MINNEAPOLIS/ST. PAUL BUSINESS JOURNAL
TABLE OF EXPERTS: CYBERSECURITY & FRAUD

SEPTEMBER 18, 2015

MODERATOR

MOLLY EICHTEN, LARKIN HOFFMAN
Molly Eichten is an attorney in Larkin Hoffman's intellectual property, technology and Internet department. Because she worked in the IT field prior to law school, she has substantial real-world experience solving technology issues and managing complex implementations of enterprise-wide software applications and corporate infrastructure projects. As an attorney, she has represented clients in negotiating complex IT technology agreements for credit card tokenization, co-location, hosting and network services, all of which included significant cybersecurity considerations. She has experience drafting website terms of use, privacy and Digital Millennium Copyright Act policies. Some of her representative IT matters include drafting and negotiating agreements for a national online retailer in its acquisition and transition to a different co-location and network services provider, and representing a nationally recognized hospital in its acquisition of hardware and software for technology-integrated operating rooms.

PANELISTS

DAVE WASSON, HAYS COMPANIES
Dave Wasson is the Professional and Cyber Liability Practice Leader at Hays Companies. He specializes in identifying and assessing cyber insurance exposures and provides solutions to help Hays' clients effectively mitigate their risk. Wasson brings significant experience to the Hays team, having managed the Technology and Privacy practice in the Midwest region for Hiscox USA, a syndicate of Lloyd's of London. During his time there, Wasson also designed, implemented and managed its small and middle-market Cyber Liability program.
In addition, Wasson served as an Underwriter in the Management and Professional Division of Philadelphia Insurance Companies, where he underwrote multiple product lines, including Cyber Liability, Professional Liability and Management Liability. Dave holds a B.S. in Business Administration with a concentration in Finance from Saint Louis University and frequently speaks at cybersecurity conferences and seminars across the country.

BRIAN ISLE, UNIVERSITY OF MINNESOTA TECHNOLOGICAL LEADERSHIP INSTITUTE
Brian Isle is a senior fellow at Adventium Labs and a senior fellow at the University of Minnesota Technological Leadership Institute. He is co-founder and former CEO of Adventium. He also teaches courses at TLI in information assurance and risk assessment. He supported the multiyear U.S. Department of Energy-funded NESCOR program to improve the cybersecurity readiness of the next-generation power grid. He has held roles on several security-related research programs, including a U.S. Department of Defense program focused on vulnerability assessment for force protection and a Department of Homeland Security program to apply advanced cyber protection technology to control systems for critical infrastructure. Isle is on a number of boards, including the Minnesota chapter of the FBI-sponsored InfraGard.

CHRIS JEFFREY, BAKER TILLY
Chris Jeffrey is a partner and Midwest leader of the risk and internal audit consulting group at Baker Tilly. He is part of a practice that provides industry-specialized services to organizations within the manufacturing, higher education, public sector, real estate, government contracting, financial services, professional services, and energy and utilities industries. His areas of experience include internal audit, risk assessment, financial and operational risk management, Sarbanes-Oxley compliance, fraud investigation, technology risk consulting, and organizational governance.
He is the lead client service partner on numerous engagements and specializes in complex global organizations. He has published several articles and has spoken numerous times on the topics of internal audit, internal controls and compliance.

BY ELIZABETH MILLARD
Contributing writer

The Minneapolis/St. Paul Business Journal held a panel discussion recently, featuring three expert panelists to explore topics about fraud and cybersecurity. Panelists included Dave Wasson, cyber liability practice leader at Hays Companies; Chris Jeffrey, partner of risk advisory services at Baker Tilly; and Brian Isle, senior fellow, Technological Leadership Institute at the University of Minnesota. Molly Eichten, a shareholder at Larkin Hoffman, served as moderator.

Eichten: Let's start with discussing the most common types of fraud schemes and how these schemes are being perpetrated within the world of the cybercriminal.

Jeffrey: One of the most common fraud schemes that we see is anything where the company actually cuts a check. This can happen in areas like payroll and accounts payable. Related to cybersecurity, one of the schemes that we've been hearing about is incidents similar to a "phishing" scheme where someone is reaching out to an executive and asking for a fake payment to be made.

Wasson: We have seen a significant number of phishing schemes. A major cause often relates back to an organization's internal controls that are peripheral to cybersecurity. For example, an organization would ideally stop a phishing email before it comes in. But if it does get through, an employee may simply not notice small changes in the email address and it may fool them into acting at the sender's direction. In a situation like this, callback procedures to verify the identity of the sender behind the email communication could have easily stopped the scheme.

Isle: The Verizon Breach Report did a targeted selection of phishing emails and they found that 23 percent of the people opened them, and of those, 11 percent clicked on the attachments. The first response was within 22 seconds.

