Paul Tracey, CEO of Innovative Technologies on DIY Cyber Guy

About Paul Tracey

Episode: #85 – What Happens When A Fortune 5 Company Fails Cybersecurity 101

Paul Tracey is a recognized cybersecurity expert and CEO of Innovative Technologies, where he has spent over 12 years protecting businesses from cyber threats with a perfect track record—zero ransomware payments among his clients.

As a published thought leader in cybersecurity, Paul is the author of the Amazon bestseller “Delete The Hackers Playbook” and co-author of two additional Amazon bestsellers: “Cyber Storm” and “Compliance Made Easy.” His books have established him as a trusted voice in translating complex cybersecurity concepts into practical, actionable strategies that businesses and individuals can implement.

Paul’s mission centers on protecting vulnerable businesses from the ever-evolving landscape of cyber threats. Through Innovative Technologies, he provides comprehensive cybersecurity solutions that range from regulatory compliance to threat prevention, helping organizations of all sizes defend against ransomware, data breaches, and other costly cyberattacks.

Whether discussing the latest threat trends, breaking down major data breaches like the Change Healthcare incident that affected 190 million Americans, or sharing practical security tips, Paul brings real-world expertise and proven results to help listeners understand and navigate today’s cybersecurity challenges.

His approach focuses on making cybersecurity accessible to everyone—from small business owners to everyday consumers—ensuring that robust protection doesn’t require a massive budget or technical expertise.

Paul’s Links:

https://www.upstatetechsupport.com/
https://www.youtube.com/@Upstatetechsupport/
https://www.linkedin.com/in/paul-tracey-277a9a101/
https://www.linkedin.com/company/innovative-technologies-llc/?

Summary:

The discussion centered on the extensive cyber attack on UnitedHealthcare, attributed to the Black Hat Ransomware Group, which compromised the data of nearly 190 million U.S. citizens. David W. Schropfer detailed how the attackers gained access through stolen credentials, emphasizing the critical failure to implement multi-factor authentication (MFA). The attack resulted in a $20 million ransom demand and severely disrupted hospital operations and pharmacy services.

SOURCE: https://www.startribune.com/1-in-2-americans-affected-by-unitedhealth-cyberattack-new-disclosure-shows/601210911

Paul Tracey highlighted the increasing sophistication of phishing attacks, particularly those enhanced by AI, which allow hackers to create convincing emails that are difficult to detect. He stressed the importance of MFA for all businesses, especially small and medium-sized enterprises, to mitigate such risks.

The conversation also touched on the necessity of dark web scanning for compromised passwords and the importance of documentation in security practices to ensure compliance during audits. Paul noted that MFA is often included in Microsoft 365 licenses, with the main costs associated with its setup and enforcement. They discussed strategies for promoting their work, including creating short video snippets from podcasts to enhance visibility and engagement.

Additionally, they explored methods for identifying lookalike domains and the challenges posed by phishing attacks, underscoring the need for a proactive approach to cybersecurity. David indicated he would follow up via email regarding the edited video, reflecting a commitment to ongoing collaboration.

