Roy Hadley - What You Need to Know About Cybersecurity in Roofing - PODCAST TRANSCRIPTION

Editor's note: The following is the transcript of a live interview with Roy Hadley. You can read the interview below or listen to the podcast. 

Speaker 1: Welcome to Roofing Road Trips with Heidi. Explore the roofing industry through the eyes of a long-term professional within the trade. Listen for insights, interviews, and exciting news in the roofing industry today.

Heidi J. Ellsworth: Hello and welcome to another Roofing Road Trips from RoofersCoffeeShop. This is Heidi Ellsworth and I am road tripping cross country to talk to the experts when it comes to law, construction law for roofing, and today particularly about cyber, cyber attacks, what's going on? It is a jungle out there. So, we got a hold of Roy Hadley from Adams & Reese and said, "Hey, come join our Roofing Road Trips and let's talk about cyber." So Roy, welcome to the show.

Roy Hadley: Thank you, thank you, Heidi. It is great to be here. Great to be here.

Heidi J. Ellsworth: Well, this is a tough topic. Contractors are getting taken. I mean, all businesses, not just obviously construction. So many people and there's so much out there, so I'm really excited to talk about this. First, let's have you introduce yourself. Tell us a little bit about Adams & Reese, just so everybody knows you.

Roy Hadley: Okay, fantastic. Again, just happy to be here. Appreciate you having me on board. As you know, probably better than I do, Adams & Reese is a full service firm, but we have a huge construction law practice and do a lot with the roofing industry. I am a technology lawyer, been in companies, been in law firms, and so come at it from a little bit of a different perspective. Mine is a more business focused perspective, been doing this cyber thing for many a year now. But again, here at Adams & Reece, what really works is that with the construction practice, we have, I think over 70 lawyers, that are dedicated to the construction industry.

Roofing, we do a lot with roofing, again, you know better than I do because you were one of the founders of the National Women in Roofing. We represent and work with you all, the National Roofing Contractors Association, and many more. And so we really do have what I would say, our fingers on the pulse, not only of construction but on roofing, the roofing industry in particular, and also on cyber, and kind of what businesses need to have nowadays in order to be safer. Yeah, never a hundred percent safe, but to be safer. And some of it that we'll talk about today will be low hanging fruit that people and companies can do, and some of it admittedly will be more aspirational.

Heidi J. Ellsworth: There is so much out there. So why don't you set the stage for us. What is the business landscape look like out there around cybersecurity? What's the most recent, what's happening?

Roy Hadley: So the landscape unfortunately is pretty scary, and my children always say, "Daddy, you're so paranoid." And my come back to them is it's not paranoia if they really are out to get you. And the bad actors really are out to get you. And that's the unfortunate thing. The climate out there, because we are so electronic, we are so dependent on our computers, and our laptops, and our tablets, and our phones, and our email, and electronic signatures, and electronic payments, all of those things are just vulnerabilities. Those are areas that a bad actor can exploit to come at you. And at the end of the day, what are they really after? They're after money. It's all about the money. And so we just have to keep that in mind as we talk through this and think through it from that standpoint.

Unfortunately to the situation, I think this is just my own prognostication, is going to get worse. We've all heard of ChatGPT and AI, and that's been the big rage lately in terms of how it's going to transform business and how it's going to make business more efficient. But it unfortunately is also going to enable bad actors to be better at what they do, and more efficient at what they do, and more dangerous at what they do. And so we're going to have to put our antennas up a little bit higher and wave them a little bit stronger to really catch what's going on out there in the bad, bad world right now with respect to cybersecurity.

Heidi J. Ellsworth: I really don't trust any emails anymore. If it's anything that's just even a little bit off, but to your point with the AI and what's going on in that, it's going to start with phone calls too. I mean, they're able to replicate voices and I mean, I agree, you should be paranoid. I am.

Roy Hadley: Right. It's funny because with the phone call, one of the things that is, let's set aside ransomware for a second because that's a big issue, but phishing and social engineering is a huge issue. Here in the legal world we call it business email compromise, but it really is just phishing and social engineering. And what does that mean? What they are trying to do is convince you to do something that you wouldn't ordinarily do. And where you really see it a lot is when you're trying to make electronic payments and somebody emails you and says, "Hey, here is the payment information for that invoice", and you look at it and you pay it and send it there, and it's not the legit one, it's the bad actors.

