
A
Yeah. So if you go to public Wi-Fi, because there's such weak security protocol, so there's little hacks that you can put in, and you can basically see the streams of data that are going on. And then they have emulators, so you can almost... They literally can almost emulate your screen and watch everything you're doing.
B
Holy crap.
A
Sniff passwords. They can do all kinds of... They can even do little applets to log on to your phone or your mobile device, your laptop, and basically just make a copy of it.
B
Wow. Okay, guys, we got Scott here today, cyber security expert. What's new with you, man? I know you got the book launch and you're busier than ever.
A
Yeah. Well, thanks for having me on. Really excited to be here. Big fan of you and your show, and so it's really cool. Thanks. But, yeah, I live in the world of cyber security. That's where I camp.
B
Clash of two worlds right now, because I'm in the entertainment business. And you're in cyber security.
A
Yeah, it's a crazy world out there. There's just so many threats and things that are going on that it's almost hard to get your head around the growth of the cybersecurity hacks and the ransomware stuff that we read about really, almost every day in the news. It's crazy. And it's obviously a global problem, too.
B
Yeah. Because data is really valuable. So these people or groups want to basically get all this data. Right. That's how they're hacking into these companies for the data.
A
100%. Yeah. They really want the data is the value. And certain types of data is more valuable than other types of data. So, you know, they love, you know, health care data, not only for the health care, you know, kind of HR, the doctors and the nurses, but the patient data is really valuable, too. So on the dark web, which is where a lot of this lives, and, you know, that's one of the problems, quite frankly, is it's becoming so prolific for anybody. You know, if you're a middle schooler or a high schooler that really loves tech and you want to start hacking, just get the Tor browser, go on the dark web, you can actually join a franchise for ransomware and to do hacking. Wow. So you pay 299 bucks, you get a kit, they give you some tools, some training, and then if you go out, try to hack maybe some local businesses or whatever you can because, you know, you're connected, so you really can. You know, we get hacks from all over the world that come into the US and get businesses and the other things are going way down to small businesses, but you basically can join up a franchise, crazy as it is, and they'll bring in... If you can't hack in, they'll bring in one of their experts, one of the really good threat actor guys, and they'll actually work with you, and then they'll split the profits of the ransomware. So once they get the bitcoin, and it's a sophisticated world. And the other thing is that a lot of times when they finally do negotiate and, you know, they show up with a black screen and all your network's down, I mean, just kind of imagine, you know, your whole thing is whether you're a small business and a coffee business or you're a hospital, you know, your systems come to a complete halt. So you just get a black screen of death, as we say. It's got a text file. It says, oh, by the way, we have all your data encrypted. Please pay, you know, 50 bitcoin to, you know, whatever that hundred Bitcoin or whatever.
And so then in a couple of cases we've been, you know, pulled in ex post facto of, you know, ransomware. They're ready to settle and negotiate because they didn't have proper backups and some of the things you should have in place. And they said, oh, call our 1-800 number to our call center, and they'll settle up the transaction. So they're so sophisticated, they actually not only have franchises, they have call centers.
B
Wow, that's crazy. A call center just for reaching settlements.
A
Yep, 100%.
B
Yeah. Some of these hacks are clever. The crypto ones are crazy because those are hard to trace. Right.
A
Really impossible to trace. And that's why they want to be paid in crypto, too, because they can't trace the dollars. You know, the FBI or Interpol can't trace them.
B
Yeah. So those ones, what can you really do?
A
Right? There's nothing you can do unless you go into where I talk a little about my book. We talk about zero trust, which is kind of a methodology. It's about layers of security. But one of the, you know, big prerequisites to this method of zero trust to enhance your cybersecurity is you assume breach. Because, you know, we look at all these big companies, you know, even the casinos, they spend millions of dollars on cybersecurity. They have the best and the brightest people, guys that are making half a million bucks a year, expertise, all the tools, and yet they still get hacked. So the idea of assume breach, if you're a smaller biz, and they're going downstream and the threat actors are going for very small businesses. You could be a business with 500k or a couple million dollars in revenue and they're going after you, they're going after everybody. And it's become so crazy, it's growing so fast. 10 trillion this year in cyber, you know, hacks that will happen across businesses, that's supposed to grow in the next three years to over 20 trillion.
B
Holy crap. So it's going to double in three years.
A
It's crazy.
B
I was just going to ask who the, who the targets are, but it sounds like just everyday mom and pop businesses.
A
Exactly. And that's really a lot of the reason that I kind of wrote the book. There's an altruism to it that I kind of want to raise the tide that floats the boats of everybody being more aware about security. And so, you know, the Visible Ops Cybersecurity that I wrote has basically been pretty popular because cyber people care about their cybersecurity. And then realizing that the first book, you know, that's pretty big, is a little technical. And so for some of the more executive audience that need to pay attention, business owners, presidents, vice presidents that maybe are being told by their IT they're good, or they have a current provider that's managing their IT and their cybersecurity. How do they really know? So I actually wrote the executive companion that really has no geek speak, as they say. And it's really written in more plain English. Even like examples, like there's a Deloitte & Touche study of businesses, like this is what the average spend is on your IT spend and out of your IT spend, your information technology spend on your technology systems, here's how much you should be spending on cybersecurity. So just like really real world examples of how do you prioritize cybersecurity and are you budgeting enough? And a lot of things in the book is that really a lot of businesses need to go upstream because cybersecurity is such a threat to the business. Like so many risks that really the board, you know, your board and your executive teams really need to be talking about cybersecurity. They need to care about it, they need to prioritize it, which means they're going to budget it, which means you need really smart IT cybersecurity people that are communicating in more business terms. It's a business problem. It's not an IT problem.