TRANSCRIPT

0:00 – David W. Schropfer
Welcome back everybody to DIY Cyber Guy. This is episode 85: What happens when a Fortune 5 company fails Cybersecurity 101. So this is a hair on fire two out of five. So if you are in charge of a network, this is for anybody who’s in charge of a network, whether it’s a home network, small business network, even some of the bigger enterprises or midsize enterprises, this is really for you. The big guys can get the simple stuff wrong. And when they do, it is much more costly to them than it would be for you, but it’s still crippling. So whether the dollars can cripple them and smaller dollars can cripple your company or your enterprise, it’s possible and it’s possible to miss the small stuff. So sometimes a refresher is critical. So this is about the UnitedHealthcare cyber attack, which is turning out to be one of the largest in history. There’s an article earlier this year in the Minnesota Star Tribune that talks about this attack and exactly what happened. And as the article notes, Change Healthcare, which is a subsidiary of UnitedHealthcare, has determined the estimated total number of individuals impacted by Change Healthcare’s cyber attack is approximately 190 million U.S. citizens. That’s more than one in two people in the United States today, which is staggering. And here’s how it happened. So hackers linked to the Black Hat Ransomware Group broke into Change Healthcare Systems back in February, and they stole credentials. Credentials meaning a username and a password. These are very sensitive systems, but there was no multi-factor authentication. You know, the system where a text message gets sent to your phone, and you have to reenter that number, whatever it is, into your laptop, and that gives you access, out of band, meaning it’s using another band than you’re using to gain access. It could be email, could be a cell phone, could be something else. Multi-factor authentication, very common term. But they weren’t using that.
And once the username and password were compromised, and once the threat actors got inside these systems, they locked up critical data and demanded payment, classic ransomware. And ultimately, healthcare had to pay, and I’m sorry, I’m laughing, but it’s such a staggering amount, $20 million in cryptocurrency to regain access to their own data. The damage, of course, was already done. Hospitals couldn’t process claims, pharmacies could not fill prescriptions, patient data was exposed to the black market, basically, and the deep web. All that damage was done. And of course, we know that the hackers may probably still be able to either come back and the next thing they may threaten could be releasing the data that they copied anyway during this attack or any other things. Those haven’t happened yet, but it’s still a possibility. That means this attack is huge, terrible, and possibly crippling to the company, and it may not be over. Again, the threat actors still have the possibility of coming back. So what does that mean for you who are running the network of a small business or keeping a household network up? To break all this down, we’re joined today by my guest, Paul Tracey. Paul is the founder of Innovative Technology Support in upstate New York. Paul is a cybersecurity strategist and IT services expert and a trusted advisor helping organizations strengthen their defenses and recover from attacks. Welcome, Paul.

5:30 – Paul Tracey
Hi, David, thanks for having me. Appreciate it.

5:33 – David W. Schropfer
Thanks for being here. I can’t wait for this conversation so we can hopefully point our listeners in the right direction.

6:01 – Paul Tracey
I’m really looking forward to this conversation.

6:03 – David W. Schropfer
So hopefully we can tell our listeners how to stay away from the big potholes that even the biggest companies in the country can’t seem to avoid. So let’s simplify this and start here. What is the most effective hacking technique used today and why are the bad guys getting better at using it?

6:25 – Paul Tracey
So the number one, and it’s been the number one for at least the last five years, and debatably longer than that, is the phishing email. We’re going to send a targeted email. And there’s different levels of this. Usually it’s to mask a, let’s say, Microsoft account. And they’re asking you to log in. And then you click their link and give them your credentials. Now they have access to your accounts, at least superficially.

6:54 – David W. Schropfer
Okay, and why are they getting, what’s making them better? We talked about AI a little bit before we started recording. How is that affecting the efficacy of these types of attacks?

7:09 – Paul Tracey
Honestly, it’s an exponential effect. And the reason is, for years, we’ve been training people on how to identify phishing emails, right? There’s usually some telltale things. We’re looking at the address that the email came from, giving that a scan. And then if the language seems off or the images seem off, the logo, right, that usually sparks alarm. Now that hackers have AI, we’re not seeing those in the phishing emails anymore. They can go in and literally say, I’m a business owner in this location, right, and get the language and the local dialect from AI right down to where it’s going to sound like your coworker or someone else that seems reputable. The logos are going to look pretty much perfect because they’re generated in AI. So the things that we relied on in the past to identify those emails at the human level, beyond the security tools, are pretty much gone now, which is obviously going to have a serious effect. We’re already seeing it now, but I think we’re only seeing the beginning of it. Okay.

8:25 – David W. Schropfer
So in the past, you know, when you got the email from, uh, as you mentioned earlier, the Prince of Nigeria, then that was easy to say, yeah, it’s probably not true. Uh, it was filled with typos. It was filled with syntax errors, uh, for the English language. It wasn’t incorrect, or you could follow the email, but, you know, the words were in the wrong order. It just didn’t sound quite right based on the dialect of Americans or however we speak. So they were easy to spot. So you’re saying that they’re a lot harder to spot. And it also sounds like we’re not talking about, you know, necessarily the emails from Microsoft. We’re talking about very specifically crafted emails to get an employee to do a thing that that employee shouldn’t necessarily do.

9:13 – Unidentified Speaker
Exactly.

9:14 – Paul Tracey
So if you look at AI in the full scope, not just writing the email, but the research, maybe on social media, your LinkedIn page, company pages, things of that nature, prior to sending that email, it’s very quick now with AI to determine so-and-so’s on vacation, right? Because their Facebook page is open, they’re scraping that data. And so they can tailor these messages to be very specific, right? So they know that the CFO is on vacation. Et cetera. And they’re going to craft those emails with AI around those discoveries. So the speed to execution is exponential compared to what it was before to do that research and then create an end target. Okay.