Well, how did the bad actors do it? What they have done, they have socially engineered over months sometimes, where they'll hack into your email and just sit there and see your email traffic, see the traffic, see the traffic, and then see an invoice come through and then email your client and say, "Hey, sorry, we changed banks, here's the new invoice." And you pay it, but it goes to the bad actors.

One of the ways that I've always historically said to mitigate that risk is if you get different payment information from a client or a vendor that you need to pay a sub and it's different than what it normally is, pick up the phone and call. Call them and verify that information. Okay, so that historically has been good, but to your point, what you just said was, now with artificial intelligence, they can replicate voices. And so you pick up the phone and you call, and you think you're calling the right number, they put a number in the email and you call that number and all of a sudden it sounds just like Roy.

And Heidi's calling and says, "Hey, Roy, just wanted to verify this. I have artificial intelligence, I can type in a response in real time, it says it." "Oh no, Heidi, sorry about that. Yes, we changed banks. It's not Truist anymore, it's Sun Trust", I probably shouldn't be calling names, but, "We've changed banks." And it's Roy's voice. And you're like, "Oh, okay, we're good." You then email that payment or wire that payment, and Roy takes it and runs with it. And so it's just getting more complicated out there to make sure that we're staying safe.

Heidi J. Ellsworth: And it kind of goes back to where I think everything goes back eventually is to the relationships, knowing who you're working with, knowing who they are, having that other cell phone to call and say, "Hey, is this you?" And not just what they're sending you.

Roy Hadley: Right, that's right. Call that known number, not a number that's in the email, or not a number that they text to you or send to you. Call that number that's in your contacts, that's been in your contacts for five years, 10 years, and verify it that way. And if you can't, then you hold on that payment until you can.

Heidi J. Ellsworth: Yeah, yeah, exactly. So what are you seeing from the government? What's the government doing to help this, or not?

Roy Hadley: Well, the government has great intentions, and when I say that, unfortunately we live in what I would call a hyperpartisan environment right now. And what that means is that we have difficulty coming together on things that we should be coming together on. A good example is if you have a data breach and the notification requirements of that breach. Well, in a perfect world, we would have a National Data Breach Notification and Response Law that didn't happen. And so what do we have? We have 50 different state laws around data breach notification.

Right now, we're starting to see that same thing with respect to consumer privacy. We don't have any federal legislation regarding consumer privacy, and so California passed their own privacy law a couple of years ago. Now you see Colorado has its own, Virginia has its own, Connecticut it's coming up, will have its own. And unfortunately I think we're going to see 50 different state privacy laws. Now, all that said though, I think the government is trying its best. And what do I mean by that? The Colonial Pipeline incident, the ransomware, I think that was a wake-up call for a lot of different industries. That's the one where hackers hacked into the colonial pipeline which supplies gas and fuel of the East coast and held their systems for ransom. Shut down pipelines all up and down the East coast, created a crisis.

That woke the government up, and so the government passed kind of bipartisan infrastructure, cybersecurity rules, and so you're starting to see the government really up their game a little bit in terms of support for it. CISA, the Cybersecurity Infrastructure Security Agency is a great organization, it's a government funded entity that I would say a lot of roofers out there, roofing companies, and any company that's listening to it, call your local CISA representative. Every state has one, every region does. They can help you to improve your cybersecurity posture real time. They can look at your networks, they can do a lot of stuff. And the greatest thing of all, it's free, courtesy of good old Uncle Sam.

So there are things like that that you can do. And so you're starting to see the government try, and if we can get past, again, our hyper partisanism, make up a word there, then I think we can see a little bit more cohesive strategy and support, more importantly coming out of the government, especially the federal government.

Heidi J. Ellsworth: Because I can tell you right now, RoofersCoffeeShop, the internet knows no state boundaries or country boundaries. I mean, everybody, we have folks from New Zealand and Australia, Canada. So we can't just say it has to be each individual, we really need a good way in order to start protecting ourselves overall.

