Scott Alldridge: Zero-Trust Cybersecurity: The Key to Staying Safe | DSH #1513

46m
Zero-Trust cybersecurity is no longer just a buzzword—it's your best defense in today’s digital battlefield. 🔐 In this eye-opening episode of the Digital Social Hour with Sean Kelly, we sit down with cybersecurity expert Scott to uncover the chilling realities of online threats and how you can stay one step ahead. From sneaky public Wi-Fi hacks to the rise of ransomware franchises and AI-powered attacks, this episode is packed with valuable insights you can’t afford to miss. 💻🔥

Scott breaks down the essentials of the Zero-Trust methodology, explaining why “assume breach” is the mindset every business and individual needs to adopt. Learn how hackers exploit weak passwords, unpatched systems, and even advanced techniques like deep fakes and quantum computing to wreak havoc. Are your backups truly secure? Is your MFA strong enough? Discover the tools, strategies, and mindset shifts you need to safeguard your personal and business data.

Tune in now to hear jaw-dropping stories, practical tips, and insider secrets that could save your business from becoming the next victim. Don’t miss out—watch now and subscribe for more insider secrets. 📺 Hit that subscribe button and stay tuned for more eye-opening stories on the Digital Social Hour with Sean Kelly! 🚀

Join the conversation below and let us know: What are you doing to protect yourself in this ever-evolving cyber world? 🌐💬

CHAPTERS:

00:00 - Intro

01:13 - Why Data is Valuable

03:20 - How Crypto Hacks Work

06:49 - Frequency of Hack Reports

08:02 - Understanding SIM Hacks

09:10 - MGM Cyber Attack Overview

11:13 - Advanced Multi-Factor Authentication

16:40 - Legal Punishments for Hackers

17:54 - Social Security Number Vulnerabilities

18:50 - Frequency of Personal Hacks

20:45 - Consequences After a Hack

22:30 - Catching Hackers: How Often?

28:05 - Target Data Breach Analysis

31:50 - Are Hackers Gaining the Upper Hand?

34:47 - Get Josh's Book for Free

38:32 - Quantum Computing and Password Security

42:32 - Importance of Reliable Backups

43:10 - Contact Information for Scott

43:17 - Where to Purchase the Book

43:44 - Free Penetration Test Offer


GUEST: Scott Alldridge

https://www.instagram.com/scottalldridge1


Transcript

Yeah, so if you go to public Wi-Fi, because there's such weak security protocols, so there's little hacks that you can put in, you can basically see the streams of data that are going on.

And then they have emulators, so you can almost literally almost emulate your screen and watch everything you're doing.

Holy crap.

Sniff passwords, they can do all kinds of stuff.

They can even do little applets to log on to your phone or your mobile device, your laptop, and basically just make a copy of it.

Wow.

Okay, guys, we got Scott here today, cybersecurity expert.

What's new with you, man?

I know you got the book launch and you're busier than ever.

Yeah, well, thanks for having me on.

I'm really excited to be here, big fan of you and your show.

And so it's really cool.

Thanks.

But yeah, I live in the world of cybersecurity.

That's where I camp.

Clash of two worlds right now because I'm in the entertainment business and you're in cybersecurity.

Yeah, it's a crazy world out there.

There's just so many threats and things that are going on that it's almost hard to get your head around.

The growth of, you know, the cybersecurity hacks and the ransomware stuff that we read about, you know, really almost every day in the news.

It's, it's crazy.

And it's obviously a global problem.

Yeah, because data is really valuable.

So these people or groups want to basically get all this data, right?

That's how they're hacking into these companies for the data.

100%.

Yeah, they really want the data is the value and certain types of data is more valuable than other types of data.

So, you know, they love, you know, healthcare data, not only for the healthcare, you know, kind of HR, the doctors and the nurses, but they patient data is really valuable too.

So on the dark web, which is where a lot of this lives.

And, you know, that's one of the problems, quite frankly, is it's becoming so prolific for anybody.

You know, if you're a middle schooler or a high schooler that really loves tech and you want to start hacking, just get the Tor browser, go on the dark web.

You can actually join a franchise for ransomware and to do hacking.

Wow.

So you pay $299, you get a kit, they give you some tools, some training.

And then if you go out, try to hack maybe some local businesses or whatever you can, because, you know, you're connected.

So you really can, you know, we get hacks from all over the world that come into the U.S. and get businesses.

And the other thing is they're going way down to small businesses, but you basically can join up a franchise, crazy as it is, and they'll bring in, if you can't hack in, they'll bring in one of their experts, one of the really good threat actor guys, and they'll actually work with you and then they'll split the profits of the ransomware.

So once they get the Bitcoin, and it's a sophisticated world.

And the other thing is, is that a lot of times when they finally do negotiate and, you know, they show up with a black screen and all your networks down.

I mean, you just kind of imagine, you know, your whole thing is, whether you're a small business and a coffee business or you're, you know, a hospital, you know, your systems come to a complete halt.

So you just get a black screen of death, as we say.

It's got a text file that says, oh, by the way, we have all your data encrypted.

Please pay, you know, 50 Bitcoin to, you know, whatever, that 100 Bitcoin or whatever.

And so then in a couple of cases, we've been pulled, you know, pulled into ex post facto of ransomware.

They're ready to settle and negotiate because they didn't have proper backups and some of the things you should have in place.

And they said, oh, call our 1-800 number to our call center and they'll settle up the transaction.

So they're so sophisticated.

They actually not only have franchises, they have call centers.

Wow.

That's crazy.

A call center just for reaching settlements.

Yep, 100%.

Yeah, some of these hacks are clever.

The crypto ones are crazy because those are hard to trace, right?

Really impossible to trace.