10:02 – David W. Schropfer
And was this type of phishing involved in the UnitedHealthcare attack?

10:07 – Paul Tracey
So, unfortunately, disclosed how the original credentials were obtained. Percentages would say that that’s likely a phishing email that got those credentials, or a prior event, and they bought the credentials on the dark web from another list. They hadn’t been password changed, didn’t have the second factor of authentication on there. And so then those are now valid credentials to get into the system. Okay. Okay.

10:42 – David W. Schropfer
Now, so in your work at Innovative Technology Support, you talk to small and medium-sized businesses all day, every day, right? If one of them was sitting in front of you now, what would you tell them to learn from the UnitedHealthcare attack? So as you alluded to when we started, the issue here isn’t resource or security tools, right?

11:16 – Paul Tracey
Those things are there. This is 100% preventable by having multi-factor authentication on. There are ways to get around multi-factor authentication, right? Yeah. So 99.999%. Right.

11:29 – David W. Schropfer
So I don’t want to back off of that 100 a little bit.

11:35 – Paul Tracey
However, those methods are much more difficult. They require much more resource and planning and so forth. If you can just buy this password on the dark web and there’s no second factor, you’re done already. You’ve already gained access to the machine. So what we tell all of our clients is our job is to make it as difficult as possible on the folks that are trying. Multi-factor authentication comes in every, no matter whether you’re using Microsoft or you’re using Google, you can even get a third party app to manage that.

12:12 – Unidentified Speaker
Is it inconvenient because you got to get another code?

12:15 – Paul Tracey
Yes. And that’s the biggest pushback. We always say, I don’t want to have to put in the code. Well, putting in the code is a very small inconvenience compared to what we’re looking at here, which is a 20 million ransomware payment. And then the subsequent cost involved in recovering, I think they’re quoting now 2 billion as an overall cost to what happened here. So let’s break down those components a little bit. Let’s start with the password. We’ve talked a lot about passwords and how to set good passwords.

12:53 – David W. Schropfer
But one of the things we’ve also talked a lot about on this podcast is an employer has no idea if the password that an employee is setting for their own account is a password that they’ve used in their personal life. Is it the same password they use on Facebook? You don’t know that. Is it a password they’ve used since 2005 over and over and over again in various other apps that they’ve opened in their lives? You have no way of knowing that. Has the password been compromised? Well, you do have some way of knowing that. So can you talk a little bit about how an employer could actually look for already compromised passwords out there on the, well, on the deep web or for sale on other boards and other illegal trading systems?

13:46 – Paul Tracey
Yeah, so I mean, certainly for us, and I would say most other responsible MSPs, dark web scanning for credentials is mandatory. We don’t offer a managed plan that doesn’t come with it just based on that necessity and the importance, the danger around it. So for our clients, we’re constantly scanning those sites for any credentials that match the domain of their company, right? So then we would, if they are found, we would get an alert for that. And then we’re able to reach out to the client and say, you know, We’ve already done this. You got to reset your password. We’re going to reset your MFA just to be sure.

14:32 – David W. Schropfer
Yep. Perfect. And about the MFA, if one of our listeners has never used it before, never implemented it before, how difficult is it? Can a typical MSP or MSSP simply put that in place for them for a cost? Is it a crippling cost? Talk more about that.

14:52 – Paul Tracey
So there’s really two kind of flavors here, right? When we think MFA, most people are thinking about email. There certainly are other systems that require MFA. And so generally speaking, you can use an authenticator app on most of those.

15:09 – Unidentified Speaker
Depends on the system.

15:10 – Paul Tracey
And so you may have to integrate or use their specific app if the vendor has their own. In terms of the email portion, no. If you’re already paying for licenses for Microsoft 365, let’s say, multi-factor is included. The only thing not having it there, you’re already paying for it in most cases, is just the setup. And then making sure it’s enforced, which is the second giant step that needs to be completed. But if it’s not enforced, someone may turn it off in the organization that shouldn’t, et cetera, to specific accounts, and then you have a problem again.

15:52 – David W. Schropfer
And if the president of such a company is listening right now and saying, hey, we pay for that Microsoft suite, and I didn’t know it was in there, how do they make sure that it’s enforced? Is it something that any MSP should be able to tell them off the bat, or just talk to their IT department? What does that look like?