B
Yeah.
A
And that's what shifted.
B
Yeah. I really see cybersecurity on a, on a pie chart when I look at a business of how they're spending money very much on my level at least, I feel like the top companies probably spend a lot of time. But when I look at six, seven, eight figure businesses, I don't see too much spend there.
A
Yeah, exactly. And that's the problem domain I guess at this point. And so getting businesses to recognize how, you know, prolific and real the threat is and that they are a target is really important. And there's a lot of people, you know, and IT in some ways is kind of its own worst enemy. Because a lot of times you have pretty good IT systems. They just kind of work and everybody expects them to work and then when they don't, everybody freaks out. Even though they'll tell you initially, well, we can handle a little downtime, it's not a big deal. It's kind of the same as cybersecurity. It's a little bit out of sight, out of mind. So it's not really in the forefront of thought and that has to change. And it is changing because, you know, you just read the news, you know, it's almost every day you're reading some hack somewhere. The other thing is not only you're reading it like that, you know, where it's so prevalent and common. But right now the latest statistics are that seven out of 10 hacks don't get reported.
B
Wow.
A
Because you only have to ... reported. If you're under some kind of compliance or regulatory mandate, state mandates, sometimes they have laws and compliance. So you know, if you're in healthcare, of course you got to report it. If you're in finance, you know, certain compliance. But if you're a manufacturing company that's completely private and you get hacked and a lot of, you know, customer information or user information gets hacked, you don't have to necessarily disclose it.
B
Yeah, I got hacked. I didn't tell anyone about it. You know, I got SIM hacked. That's a nasty one.
A
That is a nasty one.
B
Yeah, that one could end up bad. Especially if you have crypto or like important login somewhere connected to your email.
A
Big time, you know. Yeah. On the personal front, you know, the threat, you know, just using public Wi-Fi. You even gotta be careful. You think it's safe to just go to Starbucks? I log on there all the time. You gotta be careful. There could be somebody in the corner totally sniffing your Wi-Fi. They can hijack it really easily.
B
Holy crap. So if you connect to a public Wi-Fi, what can they do from there?
A
Yeah, so if you go to public Wi-Fi, because there's such weak security protocols, a lot of 'em aren't up to date. So there's little hacks that you can put in and you can basically see the streams of data that are going on. And then they have emulators and so you can almost, they literally can almost emulate your screen and watch everything you're doing.
B
Holy crap.
A
Sniff passwords. They can do all kinds of... They can even do little applets to log onto your phone or your mobile device, your laptop, and basically just make a copy of it.
B
Wow.
A
Yeah, it's crazy.
B
That's nuts. So even like the airport, you could get compromised there?
A
100%. Yep. You got to be really careful. It's not that you can't ever use a public Wi-Fi, but if you do, you have to make sure you've got the right, you know, security tools on your phone or your device to be using it.
B
That is good to know, man.
A
Yeah.
B
Because a lot of people use public Wi-Fi, like hotels, airports, Starbucks.
A
Big time. And it's... Yeah, they're learning that people just aren't paying attention and it's easy to get that, and that's on the personal side, you know, so there's a lot to think about in the whole world of, you know, cyber. I was thinking about, you know, kind of going back to the big corporate things, you know, like the casino that got hacked here.
B
Yep. MGM, right?
A
MGM. Yeah, that was really interesting. You know, they literally just called the call center, the IT, you know, support center, and got a password changed. One change of one password. And people are still, you know, sometimes putting passwords on sticky notes and not taking it seriously in smaller businesses especially, but they even have protocols there. But they basically convinced, you know, and these are some of the groups. There's a lot of bigger groups that come together. They're hacking groups. And these threat actors often are kind of one of three buckets. Sometimes they're doing it because they want to make just a statement, like a political statement. Sometimes these hacker groups, it's just all about the money, and there's some in between. But in this particular case, they convinced the call center to change a password. One password cost them over $100 million. They said they weren't going to pay. They were down for over 30 days. Cost the business over 100 million bucks. And then because they got a bunch of data that was personal data, they just settled like last month for $49 million, I think it was, for the people that got their information hacked because they didn't have the right controls and cybersecurity systems in place.
B
That's nuts. They had to settle with the people that got their info leaked.
A
Yeah, yeah, yep. Big, big, big court case that went on and that just happened. So it's not only real there, but more on the front of, you know, the person, or I should say the smaller business side. More your small to medium, you know, your 100, 500,000 employee type business. Those are really the sweet spot right now that they're coming down to and they're going after, and like MFA, multifactor, where we all, you know, log into Amazon, we get a code via text. The other thing is they're really getting good at hijacking your MFA. They can get SMS streams. Or if you're going like a code that's being sent to your email, which is really common, like, oh, we're going to email you a code. They first hack your email and then they will of course get your code just like they will your SMS. So regular MFA, a lot of people aren't even using it. It's still a good thing to use. It's better than nothing. But there's actually the next level, which is kind of an advanced MFA, we call it. In the book there's a chapter called Verify Credential Access. It's more where we're using an app on your phone because that actually has a little crypto key on it and it's kind of decentralized. So you're not just getting one point of a place to send you a code, it's talking to another point.
B
Right?