And that's why they want to be paid in crypto too, because they can't trace the dollars, you know, the FBI or Interpol can't trace them.

Yeah.

So those ones, what can you really do, right?

There's nothing you can do unless you go into where I talk a little bit about in my book.

We talk about zero trust, which is kind of a methodology.

It's about layers of security.

But one of the big prerequisites to this method of zero trust to enhance your cybersecurity is you assume breach.

Because we look at all these big companies, even the casinos stuff, they spend millions of dollars on cybersecurity.

They have the best and the brightest people, guys that are making half a million bucks a year, expertise, all the tools, and yet they still get hacked.

So the idea of assumed breach, if you're a smaller business, and they're going downstream, and the threat actors are going for very small businesses.

You could be a business with 500K or a couple million dollars in revenue, and they're going after you.

They're going after everybody.

And it's become so crazy.

It's growing so fast.

10 trillion this year in cyber hacks that will happen that cost businesses.

That's supposed to grow in the next three years to over 20 trillion.

Holy crap.

So it's going to double in three years.

It's crazy.

And I was just going to ask who the targets are, but it sounds like just everyday mom and pop businesses.

Exactly.

And that's really a lot of the reason that I kind of wrote the book.

There's an altruism to it that I kind of want to raise the tide that floats the boats of everybody being more aware about security.

And so my, you know, the Visible Ops Cybersecurity that we, that we, that I wrote has basically been pretty popular because people care about their cybersecurity.

And then realizing that the first book, you know, that's pretty big is a little technical.

And so for some of the more executive audience that need to pay attention, business owners, presidents, vice presidents that maybe are being told by their IT they're good or they have a current provider that's managing their IT and their cybersecurity, how do they really know?

So I actually wrote the executive companion that really has no geek speak, as they say.

It's really written in more plain English.

Even like examples, like there's a Deloitte and Touche study of businesses, like this is what the average spend is on your IT spend.

And out of your IT spend, your information technology spend on your technology systems, here's how much you should be spending on cybersecurity.

So it gives like really real world examples of how do you prioritize cybersecurity and are you budgeting enough?

And a lot of things again in the book is that really a lot of businesses need to go upstream because cybersecurity is such a threat to the business, like so many risks that really the board, you know, your board and your executive teams really need to be talking about cybersecurity.

They need to care about it.

They need to prioritize it, which means they're going to budget it, which means you need really smart IT cybersecurity people that are communicating in more business terms.

It's a business problem.

It's not an IT problem.

And that's what shifted.

Yeah, I really see cybersecurity on a pie chart when I look at a business of how they're spending money.

Very much so.

At my level, at least, I feel like the top companies probably spend a lot.

But when I look at six, seven, eight-figure businesses, I don't see too much spend there.

Yeah, exactly.

And that's the problem domain, I guess, at this point.

And so getting businesses to recognize how prolific and real the threat is and that they are a target is really important.

And there's a lot of people, you know, and IT in some ways is kind of its own worst enemy because a lot of times if you have pretty good IT systems, they just kind of work and everybody expects them to work.

And then when they don't, everybody freaks out, even though they'll tell you initially, well, we can handle a little downtime, it's not a big deal.

It's kind of the same as cybersecurity.

It's a little bit out of sight, out of mind.

So it's not really in the forefront of thought.

And that has to change.

And it is changing because you just read the news.

You know, it's, it's every almost every day you're reading some hack somewhere.

The other thing is, not only you're reading it like that, you know, where it's so prevalent and common, but right now the latest statistics are that seven out of 10 hacks don't get reported.

Wow.

Because you only have to report it if you're under some kind of compliance or regulatory mandate, state mandates.

Sometimes they have laws in compliance.

So, you know, if you're in healthcare, of course, you got to report it.

If you're in finance, you know, certain compliance.

But if you're a manufacturing company that's completely private and you get hacked and a lot of, you know, customer information or user information gets hacked, you don't have to necessarily disclose it.

Yeah, I got hacked.

I didn't tell anyone about it.

You know, I got SIM hacked.

That's a nasty one.

That is a nasty one.

Yeah, that one can end up bad, especially if you have crypto or like important logins somewhere connected to your email.

Big time.

Yeah, on the personal front, the threat, just using public Wi-Fi, you've even got to be careful.

You don't think it's safe to just go to Starbucks?

I log on there all the time.

You got to be careful.

There could be somebody in the corner totally sniffing your Wi-Fi.

They can hijack it really easily.

Holy crap.

So if you connect to a public Wi-Fi, what can they do from there?

Yeah.

So if you go to public Wi-Fi, because there's such weak security protocols, a lot of them aren't up to date.

So there's little hacks that you can put in and you can basically see the streams of data that are going on.

And then they have emulators.

So you can almost, they literally can almost emulate your screen and watch everything you're doing.

Holy crap.

Sniff passwords.

They can do all kinds of stuff.

They can even do little applets to log on to your, your phone or your mobile device, your laptop, and basically just make a copy of it.

Wow.

Yeah, it's crazy.

That's nuts.

So even at like the airport, you could get compromised there.

100%.

Yep.

You got to be really careful.

It's not that you can't ever use a public Wi-Fi, but if you do, you have to make sure you've got the right, you know, security tools on your phone or your device to be using it.

That is good to know, man.

Because a lot of people use public Wi-Fi, like at hotels, airports, Starbucks.

Big time.

And it's, it's, yeah, they're learning that people just don't, aren't paying attention.

Yeah.

And it's easy to get that.

And that's on the personal side, you know?

So there's a lot, a lot to think about in the whole world of, you know, cyber.

I was thinking about, you know, the, you're kind of going back to the big corporate things, you know, like the casino that got hacked here.

Yep.

MGM, right?

MGM.

Yeah, that was really interesting.

You know, they literally just called the call center, the IT, you know, support center and got a password changed.

