Margin for Mission Podcast S1:E4 – From Pews to Passwords: True Stories of Cybersecurity Challenges – Transcript

Ken Tan:

Welcome to Margin For Mission, the CRI CapinCrouse podcast where two friends, Ken and Chris, bring you real talk about creating space for what matters most. Because when your organization has financial and operational margin, you can focus on your mission with confidence.

Chris Purnell:

We’re professionals who’ve spent years helping churches, higher education institutions, and other mission-focused nonprofit organizations manage their accounting, tax, compliance, and other challenges. We understand the complexities you face, and we’re here to make it simpler.

Ken Tan:

In each episode, we’ll dive into practical insights on leadership, operations, and the everyday challenges of running a nonprofit without the jargon.

Chris Purnell:

And we’ll talk about life too, family, faith, quite a bit of football, and finding balance in a world that rarely slows down.

Ken Tan:

So whether you’re managing budgets, leading teams, or just trying to keep your mission moving forward, you’re in the right place.

Chris Purnell:

This is Margin For Mission. Let’s get started.

Ken Tan:

Well, welcome back to the Mission For Margin podcast. Again, just by quick introduction, I’m Ken. This is my colleague, Chris. And we have a wonderful guest, who is also a fellow colleague of ours, Allison Ward, and she has a lot of great content. But first and foremost, I just want to share with everyone here how lucky I have been the last couple of days. I got an email from a person of royalty in Nigeria saying that, hey, there is a $50 million bank account that’s stuck here in the US that actually can be tied back to me, and if I just follow all the directions and follow this link, I too will also have a part of that share.

I also just got an email from another person that just said, “Hey, if you check out this link, you will win this absolute great sweepstakes for a house, a car,” and pretty much passive income for the rest of my life. And so, I’m just like, boy, I’m on cloud nine. I don’t know if you’ll see me in the next episode now. But I do know I probably need to use this money also, because I also got an email saying that one of our own colleagues is stuck in some country in the middle of nowhere, and in order for me to help them out, I just need to send a bunch of gift cards to this particular organization. So God is good because I was able to get some money and I can use it to help bless others.

So with that said, I’m just going to keep it to myself. I don’t think any of y’all got on that, so I think it’s just me. Is that correct?

Allison Ward:

Yeah, I’m pretty sure that’s right.

Chris Purnell:

Not yet.

Ken Tan:

No, I’m pretty sure most of us have had something in some way, shape or form like that. And that’s just to touch off the little highlights of what our topic is for today, which is on cybersecurity and a lot that goes into it. It’s one of those things where I think it’s going to be in our lives, day in and day out, it’s not going away, but it’s so important for us to have the tools and the resources to know what we can do to protect ourselves. And so, with that, Chris, you want to introduce Allison, and Allison, share a little about yourself to kick off some of the things about it?

Chris Purnell:

Ken, I’m stoked. Allison’s a wonderful communicator, a wonderful colleague. She does amazing work in the tech/cybersecurity space. She is very entertaining, so this is going to be a great podcast episode. I’m setting you up, hopefully not for failure, Allison. Don’t disappoint us.

Allison Ward:

You’re raising that bar.

Ken Tan:

Yeah, the bar is set all the way high.

Chris Purnell:

It’s all the way to the top.

Ken Tan:

Next episode, it’s not even you and me, Chris, anymore, it’ll be Allison from this point on.

Chris Purnell:

Just Allison. That’s right, that’s right. So Allison, I don’t know if you want to give us just a few factoids about who you are, how long you’ve been at Capin, the kind of work that you do, and then we’ll jump into some of the substance of what we’re talking about during this podcast episode.

Allison Ward:

Absolutely. So I’ve actually been with Capin forever. This is my only job. I started as an intern in high school, because I had one of those very mean dads that said I had to get a job, but yeah, it worked out. So I’ve been with Capin, intern, I started as an IT auditor, worked my way up to manager and partner the last couple of years in our division, and it’s been great. I’ve worked with a lot of different clients, all different shapes and sizes, different budgets, different resources, and really have gotten to see how the implementation of controls can look like in so many different environments and how you can mitigate certain risks in different ways, so I’ve really loved seeing that from all different angles. Other than that, I’m based in Louisiana, I’ve got a three-year-old, I’ve got a dog, a husband, that’s it.

Ken Tan:

And from a football perspective, she’s absolutely stoked.

Chris Purnell:

That’s right.

Ken Tan:

Lane Kiffin going over to LSU, so we’ll see how that season goes. We pretty much said, Allison, just so you know, we’re talking football in every episode.

Allison Ward:

Are you? Wow.

Ken Tan:

Yeah. You’re going to have to brace yourself.

Chris Purnell:

We try to.

Allison Ward:

Yeah, yeah. Y’all made it to the right person, because obviously you have football [inaudible 00:04:41].

Ken Tan:

It’s all good. We know you’re here for a great reason. And this is one of the things that I’ll just tell you all a bit myself is I may know some things, I don’t know everything, and it’s so great we have people at the firm like Allison that know it all. And that’s where part of it’s going to be so great to even hear what some of the experiences she’s had as well from the cybersecurity side, because I think one of the things that a lot of our audience folks here are going to be really tempted to listen to are all the real life stories, the things that we have seen at the firm, or even Allison has seen and interacted with, some of the threats that are probably pretty much relevant every day now. And then, of course, some of the tools that hackers are using that could easily, easily manipulate people into releasing insensitive information, and even certain things that typically, if they’re in a trusting environment, could easily go in the wrong hands.

And so, that’s one of the things that I think we would love to hear from you, Allison, are some pretty interesting stories that you probably have experienced from the cybersecurity side. So I’ll hand you the mic.