A
Two different points as decentralized to authenticate and make sure that you are who you say you are. While you're being connected it does regular check-ins so it knows that it's you. These are some of the practical things that, you know, businesses really have to implement and get serious about using. That's just one of many things.
B
That's like a Google Authenticator, right?
A
Yeah, like a Google or Microsoft authenticator are really popular ones. The other point I would make about that is back to kind of the zero trust, the big, you know, assume breach. The way you defend against and put yourself in the best position as a business is you actually don't just have backups, but if you're assuming breach, you have immutable backups with an air gap, which means that they are completely separate from your network. So if the threat actors are very patient, they'll get on there, they'll sit for a while, watch for a month, two, three months, sometimes they'll see where your streams go. "We're streaming our backups to another location, we're streaming to the cloud, we got backups, we're good." They'll actually watch where you're putting them. Then they'll go encrypt where your backups are if they're not encrypted. And so that's a really scary thing. So a lot of people don't understand, and a lot of organizations and companies, the level that you need to have in your backup strategy. It sounds like, oh, we've got it covered, I'm sure. But he's saying they've got good backups, but can you restore and are they immutable? Really important. And then you got to decide at what point in time do we want to restore to? Can we lose four hours of the data? Can we lose no data? Can we lose a day? And then how long is it going to take us to restore if we do? That way when the black screen of death, as we call it, and the text file says that we have all your files encrypted and you want access to your network, you need to pay us this amount of Bitcoin to this address, you can basically just not pay it, ignore it. And you know that within eight hours or maybe 24, 48 hours, you can get your business back up from your backups. You can truly restore them because they're really immutable, they're separated.
B
That is crazy. Have you been seeing any AI hackers or anything like that lately?
A
Yeah, there's a lot of AI that's out there. They're using it, it's making it more difficult. It's kind of like a little bit back to the old days of the antivirus, we'd buy an antivirus software and it would protect you against most of the popular malwares. And then they would write new malware that would go around the antivirus software. So then you'd have to do your updates so that you got the latest anti-malware. That's a little bit the cat and mouse that we're in with cybersecurity all the way around, is that they'll figure out something with AI that they can do to try to hack people and different methods, but then there's new AI deterrents. And we use a variety of different AI tools in our business that can actually do a really good job of, you know, cutting down the noise and finding some of the AI hacks. But where it really gets tricky with AI is when we get into deepfakes and we get into this idea of really using it as social media, because still 80%, 70 to 80% of all hacks or network, you know, infiltrations that happen, it really comes from the end user. That's the biggest threat, is the person. There's no real... If I become you, Sean, and you've got access to everything, and I convinced that, you know, it's you, I have the ability to basically have access to anything I want to have access to. So that really is one of the big, big pieces you got to look at. And so there's some certain things that you deploy in good practices that we talk about in the book and stuff that you deploy to really what we call endpoints of the end users to really make sure you protect that endpoint. So it's a product called EDR, which is an acronym in our world, but it's called Endpoint Detection Response. It's like the new antivirus software of today.
B
Wow.
A
So every business should be using some form of an EDR. If you're not, that's a really basic thing. Every business should definitely have good backups that are immutable, completely off the network, which is a little tricky to do, and a plan to be able to restore them. Those are really foundational things.
B
That's good to know. Yeah, I need to start thinking of how I could do that with all my footage, all my data.
A
Right, sure. Yeah. You'd have a lot of valuable stuff. Yeah. And so it's important to think about it being not just on site, but off site, but not only just off site, but a place off site where it can't be reached through this network.
B
Right, it's like your crypto wallet.
A
Yeah, like your crypto wallet. Great analogy.
B
Yeah. Because if you have the regular wallet, you could get hacked easier.
A
Big time. Yeah, there's a lot of threats like that. So, yeah, there's a lot of parallels. AI is definitely the future. Back to the AI thing, you know, they're using it to really try to fool people in so many different ways. And it's, you know, so fast and creative in how it can convince people who they are. And then we talk about deepfakes. Right. I mean, that's a whole scary world.
B
You know, that scares me because when you think about facial recognition and voice recognition, can it even bypass that, potentially, down the road?
A
Potentially, it certainly can. And that's why it's a big concern, you know, as well as just all the implications. Right. I mean, you know, you could deepfake, you know, Sean doing something nefarious that Sean would never do, whatever that is. And how do you really know? I mean, you know, and so they're of course writing, you know, better deepfake software, and kind of like the cat-and-mouse game, but then better detection. But I don't know, right now the bad guys are winning. That's really the theme, you know, the bad guys are winning. They're hacking more and more networks, getting paid tons of money, and it's very profitable. They make it very easy to do and it creates a lot of challenges out there for businesses to properly defend and what we call really have the proper cybersecurity hygiene.
B
Also, I wonder if the punishments are enough time because I remember my friend got SIM hacked. The guy only got a few years, but he got eight figures in crypto, you know what I mean?
A
Wow. Yeah, that is a problem they're still catching up a little bit with, you know, how do you track down, you know, threat. And the other thing is that, you know, it's anybody that's connected across the world. So, you know, the hacker may not be somebody that's US based. It likely could be another country and they may or may not have stringent laws, you know.
B
Good, Brilliant. Certain countries. I know there's groups in North Korea that hack crypto. There's groups in Asia. Right. Other countries.
A
Big time. Some of your biggest groups are there and a lot of them are decentralized groups.
B
Right.
