Episode 43: National Cyber Security Month – Enhancing Your Online Safety
Cyber security is not a career path one might naturally think of at DHG. As part of our Advisory practice areas, we have a Cyber Security team who serve clients across the U.S. Tom Tollerton is a leader in this group and joins us to share more about this DHG career path and he even shares some great cyber security tools we can use in our personal lives to protect ourselves online. Click here to learn more about DHG’s IT Advisory practice.
Episode 43 Transcript:
AGH: Hello everyone and welcome back to another episode of our DHG Podcast series. I’m Alice Grey Harrison your host and I love this venue because we get to hear from our team members about the things that matter the most to them: flexibility, careers and of course our people.
We are celebrating National Cyber Security Awareness Month. The internet truly touches almost all aspects of our everyday life. You know, honestly for me, the first thing I do in the morning, I probably should be embarrassed to say this…This is even before I have my first cup of coffee, I reach for my phone to check my personal email, to check my DHG email, to check Facebook. What did I miss while I was asleep? Does that sound familiar? You probably do the same thing. Cyber security is a major focus area, for not only our personal lives, but for businesses both large and small.
You may be surprised to learn that we here at DHG have a cyber security group that provides services to companies all over the country. Joining me today is Tom Tollerton, a Senior Manager in our cyber security group. I think that he has one of the most fascinating jobs here at DHG.
I invited him to share a little about what this group does and at the end, he’s going to provide us with a few suggestions on what we can do to enhance our own online safety as we celebrate Cyber Security Month, welcome Tom.
TT: Thanks Alice Grey, happy to be here.
AGH: So, cyber security is not something you typically think of as a service offered by an accounting firm. I know I’ve been with the firm now for almost 10 years and I believe that we’ve had cyber security most of that time, if not all the time. Can you tell me about what you do for DHG in terms of cyber security?
TT: Absolutely. I help lead our Cyber Security Advisory services and our IT Advisory group and as a public accounting and advisory firm, we do have an area in advisory called IT Advisory.
Within that we have cyber security type services and as you stated, it’s not very common but it definitely is a service that the majority of our clients are starting to pay attention to right now and coming to ask, how can we help them address cyber security risk and build strong cyber security practices. But you know, our work covers a whole range of things in cyber security, we do really exciting technical type work like network penetration testing, putting on a black hat attacker’s mentality if you will, and trying to attack an organization.
We do compliance assessments around things like the payment card industry, protecting credit card numbers, HIPAA, security and privacy. So protecting health information for hospitals and for clinics, and then we do digital forensics as well.
We’ll investigate, as part of incident response investigations, how an attacker was actually able to compromise an organization’s network and send out some potentially stolen data, or access confidential, sensitive information.
We cover the whole gamut that someone might look for in a cyber security partner.
AGH: I think it’s so cool and your office in Charlotte looks like you are on the set of CSI investigators. It’s dark with a lot of computers; it is the coolest thing to me. Tell me, how did you get into cyber security?
TT: I was actually fortunate to get into cyber security right as it was taking off as a priority for organizations, as big hacks started to occur. I entered the workforce in 2006 after graduating college and I worked for the IT department of a very large department store chain. I was doing their networking function, if you will, and so I fell into cyber security as part of the payment card industry, which I mentioned earlier.
At the department store chain, we had to deal with credit card security. They needed someone to help lead that initiative for them back then, and I was really interested in it and I had some technical capabilities, so I got started there. Then I moved into more risk governance type work with cyber security, working for a defense contractor just before joining DHG.
It was easy to move into consulting as I was able to use the technical skills that I learned in my first job and then the knowledge I had related to risk and governance and leadership skills in my second job. It was a natural progression to offer those skills out to third parties in our clients here at DHG.
AGH: That’s really interesting how you got into it, it’s hard to believe that you know, 20 years ago, there really wasn’t cyber security as a focus. It is fairly new. I know you can’t discuss specific client projects but what are some of the types of cool projects that run through your group?
TT: Well, the cooler projects are definitely the more technical ones. We do a lot of the more boring compliance type audits that are important and very necessary but you know, the glamorous type projects that we do are the technical ones I described. Network penetration testing, kind of simulating that attack on a web site, or an attack on an organization’s network – trying to get in and see what they can get access to – seeing if we can actually steal information.
