Cybercriminals have turned their attention from large corporations and started to go after small and medium-sized businesses, especially ones here in Maine. Discover the newest scams and attacks that are impacting businesses like yours and how you can protect yourself.
Rich: My guest today is a former software developer and tech business owner who moved to Maine in 2006. He’s worked on PC games that received a second life on the Android market with several million downloads. He now works with other small businesses through the Maine SBDC at Northern Maine Development Commission. In his spare time, he works with revitalization for the city of Presque Isle, transcribes old school video game medleys into guitar, and probably knows where to find the best poutine in Maine.
Today we’re going to be learning how to protect your business from cyber threats with Brandon McDonald. Brandon, welcome to the podcast.
Brandon: Thanks, Rich. I appreciate you having me, sir.
Rich: So many important questions about cybersecurity, but my video game nerd wants to know, what were some of the games you’ve worked on?
Brandon: Yeah. So there was a not very well known unless you’re younger, but it was called Growl Online. It was a PC game that was eventually ported to Android. It’s received a bunch of iterations. People will turn it into a Grand Theft Auto-esque online game. Really fun, very heavily inspired by Legend of Zelda from the Super Nintendo days. So a really, really inspirational game to me.
Rich: Awesome. And secondly, what’s the best video game theme song that you’ve transcribed onto guitar. And can we find you playing it on YouTube somewhere?
Brandon: Yeah. So I haven’t moved to YouTube yet. I have a SoundCloud, but I keep it very private. And my favorite song is from Super Mario World 2, it’s called the ‘athletic theme.’ It’s just this really fun little jig from Super Mario World 2: Yoshi’s Island. Just a fun little chick.
Rich: Alright. Okay. Nerd satiated. Let’s move on to cyber threats and cybersecurity. We’ve all heard about hacks on big companies, Verizon, Yahoo, even Hannaford. Do small and medium sized businesses really need to worry? Like, aren’t we beneath the view of these hackers?
Brandon: No. In fact, as these bigger companies start catching on to the threats that are around them, if anything it makes a smaller company a bigger target. These large companies, they’re starting to contract with their own cybersecurity departments, larger firms that are able to neutralize threats.
And so if I was trying to target someone for ransomware, all of a sudden going for a big company is not worth my time. I’m going to be picking on the smaller organizations. And in some cases in Northern Maine, we’re even seeing municipalities. And when you really got the cojones to do it, you’re even targeting police departments. So it can be really wide span on where these guys are.
Rich: All right. So even though small, medium sized businesses may be smaller pickings, they are actually easier pickings right now.
Brandon: Yeah. Yeah. If you’re going to go for anyone right now, you’re going to go for those who don’t have the armor, the protection that a large company has.
So if I’m going to target anyone, I’m going to go to a small business that may be turning into a chain, and there’s a vulnerability somewhere in that chain. We like to think of a small business that has these openings, these pockets, and I’m able to work my way in through maybe a small vulnerability in the Wi-Fi, for all I know, and work my way up. And they’re not thinking about that. And understandably, a small business owner has way too much on their plate to worry about should I be worried about my Wi-Fi?
Rich: Right, right. Now I know you work with a wide variety of businesses through SBDC. So what are some of the biggest threats that you’re seeing these days?
Brandon: Yeah. So the biggest one I see is the Google My Business scam. And it’s where a company, typically a foreign call center, will end up calling businesses and soliciting them for their Google My Business information. They’ll say that their listing is outdated, they have to pay to fix it. Or their listing is wrong, and they’ve got to pay to fix it.
In some of the most elaborate versions of the scam, a scammer will actually go and report to Google that the business is closed down. They’ll have Google report it as shut down, and then they’ll call the business and say, “Hey, by our records, you’re shut down. You have to pay us X number of dollars to get back up.” When in reality, you don’t need to go through that company to do anything like that. That’s almost, I don’t want to say a harmless scam, it’s very harmful to have that SEO against you, but it’s an easy fix. It’s one of those things that, it’s not nearly as detrimental as a ransomware attack or something like that. But it’s just painful enough to really take a couple hours out of someone’s day to go sit on hold with Google, figure out their Google My Business information, figure out where all that stuff’s at.
Rich: Right. And if you’ve never really dealt with Google My Business, you may have no idea that you are in complete control of that. But again, that does feel like a small thing. They’re probably not extorting you for $10,000, $20,000, $30,000. It’s done. It’s definitely a pain, but it’s not the end of your business. But we’ve definitely seen ones that can lead to the end of a business.
So any other threats that you’re seeing emerge these days, or that are just common right now that people should be aware of?