Allison Ward:

Yeah, yeah, no. And it’s interesting, knock on wood, I’m going to say this and hopefully I’m not jinxing myself, the clients that we’ve worked with, year in and year out, we work with every year, luckily have not had any major issues. So I get nervous saying that. But I do still see a lot of real life things happen, because we have probably, once or twice a year, we have a new client come to us because they had an issue, something happened, and they either want to get an assessment, they want support, to prevent it from happening again.

And then, even more recently, probably in the last couple of years, just as organizations are using technology more and more, especially when it comes to creating their financials and maintaining their financial data, I’m getting pulled in a lot, where it’s not necessarily my client, but an audit team, their client has had an issue, and they’re trying to figure out how does this issue impact our audit, how does it impact the financials that we need to think about as part of that. So I’ve seen a couple of things through that.

And really one of the ones that first comes to mind, and I think it’s a good story, just because, I think especially for nonprofits, we are relying more and more on third parties. In this scenario, basically what happened was the client didn’t do anything wrong, the organization didn’t have any issues themselves, but they had a third party that hosted their infrastructure. So it was a managed service provider, had their servers, had all of their critical infrastructure, they had connections to the client’s environment to support that. And the vendor got ransomware, and basically, the bad actors stole data first. They then deleted the backups, so there’s nothing to restore from, and then deployed ransomware.

So you’ve got the vendor over here dealing with their issue, and then the client starts realizing nothing’s accessible, so who do they call? The vendor. But the vendor is obviously a little occupied and so they couldn’t get support through this, they were having issues with any kind of recovery. And so, I think it, one, just highlights that vendor reliance that so many organizations we work with have. And then also, I think it highlights for organizations, it’s not just a matter of stealing data and our data being exposed [inaudible 00:07:49] so many of our nonprofits that we work with, they have a mission and they really want to carry out and continue to provide their services, and if you go down and you can’t access your systems, how does that affect how you can serve your constituents? So that’s one that always hits home for me, just because it’s two layers.

Ken Tan:

Sure. Well, and you start even thinking about, it’s not even just the losses of finance side, it’s the time and everything they’re trying to recuperate and recover from all that. Because I started even thinking about a client that I had worked with as well and they brought me in after it happened, and this was essentially just to rebuild their accounting system. Because what happened was it was a Christian school, one of the administrators opened a link that they thought was legitimate, and it actually did ransomware in their accounting system and donor database and student database, locked it all down completely. They had insurance for the ransomware thing, and they actually did pay some sum of money via cryptocurrency to this hacker group.

But one of the things that ends up being the conversation piece is that even though you get your access back to that system, there is no guarantee that they are completely out of it. And so, that’s where part of it was essentially they had to spend the time and the money now to rebuild it versus just being able to continue on with their daily lives. And so, it’s very close to home.

Allison Ward:

Yeah, that lost time. I remember another client had another ransomware issue, and this client hosted a lot of their infrastructure on site, and they had a ransomware issue and they lost 18 years worth of data, and they were spending money, they had to postpone all of their planned audit, they had to postpone all work, just because they were spending so much time trying to figure out, can we recreate this? They were finding files from nine months ago trying to figure out, how can we recreate nine months worth of data? It was just really, really impactful to the day-to-day. Basically, it was eating their lunch, that’s all they were talking about was ransomware and recovery and all of that kind of stuff.

Ken Tan:

And you start thinking about then at that point, then you start questioning everything in terms of what’s coming through, and so now you end up being able to just feeling confident you have things in plan, in place, as opposed to now you’re being very skeptical and potentially paranoid. It’s tough, because it’s crippling, because instead of you being able to really focus on the mission and everything that comes with it with your ministry, you’re essentially just being extra careful now and spending all that additional time that probably can easily burn people out because they’re spending so much time trying to keep that from happening again. It becomes that pendulum swing, where we came from, “We weren’t worried about it,” to, “Now, we’re thinking about every moment and everyone is just worried about it,” and it essentially distracts us from the true mission that they can do too.

Allison Ward:

That’s right.

Chris Purnell:

That’s true. Every email suspect… I remember one time when I was the executive director of the legal clinic, we had a data loss issue, because our third party provider, they had a suspect that tried to come into their data, it shut down, the firewall came down. But what happened was they hadn’t backed up our data for over four weeks, and so we had to recreate essentially four weeks of data. And it got to the point where people were like, “You know what? Let’s just not use the internet anymore. The internet’s a fad. We shouldn’t store any data in the cloud anymore, there’s only villains and creeps up there, so let’s just keep it all on paper.” And as lawyers, we’re already predisposed to printing out everything anyway, so we’re printing out emails, we’re making copies and then making copies of those copies and all that kind of stuff, so it does get absurd pretty fast.

Allison Ward:

And it’s so funny you say that about how going back to paper and no internet, I just think back, when I first started auditing, we’d go into server rooms at clients and they’d have the password on the server sticky noted [inaudible 00:11:24] for it. Now, I’m like, “Well, that feels a little more secure sometimes than a [inaudible 00:11:30] that’s going to get hacked.” So yeah, I totally agree. I think it’s definitely a challenge for organizations to find the right balance of security, operations, peace of mind, all that good stuff.

Chris Purnell:

So Allison, one of the things that I think comes up here pretty often, if I’m not mistaken, is that you’re kind of Monday morning quarterbacking a lot of these scenarios, and I want to hear some more of the stories. But what are some ways that organizations can think through how to get in front of this as opposed to being reactive and trying to come back from something that’s really devastating?