A
They just come together for a common cause. Like I was sharing earlier, they have, you know, some cause they decide is important or something they don't like. And so then they just gang up and they'll the bad kind of franchises in a different way. There's like groups like almost businesses. You almost would imagine somebody literally like, you know, getting dressed, getting ready to go to work every day and they're saying goodbye to their family, but they're actually going to a complete hack shop. Like you'd see in a movie.
B
Yeah, yeah, I've seen those in India. The call centers.
A
Yeah.
B
Scam elderly people. Seen a ton of YouTube videos on those.
A
100%. And it's very real. And it's just a, you know, deeper, more advanced version of that that are going after a lot of the businesses, particularly here in the US. They're very interested in US businesses.
B
I saw something, I'd love to know if you think this is true, but I saw some hack where a bunch of Social Security numbers got leaked. Almost everyone that lives in the U.S. Did you see that?
A
Yes. Yeah. There was a huge. It was a governmental hack. There was some agency, I believe. And so I read about it. Not, not deep up on it, but they, they definitely can. And with the Social Security numbers, of course, they're going to sell that to people that are doing identity theft. So that's the real value there.
B
I think that's how I got SIM hacked, honestly.
A
Uh-huh.
B
Very possible because they probably called my carrier and had my social and then just said, can you send the SIM card to this phone?
A
Yep, yep. And so, you know, being able to authenticate people more from a physical perspective, right, on the phone, that's why people are catching up a lot. Like your banks and stuff, they're learning. I can't just take a little bit of information. I've got to ask more questions that are very unique and discreet that only you would know. Right. So that's really important. And the same thing is kind of true as you think about, you know, rolling out better cyber into the businesses.
B
How often do you, you get hacked? Because people try to play with you, I bet. Right?
A
Yeah, yeah, we, we do get, you know, we have a lot of different layers of security in place and all the things that we talk about, we kind of joke, we eat our own dog food. We make sure that's important. But there are a lot of threats. I mean, somewhere, I think I was reading recently that, you know, there's like 362,000 on an average, you know, like network. And I'm averaging things out 360 bots that are trying to hit your firewall at any point in time.
B
A day or a day.
A
Holy crap. It's that many thousands of things. There have been some scenarios where people put what they call honeypots out there on the Internet where they purposely don't really secure things and they kind of leave it open just to see what kind of... And that's where the AI and the bots are coming in at a, you know, crazy level. And they just need one little port, one little mistake that's open. And again, kind of like the password example, one password cost a casino over $148 million. It's crazy, you know, so imagine that to a small business. So what it can do.
B
Yeah, especially I feel like with elderly people, they just get an email, they're like, click this link and they're screwed.
A
Right? Very easy. Yeah, very easy. And again, those are kind of the low lying fruit and those are kind of more your, you know, franchise hacker group. It's more the sophisticated groups. Then some are, you know, organized, some are not so organized. But they're the ones that recognize that if I can get this business to shut them down. Right. It's a, you know, like I said, it's some kind of a, even a software business or whatever. Right. I get in there, I get their data, I get their intellectual property. So anyway, it's really a crazy thing. I don't have to make it up. You know, I sit here and talk on and on about, I mean, there's story after story. But the thing I kind of keep coming back to and that I'm really reminding people about is that we only hear about a few, a small percentage, but there's so many more hacks that are going on and it just costs businesses so much money, so much distraction, the downtime. There's just a lot of issues around, you know, this cybersecurity world that we live in. And one of the things I talk about in my book is kind of the efficacy of IT processes. One of the things is that people get kind of in love with this idea with a new tool. So if we know my IT guy said we're going to deploy this one new tool and that somehow one tool is going to put us in a better, you know, protected state. And that's just a fallacy. That's not true because you've got to have all the layers. And so we joke that a fool with a tool is still a fool. You really gotta have a strategy and a philosophy around how you're deploying and protecting your business with your cybersecurity. And it starts with leadership. And I talk about that in the book a lot.
B
Yeah, yeah. I'm sure you've heard the craziest stories, the horror stories, lost business, lost revenue.
A
A lot of stuff. Yeah. And we usually get pulled in ex post facto, right, after the fact of the hack or the breach, and they're looking for stuff and it'll cost a business between seven and ten times more money after a breach happens than if they put the preventative tools. A little bit like brushing your teeth. Right. Or medical, you do the preventive maintenance stuff and you're going to avoid hopefully some catastrophic event.
B
Yeah, it's like, would you rather have you guys on hand when it, when and if it happens or after and maybe you can't even fix it at that point?
A
Yeah, exactly. A lot of times it's too far gone. Yeah. If a hack actually happens or a breach like that, one of the important things, actually a lot of people is they'll just start erasing, rebuilding stuff. But it's actually really important to protect the forensic data because if you are going to, you know, report it to the FBI or even bring in some of the, you know, smart folks that we work with and that we do to do the forensics to understand how it happened, to, you know, kind of root cause, you can prevent the breach from happening again. So it's kind of important to stop, drop and roll, if you will, when a breach happens and not overreact. But yet you're concerned because you're trying to get your business back in, you know, back in business or back online. And it's very, very stressful. It's a very difficult situation and you really don't want to be in that situation.
B
What percentage, if you had a guess of the hacks and breaches you dealt with, were you able to trace back the hackers?
A
So pretty small percentage because they're pretty smart. Like I said, they're kind of winning the game. But I think statistically they're saying that less than 20%.
B
Okay.