Roy Hadley: Absolutely, absolutely. And again, that support, it's one thing to say, "Hey, you should do this." It's another thing to have some support in doing it.

Heidi J. Ellsworth: Yeah, and say the name of the association one more time just so everybody can hear it.

Roy Hadley: CISA. C as in Charlie, I as in iguana, S as in Sam, A as in Alpha.

Heidi J. Ellsworth: Awesome.

Roy Hadley: And it's cisa.gov. And if anybody needs some help getting there, I'm always more than happy to help. More likely than not, I'll know who the CISA representative is for your particular state.

Heidi J. Ellsworth: Yeah. To have resources, that's so important. And so thinking along that lines, I think it's always good to understand too with these large corporations, like you were saying, the pipeline, other large under attack, what are some of the things that they're doing that we should be taking notice of to help reduce the risk of cyber attacks?

Roy Hadley: Right, great question. And again, having been in corporate America before in small business before, I'm going to come at it with a very pragmatic answer. We could do a lot of technological gee whiz things, but there's some low hanging fruit that we can always take advantage of. And I think the lowest hanging fruit of all, it's going to be employee training. Because we can have the best technological solutions and spend hundreds of thousands, tens of thousands of dollars putting them in place, but if our employees are clicking that link, or if they're doing things that they shouldn't, it's going to all be for nought. And so employee training is going to be the big one.

Big companies spend a lot of money on employee training and small companies should too. I'm not going to say spend a lot of money, but should put some time and effort in into it. There are some online resources that are relatively inexpensive in terms of training to help employees identify bad emails, malicious emails, to know what to do when it happens, to know what to do if you accidentally do click a link. Silence isn't necessarily the best thing. You should probably say something to somebody. And so there's a lot that you can do in the training area that is going to be the best money spent.

And then there's some things like passwords, just making sure that your employees have good passwords as a policy. What does that mean? 1,2, 3, 4, 5 is not a great password. Password is not a great password, and we see those all the time. Good passwords or things that have up upper and lowercase letters, that don't form words themselves, that have numbers in them, that have symbols in them in random patterns. A good thing to do is to get a password manager for your company. They're relatively inexpensive, they can help you come up with very strong passwords and they can also prompt you to change your password every 30 days, 90 days, so that your password isn't the same as sitting out there for years.

And so good password hygiene is going to be another one of those low hanging fruits. Two-factor authentication, when you go to log in to your computer or log in to an online cloud service, or whatever it may be, having two-factor authentication enabled. And most programs now have it, you just have to turn it on and enable it, but then that gives you a code back to your phone that then you have to put in to log in. That's going to help tremendously. Just making sure that you update your software and your apps is going to be another one of those low hanging fruits. Apple and Microsoft and Google come out with these updates very frequently, and the reason they do, is that they are addressing issues and known vulnerabilities. And so if you don't update or patch or install the latest update, you're going to be vulnerable to whatever that issue is they're addressing. And so just making sure that we have a regular patch cadence for our computers.

I would suggest turning on automatic updates for your computers and for your phones so that they automatically update with the latest operating systems and patches to apps and operating systems. Another good one is wifi. If you have wifi at your business, making sure it's a secured network. Don't let any and everybody on your network. Put a strong password on that network, and anybody that has to log in has to use that password. That's going to help. And then tell your employees when they're out in the field, don't use unencrypted free wifi. My father always told me, "Nothing in life is free." And free wifi potentially is not free, because bad actors are known to get onto those systems to hack into yours, because they're all coming at it from a trusted kind of standpoint.

So making sure that you don't use free wifi and your wifi routers at work have passwords that are strong. And again, that you change every so often. You don't have to change those as frequently as you do your computers and phones, but every so often change those and don't use the same password across different platforms. Don't have the same password for your phone that you do for your computer, that you do for your apps, and those sorts of things. And then probably the last one, I get rolling on these things, Heidi.

Heidi J. Ellsworth: I like it, I like it, keep going.