Allison Ward:

Well, I think probably the first step when I think about that is you really have to understand what you have, where it is, how it connects, all of that. And I see this a lot with small organizations, again, who may be more resource-constrained, may not have the IT background or more limited resources in that area, they just don’t know, or they outsource everything and they just trust that everything is good. And so, I think if you don’t have really that good understanding of where data is, how people access it, where we’re accessing it from, from what devices, you really can’t implement security comprehensively. You may secure this system over here, but again, you have this person over here that’s accessing a different method from an unsecured device and jeopardizes everything you put in place. So my old boss used to say, “Oh, you can’t manage what you can’t measure,” and I think that’s it. You have to understand what you have, you have to be able to measure it in order to be able to manage and secure it.

Chris Purnell:

Well, that’s good.

Ken Tan:

That’s good stuff. Let’s keep it going with some more stories, Allison. I would love to hear some more of these. It’s one of those things that I always think about from a cybersecurity or even fraud, it’s always interesting to examine, but never to experience. So we’re in the examining side, we’re not the experiencing side. So keep it going, Allison.

Allison Ward:

Yep, yeah. Another one actually is a client that came to us, and this is a really frequent event we see with all sorts of organizations, it’s what they call business email compromise. So essentially, an email account, you’ll hear BEC, but essentially an email account gets compromised by a bad actor because they don’t have multifactor authentication on it or they’re able to bypass multifactor authentication. But basically, this client who came to us, they were a small organization that did a lot of economic development in their area, so they helped a lot of small businesses when there were disasters, they provided resources, so a really great organization for this area.

And basically, their office admin, she paid the bills, she did wire transfers and all of that. For however way, the bad actor got her password and got in her email and just sat there, and they learned about her, they looked at past emails, they saw how she wrote, they saw how she communicated, who she communicated with, and they actually started communicating with her banker. They even went so far as… It’s probably one of the more advanced ones I’ve seen as far as the steps they took. But they did [inaudible 00:14:17] resolutions, minutes, basically approving them as new wire transfer people, they emailed it to the banker, they got them set up on the system.

And finally, better late than ever, the banker was like, “Hmm, something seems a little off,” and called our client and was able to stop this wire transfer from going out. But they would’ve lost a significant amount of money, very detrimental to them, so they were very lucky that it was able to be stopped. But when you think about it, there were many steps before this happened that could have prevented this issue. So we see BEC type stuff all the time, with [inaudible 00:14:51] with payroll, all sorts of stuff.

Ken Tan:

And for that one, did they experience any financial losses because of all the creations of those additional authorized signers and all that?

Allison Ward:

No. They were very lucky, because again, the banker finally picked up the phone. As a millennial, I hate talking on the phone. I won’t do it, I’m not picking it up. But we say all the time to our clients, sometimes just picking up the phone can thwart a lot of these attacks from being successful, and that’s what happened here. They finally made the verbal connection with our client and they were able to say, “Nope, that wasn’t us.”

Ken Tan:

Oh, wow. I’ll at least touch that on a similar situation that we actually encountered too with a client of ours as well. It was a mission organization, not the one that I was at, so I just want to at least make sure you preface that as well. So this organization, it was also another mission organization, and it happened to be that the COO was actually truly out of the country. And what happened was someone had accessed their account in terms of their email account, was able to impersonate themselves and send an email to the finance manager for the company and the organization saying, “Hey, we actually have this vendor. I’m out of town. I need to get this paid. I’m not able to pay in person, so can you please wire this, because it needs to be done now because it is a large sum.”

And the finance manager, I think the finance manager knew that it would’ve been better to call or contact or find some way to substantiate it, but because of the urgency, they actually bypassed their own policy and they wired the funds. And this was done about probably halfway through the year, and nothing was said or heard about it after that, it essentially got done. The only time it got caught was at the end of the year when they were trying to do their 1099s, so essentially issuing out all those forms to any independent contractors, and since this was a large amount, they were considering whether or not they needed to get a W-9 for this vendor. And when they were trying to search who this vendor was, they couldn’t find anything about it. Well, lo and behold, they look it up, turns out that was a fictitious vendor. By that time, since it was already like four or five months, zero way of being able to recoup that money, and those losses were about $50,000. So that is some real money there that got lost.

There’s some training now that’s being done at that organization, of course, and it’s one of those things where it’s like you always think about the ounce of prevention beats a pound of cure. Well, they’re trying to do that cure piece right now, and it is very time-intensive for an organization, because again, they did lose $50,000 that did come from sacrificial giving of those outside that entrusted them to handle those funds.

Allison Ward:

Yeah. We see that all the time. I mean, the vendor payment scams happen left and right. And again, people don’t think to question, don’t think to pick up the phone and confirm. We have a lot of people that we work with that are having those discussions about how are we going to verify payments, if a staff member wants to update their payroll information, how do we verify that? Even IT support, we’ve seen upticks, not necessarily with our clients, but just in the industry of fraudulent scams originating because someone calls me and says, “Hey, Allison, I see your computer’s acting funny,” or, “I’m trying to help IT. I need you to go to this website and give me access.” And if I don’t know that I’m supposed to verify that with so-and-so and they say all the right things, I’m going to that site, I’m going and letting them into my computer. So there’s just so many ways with the social engineering that actors can get [inaudible 00:18:12].

Chris Purnell:

That’s right, that’s right, yeah. And it’s one of those things where if you follow the procedures that are already in place, those are usually pretty sound. They should probably get a check-up, a tune-up, depending on the different types of scams that are happening recently, but generally pretty good. And as you noted earlier, picking up the phone can sometimes be a fate worse than death. I only pick up the phone if someone’s died or if someone’s… I’m assuming that if someone’s calling me, that someone’s died or I’m losing my job. So it’s one of those things where you do have to overcome some of those things and you have to follow policies and procedures that are currently in place, and that usually helps out quite a bit, it seems like.