Brandon: So there’s one that actually is becoming a lot more serious as time goes on. And it actually impacted a business that made national coverage. A coastal Maine business was impacted by, they call it the ‘fake bank spoof’. And what happens is somebody who doesn’t have a lot of tracking cookies on their computer, if you’re logging into online banking for the first time, which is very common with a business owner or maybe changing banks, or someone who’s using online banking for the first time in their business. You’ll look up a business, you’ll say I want to look up Machias Savings Bank and I’ll look them up. And if I don’t click the first thing on the list, I might go down one or two or three results. And depending how SEO (search engine optimization) will push them up, I could click a fake bank website, it could be a spoof, it could be a perfect spoof. And I’ll sign in, it’ll ask me for my log-in credentials, I’ll give it to them. The spoof won’t know otherwise. So what I like to tell anyone is when you’re thinking that you’re dealing with a bank spoof, put in the wrong password on purpose once. Know that you’re putting it incorrectly once. If it lets you go forward, it’s a fake bank. It’s a spoof website. Because a spoof can’t tell whether it’s your correct or wrong password. All it really is, is a submission form.
Rich: That’s a great tip, by the way.
Brandon: Yeah, I love that one. And so you’ll go to your submission in your next step on this. You’ll give them your information. You might give them a two-factor authentication code, which maybe we’ll talk about a little bit later on how that security would protect you. And so you’re going to give the hacker your username, your password, your two-factor authentication, maybe your birth date, something. And you’re going to feel the whole time that, oh, everything’s fine. And you’re going to a) get to the end and either it’s going to bring you back to the main page or the real bank page after you submit. And you’re like, “What happened? Oh, I’ll just put my information in again.” Or b) one of the newest ones is it’ll say, “Oh, I’m sorry. The portal is down for maintenance.” And they’ll have an elaborate scheme where someone actually calls you and says, “Hey, hold off for 8 to 24 hours where we’re down for maintenance.” And in that time period, you’re not going to check your bank account. You’re totally unaware of the fact that they’re going through and taking as much money as they can up to the deposit maximum or the withdrawal maximum of that bank. And that you really have no recourse until that time’s over. And hopefully your bank is able to rectify the situation with you. But business banking has different protections than consumer banking, so it’s really up to the bank’s own internal policies to rectify that.
Rich: Very, very challenging these days. So what can we do to shore up our defenses?
Brandon: Yeah. So I think the easiest and cheapest method is setting up some kind of multi-factor authentication, and it’s not foolproof. Nothing’s foolproof in cybersecurity. I like to think of it as any kind of home protection you can get, whether it’s cameras, locks, those big door jambs you’ll put in there. If someone really wants to get into your home, they’re going to find that one window with the wiggly lock and they’re going to pry over it. They’re going to figure out a way to get in. But the better you can set yourself, the more you’re going to frustrate someone who comes in and they say, I’m looking for the easiest target, I don’t want to put in more than a couple hours of work.
If you can protect yourself with something as simple as multi-factor authentication. So I may know your email, I may know your password, but I don’t know the code that is on your phone. Or a USB drive, a physical thing that you have that you can plug into your computer or something to show that, it’s this physical thing that you have that’s hard for me to get a hold of.
Rich: For people who don’t really understand what we’re talking about right now, you may have experienced this already. You log into an account online, and it says, ‘we’re going to ping your cell phone with a four or six digit number. We need you to enter that right now’. And that little level of irritation for you is a huge hindrance for somebody who’s trying to scam you out of all your money.
Brandon: Yeah. For many of us who use – and I was guilty of it up there about 10 years ago – if you used the same password on more than one website, your password is hanging around somewhere. LinkedIn had a massive breach. Yahoo had an insurmountable breach. So if you in the past 20 years had your password on Yahoo used on your bank, it’s out there somewhere.
And because your bank will ask you that question like, ‘where did you go to school’, or your kid’s birthdate, your mother’s maiden name, when they ask you that when you log into your online banking, you’re like, “Oh, not this again”, realize that really is a little bit of safer protection for you.
But again, going beyond that. If you can get into that special code, that one-time use code, that’s even more protection. That’s probably the best free – for the most part, it’s normally a free option – for most email servers, almost all banking will offer it. Most banks are now forcing it at this point, which again for some people seems like a hindrance, but it really does safeguard some of your money from someone who already has your password hanging out somewhere. Especially if you are one of those people who didn’t change your password up after you realized it was in a breach.