Roy Hadley: [inaudible 00:18:02] comes out, but probably the last big one is just to have an incident response plan. Know what you're going to do in case something happens, if something gets locked up. What do you do if an incident happens, say an employee clicks a link and all of a sudden their computer starts going haywire? What do you do so that you can respond? I think it was, I forget who it was, it was some famous criminal, but they said, "The best time to figure out what to do about bullets flying past your head is not when they start flying past your head."

Heidi J. Ellsworth: Yeah, yeah.

Roy Hadley: You have to have a plan. And I know it was Mike Tyson that said, "Everybody has a plan until you get hit in the head." And so you want to have that plan and make sure that you understand what you're going to do in case something happens. And then the last one, I promise, the last one, it's just have backups. Back up your stuff and have good backup hygiene, because if something does happen, hopefully that will allow you to get stood back up quicker and more efficiently than if you didn't have backups.

Heidi J. Ellsworth: I'm feeling actually semi pretty good because all those tips, I think we're doing, I think there's a couple, I mean me personally, I probably could do a better job with my passwords. But we are doing training with our employees right now, Roy, same thing on how what to do, but also having that plan, that final one is so important. So as the contractors, those are just great tips. I hope for all the roofing companies out there as you're seeing this, these are things that are going to really help you with obviously the ransom, the attacks, sending money to the wrong places, all the phishing. Oh my gosh, it drives me crazy. I kind of like, "Get a job." I mean, why are bad actors doing this, right? They could be doing great things to help us.

Roy Hadley: Right. But to your point, and you hit on it, and this is what I remind people all the time, that is their job. They're good at it, they're doing it 10, 12 hours a day. They show up every morning and they log in and do their job, and they're good at it. And unfortunately, I think artificial intelligence is going to make their job even easier, because it's going to allow them to tailor messages very specific to you.

Heidi J. Ellsworth: Scary.

Roy Hadley: That makes it even more believable.

Heidi J. Ellsworth: So that training is so important. So okay, I want to talk about something a little bit different too, but I've been hearing from contractors, and that is they are actually having their equipment hacked. So they've had drones hacked, they've had some of their equipment on the job site. Talk about that.

Roy Hadley: Yeah, and it's funny because the equipment hacks are, again, one of those things that you're starting to see more and more. A lot of it is just malicious. There's not really a lot to gain from making somebody's drone crash and destroy it. But there is a lot to gain potentially from seeing what that drone camera is taking pictures of to see where that contractor is and what they're doing. A lot to be gained from that. Competitive advantage. If I can attack your equipment and make it so it doesn't work, or lock it up and you have to buy new equipment, boom.

Heidi J. Ellsworth: Wow, I didn't even think of that.

Roy Hadley: All of a sudden you're on your heels. Again, though, a lot of the things we talked about, and that equipment thing, especially the drones, is becoming more and more prevalent. And again, those are usually malicious actors. They're not really looking necessarily for a payment, they're just malicious, those activities. And so some of the things that we talked about earlier are going to be the same keys to mitigation for your equipment. So making sure that you update your equipment, operating systems and all of that, because most equipment, electronic equipment that you can control from your tablet or from some kind of remote device, is connected to the internet. It's going to be receiving from the manufacturer, updates regularly. And so you want to make sure that you're applying those updates and applying those patches as they come out to keep yourself more secure.

Another thing with equipment, and this kind of goes to the house too, the internet of things, and you've got remote. Now you can hook your refrigerator up and you can hook your washer and dryer up and your coffee maker up to the internet, and you can also hook your cameras up, your security cameras up at work, and you can hook up all sorts of things now and control them remotely. What does that mean though? That means you really do need to be more vigilant about those passwords. People install security cameras all the time and they come with default passwords, usually password or password one or 1, 2, 3, 4, 5, 6. And if you don't change those passwords immediately when you hook up that equipment and turn it on, you're vulnerable.