Allison Ward:

And you mentioned doing a tune-up, and I think that’s so important too to remember with this, especially just in the era of AI. We talk about phone calls and things like that and making that voice connection, but AI, can we rely on [inaudible 00:19:06] again? It’s crazy to think that the controls we put in today are probably not going to be effective long-term and we have to constantly revisit them, see how they fit the environment that we’re in, make those tweaks, make those tune-ups. So I think that’s a really good reminder too.

Ken Tan:

Hey, don’t stop me. All I was going to say about this episode is it looks like I got hacked, because suddenly everything froze and stopped and everything. So this is a perfect episode to talk about this.

Chris Purnell:

You look much less blurry now too.

Ken Tan:

I know. Hey, this worked out. Maybe-

Allison Ward:

It was a good hacker.

Ken Tan:

Yeah, it was a good hacker.

Chris Purnell:

A good hacker.

Ken Tan:

They were like, “I cannot deal with this guy’s pixelated self.”

Allison Ward:

Well, speaking of good hackers, I had to prep for this, I was just reading stories, and there was a story about a hacker that was trying to extort money from this church through cyber means, and they were like, “We’re a church.” And they were like, “Are you a person of God?” And he was like, “Yes.” Basically, they updated their website so they could prove in some way that they were a church organization, and he stopped contacting them and stopped asking for money.

Ken Tan:

Wow.

Chris Purnell:

Wow.

Ken Tan:

Yeah. I thought that was kind of interesting.

Chris Purnell:

He had an attack of conscience.

Allison Ward:

Yeah.

Ken Tan:

We’re talking about that, yeah.

Allison Ward:

[inaudible 00:20:20]

Chris Purnell:

Oh, that’s good, that’s good. Well, Allison, as you were telling these stories, and Ken, as you were relaying your stories too, one of the things that I think we were hinting around was the reputational risk that arises from things like this. You hear about Target, where credit card numbers have been leaked, or any other number of vendors that are major players, major names, worldwide names. I can’t imagine what that would do to an organization that is an organization of trust, that’s been entrusted with stewarding donor dollars, and they somehow get hacked or they somehow have information that’s leaked out to the public, credit card information or donor information, PII. So can you tell us a little bit more about what you’ve seen in that space as far as reputational risk and that sort of thing?

Allison Ward:

Yeah. I think especially for nonprofits and mission-based organizations, that reputational risk is huge, because obviously certain organizations are very specialized, but there are a lot of mission organizations that have similar missions that do similar things. And say I’m donating the money I’ve worked for to this mission, this organization, that I feel very strongly about what they do, but they can’t confirm for me that the money I’m donating is going to the good cause and instead it’s going to bad actors, why would I continue giving to that when there’s an organization over here that can give me the assurance they can do that? And again, it’s unfortunate, because I do think incidents and breaches sometimes are a matter of when, not if [inaudible 00:21:47] but that’s the reality. A person just spending their money is going to be like, “Well, I gave you my money and you didn’t do anything good with it.” So I think the reputational risk, especially for mission-driven organizations, is huge.

Ken Tan:

And do you think that it’s better for an organization if they were impacted to address it head-on versus waiting and letting it simmer over? Because I’ve seen a lot of times where there’s organizations like, “Maybe this won’t boil over anything, we can just under the rug,” which essentially makes it worse, because essentially that’s a ferment, versus essentially as an organization, we’ve seen some that, and this is even the consulting side, it’s a lot of the reputational side of how can we approach this of just saying, “Look, this happened, but this is what we’re doing going forward to reestablish your trust and confidence in what we can do too.”

Allison Ward:

Absolutely, I think that’s 100% key. And what I usually see, especially with big organizations, lots of big organizations that everyone uses have had breaches, but the organizations that are criticized are the ones that have the poor response. The organizations that notify their constituents timely, put in the measures they need to do the investigation or are transparent with their customers and constituents, whatever it may be, they’re often seen as the victim versus a part of the problem, whereas the people that conceal things, they get criticism for the response capabilities. So I think 100%, obviously you’d have to work with law enforcement or insurance and legal, all that kind of stuff, to guide you. But I do think organizations that tend to be a little bit more upfront, transparent, attack it head-on, like you said, end up faring better in the long run.

Chris Purnell:

That’s a really good word, transparency and accountability and just saying, “Here’s what happened, here are the steps that we’re taking, here’s how we’re hoping to make it right with you, the consumer and/or the donor.” That’s really sound.

Allison Ward:

Because it happens to everyone, and so again, you don’t want to be seen as part of the problem. We are the victim.

Chris Purnell:

Yeah, yeah. We were studying the Chernobyl disaster with our kids, that’s the kind of stuff that we talk about. It’s like a case study for decision-making and leadership, or in this case, lack thereof, where they had hours and hours and hours where they were just trying to keep it contained, keep it contained, keep contained, and it was not contained until the point where they just could not avoid it anymore and it leaked out to the, metaphorically and literally, out to the surrounding parts of the countryside. And by that point, it was a full-on meltdown and there was nothing that they could do. So absolutely, making sure that you’re staying on top of it, staying in front of it as far as you can after it’s happened seems like it’s the best approach, absolutely.

Ken Tan:

Well, thinking about staying in front of it too, one of the things we’ve got to even think about is just even the environment, Allison, I’m sure. And that’s where part of it is you’ve talked about ransomware, you’ve talked about the business email compromises, if you don’t mind sharing a little bit, what are some of the big ones that you’ve been seeing or the heavy trends or the most common ones that I would say ministries and nonprofits should be aware of?

Allison Ward:

As far as types of attacks?