Rich: Yeah. And I know that some banks will actually give you a physical, digital fob that changes numbers all the time. So you put in your regular password, plus whatever is showing on the fob at that point, which changes depending on the font, it could be every minute, whatever it is. And so not only do you need to know username and password, but you have to have one of those fobs. And again, even that’s not foolproof, but it greatly increases the chances that someone won’t be able to break in.
And to your point, just envisioning somebody looking to break into a car really easily walking down the street and seeing a LoJack or one of those old-fashioned bars that people used back when I was learning how to drive, they just skip those cars because they’re not worth it. So then they just keep on moving on to that guy who forgot to lock his door and suddenly there’s a break-in.
So more businesses are taking, or considering taking new forms of payment, including cryptocurrency, Venmo, and others. Are these more or less secure, and what measures should we consider to stay safe here?
Brandon: Yeah. So I go back to the early days of eBay. And when you were paying via PayPal, the PayPal address had to match the shipping address. And that should still stay the same to this day. So if you’re Venmo’ing someone, the address that, whatever appears on their end, should match anything that you’re shipping to. Crypto is its own can of worms opening up. Is it safe? Is it safe for the holder? Relatively. It’s about the same as cash. If you drop it on the ground, some people put their passwords to their Bitcoin wallet right on the wallet. If you’re going to keep your passwords to any kind of computer metric, a wallet, anything like that, common knowledge – don’t put it on your desktop in a text file and not lock your computer up. As long as you’re smart with the password, as long as you can keep it either in your brain or somewhere where no one else is gonna find it, it’s safe. Is it safe for the business in a transaction? As long as it goes from wallet to wallet, sure.
And at this point PayPal is starting to bring in their own Bitcoin transactions. So I can go on PayPal and I can send my wife .005 Bitcoins is what I can afford at this point. But you know, there’s different currencies that they can send via PayPal. And maybe that’s the safest way to do it. If you’re new to this, you don’t want to carry a wallet. Because when I say ‘wallet’, it’s really like this little computer that holds your digital currency. So if you don’t want to go that route, that link, then I’d say move to a medium that already offers some kind of cryptocurrency exchange through it that you can use. And that alleviates a lot of that issue.
Rich: And I’m no expert on this, but it feels to me that if you’re like swimming and you have no idea about cryptocurrency or anything, maybe that is not the best method for you to be accepting payment in and use the methods that make sense to you. And if you find yourself in an industry where you have to, then you should be bringing in an expert who understands these and the security risks that come with any form of digital payments.
Brandon: Yeah, I agree. Really, if you’re going to be accepting any kind of Bitcoin, it’s almost like you’re not accepting cash at that point. You’re accepting stock because Bitcoin is really this volatile currency that’s going up and down. All you have to do is check out a chart to figure out how much that can balloon out of control. So unless you as a business are comfortable taking that, I’d say stay out of Bitcoin altogether, any kind of cryptocurrency just until you’re comfortable taking that risk. A large business can take that risk because they’re okay having those holdings of currency, and that’s great. And it’s awesome to see it being widely accepted. It’s just as a small business, if you have that reliance on cash and knowing exactly what you’re going to get from a sale, stay out of it completely.
Rich: It seems like a lot of scams we hear about in the news have some sort of human component to it. Like there’s some way that they phished the information out of us or our employees. So what type of training do you recommend we do with our staff?
Brandon: Yeah. So I think the number one, and that’s a great question, because the number one thing I would teach them is to be observant. You’ll increasingly see your local bank will call you and my bank they’ll call me, I’ll know the person on the other end of the line because I bank local, I bank small. And if you bank local and small, you’re going to probably recognize someone on the other end of the line. If your local small bank calls you and the first dead giveaway is broken English, maybe step back a minute and say, okay, I’m going to give you a call. Call the number on the back of your card. If you’re going to a website, look at the top link.
Really the main thing that we should be ironing into employees is to look at either the email, and so we haven’t even delved into that one. Our employees are going to be receiving emails all the time. Really it’s more of an annoyance than anything else, but there’s an Office 365 phishing scam that goes around, and hopefully you don’t keep anything important in your email regarding tax documents, any kind of stuff like that. But if you fall for this, really all it is, is they say, oh, there’s a PDF you need to open and click this attachment. It’ll bring you to a fake spoof Office 365. Easiest way to not fall victim to a scam like that: you’ll go to the “from” and click it, and the hope is if no one else in your office has been targeted by that scam, it’s going to be an obviously fake email. Maybe there’ll be email@example.com, office firstname.lastname@example.org. It’s not going to be email@example.com.