One change of one password.

And people are still sometimes putting passwords on sticky notes and not taking it seriously in smaller businesses, especially.

But they even have protocols there, but they basically convinced, and these are some of the groups.

There's a lot of bigger groups that come together.

They're hacking groups.

And these threat actors often are kind of one of three buckets.

Sometimes they're doing it because they want to make just a statement, like a political statement.

Sometimes these hacker groups is just all about the money and there's some in between.

But in this particular case, they convinced the call center to change a password.

One password cost them over $100 million.

They said they weren't going to pay.

They were down for over 30 days, cost the business over 100 million bucks.

And then because they got a bunch of data that was personal data, they just settled like last month for $49 million, I think it was, for the people that got their information hacked because they didn't have the right controls and cybersecurity systems in place.

That's nuts.

They had to settle with the people that got their info leaked.

Yeah.

Yep.

Yep.

Big, big court case that went on and that just happened.

So it's, it's not only real there, but more on the front of, you know, the person, or I should say the smaller business side, more your small to medium, you know, you're a hundred, five hundred thousand employee type business.

Those are the really the sweet spot right now that they're coming down to and they're going after.

And like MFA multi-factor, where we all, you know, log into Amazon, we get a code and, you know, text.

The other thing is they're really getting good at hijacking your MFA.

They can get SMS streams.

So, or if you're going like a code that's being sent to your email, which is really common, like, oh, we're going to email you code.

They first hack your email and then they will, of course, get your code just like they will your SMS.

So regular MFA, a lot of people aren't even using it.

It's still a good thing to use.

It's better than nothing.

But there's actually the next level, which is kind of an advanced MFA.

We call it in the book.

There's a chapter called Verified Credential Access.

It's one where we're using an app on your phone because that actually has a little crypto key on it.

And it's kind of decentralized.

So you're not just getting one point of a place to send you a code.

It's talking to another point, two different points as decentralized to authenticate and make sure that you are who you say you are while you're being connected.

It does regular check-ins.

So it knows that it's you.

These are some of the practical things that businesses really have to implement and get serious about using.

That's just one of many things.

That's like a Google Authenticator app, right?

Yeah.

Like a Google or Microsoft authenticator.

Those are really popular ones.

The other thing point I would make about that is back to kind of the zero trust, the big, you know, assume breach.

The way you defend against and put yourself in the best position as a business is you actually don't just have backups, but if you're assuming breach, you have immutable backups, which an air gap, which means that they are completely separate from your network.

So if the threat actors are very patient, they'll get on there.

They'll sit for a while, watch for a month, two, three months sometimes.

They'll see where you're streaming.

So a lot of people are like, we're streaming our backups to another location.

We're streaming them to the cloud.

We got backups.

We're good.

They'll actually watch where you're putting them.

Then they'll go encrypt where your backups are if they're not encrypted.

And so that's a really scary thing.

So a lot of people don't understand in a lot of organizations and companies that the level that you need to have in your backup strategy.

It sounds like, oh, we've got it covered.

I'm sure everybody's saying they've got good backups, but can you restore?

And are they mutable?

Really important.

And then you got to decide at what point in time do we want to restore to?

Can we lose four hours of the data?

Can we lose no data?

Can we lose a day?

And then how long is it going to take us to restore if we do?

That way, when the black screen of death, as we call it, and the text file says that we have all your files encrypted and you want access to your network, you need to pay us this amount of Bitcoin to this address.

You can basically just not pay it, ignore it.

And you know that within, you know, eight hours or maybe 24, 48 hours, you can get your business back up from your backups.

You can truly restore them because they're really immutable.

They're separate.

That is crazy.

Have you been seeing any AI hackers or anything like that lately?

Yeah, there's a lot of AI that's out there.

They're using it.

It's making it more difficult.

It's kind of like a little bit back to the old days of the antivirus.

We'd buy an antivirus software and it would protect you against most of the popular malwares.

And then they would write new malware that would go around the antivirus software.

So then you'd have to do your updates so that you got the latest anti-malware.

That's a little bit the cat and mouse that we're in with cybersecurity all the way around is that they'll figure out something with AI that they can do to try to hack people and different methods.

But then new AI deterrence, and we use a variety of different AI tools in our business that can actually do a really good job of, you know, cutting down the noise and finding some of the AI hacks.

But where it really gets tricky with AI is when we get into deep fakes and we get into this idea of really using it as social media because still 80%, 70 to 80% of all hacks or network infiltrations that happen, it really comes from the end user.

That's the biggest threat is the person.

There's no real, if I become you, Sean, and you've got access to everything and I convince that it's you,

I have the ability to basically have access to anything I want to have access to.

So that really is one of the big, big pieces you got to look.

And so there's some certain things that you deploy in good practices that we talk about in the book and stuff that you deploy to really what we call endpoints of the end users to really make sure you protect that endpoint.

So it's a product called EDR, which is an acronym in our world, but it's called endpoint detection response.

It's like the new antivirus software of today.

Wow.

So every business should be using some form of an EDR.

If you're not, that's a really basic thing.

Every business should definitely have good backups that are immutable, completely off the network, which is a little tricky to do, and a plan to be able to restore them.

Those are really foundational things.

I hope you guys are enjoying the show.

Please don't forget to like and subscribe.

It helps the show a lot with the algorithm.

Thank you.

That's good to know.

Yeah, I need to start thinking of how I could do that with all my footage, all my data, right?

Sure.

Yeah, you have a lot of valuable stuff.

Yeah.

And so it's important to think about it being not just on site, but off-site, but not only just off-site, but a place off-site where it can't be reached through this network.

Right.

It's like your crypto wallet.

Yeah, like your crypto wallet.

It's a great analogy.