Ken Tan:

Yeah.

Allison Ward:

Yeah. So like I said, the BEC one, rampant. Social engineering too, never going away. The thing I think that’s interesting about social engineering is just how it continues to evolve. Phishing, never going away, but phishing’s getting more sophisticated. We’ve got tools like AI. I mean, Ken’s clearly going to always fall for the special [inaudible 00:25:12] but a lot of people won’t, and so bad actors know that, so they use these tools to craft much more sophisticated emails. And with these tools, you can do so much reconnaissance on people, you can learn their background, learn how the organization… They can be very targeted campaigns and attacks.

The other thing I think too is vishing, the voice phishing aspect of social engineering, huge uptick of that, even with our clients. Outside of our nonprofits, I work with a lot of financial institutions too, and we’ve had clients that have been significantly targeted, some that have lost money because their people didn’t follow procedures. And we do vishing type simulations with our clients, where we call and we’ll try to get information, and more often than not, we do.

Ken Tan:

You don’t call Allison, right, your colleagues do the calls, because you don’t want to pick up the cell phone, so you’re telling me that the-

Allison Ward:

Right, yeah, I haven’t tested it.

Ken Tan:

I was going to say, I think that voicemail I got from you, I’m guessing I should think twice about whether that’s coming from you, right?

Allison Ward:

Yeah [inaudible 00:26:08].

Chris Purnell:

AI, totally AI.

Ken Tan:

I can…

Allison Ward:

Yeah, go ahead.

Ken Tan:

I can tell y’all from… I’ll just say a friend of a friend that I know happens to be at a church that something happened very similarly, Allison, and I don’t know, I’m sure this isn’t a surprise for you, where this person received a text message that looked to have come from the pastor. And it was very innocent, essentially saying, let’s say, “Brother Chris, we have felt compelled as a church to go and open up this fund that’s going to be reaching out towards this particular mission group, and we have opened up this giving platform for you to donate these funds. Our goal is to hit this amount. Would love for you to prayerfully consider giving.” Nothing about urgency, nothing about that, but just essentially the alertness of it.

And the only reason why this church found out was because some of the congregants were just saying, “Hey, we were just wanting to double check,” which again, you want to give a lot of kudos to this church about that they had congregants that were asking. They reached out to say, “Hey, just want to make sure this was good, because we are about to give some towards this particular fund. Just want to make sure, one, it’s counted towards their giving and all.” But that’s where they realized what was happening was one of the church administrators received an email from what was supposed to be one of the pastors that was saying, “Hey, we want to consider opening up this fund. Would love to get all the information of our members in terms of their phone numbers and their email address so we can reach out to them.”

The senior pastor had to go send an announcement online, both Facebook, had to send emails and also an additional text message saying, “Please disregard this. This is actually not a legitimate link.” And that’s one of the things where they weren’t actually accessing all the data, it was just they actually pretended to be someone that the administrator trusted, and they gave that information without thinking about it, and that’s what happened there too.

I’ve seen another one, and actually, we had a couple of nonprofits that reached out about this who said, “Hey, we noticed that there are these small credit card transaction charges,” or not charges to them, but a gift to them for like a dollar or 79 cents or something like that. They were like, “Are we at risk of something?” I said, “What might be happening there,” because it is an interesting thing, “There’s a good chance that these hackers have gotten ahold of someone’s credit card, and to test it, they were going to test it on a legitimate organization,” like your nonprofit too. And that’s where you start seeing it sometimes, it’s not even the nonprofit that the hackers are targeting, but are sometimes using it as a platform to see if the credit card payments or anything they have is legitimate. So that’s one of the things I had seen also recently as well. I don’t know if you’ve seen that too, Allison?

Allison Ward:

I have. Especially when we do IT assessments, we would ask a little bit about the donations and controls to mitigate that. And some organizations had put in minimum giving amounts, they have reports they monitor for these type of micro-transactions to verify. So yeah, that’s definitely something we’ve seen.

And I think just talking, when you talk about the pastor too, he was the one used as a person of trust to get information or to get money and things like that, I just think about this all the time with churches, especially larger churches, during COVID too, posting sermons and things like that, there is so much information out there about church leaders, nonprofit leaders, the organization, that bad actors can use to gather information, and again, make their social engineering tactics more sophisticated, more targeted, better for people to fall victim to them. So I think that’s just a completely relevant point when we’re talking specifically about nonprofits.

Chris Purnell:

That’s great.

Ken Tan:

Well, I’d love to see… I know, Allison, you were actually sharing about some of those things about how people can easily be persuaded in terms of even just seeing… There’s the concept of seeing is believing sometimes, and nowadays, it’s so hard for us to even consider what we’re seeing is even true. It’s such a difficult balance of trying to be like, “Okay, what I see on the screen, is that real or not?” And I think you have a couple of things you want to share on that piece and I’m super excited to see some of that.

Chris Purnell:

A couple of examples?

Ken Tan:

Yeah, a couple of examples.

Allison Ward:

I teach several classes to some organizations here, and we always do a current cybersecurity class here in Louisiana. And last year was a bunch about AI, we talked about deepfakes and all of that, and one of my favorite deepfakes is Tom Cruise, just because he’s just a quirky, funny little guy, and so I always find the [inaudible 00:30:44] fakes of him just so… Captures his mannerisms and his quirkiness. So I’m going to share that real quick for y’all.

Speaker 4:

I’m going to show you some magic. It’s the real thing. I mean, it’s all the real thing.

