ThinkTech Hawaii. Civil engagement lives here.

Aloha, welcome to Condo Insider. Let me begin by first of all saying that all of our thoughts and prayers are with the families on the Big Island. We're dealing with the wrath of Mother Nature. We're thinking of you and we know it's a tough time, but certainly our prayers are with you all and we hope for your safety. You know, one of the things we hear about all the time, in fact, in the recent press, we saw one of our self-managed associations lost, I want to say, around $300,000 or $400,000 due to what we call a cybersecurity internet issue, where someone was able to get into their bank account and move money, and cybersecurity is on our minds. So I thought it would be really helpful if we brought in a cybersecurity expert and also an excellent banker, a good friend of mine named Alan Crandall. Welcome, Alan, to the show.

Thank you, Richard.

Why don't you just share a little bit about your background, and, you know, I want to ask you this specifically, you know, I get this all the time, they say Mutual of Omaha is not a local bank. Maybe kind of talk about the bank a little bit as well.

Well, first off, for myself, I've been doing banking, general banking, for about 36 years, and of those 36 years, about 28 have been specializing in community association banking. So I've seen it all. I started as a part-time teller logging in lockbox receipts, and in a desk with a phone in Northern California, until today. We're Mutual of Omaha Bank's community association banking group. We have about 28,000 communities across the country, hundreds of management company clients, and it's always a pleasure to come here in Hawaii, which is part of my region, and talk about what I think is the biggest threat facing community associations today, and that's cyber theft.

Let me just ask some things that always come up, and we have quick bullet point answers, but number one, do you have a branch in Hawaii?

Yes, we do.
On One Kapiolani, we have a branch there. We've had it for over 10 years now, and our parent company has been on the island for 50 years, so I would think, given those requirements, I think we're local.

Well, speaking of Hawaii, local, about how many associations do you do the banking for in Hawaii?

Just over 700 in the state of Hawaii.

So out of the 1,900 approximate associations, you're doing the banking for 700, which is, I don't know, 40, 50%?

40%, in that range.

So you're certainly an established bank, and just one more point is, why have you been so successful at this locally?

We're successful because of the service level that we provide. It's very specialized. AOAO banking needs are not typically well handled by traditional banks because they're so unique. There are some unique loan requirements for them. Investments are really critical for them, and we need to be able to attend board meetings and explain to board members the various options that they have for investments. It's not something that you can just throw together on a piece of paper and give to a board member and expect them to really be able to function as a board member in their investments.

Because I've been in the industry 25 years, I have great respect for our local banks. They're very financially solid, sound, great service, great local people. But I get this question all the time, and so I think it's only fair that people know that you too are a local bank, and you specialize in association banking, and that's why a lot of management companies select you. Nothing against the other banks, it's just, you are part of our local family here, and you have local employees and represent a lot of local companies and associations.

Correct. We thank you for that.

Thank you. We hear about this all the time. Cybersecurity. Is it a problem, and where does it come from?

It's a major problem out there. I first started speaking to this for our community association industry almost eight years ago now.
We many times hear about the Sonys of the world, the big companies of the world that get hit, but the vast majority of companies getting attacked are small companies and medium-sized companies, because their defenses aren't as good. One of the problems we have in our industry, the community association industry, is you have AOAOs here in Hawaii who have hundreds of thousands of dollars in reserve monies. They're managed by management companies that may have very widely differing cybersecurity ability, so you have a lot of money being overseen by relatively weak defenses, which immediately attracts these attackers. And as you saw, there was a major hit for a community here, but there have been hundreds of associations across the country that over time have been attacked, and it's a very insidious way that they do it.

And who are they? Where are these attackers?

Primarily out of Eastern Europe, but they can come from all over the world. What you have in Eastern Europe, you have people that were trained to be cybersecurity attackers for their military or for their government, and then when they retire, or their part-time job after work, is to generate cash by attacking countries that their countries don't have extradition treaties with, and you can't find them. And if you did, and tried to go there to get your money back, they would just disappear. If you could take down $500,000 to a million dollars a month, do you think you could buy protection in Russia or Vietnam or Cambodia or Venezuela or some country like that that doesn't have really strong extradition relationships with the United States? Easily you can protect yourself.