Jeffrey: We've also seen that executives are not immune from opening phishing emails.
In some cases, they're more apt to open them than other levels within the company.

Wasson: Yes, in some instances you might have a controller that requests an order to transfer money and nobody wants to question the chief financial officer. They will see that email come in and send the money, because they think it is coming from the chief financial officer.

Isle: But it turns out the email isn't from the CFO. It's really easy to fake an email from somebody. The bad guys get the credentials and pretend to be someone else.

Jeffrey: In these cases, the hackers are simply monitoring email traffic and looking at everything to get a sense of how the CFO, or another executive, might communicate with employees, so they can duplicate an executive's request.

Isle: What I advise is that you should assume that every email you send is being looked at by multiple people. Every text, every attachment, is being watched. If you send a contract to your favorite client over email, assume that seven other people have read it. And some of them are looking to steal money from you.

Eichten: What are the most common ways that fraud schemes are uncovered?

Jeffrey: The Association of Certified Fraud Examiners, which is the primary industry association around fraud prevention and detection, reports that employee tips are the most common way fraud is detected. Their most recent Report to the Nations, in 2014, found that of all the fraud schemes that were reported on, 42 percent were uncovered through employee tips. The second most common way that fraud was uncovered was through management review (16 percent) and the third was via internal audit (14 percent). I think those are important statistics when it comes to cybersecurity, given the need to train employees. It's important to teach people what to do in the event of a phishing attack. Another important point is that companies should have a fraud or ethics hotline in place. As a best practice, these hotline numbers should be available not only to employees, but also to customers and vendors.

Wasson: Even before you get to the fraud hotline, we see more and more companies looking to underwrite their controls and practices.

Isle: Just because we have noncyber people here, please describe what we mean by "controls."

Wasson: Depends on the situation. One of the major issues is how companies protect their data, particularly on mobile devices like cell phones and laptops. If an employee has a laptop and is traveling with it, the company should make sure the data is encrypted or utilize data-loss prevention software.

Jeffrey: And everybody forgets that a laptop is still a mobile device.

Wasson: Right, and it can be a ticking time bomb of data. Laptops have lots of storage, and people have poor controls. For instance, they stick them in overheads, or leave them at the table at a coffee shop. But the other issue is updating patches. Sometimes you are in the middle of something and you do not want to restart your computer right then. But it's important that you get those updated. Also important is role-based access control, so not everyone can see everything. That is a way to stop internal fraud. You just want to have a system of checks and balances.

Isle: So, control could be any means or method of preventing unwanted exfiltration of physical assets or information.
For IT folks, a control is something they can implement to measure the security status of a certain asset, like a server or network. All of these controls are important.

Wasson: We are starting to see more companies focus on that for employee training. They might have monthly or just randomly selected training for employees, because they realize they purchase more security and money only goes so far, and you only get a certain level of security. From that point, the only way to increase security is to train people to recognize threats.

Isle: The leading organizations in IT build security into the culture of the organization. When they have a staff meeting, they talk about where they're at in terms of cyberattacks. The people who get it have security at the top of their minds. They know they'll get attacked, they accept that, so they think about how they'll respond. The really advanced companies have moved to that point. Not only have they increased the prevention part, but the reaction part is much stronger.

[Photo, from left: Dave Wasson, Hays Companies; Molly Eichten, Larkin Hoffman; Brian Isle, University of Minnesota Technological Leadership Institute; Chris Jeffrey, Baker Tilly. Photo by Nancy Kuehn.]

Eichten: We've been talking about companies and fraud schemes, but are there certain steps that individuals can take to reduce the risk of fraud?

Jeffrey: For an individual, I think it's just about using some common sense. I wouldn't go into my bank account on my mobile device, for example. I would save that for my home computer, where I know I have more controls. I wouldn't use a network I don't know. I'm always amazed at the number of people I see on a plane checking their bank accounts using the in-flight connection.

Isle: In terms of other actions for individuals, if you haven't changed your home wireless router in the past five years, stop on the way home and get a new router and configure it with the best encryption. Because if it's over five years old, the operating system is most likely vulnerable and unpatched. Second, I personally never do any financial transactions on a mobile device because I assume that 100 percent of the activity on the phone is being watched. Use your desktop, make sure it's patched, keep your patches up to date, make sure you're running a modern antivirus and spam filter. Also, keep yourself informed about phishing schemes. If you get an email that starts out with someone in Syria who has 10 million to get out of the country, just delete it.

Wasson: I am not so much against mobile banking because if you look at any major credit card brand, they put your liability at zero. There's less recovery if using a debit card, though. I travel a lot, and I get a new credit card every six to nine months. I'll watch my transactions and many times what you'll see is that someone will put through a transaction for a dime. Just to see if you flag it. And if you don't, criminals will swing for the fences.