Physical security people don't think about in terms of cyber, but if your premises aren't secure, then in theory, potentially your cyber isn't secure either, because if I can get on your premises and get to your wifi router, I can more likely than not change that password. And so you just have to think about those sorts of things. Your drones, drones have passwords to them that allow access to them. So again, change those passwords and make sure you regularly change those passwords with very complex passwords. And again, if you can't remember passwords, get a password manager. There are little programs that help you generate those random passwords and help you secure and remember those random passwords. So equipment is going to be a growing problem, and again, that's just maliciousness. But from an infrastructure standpoint, if you can lock up equipment, then you could do a lot of harm and a lot of damage.

Heidi J. Ellsworth: Yeah. Well, it's really interesting too, and for everyone listening out there, we've been through this. So in the last two years we've brought in a password management system called LastPass, and I'm just going to be a hundred percent honest, for some people, easy-peasy. For myself and for some of the other folks, totally annoying. But it's so important and I'm making myself use it. I'm still very paranoid, Roy, about banking information stuff. I don't want to give that to LastPass and I'm not going to. But overall, I think there is a lot out there, and for a Gen Xers who are business owners out there, or even millennials who are business owners, this is a lot to take in. I'm really lucky on my team, I have some young folks who have taken this on as an initiative, and they kind of understand it a little bit better, and they're making it happen. And so something to think about, I think. It's easy to say all these things, but sometimes it's not that easy to do them.

Roy Hadley: Right. And I'm kind of like you, I don't use password managers, especially for my banking stuff. But again, a good suggestion also is, I have a different laptop that I use for banking. And that's all I use it for. It doesn't have to be all that expensive, the one I got was like 400 bucks, and that's all I use it for. I don't have any other apps installed on it, I don't surf the internet on it, don't do Microsoft work, I just use it for banking. Because that way I'm more assured that I haven't clicked on something malicious, or downloaded something by visiting a website that I shouldn't.

And businesses might want to consider doing that, and just having a one system that they're using for banking information, and then use another system for everything else. And so those kinds of things, not expensive to do, but can make your security profile and your security hygiene much higher.

Heidi J. Ellsworth: Wow. Well, Roy, I can't believe how fast this podcast has gone. Such great information, I absolutely love it. I hope you'll come back again in the future and we can talk more about, maybe even get a little bit deeper on some of these issues, because as we keep having the contractors, they keep asking us questions. So I'm ready to come back and ask you some more of these in the future.

Roy Hadley: Absolutely. I would love to come back. And we mentioned it before, that AI thing, that artificial intelligence, I think that's going to be a big, big deal, both from a business standpoint and how your business operates, but also from a security standpoint. And I know again, ChatGPT came out last fall, everybody's heard about it, but we've been using artificial intelligence for a long time. In the roofing industry, the ability to estimate surface areas of ruse by drones, by satellite images, things like that, a lot of those are driven by artificial intelligence. And so it's not something that's new, it's something that will probably transform the industry and a lot of industries, but it's just something that we need to be aware of and get our hands around from how we're going to do it with business and how we're going to do it from a cybersecurity standpoint.

Heidi J. Ellsworth: It doesn't control us. There we go.

Roy Hadley: Right, that's right. It's a tool. Tools like anything else, we just have to make sure we manage them appropriately.

Heidi J. Ellsworth: I love it. I love it. Well, Roy, thank you so much for being on the show today, we will be seeing you again. And for everyone out there, we are getting so much information from Roy and the experts at Adams & Reese that it is on RoofersCoffeeShop. So please visit Adams & Reese directory on RoofersCoffeeShop to get more info information about Cyber, on protection, how to reduce your risk. Cyber insurance, there's just so many things out there, but you can find it all on RoofersCoffeeShop.

Roy, we will be seeing you soon.

Roy Hadley: My pleasure. Thanks so much for having me, Heidi. Enjoyed it.

Heidi J. Ellsworth: Thank you so much, and thank all of you for being here today. Please, like I said, check out the directory for Adams & Reese, but also check out all of our podcasts under the read list and watch navigation under podcasts and Roofing Road Trips, or on your favorite podcast channel. Please subscribe and hit those notifications so you don't miss a single episode. And we'll be seeing you soon on the next Roofing Road Trips.

Speaker 1: Make sure to subscribe to our channel and leave a review. Thanks for listening. This has been Roofing Road Trips with Heidi from the rooferscoffeeshop.com.