But I have friends who say, yeah, but I have one of the top names, I won't mention the names, security softwares, you know. I buy my security because I go buy this software or this program from some company, and so theoretically my stuff's being checked when I open an email.
It is, but here's the problem with it: if I'm taking down $500,000 to a million dollars a month, and this is my job, my profession is stealing money through the Internet, wouldn't I subscribe to all of those too? So that when you get your update to your software, I have the same software. I get my update, and then when I test my viruses, I test them against those softwares. So if there are 50 good softwares out there, I can buy and subscribe to every one of them. And then as my computer generates a new attack, I've decided to attack your community and I see that you're using X software, a computer will generate an attack and test it against that software to see if it goes through.

Well, the term I hear, and I'm sure there are lots of terms out there, they talk about phishing and spear phishing. What is that?

Phishing is kind of like the long-liners out here, where they just drop a bunch of hooks and they catch whatever they catch and haul it all in. So that's where somebody will buy on the Internet 10,000 email addresses, and they'll send out an email saying that it's from a local bank, that we need you to contact us, click on this link and put in your login information because we need to test something, there's something wrong with your account. Most people will realize that there's something that's wrong with that, but if I'm doing 10,000, if I get a 1% or a 2% or a 3% that make a mistake and click on it, that's still a lot of people to try to steal money from. So it's very generalized. Spear phishing is where I've identified, from a website, from a Facebook page or something, the president of a company, the treasurer of an association, the president of the association.
Somebody who may have access or have the authority to instruct their bank or instruct a manager on taking some kind of action with the association funds, and they get you through email, they'll send an attachment. I'll give your viewers a homework assignment: go online, and just on Google, search for AOAO budgets, see what you find. You'll find that there are communities that put their budget on their website. Their website shows how much money they have, shows the big special assessment that just came in, the money that was just raised for the new roofing project. So now they know that this community has money, and then I go to the community's website and there's a list of the president and their email address and their phone number and their treasurer, and because they want to be open to their members, which is great, but they've just given targeting information. They've given an amount that the thief wants to take, they know you have it, and now I know who to go for. So let's say it was yourself. So then I go to Facebook and I do a search for your name here in Honolulu, your name pops up, I go to your Facebook page, and you had been fishing with Alan Crandall yesterday.
So all of a sudden you get an email which you think is from Alan Crandall, and it says, Richard, click on this link, on these pictures that we took fishing, and you think, well, I don't remember taking any pictures, but you click on it anyway because it's your friend and we did go fishing the other day. And you click on it and you've just put a key logger on your system, and it's through the key logger, that's how they capture your password information. What that key logger does is, from that point forward, it is recording every keystroke that you would make on your computer, and there's a little program that's looking for things that are suspected user IDs and passwords. Once I have your user ID and password, I can now log in to your accounting system, I can now log in to your computer and go to your email and send an email that everybody thinks is from you, instructing your bank, instructing your management company to wire money, transfer money, send a check to some dummy company. Typically, by the time people discover this, it's already too late, the money's gone, and if it's in Russia or Vietnam or Cambodia or Venezuela, it's not coming back. So it's very important that the communities do a couple of things. Number one is to make sure that your insurance covers cyber theft, not just cyber crime. If you have a normal embezzlement, where let's say the treasurer of the association took the money, that's an embezzlement by an officer of the corporation; that's a different thing than if it's a third party pretending to be the treasurer. And so when you talk to your insurance specialist, you need to make sure that it covers what I call third party, what they call social engineering attacks, where it's somebody pretending to be you, and so by pretending to be you, I now can go in and give an instruction to somebody.

