? Also, this is the hard one.
If you’ve had a loss of funds or somebody has really stolen your identity and opening credit, you’re going to want to report that identity theft to local authorities at identitytheft.gov. And if you fell for a scam, you may feel really embarrassed and not want to tell anyone that it happened. But really, these scams are so common they’re getting harder and harder to spot. Everyone is vulnerable and chances are the police are going to say, oh yes, we’ve seen that. We’ve seen this a lot, so just please report it. Even if the authorities cannot or do not find a scammer, those police reports are evidence for disputing incorrect information on your credit report, so it’s still worth doing even if the individual scammer can’t be caught.

David B. Armstrong, CFA [00:19:06] Right? So that website was identitytheft.gov. And we’ll try to put that down in the show notes too. But thanks for that. I do know that we’re going to talk. We have a question coming up about steps you can take in advance. But we were just talking about passwords. I just want to give Bill an opportunity to kind of jump in just real quick. But how secure are these password managers that people are using to generate passwords and store them? Seems like an obvious question, right? Like if you got all your passwords in one place, how dangerous is that? But a lot of people use those password managers, I use one. I’m wondering if you have any thoughts on that.

Bill Phelps [00:19:38] There are various sites online that review password managers, and there are several that are very highly reviewed, very, very effective from the standpoint of their own security. And they are an incredibly powerful tool in helping you secure your own passwords, because they take away the chore of remembering long and meaningless passwords. They will remind you if you’re using duplicate passwords on different sites. Many of them have additional features, like telling you if your password or user ID information has been leaked onto the dark web. There is at least one password manager that has been breached a couple of times. I’m not going to name it here. It’s easy to find and you definitely want to read the reviews, but there are several very frequently recommended password managers. They all do roughly the same thing and the good ones are extremely secure. They understand that they are holding the crown jewels for their customers.

David B. Armstrong, CFA [00:20:41] I just have one password to my password manager. It’s password in case anybody wants to try it out. But the worst thing in the world is if something makes me hand type in the password that I have because I’ve got like 16 characters and everything, I don’t even know what the passwords are, but it seems to work really well for me. So thanks for giving us your opinion on that.

Bill Phelps [00:21:01] And any of the password managers will also require two factor. So whether it’s a biometric from your phone or another device or a code through an authentication app like Google Authenticator or sending you a text via SMS, there’s some third factor that’s being or second factor that’s being used for further authentication of your information when you’re trying to access it.

David B. Armstrong, CFA [00:21:28] I get the authenticators every day, five times a day. I’m very comfortable with them. I almost wish the passwords would go away. And just when you sign in, it just says, what’s the code? And you get on your phone and you do it.

Bill Phelps [00:21:38] Dave, we’ll see in our lifetimes and we’re not spring chickens, passwords largely go away. There’s currently a technology or an approach called passkeys, where more and more we’re seeing people’s phones being turned into their source of identity, source of authentication. Almost everyone’s phone these days has some type of biometric authentication, and you’ll see the expression passkey or passwordless access. Usually what that means is that the website or the system is using your phone as a source of authentication, and that’s getting better and better and stronger and stronger and is pretty difficult to hack.

David B. Armstrong, CFA [00:22:17] Quick, off the cuff question: if you had to choose to lose one or the other, would it be your phone or your wallet?

Bill Phelps [00:22:23] Oh my God. Don’t take my wallet, give me my phone.

Jessica Gibbs, CFP® [00:22:29] That’s crazy. All right, well, let’s switch gears a little bit. I want to talk more about cybersecurity for small businesses. So Bill this question is for you. Is it true that small businesses are more at risk than big businesses?

Bill Phelps [00:22:41] Generally speaking, big businesses started investing significantly in cyber defense and cyber protection at least a decade ago and in many cases, 15 years ago or more. Big businesses are often public companies, and they’re subject to regulation by the SEC, especially if they are financial institutions have historically been targets of malicious cyber actors. So I think for quite a while small businesses thought they were flying under the radar and weren’t a target. The thing that’s emerged in the last probably five years in a big way is ransomware. People have probably heard of ransomware in the news year and a half, two years ago, the famous Colonial Pipeline incident. But the amount of money paid to cyber criminals in ransomware in 2023 passed $1 billion for the first time. This is a large business. It’s extremely profitable for the cyber criminals. It’s very specialized and it’s an easy way to make money. And that is disproportionately hitting small businesses and for that matter, schools, hospitals, other organizations that have only more recently started to invest in appropriate cyber defense measures.

Jessica Gibbs, CFP® [00:24:09] Yeah, I think about this from the perspective of like, if you are a small business owner and you’re trying to build your wealth through your business, I think cyber attack could really wipe that out potentially for you. Right?