A
You can actually get to sources. That is small. Yeah, there's a lot of interesting technologies, you know, like ProtonMail, which is a Switzerland-based system. They have Proton technologies. They really become proxies and hiding people behind things you really can't, you know, nobody can trace down where it's actually coming from.
B
For ProtonMail.
A
Yeah, that's one example There are multiple tools and services out there that make it really easy to basically hide your IP and not be non traceable. It's pretty easy to find on the dark web. Of course there's all kinds of services you can get.
B
Do IP changers still work? Like the VPNs, does that still work to hide where you are?
A
VPNs, if you keep them patched and up to date and using kind of the latest greatest VPN technology, you're in pretty safe shape. But if you're using an older VPN, no, they're hacking them. There's all kinds of vulnerabilities in those old VPNs and a lot of people, they just don't get around to updating them because IT is busy and they don't have time to do the updates or their, you know, cyber team isn't really aware, they're working on something else. So there's a lot of really basic kind of foundational things that you should always be doing. Like even patching your systems a little bit. Like even your phone, when you get those updates, they're annoying, but if you don't do them, you could be opening up threats even on your phone as an individual. Same thing's true in a corporate network. You have to keep your servers and your systems and your network devices and your firewalls and your VPNs, you got to keep them patched and up to date and it's not always that easy to do. Besides, there's downtime and nobody wants to do that or it just takes a lot of effort, after-hours work, it's difficult. There's a lot to be done out there.
B
That's actually really great to know because I'm one of those guys that procrastinates the phone updates. But now when I see one I'll immediately update it.
A
Yeah, it's really important because often in this day and age you can almost assume that any of those updates are blocking some security vulnerability that's on your phone or your system or your laptop or whatever it might be.
B
I wonder if that's ever happened with Apple, if someone breached into them.
A
Oh well, I think Apple is a target and I think there are. Again, they would only have certain disclosure that would apply depending on what kind of breach. But if it's just their intellectual property then they probably aren't going to let people know.
B
It's a good point because a lot of companies probably don't want to ever admit that they got hacked.
A
Yeah, exactly. It's not a comforting sign It's a bad signal to your customer base. Yeah. It's not a good look, particularly if you're, you know, financial institution. You, you know, you really don't want that to happen. And so some of your safest, you know, where you've got a lot of compliance, a lot of people are in this fool businesses that, well, we got to be compliant. My IT guys have filled out a list and they checked a bunch of boxes. And so there's a little bit of a false sense of security there because just because you're checking boxes that you have a security policy, that doesn't necessarily mean that you're keeping your system safe.
B
Right.
A
Right. You got to actually back it up with what we call, you know, attestation of controls. Right. We actually have to test those controls and know that those systems and tools are in place to really do what they say they do. So that's, that's again, not easy to do. Difficult.
B
I mean, I'm on a couple of credit monitoring services and I feel like there's a hacker breach at least once a week, like I get a notification that my stuff's been leaked.
A
Yeah. And I would say again, that's probably only getting notified on a small percentage.
B
Which is crazy because there's already so much.
A
There's so many. Yeah. It's really a scary world. And I'm not saying here not to create what we call, you know, fear, uncertainty and doubt. Right. It's. We're kind of in a world in our business space. We've been doing it for a long time. I started in IT 30 years ago as kind of a techpreneur. I was in a software business and we reinvented ourself into kind of network integration. And then we eventually spun out what they call a managed services provider. And we built a network operations center and a niche data center. 15,000 square foot facility, and it's certified. And so with all that. But then over the last 10 years, that's where we really evolved, where we lead with cybersecurity and we really become what they call an MSSP. So you're a managed security service provider. And so that's really what we lead with because everything in management of IT really does require that you're managing, you know, all of the IT systems with a security first mindset. And I talk about that a little bit in the book. Matter of fact, one of the things that's really important is kind of getting back to the processes is that there's some older studies and they're still true recently that 70 to 80% of IT downtime and IT failure is correlated to like some unapproved, unauthorized, untested change. So if you have really bad change management practices, you likely are going to have a lot of IT downtime. And here's the quip of cybersecurity that I talk about in the book a little bit is that no security breach happens without a change or a need for a change either. I brute force hack something, right. I use some tool to get in and hack in and get in your network, or I convince you to change something. I become your social engineer, you interesting. And so then I do it. So the idea that the efficacy of IT processes, what I'm really saying in there is, I'm saying you really need to have good change management practices. 
And that involves some other things you need to have in place, like configuration management, a couple of things. But the point is you got to have good change. You really focus on that, it kind of becomes a really important backstop to your cybersecurity.
B
Yeah.
A
So it's kind of common sense, even though it sounds a little process and techy. It's mainly just saying you got to have really good change management practices. That helps your cybersecurity posture too.
B
That's great to know because, yeah, you got to think about your employees too. If they get hacked, how much control do they have over what they could change? Right?
A
Yeah, exactly. And that's why it's super important that, yeah, you're monitoring change. You have what we call kind of detective controls. So it's monitoring something and saying, oops, something's not right. There are some old stories. I'll tell one about, you know, the Target breach, it was one of the first big credit card breaches that happened. This is about seven, eight years ago now. And what happened was, is that they actually had an HVAC vendor that manages their air conditioning and heating systems that actually had a dedicated connection, VPN connection into the Target network. And so what happened is they actually figured out a hacker that they had access to all these businesses. They liked the Target one. They used their network to get into the Target network. And it was what they call a flat network. In other words, once you're on their network, you can kind of get to everything.