We're going to take a break in one minute, but I just want to tell a very quick story before we take that break, kind of going back to the phishing, because I used to belong to an
organization called InfraGard, which is kind of a private collaboration with the FBI looking for internet schemes, and they tell the story of the controller of a state who, all of a sudden, they found through social media he loved endangered animals, so they sent him a fake email from an endangered animal organization with a PDF attachment which really was a virus that got into a state computer. And at the end of the day they were able to get into the state computer, and they meanwhile set up Earn Money at Home import-export businesses so they could take the money from the state coffers, move it to a person who was unsuspecting, who thought they were making money in an import-export business. We call those mules.

Mules.

And they move that business to China or Korea or Russia, wherever it may be, and that particular state in an instant lost like $700,000.

Quite a payday for a little amount of work.

For a little amount of work. So it's a bigger problem than people think it is, and I want to get back to what we can do to protect ourselves. We're going to take a short break for one minute. We'll be right back with Condo Insider.

Aloha, I'm Keli'i Akina, and I'm here every other week on Mondays at 2 o'clock PM on ThinkTech Hawaii's Hawaii Together. In Hawaii Together we talk with some of the most fascinating people in the islands about working together, working together for a better economy, government and society. So I invite you into our conversation every other Monday at 2 PM on the ThinkTech Hawaii Broadcast Network. Join us for Hawaii Together. I'm Keli'i Akina. Aloha.

Hey baby, that's you. I want to know, will you watch my show? I hope you do. It's on Tuesdays at one o'clock, and it's Out of the Comfort Zone. See you there.

I should do some dancing with that last commercial; the girl and the body language is really kind of cool, some more body language stuff. Anyway, we're on Condo Insider talking about cybersecurity with Alan Crandall. We briefly talked about the problem of clicking on a PDF or a document where
you don't really know the sender, or you think it's the sender.

Or you think it is. The danger is that there are a lot of problems if you go onto the internet. Some of you were raising, we've heard about this with Facebook, where some of the pop-ups that you think are coming from your friend aren't from your friend; it's from one of these people. If you read the disclaimers that you have to sign, which we all scroll down and click the box, say OK, we never ever read it, in there it tells you that they're not going to be responsible for any of these things that could happen to you. You need to recognize the Pentagon and Sony can't stop these people. Do you think Facebook is going to be able to stop them? The answer is no, they're not going to be able to stop them. So you always have to be on your guard. I don't recommend you click on any of these pop-ups. You can put on a pop-up blocker, you can do whatever you need to do to stop some of those things. The other thing is on the web links, it's the spelling of the link. So for example, you get something that your friend is sending you and you think it's from YouTube; there's a link that you can click on that says YouTube. The problem is, instead of y-o-u-t-u-b-e, to the internet that's day and night, that's a completely different web address, but when you go there it looks just like a normal YouTube address, and so you think you're in the right place but you're actually not, and all kinds of bad things can happen to you. Quick rules of thumb: if you get something that you don't know who it's from, delete it. If you think you know who it's from but it's suspicious, call the person and ask them if they sent it to you. If you can't reach them, delete it. If it was that important, they'll call you, they'll contact you. It can come from your information, it can come from your child, it can come from your wife, it can come from your husband. They get into your social media, they get into your Facebook page, they see who all your friends are, they see what your hobbies are, they get
this background information. Why would they want to do that? The more targeting information you've given them, you've just motivated them to take more effort to get you. So if on your association's website there's a four million dollar special assessment in and we're all ready to do our new roof this summer, you've just motivated these people to go to extraordinary lengths to get you. You've just thrown a big bullseye on your chest. And so what I tell the board members, and I tell managers, is do not put stuff on there that will attract these thieves. Don't give them a reason to attack you. If they really want to get you, they will get you. The sad thing is there are too many communities that want to be open to their members; they'll put information on there because they think that the members really want it, which a few will be interested in. The problem is they're drawing big bullseyes on their communities when they do that.