Bill Phelps [00:24:22] The organizations that have literally gone out of business as a result of a cyber attack in there are, unfortunately, some of those have disproportionately been small businesses. Large businesses typically are more resilient, but we are seeing small businesses more and more frequently have cyber insurance, take steps, use a third party to provide cybersecurity monitoring for their business. Some small businesses in industries like financial services like Monument, have regulation that is forcing them to take appropriate precautions from a cybersecurity standpoint. In my role as an investor, I’m seeing companies that are focused on providing cybersecurity services to small business is an extremely fast growing sector of the cyber ecosystem. So to come back to your original question, yes, small businesses tend to be more at risk, but there’s a lot of steps being taken to help them.

David B. Armstrong, CFA [00:25:29] Cat, let’s start with you. What are some of the steps that you can take based on your experience in advance of a cyber attack?

Cathleen Phelps [00:25:37] In addition to setting up that two factor authentication that I hope you’re doing right now.

David B. Armstrong, CFA [00:25:46] And everybody that works at Monument better be hearing that too.

Cathleen Phelps [00:25:46] And freezing your credit. I want to go back to the encrypted password manager, because we’re using your passwords with your dog’s name in it CharlieD1, CharlieD2. These are not secure. And when you reuse them on multiple websites, it’s just that much easier for them to be guessed. Use that encrypted password manager. And I know this seems so overwhelming and people don’t do it. And I finally did it a few years ago. It was a New Year’s resolution. I said, I’m going to get serious about security, and it wasn’t that bad. It was not as difficult as I thought it was going to be. You do not have to change all of your passwords at once. And once I realized that, it all of a sudden became manageable. So pick your really important passwords, your email, your financial institution passwords, and let the password manager generate those. Install that password manager on your computer and your phone, and then log in to those sites using the password manager just for those few sites so you get the hang of how it works. And then once you have the hang of how it works and you’re comfortable every time you go to a new site to log in to, say, forgot password and let the software generate a new one for you. And after a while you’re not using your list.

David B. Armstrong, CFA [00:27:16] You know that’s such a great piece of advice to do the lost password thing.

Cathleen Phelps [00:27:19] That’s the easiest way to start off with a few in the beginning that you use all the time. Get the hang of how the software works and then gradually say forgot password and change at L.L.Bean and J.Crew and everywhere else you’re logging in. These password managers also allow you to share passwords with family members, so you can still share your Netflix password with your kids.

David B. Armstrong, CFA [00:27:44] You can.

Cathleen Phelps [00:27:45] Oh yeah.

Bill Phelps [00:27:49] Oh, of course, only if you have a family plan on Netflix.

David B. Armstrong, CFA [00:27:52] Yes. Thank you. Disclaimer.

Jessica Gibbs, CFP® [00:27:54] Also, think about this in terms of maybe sharing passwords with your elderly parents. Like maybe you’re helping them with bill pay for like their utility bill or something cable or something like that. That maybe that’s a way that if they’re on a password manager, they can share things with you, and then maybe you’re available then to help them if they need help with things online.

Cathleen Phelps [00:28:13] It seems overwhelming, but I think the gradual approach makes it possible and I’ve never seen that written down anywhere. So someone please try this and comment on the podcast and let us know how it goes. Other things that you can do are not to use unencrypted email to send or store sensitive information. Don’t be sending your insurance card, your driver’s license to somebody over your email. Don’t use public Wi-Fi like at the airport or the coffee shop to do any financial transactions. We talked about how to identify a phishing text. So just be really suspicious of phishing texts and emails and take your time. You don’t need to respond to those immediately. Don’t use your debit card for online purchases. Debit cards give direct access to your bank account, so if somebody has that, they can take actual money out of your bank account. Credit card fraud is so much easier. That’s a promise to pay, not actual money out of your account. So it’s much easier to reverse charges on a credit card. No debit cards online. You can also monitor your financial accounts all the time by signing up for card not present alerts with your financial institutions. I think almost all of them do this now. Sometimes they have a dollar threshold. You could say any transaction more than a dollar, send me a text or an email, however you want to get that notification. So that way if somebody makes an online purchase with your credit card and it’s not you, you get this notification. So you’re going to get your notifications for Audible and whatever subscriptions if you go shopping. But you’ll know what those are. And then every once in a while you’ll see something, a notification. You’ll say, I have no idea what this is. This is a way to identify fraud, right when it happens. And then you can shut your account down. And I have done this multiple times. I really like having those notifications.
We have an article that summarizes this information and more that we can post down in the podcast notes. Nine steps you can take to protect yourself from identity theft fraud. It’s probably more than nine steps. Every time I look at it, I think of more but I do have some of this summarized in writing for you.

Jessica Gibbs, CFP® [00:30:34] That’s great. And then, Bill, from the small business perspective, what steps can businesses take in advance of a cyberattack?