Allison Ward:

And I’m a pretty gullible person. My parents love to tell the story, when I was younger, we went to the beach, and my dad convinced me there was these land sharks that would get a running start out of the water and slide up onto the beach, so I wouldn’t [inaudible 00:31:24] the water. So people like me will believe that. I mean, that to me looks very realistic. And what’s crazy to me to think about when you think about these AIs and what’s real and how the technology… This is the worst the technology is going to be, it is only going to get better, it is only going to get more sophisticated. And just thinking about what bad actors and us are going to have at our fingertips, it’s just wild to me to even fathom sometimes.

Ken Tan:

That leads me to ask a very genuine question to you both who I see on this screen, are you both real?

Allison Ward:

Maybe.

Ken Tan:

Maybe.

Chris Purnell:

I’m totally real, Ken.

Ken Tan:

Do I need to send you one of those CAPTCHA verifies? Because every time I do those, I always question myself as to whether or not, did I answer it correctly?

Chris Purnell:

Am I real?

Allison Ward:

[inaudible 00:32:08] fail.

Chris Purnell:

Existential, yeah.

Allison Ward:

It’s so interesting. Thinking about even on meetings, are these people real? There’s just this one other, this didn’t happen to someone I know, but this was in the news, there was a huge… I think they were a design-based or architecture type firm based in the UK, and this poor guy, lady, I don’t know if it was a guy or a girl, got an email about a secret transaction, which he was a little suspicious about, I would be suspicious, but seemed real enough. He joined this meeting and there were maybe 10 or 12 people, the CFO of the company were on it. And basically, they authorized this transaction. He initiated the funds for 25 million. Turns out he was the only person real on the meeting.

Ken Tan:

Wow.

Chris Purnell:

Wow.

Allison Ward:

And so, it’s easy to think, because again, I feel very real right now, y’all look very real to me. But there could be [inaudible 00:32:56] and we’re hopping on and y’all are fake.

Ken Tan:

That’s true. I mean, thankfully, I got to meet you all in person at least once, a couple of times a year.

Chris Purnell:

At some point.

Ken Tan:

So hopefully, you still look the same. And that’s why I was just saying, my hope is I can believe this. And that’s where part of us, especially nowadays, you start thinking about just all the technology that’s there, it’s so easy, whether it’s a social media, whether it’s just on videos, how easily some of these videos can look just like it’s real. And then, suddenly, there’s only a small difference that’s really keeping us from being able to see, “Okay, that’s actually an AI video.”

And you start seeing that, well, what happens then for pastors who do have so much content online, all the hours of videos that have all their body expressions, their videos, the way they have their accents, some of the voices, that if they get a voicemail, how do people respond? Is that actually true? Because now, you start thinking about… What’s the concern about that with a pastor? Well, what happens if that is an actual AI-generated one of a pastor, who happens to have a stance on certain things, and now the person is impersonating as if there’s a completely different stance that they have and they’re sharing all that. Well, that’s actually reflecting the pastor, not just the AI piece, but they’re easily starting to sway people’s opinions with that too.

Allison Ward:

Yeah. And absolutely too, even thinking about Christian organizations and organizations with a mission, hacktivism is a real thing, people targeting organizations because they disagree with their mission. We see this all the time. And so, I think that’s something very relevant, that if they’re being targeted, who’s to say they’re not going to generate something that’s against the mission of the organization that looks like it’s coming from the leader?

Ken Tan:

Sure. Well, don’t you have… I remember, and I don’t know if you have it right now, Allison, but I think isn’t there a website that says, “This is not a real person”? I don’t know if you want to share your screen on that while talking about that. I remember, I think it was in one of your presentations you had that it, it was like, “This is not a real person.” Every time it flips, it looks just like a real person that I would see walking down the street. If I’m at a conference, I’d be like, “Oh, that looks like just someone I shook hands with.” And that’s one of the things where you’re just like, “Wow, it’s really getting more sophisticated.”

Chris Purnell:

Yeah, yeah.

Allison Ward:

It’s This Person Does Not Exist, and they have some… Because there were tons of scams around fake rentals and apartments and things like that, and so I think there was a This Apartment Does Not Exist or This Listing Doesn’t Exist. And you just, again, like you said, you flip and it’s a new one, and they look so realistic, so real. Yeah, it’s just crazy to think what’s out there.

Chris Purnell:

Well, and to that point, so for people of a certain age, where maybe we haven’t been steeped in AI-generated images or AI-generated voiceovers and that sort of thing for a long time, it can seem like this is super real. So how are some ways we can determine whether this is the genuine article, this is a real human that I’m talking to, this is a real human video that I’m watching? Are there some tells that we can look at? I get it, it’s a constantly evolving product, so it’s going to change.

I was showing our kids the video of Will Smith eating spaghetti circa like three years ago, bananas, absolutely bananas. All the way up to just a couple of months ago, where it’s Will Smith eating spaghetti and it looks like it’s photorealistic, the sounds make sense. He’s even doing the “haha” as he eats the spaghetti, it’s great. So what are some things we can look for? Is it just exposure therapy, where you watch enough of it that you can see what’s the AI tells? What do you think?

Allison Ward:

Well, you’re asking the wrong person, because remember, I believed [inaudible 00:36:30] yeah, it’s hard, it really is hard. And when you think about certain things and see it, I always will Google, and if I can find some other reputable sources, the same thing. I think sometimes, some of the giveaways you see when you’re watching videos, there’s usually a lot with motion with hands and things like that. In another video with Tom Cruise, he looks really realistic upfront, he’s talking about playing golf, and then he backs up and you can see that his mouth then starts to look different and things like that. So there’s always going to be little things like that at this point that can be the giveaway and maybe give you an indication that something is off. But again, this is the worst it’s going to be.