So really that’s the first thing is being vigilant, observant to those actual addresses. Whether it’s the word. If you’re going to Google, it’s got to be www.google.com or thebusiness.com, whatever business you’re at. The second that you start going .freewebs.com/, you know, you’re going into some kind of rough territory at that point. At that point, you really should be observant of what you’re doing. And again, my favorite thing to do whenever you’re in doubt of putting something into a form, put the wrong password in. If it accepts it, you’re in the wrong place.
Rich: Right. And it’s interesting because every week I get an email from bill.com, which is a service we use to pay our vendors more quickly. And every week I just go and I type in bill.com, because I know that even though I trust this email, there’s always a chance that someone’s going to just randomly send me a spoof of bill.com, and I click on it and suddenly I’m giving out all my password information. So obviously that’s another thing we can do.
In fact, I’m with you. I always check the URL that I’m at. I got something that I was not expecting, it was a Rockler gift card from “Lisa”. And I’m like, okay, I’ve never done any business with Rockler. I clicked on the link, which maybe I shouldn’t even have done. I go to a website that’s not right, and it’s like a gift card site. But then again, I don’t know what gift card sites there are. So I spent some time, and I went back and I’m like, which of the Lisas in my life would have sent me this gift. So finally I figured out who it might be, reached out to her. She’s like, yeah. I said, okay, well, it didn’t include your last name and I did know. So, but she’s like, yeah, no, it’s legitimate. So, I will be going to Rockler soon. But anyways, these are the kinds of steps that you and your staff should be taking, because there are so many scams out there, even if it takes you a few extra minutes. It’s really worth it.
Brandon: Yeah. That’s, that’s the number one. When we start talking about cybersecurity policy, a very small business if I’ve got one or two employees, drafting an entire policy and is great. I would if I was sitting down, and I managed something like that. But the average business owner has so much on their plate, especially a very small business.
The number one thing is just being vigilant, observant, checking that link. Which unfortunately, now that we’re doing more of our business on mobile, it’s a lot more difficult. So whenever it involves logging into an online bank, unless you know you’re using the correct app. Which again, I’m opening all these cans of worms. If you’re using the wrong app, if you’re using the wrong website, there’s spoof apps. Use the Play store, the App store, make sure that you’re looking at something that’s been vetted, a lot of user reviews. When there’s a lot of reviews, typically you’re getting the correct thing. The Play store has been cracking down on fake apps, the App store already had some great protections in place.
And there’s this opportunity now for some people, not even after you use their passwords, you’ll have your fingerprint authentication. Depending on what side of the cybersecurity platform you’re on. Maybe it’s okay. Maybe it’s not okay. But I offer that. And that way I don’t have to enter my password into things where I’ve already logged in. It’s a good opportunity to teach your employees, hey, I want to stay away from a full-on policy. I just want to teach you: don’t open up emails from people you don’t recognize. Definitely don’t click on any links, especially an HTML link or a direct website link posing as a PDF. Those are 9 times out of 10 fake, and the only times they’re not is when it’s something like a DocuSign.
Rich: So a lot of companies have either work from home policies, hybrid policy, something like that. When people are working from home, is that more challenging when it comes to cybersecurity? Are there different things that we should be on the lookout?
Brandon: Yeah, so you’re going to have everyone on their own network. And the challenge from working from home is, so in an apartment setting, I know I’ve had neighbors who did it, will share Wi-Fi with each other sometimes. And when you’re doing something like that, you hope that your neighbors are good people and they’re not trying to actively phish your data. There’s an opportunity for that to happen in a large apartment complex. If you’re using a shared Wi-Fi in a larger complex, there’s a chance that the guy downstairs could be doing something a little bit more nefarious. There’s a chance that if I’m going to be working from home, maybe I’m using my personal computer. And if I’m using my personal computer, there’s a chance that I was, maybe, naughty, I picked up a PDF file I shouldn’t have, and now I’ve got something on my desktop that I can’t get rid of. And if I’m opening up sensitive data, tax documents, I’m working with anything that has someone’s sensitive data, then I’m putting my company in a sticky situation.
And it’s a good idea for a business, if you’re going to institute a work from home policy, maybe do a quick check. And I know it’s hard with COVID. But maybe it’s a good idea to send whoever you have as an IT provider up and just have them do a quick sweep of the computer. Something as simple as a virus scan, followed by making sure there’s okay antivirus, maybe a good firewall, and even better a VPN provided by the company, a virtual private network. And something like that could help alleviate their concerns while also allowing the individual that flexibility from working from home. Because it’s going to, at this point, it seems inevitable that work from home is going to be almost a benefit in the next couple of months.