B
Wow.
A
And they had a bunch of point of sale servers that were living in their data center at Target, the HQ. And this threat actor put a little piece of code, a little applet as we call it, that basically allows you to just siphon data, string data to another place, another. Wow. It put this code, it set their, the breach happened in April. They set their. April, May, June, July, August, September. And it was in a, it was November, late October, early November. They started siphoning, you know, the Christmas season for retail. And they started siphoning off all the credit cards to some, you know, data centers in another country, I think it was in the Ukraine actually. So they siphoned all of the data off.
B
Holy crap.
A
And that was one of the biggest credit card breaches that had ever happened. About has millions of customers, millions of customers. And so that's the kind of stuff that, you know, these threat actors, they're sneaky and they'll sit there, they're patient, they don't need to, you know, get an immediate reward like you might think they would. They're, they're pretty smart about what they do. So it's, that's the kind of stuff that now, smaller businesses back then, it was more of the bigger targets because, you know, there's a bigger payday, but they'll, they'll take small paydays now if you can, if you can, some, you know, half million dollars of Bitcoin, they get that out of you. Also statistically, you know, 40 some percent of businesses that, you know, get a hack or a breach in a serious way actually go out of business within a year.
B
Wow, that's actually really hard.
A
4 out of 10, which is crazy. Matter of fact, in that same thing, not to just fit, you know, statistics. But it's just kind of interesting that not only going to business, but a lot of companies are relying on, on cyber security insurance. Well, they're saying, well, you know, we're pretty good. I've been told we're good, but if we get hacked or something bad happens, I've got good cyber insurance. That has changed the last three years. This, the cyber insurance world has gotten really smart and now their fine print in their policies are calling out certain cybersecurity controls or, you know, tools that you must have in place. So they're basically saying if you don't have these things that are actively monitoring your network for cyber and so forth, they will actually not pay. So I think I was 40 some percent also of cyber security claims got denied last year.
B
Holy crap.
A
That's growing this year. So a lot of people, businesses, you know, are just saying, well, I've got great cyber, but be careful. You should have that cyber insurance and policy reviewed. You should be taking a look at what the fine print says. Yeah, because they're getting smart, because they're having to pay out so much and people weren't doing anything about their cybersecurity. So you kind of understand the insurance side of the world too. But that's a real problem out there. That's a. We run into that a lot where people like, well, we want to do a little bit of a cyber. We don't want to do much because we got insurance, so we're good. It's like, well, maybe you aren't. So we actually do a, an assessment around their cyber insurance forum and it's eye opening what you, what you find that the fine print and what they have to have in place that they.
B
Don't typically, I might have to have you look at mine because I think I have like a $10 million policy, but it might not be enough, you know.
A
Yeah. They might have certain things in there that they say that you should be doing. If we're going to pay a, we're going to pay a claim.
B
That's what happened with my, my lemonade. It was my home insurance, so my car got broken into, but they didn't give me the full amount because of some loophole. There's always something with insurance companies.
A
There is the fine. They've learned to kind of play the fine print on you big time. Yeah. And with big companies, you can imagine they're paying millions of dollars in cyber insurance. So there's a lot that goes on there, I bet. Yeah.
B
It seems like it'll always be an ongoing war though, with the hackers.
A
It is. Yeah. And unfortunately, I mean, you'd have to say pretty honestly, they're winning.
B
Right. Based off stats.
A
Yeah.
B
It sounds like they're winning by a lot right now.
A
Yeah. I think I read another stat again that I think it was 28% of small to medium businesses actually fill in a survey and it was like 20, 2500 companies actually feel like they're doing a good job of cybersecurity. So they kind of know, it's kind of learning that I don't think we're as prepared as we think we are. And a lot of your IT people, I mean, they're overworked or they're not properly budget or funded in some cases. In other cases, they can be kind of arrogant. We see that a lot where they just think that they've, you know, they've got, they're smarter, they've got it figured. They, they will think they're better than best practices. They'll use words like that and it's like, really? And then when you start working with them a little bit, you start to realize, yeah, you've got huge gaps, huge pieces that are missing and you're really vulnerable.
B
Yeah.
A
So it's a big, it's a big deal right now. And so a lot of people, you know, the executive suite is kind of fooled into thinking because those guys want to protect their jobs too. So tell them, no, no, we're good, we're really secure. We've, we just deployed the latest tool, whatever tool that is. But back to my fool. The tool could still be a fool. So it's kind of interesting to see it from that perspective too. And then a lot of them have providers. They're like, well, we pay X, Y and Z company, like my company, an MSP or an MSSP to deliver a certain amount of services. But how do you know are they giving you regular reporting to provide? Again, back to kind of attestation. So one of the things we do is we use a full third party. Then we can't be the people managing your cybersecurity, but then telling you that we're doing a good job. So we use a complete third party call. It's actually called Galactic Partners. Great company. And we use them to actually do regular penetration testing, which is more than vulnerability testing a lot. Just vulnerability is a pretty typical, simple thing that used to be okay. Now you have to actually use tools that try to penetrate the network to emulate things like ransomware attacks and do those kinds of things. So that's one of the tools that we use.
B
Have you ever, you don't have to say the company, but have you done a penetration test on a large company and they failed before?
A
Big time, I would say hundreds. And we're seeing tons and tons of them, you know, and, and some bigger companies, some enterprise ish type companies. We don't typically work with the Fortune 1000s. We're working with a lot of SMB, you know, so a lot of them are, you know, 250 employees, 500,000 employees.