Jeffrey: That brings up a good point. I check all my accounts, every day. That includes brokerage, credit cards, and bank accounts. I look through the transactions very carefully. And I'm looking for those really small transactions.

Wasson: Exactly.
If you know your balance, you might not notice 15 cents being gone, but you'll see it on the transactions. You can't let yourself be entirely hobbled by anxiety about security threats, though. You just need to know how to address them if they do happen, because, most likely, it will happen to you at some point.

Eichten: One thing we've been hearing about more lately is attacks on health care organizations and insurance companies. What do criminals do with health records?

Wasson: Very often we'll see that someone will take a large amount of records, batch them up and sell them. That might result in health care fraud. A criminal doesn't have health insurance, but they commit identity theft and go get prescriptions or treatment. It's the same as using a credit card and pretending to be that person.

Jeffrey: They can also use all the other information in those records, in a variety of ways. Those records have Social Security numbers, addresses, names, and that's all usable.

Isle: If I have that information, I can use it to get a bank loan or pull new credit cards. I can defraud insurance companies. There are all kinds of ways to monetize that information. The big change over the past five years is that criminals have really figured out how to monetize the theft of stolen information. There's been a big jump in sophistication. One aspect to keep in mind is that for 99.9 percent of the 2014 breaches, the bad guys exploited known vulnerabilities that have had patches available for more than a year. They're using vulnerabilities that everybody knows about. If you have your system up to date, it will slow them down. At this point we don't know how good the bad guys really are, but a well-maintained system will definitely make it harder for them.

Eichten: What are the biggest misconceptions when it comes to fraud and cybersecurity?

Wasson: A lot of companies believe they will be indemnified.
We get a lot of companies that say, "So-and-so is going to indemnify us." But they don't look at whether the company has the money to do it. We see a lot of times that the insurance requirements in the contract don't make sense. We might see that whoever wrote the contract took all the technology terms they know, put them into a contract, and said we want 10 million for this. So, we've been working with companies because I don't have great confidence that when it comes down to it, they'll get indemnity. Many of these contracts have incredible limitations on liability, and you're probably not going to get much more than fees paid for the past 90 days.

Jeffrey: At the end of the day, it's still a good idea that you're putting those agreements into place with third-party providers. You've got to understand what kind of security they have in place, if you're transmitting your data to them.

Wasson: I agree. We tell our clients to get the best requirements in place and obtain proper insurance coverage, but it is important to understand it is still your data and you are ultimately responsible for its safekeeping.

Eichten: That brings up a good point about providers. In the old days, companies had all their servers on site, but now they have off-site service providers. What does that shift mean for cybersecurity?

Jeffrey: I feel better if my clients use a data center to house their servers and/or data as opposed to an on-site data center, or even a closet. Third-party data centers typically have strong security measures in place.

Isle: The data centers and cloud providers are staffed by professionals who know how to do security. But that said, they need to know your security requirements. You need to write a contract with your cloud provider that spells out your security requirements. For example, you might have geographical limitations on where the service provider can physically store the information.
If I'm in an EAR- or ITAR-regulated industry, my data has to be in the U.S.; it can't be moved to Taiwan. Without that stipulation in the contract, they can store the data anywhere in the world that they have excess server space.

Wasson: Alternatively, you might be dealing with the European Union, where they don't think the U.S. is very secure, so they don't let data be repatriated back here.

Jeffrey: That's why it's important that you're working with your data center service provider to ensure that they understand your needs.

Eichten: In wrapping this up, can you all provide some closing thoughts so we can sleep at night?

Isle: The good news is this isn't rocket science. Studies show that the majority of the exploits are leveraging known vulnerabilities. Basically, we are not closing the door to keep the bad guys out. We are not being diligent about security. No amount of technology will make up for the lack of organizational security policy, procedures that build organizational resiliency, and training. The training must be from the CEO to the janitor. The training brings the whole organization together around the policies and procedures. You need to create a security environment that measures and learns from how your security is working. That's the only way an organization can make meaningful changes related to cybersecurity.

Jeffrey: You know that fraud and data breaches happen. You can't think that your company is not a target, because that is not true. It's important to know and understand your risks, so you can put the right controls in place. Things like proper training, appropriate procedures and monitoring will help. It's all about the three-legged stool of people, processes and technology. Using those tools appropriately can help prevent fraud and cyberattacks.

Wasson: A lot of companies are taking the stance that compliance is security, but that's a bit of a faulty idea. We see companies say, "We're compliant with X," and then they stop.
But at the end of the day, no one will care about protecting your business the way you do, and you have to go above compliance to secure your data and your people. Unless companies are going above and beyond, they're going to find themselves in a very hot situation. To echo previous comments, your greatest vulnerability will be your people. Technology will perform as it's told, but people don't work that way. So, you have to focus on how to prevent events by training and communicating with your employees. And finally, remember that security is an ongoing process that you have to continuously monitor.