Rich: VPN, can you just give us a quick breakdown of what we should know and what we should consider if we’re thinking about rolling out VPN to our remote employees?
Brandon: Yeah, so I like to look at the VPN as like a stunt double, a body double for you. So a VPN is going to spoof your connection as coming in from somewhere else. And it used to be connected with more nefarious things, but it’s not anymore. Really a VPN could be utilized by all of us. And really all it does is just tells the host of a website or the individual looking to access our data, that we are not who we claim we are. And that’s fine. Sometimes you don’t want that website knowing your location, or your data, or your tracking habits. There’s the ability for a business to use a VPN to protect their business holdings. It’s just a great opportunity for them to spoof their connection. That’s really what it is. It’s spoofing a connection. That’s making it seem like you’re coming in from somewhere you’re not. And it just hides your data to the point where if I was looking to do something negative with it, it’d be very difficult for me to do it without again, installing something on your computer. Which web platforms like Google have made a lot more difficult to pick up something like that on Chrome, just because they’ve made those safeguards. So it’s hard to pick something up without willfully clicking, downloading, putting it on your computer. And the VPN just really stops you at that point. Unknowingly, you won’t know, it stops the connection from tapping into you as the individual.
Rich: Okay. So it’s a piece of software or a service or something physical that we connect to the computer?
Brandon: Yeah, so you can have, it can be a portion of all three. So there’s yearly subscriptions, there’s lifetime subscriptions. And for some people it’s built right into maybe a router or something that they’re already using.
I’m not gonna plug any VPN today, but I would say find one that’s reviewed very well. Most of them operate on a similar kind of architecture, at least on the software side, and really what it is is it’s just connecting in through a server and that server is going to bring the traffic back to you. So finding a VPN with a good, reliable server. I guess reliability would be what it is.
Rich: It’s an extra level of protection, an extra level of encryption for most people working from home. Awesome.
We may have already touched on it, but what would you say the biggest mistake businesses in Maine are making right now when it comes to cybersecurity? If they could only walk away after listening to this episode and do one thing better, what would that be in your mind?
Brandon: Don’t be afraid to hang up the phone, to close the email, to exit out of any kind of conversation and call whoever they’re claiming to be directly. It’s not rude. You can excuse yourself just by simply saying, it could be something as simple as, “I’ll give you a call later.” Or you could be blunt: “I would like to confirm that this is who they say they are.” Hang up the phone. Turn your card around, your credit card, around. Go look at your bank statement, go to your bank directly. Work with Google directly. Do not take an unsolicited phone call, especially when anything feels fishy about it. Giving out that data over the phone. And this seems like something that we’ve gone beyond, but it’s really not, and we have people falling victim to it daily. So really, if you have any chance of smelling something that’s off, end the conversation, call them directly.
Rich: Awesome. Brandon, we always like to finish up with this question we ask all the experts we bring on the show. What one thing would you change if you could to improve the business ecosystem here in Maine?
Brandon: That’s a good one. So one of the things that, and I believe that we’ve been doing a lot more effectively, but I want to continue seeing us go down that road. I’d like to see a lot more input from the businesses at the legislative level. It’s great to see the input that’s going in now. And I want to see that continuing. We’ve had an administration that’s been very welcoming to that input and I’d love to see that continue down the. Businesses feel like they’re being heard, and no matter what kind of situation is, whether it’s something as small as cybersecurity or something as large as a legislative input on a bill. So I love to see that action continue in the future. And I, again, I applaud what’s been going on so far.
Rich: That’s great. And for anybody that’s wondering, well, how do I do that? We actually interviewed the Honorable Amy Volk a few months ago, you can go find that episode. We’ll link to it in the show notes as well. And she will literally walk you through all your best opportunities for getting your thumbprint on upcoming legislation.
Brandon, this has been great, very informative. Where can we find you online?
Brandon: Yeah. You can find me at mainespdc.org. So mainesbdc.org. We do business advising, where we’re a jack of all trades, although we have certain special specialists on tap. We work with a lot of amazing partners through the state. We’ve got a lot of SBA resource partners, whether it’s VBOC, the Veteran’s Business Outreach Center. We’ve got SCORE mentors that we work with. We’ve just got a host of resources we love working with, we work together very well with them. We’re always happy to reach across the aisle and get businesses the assistance they need. And the best part of all. We’re not going to ask you for your credit card number and make you go to a shady website, because everything we do is free.
Rich: Brandon, this has been great. Thanks so much for your expertise today.
Brandon: Appreciate you, Rich. Thank you, sir.