So let's talk about the key steps to not make you a target. Obviously one of them is be careful of your social media postings, and I know you briefly talked about insurance. Let's come back to that issue, because you know we had Sue Savio of Insurance Associates on, and we were talking about the mandated requirement under the law to have a crime policy slash fidelity bond, but a lot of people don't realize that may cover your employees but it's not going to cover cyber theft unless you specifically buy the endorsement.

It's its own type of insurance. It's really not that expensive. Eight years ago when I started, there weren't very many firms that actually carried it; now it's very common. They have a better assessment of the risk. You need to ask the question, you need it in writing: will it cover these very specific things? Insurance is the number one thing you have to do. You could have all of the other defenses in place, but if they're that motivated and they're that good, they will still get to you one way or the other. So the number one thing is to have your
insurance. Number two is to make sure your website has no targeting information on there. Instead of listing all the board members, have a generic address, so if somebody wants to ask a question of the board they can send it to a generic address. They don't know the name of the president, they don't have their personal email addresses, so make sure that's off of there. Make sure that any virus protection software that you have is updated regularly. Some people have never updated their software; some people are really religious about it. It needs to become a routine: every Monday you check for an update. If that slows your system down, well then go have a cup of coffee while it's updating, but you need to make sure your defenses are in place. Well, I like to use the example of a football defense. You have the defensive line, you have linebackers, and you have the defensive backs, and so it's a defense in depth. So you have multiple layers of defense; they get through one layer, one of the other layers will stop it. Well, what happens if you only have one? Everybody's moved up to the line; when they get through, they're through. And the problem for the management companies is, if association A led them to be attacked, they're going to attack the management company, because that's where the accounting services are done. Once they get into the management company, now they have access to all of that management company's communities' information, now they're all at risk. And so my recommendation has been, and it sounds harsh, just for management companies who have boards who refuse to keep targeting information off the internet, to let them go. The risk to all of their customers is too great. This is a real serious problem and people need to take it very seriously.

Well, you know, the one major problem we had with associations recently, where they lost, I don't know the exact number, let's just say 400,000.

Yeah.

And in that case they were self-managed, basically using simple online
banking.

Yeah.

I've always been an advocate that when you use professional management, it's like having the linebackers and having the defensive backs. Because tell me, you know, because the question we get even from clients today is, what kind of cyber protection do you have? Talk about sophisticated management companies and kind of the relationship with your bank, the kind of protections you have built in that protect.

Well, this is part of what I can't go into detail on, as far as what our specific defenses are, but I can assure all of our clients that this is taken very seriously. Our deposits from our community association banking division make up over 50% of the deposits for our overall bank. It is a major industry area for us, so we put a lot of effort into that area. But it's really a partnership between the management company and also the board to make sure this stuff is protected. By dealing with experienced people, they're also on the alert for it; they know what to look for. Doesn't mean they're going to catch it all the time, but they're more likely to catch it than somebody who doesn't normally deal in this world. So for example, the local bank may not realize that it's not usual for the community to be wiring money to Brazil.

Right.

It is in our world.

But without giving away any secret stuff, we could say that major management companies working with major banks, with yours included, use things like standalone computers and tokens and things like that.

Which is correct.

A level of security which any cyber thief would know about, but the fact is that technology... So tell us what tokens are.

What a token is, is a separate device; sometimes it's actually on your computer. It generates a number; the number changes every 30 seconds. So when you log in, you put in your user ID, you put in your password, and then you put in the token number, and then that is the last step of the security to let you in. But even that's not 100% safe, because I can write a program, because I know you
use a token, that has all of your account information, where they're going to send it, the wiring instructions, and it's set up like a time bomb. So when you log in your user ID and password, it knows right after that are going to come some digits which are your token, and it immediately sets it off. So it slows them down, but it's not 100% foolproof. The only way it's 100% foolproof is if you and the boards and the management company, everybody, are off the internet.

Well, that's just not practical nowadays.