Yeah, because if you have the regular wallet, you could get hacked easier.

Big time.

Yeah, there's a lot of threats like that.

So, yeah, there's a lot of parallels.

AI is definitely the future.

They're using back to the AI thing, they're using it to really try to fool people in so many different ways.

And it's, you know, so fast and creative and how it can convince people who they are.

And then we talk about deep fakes, right?

I mean, that's a whole scary world.

That scares me because when you think about facial recognition and voice recognition, can that even bypass that potentially down the road?

Potentially, it certainly can.

And that's why it's a big concern, you know, as well as just all the implications, right?

I mean, if, you know, you could deep fake, you know, Sean doing something nefarious that Sean would never do, whatever that is.

And how do you really know?

I mean, you know, and so they're, of course, writing, you know, better deep fake software than them kind of like the cat and mouse game, but then better detection.

But I don't know.

Right now, the bad guys are winning.

That's really the theme.

You know, the bad guys are winning.

They're hacking more and more networks, getting paid tons of money.

And it's very profitable.

They make it very easy to do.

And it creates for a lot of challenges out there for businesses to properly defend and what we call really have the proper cybersecurity hygiene.

Also, I wonder if the punishments are enough time because I remember my friend got SIM hacked.

The guy only got a few years, but he got eight figures in crypto.

You know what I mean?

Wow.

Yeah.

That is a problem.

They're still catching up a little bit with, you know, how do you track down, you know, threaten.

And the other thing is that, you know, it's anybody that's connected across the world.

So, you know, the hacker may not be somebody that's U.S. based.

It likely could be another country, and they may or may not have stringent laws, you know.

Good point.

Certain countries, I know there's groups in North Korea that hack crypto.

There's groups in Asia, right?

Other countries.

Big time.

Some of your biggest groups are there.

And a lot of them are decentralized groups, right?

They just come together for a common cause, like I was sharing earlier.

They have, you know, some cause they decide is important or something they don't like.

And so then they just gang up and the bad kind of franchises in a different way.

There's like groups, like almost businesses.

You almost would imagine somebody literally like, you know, getting dressed, getting ready to go to work every day, and they're saying goodbye to their family, but they're actually going to a complete hack shop like you'd see in a movie.

Yeah, yeah.

I've seen those in India, the call centers that scam elderly people.

I've seen a ton of YouTube videos on those.

100%.

And it's a very real.

And it's just a, you know, deeper, more advanced version of that that are going after a lot of the businesses, particularly here in the U.S.

They're very interested in U.S. businesses.

I saw something.

I'd love to know if you think this is true, but I saw some hack where a bunch of social security numbers got leaked.

Almost everyone that lives in the U.S.

Did you see that?

Yes.

Yeah.

There was a huge, it was a governmental hack.

There was some agency, I believe.

And so I read about it, not deep up on it, but they definitely can.

And with the social security numbers, of course, they're going to sell that to people that are doing identity theft.

So that's the real value there.

I think that's how I got SIM hacked, honestly.

Uh-huh.

Very possible.

Because they probably called my carrier and had my social and then just said, can you send the SIM card to this phone?

Yep.

Yep.

And so, you know, being able to authenticate people more from a physical perspective, right, on the phone.

That's why you're getting, people are catching up a lot like your banks and stuff.

They're learning, I can't just take a little bit of information.

I've got to ask more questions that are very unique and discrete that only you would know.

Right.

So that's really important.

And the same thing is kind of true as you think about, you know, rolling out better cyber into the businesses.

How often do you get hacked?

Cause people try to play with you, I bet, right?

Yeah.

Yeah.

We, we do get, you know,

We have a lot of different layers of security in place.

And if all the things that we talk about, we kind of joke, we eat our own dog food.

We make sure that's important.

But there are a lot of threats.

I mean, somewhere, I think I was reading recently that, you know, there's like 362,000 on an average, you know, like network.

And I'm averaging things out, 360, bots that are trying to hit your firewall at any point in time.

A day or a day.

Holy crap.

It's that many thousands of things.

There have been some scenarios where people have put what they call honeypots out there on the internet, where they purposely don't really secure things and they kind of leave it open just to see what kind of, and that's where the AI and the bots are coming in at a, you know, crazy level.

And they just need one little port, one little mistake that's open.

And again, kind of like the password example, like one password cost a casino over a hundred and, you know, 48 million dollars.

It's crazy.

You know, so imagine that to a small business of what it can, what it can do.

Yeah, especially, I feel like with elderly people, they just get an email, they're like, click this link, and they're screwed, right?

Very easy.

Yeah, very easy.

And again, those are, those are kind of the low-lying fruit.

And those are kind of more your, you know, franchise hacker group.

It's more the sophisticated groups than some are, you know, organized, some are not so organized, but they're the ones that recognize that if I can get this business to shut them down, right?

It's a man, you know, like I said, it's a, some kind of a, even a software business or whatever, right?

I get in there, I get their data, I get their intellectual property.

So anyway, it's, it's really a crazy thing that they're, it's, I don't have to make it up.

You know, I sit here and talk on and on about it.

I mean, there's story after story, but the thing I kind of keep coming back to and that I'm reminding people about is that we only hear about a few, a small percentage, right?

There's so many more that are hacks that are going on.

And it just costs businesses so much money, so much distraction, the downtime.

It's just a lot of issues around, you know, this cybersecurity world that we live in.

And one of the things I talk about in my book is kind of the efficacy of IT processes.

One of the things that people get kind of in love with this idea with a new tool.

So if we, no, my, you know, IT guy said we're going to deploy this one new tool and that somehow one tool is going to put us in a better, you know, protected state.

And that's just a fallacy.

That's not true because you've got to have all the layers.

And so we joke about a fool with the tool is still a fool.