Bill Phelps [00:30:42] So in terms of a small business or really any, any small organization, we’ve already talked about some of the steps they can take to defend against a cyber attack, many of them similar to the individual in terms of using password managers, using strong passwords, training people not to click on phishing emails. But it is almost inevitable for the individual and for an organization that there will be some type of cyber incident they need to respond to. If I’m a small business, one of the questions is who do I call? Typically, if you have cyber insurance and I strongly recommend that you talk to your insurance broker about whether or not it’s an appropriate product for you, they can save you a lot of money. But if you have cyber insurance, it’s probably a call to your broker. It might be a call to your lawyer. It might be a call to your IT provider if you’re a small business and you have a managed service provider. It may be a call to the managed service provider. You should be checking with them and going through and making sure that they know what to do. There’s a technique that we use a lot with really organizations of all sizes. We call it tabletop exercise, and it’s really just going through and saying, imagine there’s been a cyber incident of some type, we’ve received a ransom notice, somebody has clicked on a malicious link and their account’s been taken over. Do we know what to do? Do we know who to call? Do we know how to reset passwords? We haven’t talked about this a lot, but do we have backups? A lot of times a ransomware operator, what they’re doing is they’re locking up your data. If it’s already backed up in a way that can’t be accessed, you are much more likely to be insulated against that type of attack. But I would come back and say, the most important thing is to know what are the immediate steps that you take? Who do you call? Who are your service providers in the event that you have a cyber incident?

David B. Armstrong, CFA [00:32:46] One of the things I’m curious about is for small businesses. We have people that travel, go to conferences, things like that, and even working from home or people go on vacation, they take their laptops with them and we use a VPN. Do you have any advice or thoughts on whether our VPNs are effective, or are they things that people should be using all the time, even if they’re on their home Wi-Fi? When are they good? When are they not necessarily something that you have to have?

Bill Phelps [00:33:11] They’re generally a great idea. In my most recent prior corporate employer, they were a requirement when you were traveling. There are some different techniques that are in place now that in some cases make them easier to use, but especially if you are in a role where you need to be in a hotel or you need to do work from an airport, you really ought to be using a secure connection of some type, not open Wi-Fi, and a VPN is a great way to do that.

Cathleen Phelps [00:33:46] VPN stands for Virtual Private Network. Sorry, in case anybody was wondering.

David B. Armstrong, CFA [00:33:51] Yes, we use them here and I actually have installed it on my laptop, and it is more of an effort to turn it off than it is to just use it. And I made it purposefully hard on myself to use it. But it’s on my phone, it’s on my laptops. And once you click connect and you could I don’t even notice a difference. So to me, from my perspective, they’re pretty easy to use and they’re not really an impact.

Bill Phelps [00:34:11] They’ve got a lot easier to use and it’s a lot more secure. Yeah.

David B. Armstrong, CFA [00:34:14] That’s great. Thanks.

Jessica Gibbs, CFP® [00:34:16] All right. Well that was a lot to digest. And hopefully people kind of came away with some useful tidbits. I’m sure there’s things that maybe you’ve heard about, hopefully some things that you haven’t heard before. I also think, like as an employee, even the things that you were talking about as a small business, like you should know, like who is in charge of cyber security at your company, and you should know how to report these things or what to do if there is suspicious activity. Because I think the point I’m kind of getting is that it takes this kind of constant vigilance. Gosh, it sounds terrible, but sounds like, yeah, I was like very vigilant. But it does take that having your guard up, which is unfortunate to have to live that way, but I think that is where we are right now. And I’m really hopeful, Bill, with what you said about AI at some point catching up, AI for the good guys, I should say, catching up and being a useful tool and helping protect consumers and small businesses. So thank you both. I really appreciate you guys sharing your expertise and your different perspectives on this problem and having worked with actual clients.

David B. Armstrong, CFA [00:35:14] Thanks for coming to our global headquarters here.

Bill Phelps [00:35:18] Thanks for the opportunity. It’s been a great discussion, and I’ll just end by saying that, as Cat said earlier, if something happens, don’t be embarrassed, especially if you’re an individual. Almost a third of people have been victims of account takeover, which is where somebody is able to obtain your user ID and password and get into your bank account or your Amazon account, or in my case, my Spotify account. These are things that happen commonly to people. Tell somebody about it who can help you get through it. If you don’t know what to do yourself, don’t hide it.

Jessica Gibbs, CFP® [00:35:54] That’s great advice. As a reminder, if you’re listening to this, you can keep up with new episodes of Off the Wall as well as our weekly market updates by signing up at monumentwealthmanagement.com/blog. You can also follow Monument Wealth on LinkedIn, Instagram or Facebook for our wealth management tips. So all right, till next time, Dave.

David B. Armstrong, CFA [00:36:14] Thanks.

About "Off The Wall"

OFF THE WALL is a podcast for business professionals and high-net-worth investors who want to build wealth with purpose. A little bit Wall Street, a little bit off-the-wall; it’s your go-to for straightforward, unfiltered wealth advice on topics that founders, business owners, and executives care about.