It’s even interesting to think about how we authenticate to systems. Authentication to systems and verification of identity is such a huge part of what we do when assessing clients and the preparedness from the cyber perspective, and even talking about how we authenticate and how that will change with the increase of AI and voice verification and retinal images and things like that, anything can be generated. So it’s just going to be really interesting, I think, over the next five, 10, 15 years, to see how all of this evolves, because it’s very difficult right now.

Ken Tan:

Sure. I think I see a lot more biometric type conversations about… Even probably most of the accounts nowadays always ask, “Would you like to just go with the biometric face ID?” And it’s making you move your face to the left, move your face to the right, move your face up and down, because I guess it’s trying to get the depth of it to make sure it looks like a legitimate person, because I guess even…

Allison Ward:

A lot of the tools, they can tell if there’s blood flowing behind the skin. Right now, if we have AI images, if it’s fake, the reflection in both eyes is not the same, because it uses a lot of images to create one, and so it’ll check to see if I’m reflecting back the same image. There’s a lot of different things they can do with those. But then you’re thinking that data’s stored somewhere, so what happens with all of my biometric data? The brain could explode thinking about it.

Ken Tan:

Yeah, easily. And that’s where even everything has to be questioned, because I was just highlighting just real quick about the voicemail side, and I think you even have ways that your own voice could easily be mimicked. I’d love to hear about some of the things that you have to share on that piece.

Allison Ward:

Yeah. I have one right here that I just pulled up, just for reference. Let’s see, where did I put it? In this class we teach, that was another thing, I just used one of these tools to basically clone my voice, it listened to my voice, and then I typed in something and it generated a paragraph, and I thought it sounded really realistic. I thought it caught some of my mannerisms and how I speak and my inflection and things like that. So I’ll play this real quick. And again, this is me, I’m not a bad guy [inaudible 00:39:26] but this is me at the very bottom of the barrel trying to play hacker, but you can kind of hear…

Speaker 5:

Hey there, Katie. It’s Allison with IT. Sorry in advance for being so rushed and panicky, but I’m noticing some really weird activity on your computer, and I don’t want to scare you, but I think your computer may have been compromised.

Chris Purnell:

Wow.

Speaker 5:

I need you to-

Allison Ward:

And we were basically doing it as a voicemail, and then it asked, “Text me your password to this number so I can do X, Y, Z.” And again, on these tools, what I was playing with, you can speed it up, you can make it more casual, you can change certain things about the way it’s displayed.

And going back to even just the tools that are available to hackers, I think about if I was implementing certain things like this or AI, I’d have to go through a process of vetting it. I’d have to ask where my data is stored, ask is it secured, if we’re a heavily regulated industry in some manner. It’s not like you can just implement things. Bad actors don’t have that. So we may have these tools, they have all these tools over here that they can just test and run with. So I feel like from that standpoint, voice cloning, they’re going to be miles ahead of us. It’s really scary.

And I heard someone, I’m deviating now, but I heard someone say one time in a presentation, “We’re going to have to fight AI with AI.” And I think that’s probably it, because we’re not going to be able to identify deepfakes, we’re not going to be able to identify voice cloning and things like that, so we’re going to have to have tools that can help us fight bad actors that launch attacks through this technology.

Chris Purnell:

Yeah, yeah. Allison, as we’re talking about technology and the way that technological innovations can lead to increased risk and that sort of thing, can you tell us a little bit more about how our transition to a largely remote work environment changes things from a cybersecurity perspective? Is it still kind of the same as far as the difference between being in a physical location, like an office and that sort of thing, versus people mostly being in their homes, or are there special considerations that organizations should keep in mind?

Allison Ward:

Yeah, definitely. So it’s interesting, because I think a risk is a risk no matter what. Unauthorized access is a risk whether you’re onsite or you’re at home in your office location, and how we mitigate that risk is what evolves. And I think the thing I usually see challenges with when people move to a more remote environment is they lose that visibility. So if they have a fully internal network, everything’s there, someone’s having an issue with a computer, they can walk over and touch it, or they can quickly remote into it and see what’s going on. And I think the decentralization of implementing remote work or hybrid workforces or external connections with vendors is that lack of visibility.

And so, people are having to shift the technology they have, the controls, so that they can see into endpoints regardless of where they are. And I do think that is where a lot of organizations are going, they’re looking for tools and technologies that can manage and treat every endpoint the same regardless of where it’s located. Essentially, even if they’re at an office location, it’s like that office of the public internet, it’s like that person’s accessing it from home. And so, that’s a real trend I’m seeing with organizations, shifting to that trust no one, verify always methodology.

Ken Tan:

Yeah. And it’s one of the things that’s interesting there, because as I travel a good bit… And that’s probably going to be a tenet of some of our episodes is where’s Ken this time around?

Chris Purnell:

That’s right.

Ken Tan:

This is where part of this, when I interact with folks, I’ve noticed, and we talk about AI a lot, we talk about how that’s even becoming a bigger thing, that even in churches and ministries, there’s actual sermons being built by AI. You still have to be careful because of the hallucinations that come in terms of what is true even coming out of that. And I ask them, “What does that do for the congregation? What does that do for people that are interacting there?” And don’t check this into the bank yet and cash it yet, but I think one of the things that’s going to be a response is over time, I think people are going to be craving more of an in-person interaction as opposed to just virtual.

I know ever since COVID, we’ve gotten very comfortable… I mean, think about this right now. We’re all in three separate locations around the US right now talking, having a great conversation over the use of technology. But because of the questioning of what is real, what can we actually do to feel that comfort that we actually can genuinely see that? We’re probably going to see congregations wanting to have more of an in-person interaction in the future. It may not happen overnight, but because of all these unknowns about AI and what it’s doing in technology and what we see on the screen, I think a lot of times, our own human instincts, and this is just from the conversations I’ve had with some other folks at these conferences, there’s going to be a shift and a desire for a lot of congregants to shift from being an online viewing, even for sermons, to go more in-person, even in services and worships and all. And that’s one of the things I’ll be interested to see what may happen in the future too.