You, you really, you really got to have a strategy and a philosophy around how you're deploying and protecting your business with your cybersecurity.

And it starts with leadership.

And I talked about that in the book a lot.

Yeah.

Yeah.

I'm sure you've heard the craziest stories, the horror stories, lost business, lost revenue.

A lot of stuff.

Yeah.

And we usually get pulled in ex post facto, right?

After the fact of the hack or the breach, and they're looking for stuff, and it'll cost a business between seven and ten times more money after a breach happens than if they did put the preventative tools.

A little bit like brushing your teeth, right?

You do the, or medical, you do the preventive maintenance stuff and you're going to avoid hopefully some catastrophic event.

Yeah, it's like, would you rather have you guys on hand when it went and if it happens, or after, and maybe you can't even fix it at that point?

Yeah, exactly.

A lot of times it's too far gone.

Yeah, if a hack actually happens or a breach like that, one of the important things, actually, a lot of people is they'll just start erasing, rebuilding stuff, but it's actually really important to protect the forensic data.

Because if you are going to bring in, you know, report at the FBI or even bring in some of the, you know, smart folks that we work with and that we do to do the forensics to understand how it happened, to prevent, you know, kind of root cause, you can prevent the breach from happening again.

So it's kind of important to stop, drop, and roll, if you will, when a breach happens and not overreact, but yet you're concerned because you're trying to get your business back in, you know, back in business or back online.

And it's very, very stressful.

It's a very difficult situation.

And you really don't want to be in that situation.

What percentage, if you had a guess, of the hacks and breaches you dealt with, were you able to trace back the hackers?

So pretty small percentage because they're pretty smart.

Like I said, they're kind of winning the game.

But I think statistically they're saying that less than 20% you can actually get to sources.

That is small.

Yeah, there's a lot of interesting technologies, you know, like ProtonMail, which is a Switzerland-based system.

They have Proton technologies.

They really are become proxies and hiding people behind things.

You really can't, you know, nobody can trace down where it's actually coming from, from ProtonMail.

Yeah, that's one example.

There are multiple tools and solutions, you know, services out there that make it really easy to basically hide your IP and not be non-traceable.

It's pretty easy to find, and on the dark web, of course, there's all kinds of services you can get.

Do IP changers still work, like the VPNs?

Does that still work to hide where?

VPNs are, if you get, if you keep them patched and up to date and you're using kind of the latest, greatest VPN technology, you're in pretty safe shape.

But if you're using an older VPN, no, they're hacking them.

There's all kinds of vulnerabilities in those old VPNs.

And a lot of people, they just don't get around to updating them because IT is busy and they don't have time to do the updates or their, you know, cyber team isn't really aware.

They're working on something else.

So there's a lot of really basic kind of foundational things that you should always be doing, like even patching your systems, a little bit like even your phone.

When you get those updates, they're annoying.

But if you don't do them, you could be opening up threats even on your phone as an individual.

Same thing's true in a corporate network.

You have to keep your servers and your systems and your network devices and your firewalls and your VPNs.

You got to keep them patched and up to date.

And it's not always that easy to do.

Besides, there's downtime and nobody wants to do that, or it just takes a lot of effort, after-hours work.

It's difficult.

There's a lot to be done out there.

It's actually really great to know because I'm one of those guys that procrastinates the phone updates.

But now when I see one, I'll immediately update it.

Yeah, it's really important because it's often in this day and age, you can almost assume that any of those updates are blocking some security vulnerability that's on your phone or your system or your laptop or whatever it might be.

I wonder if that's ever happened with Apple if someone breached into them.

Well, I think Apple is a target.

And I think there are, again, they would only have certain disclosure that would apply depending on what kind of breach.

But if it's just their intellectual property, then they probably aren't going to let people know.

It's a good point because a lot of companies probably don't want to ever admit that they got hacked.

Yeah.

Exactly.

It's not a comforting sign.

It's a bad signal to your customer base.

Yeah, it's not a good look, particularly if you're a financial institution.

You really don't want that to happen.

And so some of your safest, you know, where you've got a lot of compliance, a lot of people are in this fool business is that, well, we got to be compliant.

My IT guys have filled out a list and they checked a bunch of boxes.

And so there's a little bit of a false sense of security there.

Because just because you're checking boxes, that you have a security policy, that doesn't necessarily mean that you're keeping your system safe.

Right.

Right.

You got to actually back it up with what we call, you know, attestation of controls, right?

You actually have to test those controls and know that those systems and tools are in place to really do what they say they do.

So that's, that's, again, not easy to do.

Um, difficult.

I mean, I'm on a couple of credit monitoring services and I feel like there's a hacker breach at least once a week.

Like I get a notification that my stuff's been leaked.

Yeah.

And I would say, again, that's probably only getting notified on a small percentage, which is crazy because there's already so much.

There's so many.

Yeah.

It's really a scary world.

And I'm not saying you're not to create what we call, you know, fear, uncertainty, and doubt, right?

It's, we're kind of in a world in our business space.

We've been doing it for a long time.

I started in IT 30 years ago, I was kind of a tech preneur.

I was in a software business, and we reinvented ourselves into kind of network integration.

And then we eventually spun out what they call a managed services provider.

And we built a network operations center and a niche data center, 15,000 square foot facility, and it's certified and what all that.

But then over the last 10 years, that's where we really evolved, where we lead with cybersecurity.

And we really become what they call an MSSP.

So you're a managed security service provider.

And so, that's really what we lead with because everything in management of IT really does require that you're managing, you know, all of the IT systems with a security-first mindset.

And I talk about that a little bit in the book.

Matter of fact, one of the things that's really important is kind of getting back to the processes: is that there's some older studies, and they're still true recently, that 70 to 80% of IT downtime and IT failure is correlated to like some unapproved, unauthorized, untested change.