We also do a lot of social engineering type work as well. So if you have ever seen a phishing email, those phishing emails often lead to the installation of malicious software if you clicked on a link or double clicked the attachment. We test organizations’ security awareness by simulating those phishing attacks and so we will send out phishing emails to the accounting type personnel or finance personnel and see if they’ll click on that link and actually let us in.
We always had a lot of success with that and then the forensics work is really a lot of fun as well. It’s really unfortunate, frankly, for our clients if something really does happen to them. But it’s definitely fun for us to get in and to see exactly what happened. Put together a timeline of events, see what methodology an attacker may have used to compromise that network.
It’s really valuable for our clients as well because they have reporting obligations if a breach did occur. They have to obviously understand the impact and scope of a potential breach. So it’s exciting and really valuable for our clients all at the same time, so it’s exciting work.
AGH: And that’s where I see you on the scene of something like CSI, like putting all the pieces together, figuring out how things can happen. I think it’s totally fascinating that you simulate the emails with Malware. I get them all the time, not all the time because we have really great security, but I do get them from time to time and I think it’s really fascinating. Now I am going to send it to you and ask, “Did you send me this?”
TT: That’s just fine.
AGH: Okay, so since we are celebrating Cyber Security Awareness Month, I thought that it would be interesting if you could give us a few tips regarding things that we can do to protect our security.
TT: Sure, absolutely, and frankly what we find, Alice Grey, is that the basics are really effective at helping to mitigate the likelihood of an attack. So just very basic things like making sure you use your own passwords. Don’t use a blank password if that’s possible. Don’t use a weak password, meaning like a simple dictionary type word. Don’t use 123456. It doesn’t have to be overly complex, but use one for all of your accounts, certainly ones that are critical to you.
The password should be at least eight characters, use a special character, use a number, vary it up a little bit and don’t use the same password for all of your accounts, because if one of your accounts is compromised, let’s say for your bank account you used one password and that password is compromised, an attacker could potentially use that same password in other accounts that you have.
So it’s really important to not use the same password as well. And to help you with that, we always recommend a password management app for your phone. If you go to the app store on your smart phone, you can just search “password management” and several options will come up. They’ll help to store your passwords for you and then you only need one, ideally, super complex password to remember to unlock all of your other passwords. So I definitely recommend strong passwords and good password management.
From a personal computer standpoint, if you work for DHG you typically have pretty hard systems, but always make sure that you have an anti-virus solution on your computer and that the signatures are up to date. Always make sure that you’re getting the latest security patches for Microsoft and Adobe and for the other applications that you use.
Windows 10 is really good about making sure that that occurs by default, but if you use earlier versions of Windows, like Windows 7 and Windows 8, in some instances it’s set back and sometimes slips through the cracks. So make sure that’s set up on your personal workstation.
And then third and finally, keep an eye out for those email phishing attacks. They are getting really sophisticated, the ones that we see out in the wild. Attackers are getting very creative in how they can trick you into thinking that an attachment or a link is legitimate. Something that is either very interesting to you, like you would actually want to open it, or coming from and sourced from a legitimate source, someone that you know, and you just think automatically that whatever that person has sent you must be okay to open.
They’re getting good about simulating – being someone that they’re not. So definitely keep an eye out for those.
AGH: Very good. So this podcast will be shared on our careers website. So if somebody were listening and they thought “This is interesting, I might want to go this route for my career,” what would they do? How do you get into cyber security?
TT: Great question. You know, it is a lot easier now than it was when I got started, frankly, because a lot of universities now have or are starting to build cyber security focused programs, whether it’s in computer science or their business school. There are majors and minors in cyber security. So if you are in school right now, I would certainly say take a look and see what classes or what concentrations are available in cyber security.
And second I would say that cyber security is really one of those career focuses where you’re all in. You can’t split cyber security with accounting and that sort of thing. It’s a constant learning career, where you constantly need to learn new technology, new techniques, keep up with the latest compliance frameworks.
There is definitely a focus. You have to have a focus and you have to have a desire to learn to be in cyber security. So I would definitely encourage you to evaluate and think about whether those are characteristics of your personality, and just read up, just learn as much as you can.
AGH: Very good, well Tom thank you for joining us today.
TT: Absolutely, happy to do it Alice Grey.
AGH: And thank you all for listening to Life at DHG, our premier podcast series. If you like what you just heard we hope you’ll tell your friends and colleagues. Be sure to check out our DHG blog for more great stories about our Life Beyond Numbers.
Join us next time for another edition of Life at DHG.