B
That's a lot.
A
But yeah, and they're still fairly good size. And we have a few, you know, customers that are in the 100 employee range. But yeah, I would say that's where we start. Usually when we engage with the customers we'd like, hey, let's run a penetration test first and let's take a look and just see what gaps exist. And the report does a really good job. It's not even the, there's five levels of pen tests. We're actually just doing a one but and usually it's only sampling like 10% of the network. They'll run this little tool on a few workstations and it goes out and automatically creates a bunch of great penetration data that's testing and the gaps are unbelievable. It's like shake your head. I mean you're like crazy some of the stuff.
B
And for people watching this, you got a deal on that, right?
A
Yeah, matter of fact, yeah. I was going to share with your, with your audience that a couple of things. One is, is that we have my book, the executive edition, that's kind of the non geek speak that's on sale for Amazon for like 1795. You can order. But my team, if you text me, they will actually send you out a complimentary copy of that. But even to go a little further, I would like to offer a, a free if you will, no cost on qualification, but penetration test. We'll do a pen level one test through our partner, our third party. So it's not us telling you that your security is bad and all that. And really you can use it for internal. You can go Google it. They're 2,500 to $10,000. They're not cheap even for a basic pen test and they'll give you great data. You can take it back to your IT team, to your cybersecurity provider, whatever it is, and help fill the gaps that it finds. But, or obviously if we find things and you'd like to improve your cyber, we'd love to talk to people about how we can bring our solutions to bear as well.
B
I love that. Yeah, check out the link guys. We'll link it in the video and if you're watching on audio, check the description too.
A
Yeah, My text is 541-359-1269. That's a business text line. 541-359-1269. And if you just text like secure 25 or secure, we'll know where that's coming from. My team will reach out, we'll get you set up.
B
What are the text messaging apps you use? I heard Signal is good. Is Telegram good too?
A
Yeah, and those are both good. WhatsApp's pretty good too.
B
WhatsApp?
A
WhatsApp is a really fully encrypted end to end communications if it's set up properly.
B
That's good to know.
A
So yeah, those are all decent.
B
What about regular iMessage? Can that ever get weird?
A
You know, there were a lot of hacks back in the day. We heard about where people were going into iMessage. Getting into iCloud and doing different stuff, they've tightened it down pretty good. So iMessage actually has some encryption services as well. You really kind of want more end to end encryption anymore. It's just even a standard.
B
Could you explain that for people that don't know?
A
So encryption is where it's basically using an algorithm, you know, some kind of a software program to basically turn data into a bunch of ones and zeros when you get right down to it. And different methods of, of types of encryption actually that are out there, some are stronger than others. But being encrypted is basically just making gobbledygook, if you will, out of all of your data. So if it does get hacked or stolen, if they don't know how to decrypt or have the encryption keys, they won't know what the data is. And they wouldn't have those if it's encrypted properly.
B
Interesting. Yeah, I remember when I think it was Snapchat got hacked, their photos weren't encrypted or something.
A
Yeah.
B
So everyone's info got leaked.
A
Totally. And what's a little scary about that and pivot a little bit is this whole idea of quantum computing. Right. I mean quantum computers are crazy what they can do. And so there used to be like this standard they used to call 256-bit. They still call it 256-bit encryption, a quantum computer. And that is like a standard. In fact a lot of government, you know, compliance standards, NIST and some of these things, you know, CIS, the Center for Internet Security, they'll all say, you know, 256 encryption minimum, some 512 a quantum computer can break that it usually in less than seven days. Holy crap. And they're coming on right now big time. And so this whole PQC is what we call it. I talk a little bit about my book. It's post-quantum cryptography. And so you've got cryptography or cryptography in place that will actually defend against those things. Imagine the bad actors getting a hold of that. And so you know what they're doing right now? They're harvesting data. This is how smart they are. So they're going out and they're just getting data they can get. They don't care if it's encrypted because they're waiting until they get access to the quantum computing. And even three or four years from now, your Social Security number is still going to be the same. They're going to just go then, you know, decrypt it. With the quantum computer capabilities and they're going to have all the data so that there's this whole crazy thing going on where there's a race to 2030 where a lot of mandates that you're gonna have to have quantum post quantum cryptography in place to protect yourself. Because these quantum computers are so powerful. It's amazing. So there's a whole. It's only getting started. How scary it's gonna get.
B
That is scary. So does having a longer password help with the quantum computing?
A
It does. It, you know, makes it to, you know, strong passwords as we call them. Every business should be using a password manager so you're not repeating matters and they actually make it pretty easy anymore. It'll pop up when you're in a browser, make it eas, you know, you have one kind of central secret pass strong password. Then you can have access to your other apps. That's really important. But yeah, strong passwords are important. They help. But the quantum computing is more about the type of cryptography. So strong passwords being encrypted by 256 type encryption bit encryption is still breakable.
B
Wow.
A
So you, you really are going to have to have strong passwords in a stronger cryptography. A type of cryptography that will defend against the quantum computers. They can't break.
B
That's not so like special characters.
A
Special. Yeah, special characters. And the cryptography is more actually technical than that. So we won't get into the details, but there's things like lattice cryptography and different stuff where it's constantly evolving and moving. So hardly ever be hacked.
B
That's crazy.