So if you have really bad change management practices, you likely are going to have a lot of IT downtime.

And here's the quip of cybersecurity that I talk about in the book a little bit is that no security breach happens without a change or a need for a change.

Either I brute force hack something, right?

I use some tool to get in and hack in and get in your network, or I convince you to change something.

I become your social engineer you.

Interesting.

And so then I do it.

So the idea that the efficacy of IT processes, what I'm really saying in there is I'm saying you really, really need to have good change management practice.

And that involves some other things you need to have in place, like configuration management, a couple of things.

But the point is, you got to have good change.

You really focus on that.

It kind of becomes a really important backstop to your cybersecurity.

So it's kind of common sense, even though it sounds a little process and techie.

It's mainly just saying you got to have really good change management practices.

That helps your cybersecurity posture too.

That's great to know because, yeah, you've got to think about your employees too.

If they get hacked, how much control do they have over what they could change, right?

Yeah, exactly.

And that's why it's super important that, yeah, that you're monitoring change.

You have what we call kind of detective controls.

So it's monitoring something and saying, oops, something's not right.

There's some old stories.

I'll tell one about, you know, the Target breach.

It was one of the first big credit card breaches that happened.

This is about seven, eight years ago now.

And what happened was is that they actually had a HVAC vendor that manages their air conditioning and heating systems that actually had a dedicated connection, VPN connection, into the Target network.

And so what happened is they actually figured out a hacker that they had access to all these businesses.

They like the Target one.

They used their network to get into the Target network.

And it was a, what they call a flat network.

In other words, once you're on their network, you can kind of get to everything.

Wow.

And they had a bunch of point of sale servers that were living in their data center at Target at the HQ.

And this threat actor put a little piece of code, a little applet as we call it, that basically allows you to just siphon data, string data to another place, another point.

It put this code, it set their, the breach happened in April.

They set their April, May, June, July, August, September.

And it was in November, late October, early November.

They started siphoning, you know, the Christmas season for retail, and they started siphoning off all the credit cards to some data centers in another country.

I think it was in the Ukraine, actually.

So they siphoned all of the data off.

Holy crap.

And that was one of the biggest credit card breaches that had ever happened about seven years ago.

So Target has millions of customers.

Millions of customers.

And so that's the kind of stuff that these threat actors, they're sneaky and they'll sit there.

They're patient.

They don't need to get an immediate reward like you might think they would.

They're pretty smart about what they do.

So it's, that's the kind of stuff that now smaller businesses back then, it was more of the bigger targets because, you know, there's a bigger payday, but they'll take small paydays now.

If you can, if you can summon, you know, half a million dollars of Bitcoin, they can get that out of you.

Also, statistically, you know, 40-some percent of businesses that, you know, get a hack or a breach in a serious way actually go out of business within a year.

Wow.

That's actually really hard.

Four out of 10, which is crazy.

Matter of fact, in that same thing, not to just pit, you know, statistics, but it's just kind of interesting that not only go out of business, but a lot of companies are relying on cybersecurity insurance.

Well, they're saying, well, you know, we're pretty good.

I've been told we're good, but if we get hacked or something bad happens, I've got good cyber insurance.

That has changed.

The last three years, the cyber insurance world has gotten really smart.

And now their fine print and their policies are calling out certain cybersecurity controls or, you know, tools that you must have in place.

So they're basically saying if you don't have these things that are actively monitoring your network for cyber and so forth, they will actually not pay.

So I think it was 40-some percent also of cybersecurity claims got denied last year.

Holy crap.

That's growing this year.

So a lot of people or businesses are just saying, well, I've got great cyber, but be careful.

You should have that cyber security and policy reviewed.

You should be taking a look at what the fine print says because they're getting smart because they were having to pay out so much and people weren't doing anything about their cybersecurity.

So you can kind of understand the insurance side of the world too, but that's a real problem out there.

That's a, we run into that a lot where people like, well, we want to do a little bit of a cyber, we don't want to do much because we got insurance, so we're good.

And it's like, well, maybe you aren't.

So we actually do an assessment around their cyber insurance forum.

And it's eye-opening what you, what you find that the fine print, what they have to have in place that they don't typically.

I might have to have you look at mine because I think I have like a $10 million policy, but it might not be enough.

Uh-huh.

Yeah, they might have certain things in there that they say that you should be doing if we're going to pay a claim.

That's what happened with my Lemonade.

It was my home insurance.

So my car got broken into, but they didn't give me the full amount because of some loophole.

There's always something with insurance companies.

There is.

They've learned to kind of play the fine print on you big time.

Yeah.

And with big companies, you can imagine, they're paying millions of dollars in cyber insurance.

So there's a lot that goes on there.

I bet.

Yeah, it seems like it'll always be an ongoing war, though, with the hackers.

It is.

Yeah.

And unfortunately, I mean, you'd have to say pretty honestly, they're winning.

Right.

Based off stats.

Yeah, it sounds like they're winning by a lot right now.

Yeah, I think I'd read another stat again that I think it was 28% of small to medium businesses actually feel on a survey.

And it was like 2,000, 2,500 companies actually feel like they're doing a good job of cybersecurity.

So they kind of know, it's kind of learning that I don't think we're as prepared as we think we are.

And a lot of your IT people, I mean, they're overworked or they're not properly budgeted or funded in some cases.

In other cases, they can be kind of arrogant.

We see that a lot where they just think that they've, you know, they've got, they're smarter, they've got it figured.

They, they will think they're better than best practices.

They'll use words like that.

And it's like, really?

And then when you start working with them a little bit, you start to realize, yeah, you've got huge gaps, huge pieces that are missing, and you're really vulnerable.

Yeah.

So it's a big, it's a big deal right now.