So you have to do multiple defenses. So there's that with the tokens. It's important, from the standpoint of the staffing themselves, that they do regular training. We make regular training available for all of our management companies. I have a program designed to teach seminars, like the one I'll be teaching on Saturday, that are much more in depth than I'm able to do here in a shorter period of time, but we also have programs that we call Lunch and Learns for the management staff, in particular the accounting staff, where we can sit down with them and go through some of these things so that they're also more aware of what to be on the lookout for.

And just to elaborate on that, and I think I'm right when I say this, is that I know from our perspective, that we use your bank, and are very happy with your bank, that the computer itself, the standalone computer, has a registry number, so you have to be on that computer, and then you have to have the token, like you said, the numbers change every 30 seconds. So now we get an instruction to move money from the operating account to somewhere; there are steps where, after that notice comes in, this program, it has to go to a supervisor for validation. So there's a lot of, in the more sophisticated companies, I'm not saying it's foolproof, there's a lot of checks and balances that make it difficult.

Yeah, Richard, the key is, particularly for wires, is that you verbally call and verify before they take place. And I'll give you a quick story. This happened to not
one of our clients, but somebody in Texas. Our president gets a call on the golf course saying, well, I'm ready to send out this wire for $100,000, and I'm just calling to do the verbal confirmation, and the guy said, what wire? There had been a conversation in emails going back and forth, including documents to be signed. The problem is, the cyber thief had gotten into the president's computer, had access to documents which had examples of his signature; he just cut and pasted on the form that the accounting person had sent to him. All the communication was by email; the email was from his computer, the email was from his IP address. So all of those defenses looking for specific IP addresses still were working just fine. They got around it by going through his computer. They didn't break into the association's computer, they didn't break into the management company's computer, they got into the president of the association's computer. And they figured out who the president was because his name and email address were prominently displayed on their website.

We have a couple minutes left, but I want to expand that further, if you can briefly tell, which I think is a fascinating story, the fish tank, the thermometer.

Yes, this is something relatively recent. I'm going to go into more detail on Saturday, but there was a casino in Las Vegas that was cyber attacked, and the way they got in was they had a large fish tank, a very expensive fish tank, and they had a very sophisticated heating system, and the heating system had a controller, and the controller would communicate wirelessly to the computer that the casino had. They were able to get in through the heater into the computer, like a slim edge of the wedge, and from there were able to start manipulating the security protocols within the computer that they got in, and were able to access private information.

Well, some people believe that the next war is going to be cyber, not bombs and bullets, because so much destruction can be made, both financially
and to power grids, that cybersecurity would be a great threat across the world.

Absolutely. I'll give you another example: the hydroelectric power dams. Those 60 ton generators are computer modulated so that they stay in phase. If you throw those out of phase, it burns them out. So what happens to the power grid for all of Southern California if all of the hydroelectric dams on the Colorado River don't work? And then you have a cascading effect across the rest of the country as it crashes. The United States has been technologically advanced, and because of that it is the most technologically vulnerable. So when they talk about infrastructure improvements for cybersecurity, the military has been ahead of this for a while; the private sector is way behind.

Well, as we wrap up the show, I'd be remiss if I didn't say you're a featured luncheon speaker this Saturday with the Hawaii Council of Community Associations. What we've talked about in 28 minutes, you're going to get a lot more information on Saturday, and it's not too late to sign up. If you go to hcca.org, Hawaii Council of Community Associations, and sign up for the Board Member Training Seminar this Saturday at the Hale Koa Hotel, lunch is included, and you'll get to hear a lot more about cybersecurity. And so your number one piece of advice is make sure your insurance covers cyber theft.

OK.

And so next week we're going to have Jane Sougi, and we're back, as we talked about before, the 2018 Legislature is over; we're going to discuss the three bills that were adopted and passed and we think will be signed into law, plus we're going to review the final Bill 69 from the City Council on the fire sprinkler requirements. And so we look forward and hope you'll join us next Thursday at 3 o'clock for Condo Insider. Mahalo.