16:14 – Paul Tracey
So if they have internal IT, it should be fairly easy to tell. The number one indicator is if they can log into their account without putting in a secondary code on an app on their phone, well then they don’t have multi-factor authentication in place.

16:32 – Unidentified Speaker
Certainly any MSP can tell you that.

16:34 – Paul Tracey
You should actually be testing, at the very minimum annually, right, a security assessment to make sure that those things are in place. Um, certainly for those of us in New York State, it’s mandatory under the New York State SHIELD Act. So, you know, these are very basic, as you mentioned before, Security 101 type of issues, um, that aren’t cost heavy. The amount of implementation time and the minor inconvenience of putting in the code is nowhere near equal to the cost of not having it and going through a breach because of it.

17:14 – David W. Schropfer
So give our listeners the actual language to use or the actual Google search to use to try to figure out if they have these systems in place, or what to ask for from an MSP to make sure that this particular mistake of allowing users to use compromised passwords that have already been bought and sold out there is avoided, or mandating that all sensitive systems, or perhaps all systems, have some sort of multi-factor authentication attached to them. What should that person say to either Google or to an MSP to make sure that happens?

17:51 – Paul Tracey
So if you go from the top down on this, because for a smaller company, if you have five or six employees, you know, you can probably go through the office and determine that pretty quickly just by checking. Right. The overlying log into the system. Let me see you do it.

18:09 – Unidentified Speaker
Oh, you didn’t, your phone didn’t light up. You had no email to go check that type of thing.

18:15 – Paul Tracey
Correct. And so on the next step up, you know, a lot of times we hear, well, talk to your provider and make sure that NFA is, or MFA is enabled, right? It’s not enough to be enabled. The question you want to ask is: is multi-factor authentication enforced on all of our accounts, full stop? If the answer to that question is not a resounding yes, and here’s the reporting that proves that, second step, very important. To me, there is no self-attestation in security. It’s either documented or it’s not. And when you have a breach and you get regulatory agencies involved, insurance companies, et cetera, believe me when I say their outlook is exactly the same. If it is not documented, it doesn’t exist, right? So we want to make sure that MFA is enforced on every account and that we can document it. Now we’ve covered that base. Perfect.

19:48 – David W. Schropfer
Paul, it’s been great having you on the show today. Thanks for all these answers and these great tips for our listeners. Where can people find out more about what you do? So a couple easy places there.

20:01 – Paul Tracey
And first, I just want to say thank you for doing this. It’s vitally important to our economy and small business that these conversations are had. So I certainly appreciate you having me on, and if you want to find out information about the company, it’s upstatetechsupport.com. If you want to reach out to me personally, you can DM me on LinkedIn. I answer those myself. There’s no automated anything. It’s actually me. Quick search and, you know, the picture on my profile probably looks like I do right now. So not hard to find there. Excellent.

20:36 – David W. Schropfer
So they would search for Paul Tracey, that’s T R A C E Y, and your company name, Innovative Technology Support. And that should pull up your profile on LinkedIn pretty certainly. Pretty quickly.

20:47 – Paul Tracey
Yes. Yeah. Okay. Fantastic. Thanks for being on the show, Paul.

20:51 – David W. Schropfer
All right.

20:52 – Paul Tracey
Appreciate it. Thank you so much.

Published by

David W. Schropfer

David W. Schropfer is a technology executive, author, and speaker with deep expertise in cybersecurity, artificial intelligence, and quantum computing. He currently serves as Executive Vice President of Operations at DomainSkate, where he leads growth for an AI-driven cybersecurity threat intelligence platform. As host of the DIY Cyber Guy podcast, David has conducted hundreds of interviews with global experts, making complex topics like ransomware, AI, and quantum risk accessible to business leaders and consumers. He has also moderated panels and delivered keynotes at major industry events, known for translating emerging technologies into actionable insights. David’s entrepreneurial track record includes founding AnchorID (SAFE), a patented zero-trust mobile security platform. He previously launched one of the first SaaS cloud products at SoftZoo.com, grew global telecom revenue at IDT, and advised Fortune 500 companies on mobile commerce and payments with The Luciano Group. He is the author of several books, including Digital Habits and The SmartPhone Wallet, which became an Amazon #1 bestseller in its category. David holds a Master of Business Administration from the University of Miami and a Bachelor of Arts from Boston College.