And so a lot of people, you know, the executive suite is kind of fooled into thinking because those guys want to protect their jobs too.

So they're telling them, no, no, we're good.

We're really secure.

We've, we just deployed the latest tool, whatever tool that is, but back to my fool with the tool could still be a fool.

So it's kind of interesting to see it from that perspective too.

And then a lot of them have providers.

So like, well, we pay X, Y, and Z company, like my company, an MSP or an MSSP to deliver a certain amount of services.

But how do you know?

Are they giving you regular reporting to provide, again, back to kind of attestation?

So one of the things we do is we use a full third party.

Then we can't be the people managing your cybersecurity, but then telling you that we're doing a good job.

So we use a complete third party.

It's actually called Galactic Partners, great company.

And we use them to actually do regular penetration testing, which is more than vulnerability testing.

A lot just vulnerability is a pretty typical, simple thing that used to be okay.

Now you have to actually use tools that try to penetrate the network to emulate things like ransomware attacks and do those kinds of things.

So that's one of the tools that we use.

Have you ever, you don't have to say the company, but have you done a penetration test on a large company and they failed before?

Big time.

I would say hundreds and we're seeing tons and tons of them, you know, and some bigger companies, some enterprise-ish type companies.

We don't typically work with the Fortune 1000s.

We're working with a lot of SMB, you know, so a lot of them are, you know, 250 employees, 500,000 employees.

That's a lot.

But yeah, and they're still fairly good size.

And we have a few, you know, customers that are in the 100 employee range.

But yeah, I would say that's where we start usually when we engage with the customers.

We'd like, hey, let's run a penetration test first.

And let's take a look and just see what gaps exist.

And the report does a really good job.

It's not even the, there's five levels of pen test.

We're actually just doing a one, but, and usually it's only sampling like 10% of the network.

They'll run this little tool on a few workstations and it goes out and automatically creates a bunch of great penetration data that it's testing.

And the gaps are unbelievable.

It's like shake your head.

I mean, you're like crazy some of the stuff.

And for people watching this, you got a deal on that, right?

Yeah.

Matter of fact, yeah, I was going to share with your, with your audience that a couple of things.

One is that we have my book, The Executive Edition, that's kind of the non-geek speak.

That's on sale for Amazon for like $17.95.

You can order.

But my team, if you text me, they will actually send you out a complimentary e-copy of that.

But even to go a little further, I would like to offer a free, if you will, no cost on qualification, but a penetration test.

We'll do a pen level one test through our partner, our third party.

So it's not us telling you that your security is bad and all that.

And really, you can use it for internal.

You can go Google it.

They're $2,500 to $10,000.

They're not cheap, even for a basic pen test.

And they'll give you great data.

You can take it back to your IT team, to your cybersecurity provider, whatever it is, and help fill the gaps that it finds.

Or obviously, if we find things and you'd like to improve your cyber, we'd love to talk to people about how we can bring our solutions to bear as well.

I love that.

Yeah, check out the link, guys.

We'll link it in the video.

And if you're watching on audio, check the description too.

Yeah, my text is 541-359-1269.

That's a business text line.

541-359-1269.

And if you just text like Secure25 or Secure, we'll know where that's coming from.

My team will reach out.

We'll get you set up.

What are the text messaging apps you use?

I heard Signal is good.

Is Telegram good too?

Yeah, and those are both good.

WhatsApp's pretty good too.

WhatsApp is a really fully encrypted end-to-end communications.

Okay.

If it's set up properly.

That's good to know.

So, yeah, those are all decent.

What about regular iMessage?

Can that ever get weird?

You know, there were a lot of hacks back in the day we heard about where people were going to iMessage, getting into iCloud, and doing different stuff.

They've tightened it down pretty good.

So iMessage actually has some encryption services as well.

You really kind of want more end-to-end encryption anymore.

It's just even a standard.

Could you explain that for people that don't know?

Yeah, so encryption is where it's basically using an algorithm, you know, some kind of a software program to basically turn data into a bunch of ones and zeros when you get right down to it.

And different methods of types of encryption actually that are out there.

Some are stronger than others.

But being encrypted is basically just making gobbledygook, if you will, out of all of your data.

So if it does get hacked or stolen, if they don't know how to de-encrypt or have the encryption keys, they won't know what the data is.

And they wouldn't have those if it's encrypted properly.

Interesting.

Yeah, I remember when I think it was Snapchat got hacked, their photos weren't encrypted or something.

Yeah.

So everyone's info got leaked.

Totally.

You know, and what's a little scary about that, and pivot a little bit, is this whole idea of quantum computing, right?

I mean, quantum computers are crazy what they can do.

And so there used to be like this standard, they used to call it 256-bit, they still call it 256-bit encryption.

A quantum computer, and that is like a standard.

In fact, a lot of government, you know, compliance standards, NIST and some of these things, you know, CIS, the Center for Internet Security, they'll all say, you know, 256 encryption minimum, some 512.

A quantum computer can break that usually in less than seven days.

Holy crap.

And they're coming on right now, big time.

And so this whole PQC is what we call it.

I talk a little bit about my book.

It's post-quantum cryptography.

And so you've got cryptography or cryptography in place that will actually defend against those things.

Imagine the bad actors getting a hold of that.

And so, you know what they're doing right now?

They're harvesting data.

This is how smart they are.

So they're going out and they're just getting data they can get.

They don't care if it's encrypted because they're waiting until they get access to the quantum computing.

Wow.

And even three or four years from now, your social security number is still going to be the same.

They're going to just go then, you know, decrypt it with the quantum computing capabilities, and they're going to have all the data.

So there's this whole crazy thing going on where there's a race to 2030, where a lot of mandates that you're going to have to have quantum, post-quantum cryptography in place to protect yourself, because these quantum computers are so powerful.

It's amazing.

So there's a whole, it's only getting started how scary it's going to get.

That is scary.

So does having a longer password help with the quantum computing?

It does.

It makes it to strong passwords, as we call them.

Every business should be using a password manager so you're not repeating mash.

And they actually make it pretty easy anymore.

It'll pop up when you're in a browser, make it easy.

You know, you have one kind of central secret pass, strong password, then you can have access to your other apps.

That's really important.

But yeah, strong passwords are important.

They help, but the quantum computing is more about the type of cryptography.

So strong passwords being encrypted by 256 type encryption, bit encryption, is still breakable.

Wow.

So you really are going to have to have strong passwords in a stronger cryptography, a type of cryptography that will defend against the quantum computers that it can't break.

That's nuts.

So like special characters.

Special, yeah, special characters.

And the cryptography is more actually technical than that.

So we won't get into the details, but there's things like lattice cryptography and different stuff where it's constantly evolving and moving.

So it can hardly ever be hacked.

That's crazy.

That's the kind of stuff.

I mean, it takes, you know, an infrastructure.

So you got to have the right, you know, devices that can actually do that.

So a lot of the big corporate networks and big businesses, banks and stuff, they're spending millions right now to try to get ahead of the curve, because you can imagine if, you know, in just the next three years, we're going to be able to break some banks' cryptography because they aren't using the latest, post, you know, yeah, quantum cryptography, then you're, the exposure is unbelievable.

And think about medical and how they're already getting hacked and they're already not ready for it.

So again, not to create a bunch of fear, uncertainty, and doubt, but it's getting more sophisticated.

They're getting smarter.

The power of computers will be used for both good and for bad.

Yeah.

I mean, I've seen some of the systems these banks and medical uses.

It's archaic.

It's from like the 70s to 80s.

Crazy.

Some of them still use the square computers.

You remember those?

Yeah.

Yeah, exactly.

The terminals.

Yeah.

Yeah.

It's a, it's a, really is a problem.

And the other thing, you know, not to get on this subject, but, you know, really in terms of the geopolitical is we talked about countries, hacking countries, you know, China, Russia.

These are big, you know, Ukraine, there's a lot of independent ones, but there are big countries that don't really regulate a lot of that stuff.

And they really have infiltrator infrastructure.

There's this kind of old system like you're talking about called SCADA, and that's what a lot of the dams and the electrical systems in our country are, they're on the SCADA systems.

And they're already hacked.

Holy crap.

And they're never seen that in the news.

Yeah, they're already hacked.

They're already there.

They can basically do different things they want to.

And they're working very quickly over the last year or two and getting there to try to come up with defenses to be able to isolate that, so that those hacks obviously won't cause crazy effects like taking down a water system or whatever it might be, or an electrical grid.

I think that's the future of war.

It's going to be all cyber, big time.

I don't think it'll be troops on the ground as much as it used to be.

100, yes.

Yeah, I believe that completely.

That is the big threat.

And of course there's a bunch of things that go into that, you know, where they talk about, you know, different technologies that can freeze all electronics, you know.

Yeah, they've got technologies where they can basically disperse a blast.

It's basically a burst that will freeze all electronics, sometimes scramble them, make them incapable of being used.

So there's a lot of the, in the cyber warfare world, there's a whole nother, you know, discussion.

But for now, we're just trying to get small to medium businesses really is our focus and really help them improve and get better, you know, cybersecurity hygiene, deploy things.

And it's really, it's not cheap, but to be honest, you do have to invest, but it's also not crazy expensive.

If you're looking at the ROI going, look, if we invest a little bit now and we avoid having to pay, you know, a half a million, two million, five million in crypto that we don't even have.

And we have to go to a call center.

But if we can avoid that or even just having, you know, something, you know, leaked data, you know, one of the things they call is data loss prevention is a service that we work around where people just stream data, even employee innocently, I'm going to move this to my Google Drive.

I'm going to move this where it's not secure and it's not safe, taking data off the network.

That's another huge problem and opens up, you know, intellectual property.

It could be recipes or code or personal information that shouldn't be there.

So there's just all kinds of ways that data can be hacked, stolen, and used nefariously.

Yeah.

I mean, for me, like as a business owner, I want to be able to sleep at night.

So I'll hire the best lawyers.

I'll hire the, I'll get the best insurance.

I'll get something like this because I'd rather spend a little more because I know I can, I did everything I could on my end because there's a lot you can't control.

Yep.

But at least I did everything I could on my end.

And if something happens, hopefully I'm ready.

Yeah, absolutely.

And, you know, if I was talking to you, I'd say, let's make sure you have good backups and that they're fully immutable.

Yeah, I need to work on that because, yeah, right now we just have it on a Google Drive, but we're working on hard storage.

Yeah.

All the footage because there's 2,000 episodes.

Yep.

That's a lot of data and needs to be protected.

Yeah.

Yep.

For sure, man.

Yeah.

Well, Scott, this has been real fun.

Anything else you want to close off with here?

No, again, I would kind of circle back.

I'm willing to get a hold of me.

Text me at the 541-359-1269.

My team will get you an e-copy of the book out.

Amazon, you can get the full book.

If you want to do a 405-page cybersecurity read, love to have you read our book.

We've sold about 350,000 copies of that book in the series.

This one just sold several hundred copies, a few thousand, I guess, but we're it's growing.

But there's a series of books that it's tied to that we've released.

And then the executive edition will get that out to you.

And then, of course, more importantly, and the real value, if they want to jump on it, I'm happy to offer that up is the penetration test that we'll offer up.

So, again, just text us and we'll get you set up.

My team will get you going.

Awesome.

Thanks for your time.

Yeah, thank you.

Appreciate it.

Yeah.

See you next time.