Allison Ward:

How it shifts, yeah. No, I totally get that. Again, as a very introverted person, I don’t leave my house. But I remember going to a client recently and they put me in an office, I worked there and I had people walking in and out, I was like, “This is kind of fun. I have a real life [inaudible 00:44:36] in front of me.” And so, yeah, I totally see that trend. I mean, I think we went so far with the remote aspect after COVID that… And we see this with a lot of trends, you go so hard one way, it ends up circling back, and then everyone’s going to be in office again until we find that right balance of remote/in-person.

Chris Purnell:

That’s right.

Ken Tan:

Yeah. Well, Allison, I know we talked about some of the ways to safeguard ourselves in terms of an organization, I was curious, what are some of the things that if you just had to, in terms of even just landing the plane in terms of this conversation… Because for all the ministries and nonprofits we serve, we serve some really large international nonprofits, mission organizations, but we also serve the local church and the local ministry as well, so again, budgets can vary. And so, there are just some things, I’m just curious, just from a practical perspective, that doesn’t even have to require thousands of dollars of investment, what are some of the things you feel like could just be helpful just to raise awareness as to what even ministry leaders and their team can consider, just to help protect or even just reduce the risk of some of the issues in cybersecurity?

Allison Ward:

Yeah. I mean, honestly, if I had to tell an organization to do anything, I think it’s the culture of security, security awareness training, regular reminders, finding the way to reach your user base in the way that makes sense for you and them, because everyone operates differently. Some people need face-to-face interactions, some people are good with online training. But I think that awareness, that culture security, is so key, because again, you could put all these fancy controls in place, but you get that one person who’s in a rush, you get the one person who’s not paying attention, that clicks a bad link and basically jeopardizes everything.

And I think for a lot of organizations, sometimes they hear training and they feel like that’s so daunting, but there’s so many resources out there. Some of the ones, even just subscribing to newsletters, like SANS has an OUCH! newsletter that has a lot of good reminders. KnowBe4 is a very well-known training platform, a lot of our clients use it for cybersecurity awareness training, but they have great newsletters too, especially around social engineering, because that’s what they focus on. And we have clients, when there’s a new event in the world, they’ll say, “Hey, be on the lookout for scams like this,” they’ll give you a heads-up, and you can pass that information on to your team. So I think things like that, a great starting point to just, again, increase the awareness, help people realize cybersecurity is not an IT problem, it’s a business problem, it’s an organization, it’s a church problem, it’s our issue, and we’re all part of that control framework.

Ken Tan:

I like the way you put that. Pretty much we cannot live under a rock, because even that rock could be AI-generated now. I’m just kidding. Yeah, nature doesn’t tell.

Chris Purnell:

A simulation.

Ken Tan:

It is all a simulation. It’s going into the Matrix, Chris. Maybe another episode, right?

Chris Purnell:

Totally, totally. Well, and Allison, you bringing up culture, this is something that Ken and I talked about in a prior episode, this idea that so much hinges on a culture where, from the top, the leader is also engaged in making sure that people know about cybersecurity threats, because things can happen for all kinds of different reasons. People are in a rush, they’ve got too much on their plate, or they’re just trying to do a good job, or maybe they’re new at their job and they want to please their boss, whatever it is, all of these different entry points can lead to cybersecurity devastation, so that’s a really good word.

Ken Tan:

Well, thank you again, Allison, for hanging out with us on this. Again, we’re so grateful you’re a colleague of ours too, and this is where part of it has been just the fact that you have been able to be a resource for our ministries and our nonprofits and organizations across the country. It’s one of those things that I know that even in times like this, it’s just so helpful just to hear about some of the things in terms of awareness of it’s not all doom and gloom because of what’s happening from technology, technology can be used for good, but then the encouragement that there are ways for us just to protect our own organizations too. So appreciate you and everything you have been doing for us too as well in serving those whose outcomes are measured in lives changed too.

Chris Purnell:

Thank you.

Allison Ward:

It was fun.

Ken Tan:

Absolutely.

Chris Purnell:

This is not a CPA firm. Assurance, attest and audit services provided by Capin Crouse, LLC. Carr, Riggs and Ingram and CRI are the brand names under which Carr, Riggs and Ingram, LLC, CRI Advisors, LLC, and CapinCrouse, LLC, and CRI CapinCrouse Advisors, LLC provide professional services. CRI CPA, CapinCrouse CPA, CRI Advisors, CapinCrouse Advisors, Carr, Riggs and Ingram Capital, LLC, and their respective subsidiaries operate as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations, and professional standards. CRI CPA and CapinCrouse CPA are licensed independent certified public accounting firms that separately provide attest services, as well as additional ancillary services to their clients. CRI CPA and CapinCrouse CPA are independently owned CPA firms that provide attestation services separate from one another.

CRI Advisors and CapinCrouse Advisors provide tax and business consulting services to its clients. CRI Advisors and its subsidiaries, including CapinCrouse Advisors, are not licensed CPA firms and will not provide any attest services. The entities falling under the Carr, Riggs and Ingram or CRI brand are independently owned, and are not responsible or liable for the services and/or products provided, or engaged to be provided by any other entity under the Carr, Riggs and Ingram or CRI brand. Our use of the term CRI, we, are, us, and terms of similar import, denote the alternative practice structure conducted by CRI CPA, CapinCrouse CPA, CapinCrouse Advisors, and CRI Advisors as appropriate.