A
That's the kind of, I mean it takes, you know, an infrastructure. You got to have the right, you know, devices that can actually do that. So a lot of the big corporate networks and big businesses, banks and stuff, they're spending millions right now to try to get ahead of the curve. Because you can imagine if, you know, in just the next three years we're going to be able to break some bank's cryptography because they aren't using the latest post-quantum cryptography, then the exposure is unbelievable. And think about medical and how they're already getting hacked and they're already not ready for it. So again, not to create a bunch of fear, uncertainty and doubt. But it's getting more sophisticated, they're getting smarter. The power of computers will be used for both good and for bad.
B
Yeah, I mean I've seen some of the systems these banks and medical uses. It's archaic. It's from like the 70s, the 80s crazy. Some of them still use the square computers. You remember those?
A
Yeah, yeah, exactly. Terminals. Yeah, yeah. It's a, it's a really is a problem. And the other thing, you know, not to get on this subject, but you know, really in terms of the geopolitical, as we talked about countries hacking countries, you know, China, Russia, these are big, you know, Ukraine, there's a lot of independent ones, but there are big countries that don't really regulate a lot of that stuff. And they really have infiltrated infrastructure. There's this kind of old system like you're talking about called SCADA. And that's what a lot of the dams and the electrical systems in our country are. They're on the SCADA systems and they're already hacked. Holy crap.
B
And they're never seen that in the news.
A
Yeah, they're already a hack. They're already there. They can basically do different things they want to and they're working very quickly over the last year or two and getting there to try to come up with defenses, to be able to isolate that so that those hacks obviously won't cause crazy effects like, you know, taking down a water system or whatever it might be, or an electrical grid.
B
I think that's the future of war. It's going to be all cyber big time. I don't think it'll be troops on the ground as much as it used to be.
A
100%, yes. Yeah, I believe that completely, that that is the big threat. And of course there's a bunch of things that go into that, you know, where they talk about, you know, different technologies that can freeze electronics, you know. Yeah, they've got technologies where they can basically disperse a blast. It's basically a burst that will freeze all electronics, sometimes scramble them, make them incapable of being used. So there's a lot of the. In the cyber warfare world, there's a whole nother discussion. But for now we're just trying to get small to medium businesses, really is our focus and really help them improve and get better. You know, cyber security, hygiene, deploy things and it's really, it's not cheap. But to be honest, you do have to invest, but it's also not crazy expensive. If you're looking at the ROI going, look, if we invest a little bit now and we avoid having to pay, you know, a half a million, 2 million, 5 million in crypto that we don't even have, we have to go to a call center. But if we can avoid that or even just having something leaked data, one of the things they call is data loss prevention as a service that we work around where people just stream data, even employee innocently. I'm going to move this to my Google Drive. I'm going to move this where it's not secure and it's not safe. Taking data off the network, that's another huge problem. And opens up intellectual property. Could be recipes or code or personal information that shouldn't be there. So there's just all kinds of ways that data can be hacked, stolen and used nefariously.
B
Yeah, I mean, for me, like as a business owner, I want to be able to sleep at night. So I'll hire the best lawyers, I'll hire the. I'll get the best insurance. I'll get something like this because I'd rather spend a little more because I know I can. I did everything I could on my end because there's a lot you can't control.
A
Yep.
B
But at least I did everything I could on my end. And if something happens, hopefully I'm ready.
A
Yeah, absolutely. And you know, if I was talking to you, I'd say let's make sure you have good backups and that they're fully immutable.
B
Yeah, I need to work on that because yeah, right now we just have it on Google Drive, but we're working on hard storage.
A
Yeah.
B
The footage, because there's 2,000 episodes. So.
A
Yeah, that's a lot of data and needs to be protected.
B
Yeah, yeah, for sure, man.
A
Yeah.
B
Well, Scott, this has been real fun. Anything else you want to close off with here?
A
No, again, I would kind of circle back, you know, willing to, you know, get a hold of me, text me at the 541-359-1269. My team will get you a copy of the book out Amazon. You can get the full book if you want to do a 405 page cybersecurity read. Love to have you read our book. We've sold about 350,000 doll thousand copies of that book in the series. This one just sold several hundred copies. A few thousand, I guess. But we're, it's growing. But there's a series of books that it's tied to that we've released. And then the executive edition will get that out to you. And then of course, more importantly in the real value, they want to jump on it. I'm happy to offer that up. Is the, you know, penetration test that we'll offer up. Perfect. So again, just text us and we'll, we'll get you set up. My team will get you going.
B
Awesome.
A
Thanks for your time. Yeah. Thank you. Appreciate it.
B
Yeah, soon. Next time.
Digital Social Hour | DSH #1513
Date: August 28, 2025
Host: Sean Kelly
Guest: Scott Alldridge – Cybersecurity Expert, Author
In this episode, host Sean Kelly welcomes cybersecurity expert Scott Alldridge for an in-depth discussion on the current state of cyber attacks, the evolution of threats, and the vital need for a zero-trust, security-first mindset in both business and personal digital practices. Scott shares insights from his new book, demystifies cybersecurity strategy for non-technical audiences, and provides actionable advice to safeguard against ransomware, data breaches, and emerging threats like quantum computing and AI-driven hacks.
This episode offers a sobering insider’s perspective on the relentless evolution of cyber threats, the inadequacy of conventional approaches, and the need for cultural change among business leaders and individuals alike. Scott’s advice: It’s not about fear, but readiness, vigilance, and investing wisely—because in cyber, the bad guys only need to be right once.
Links referenced: