15. The War Room - Surviving Cyber Attacks
Welcome everybody to episode 15 of unhacked. Guys, this one's a little bit odd, and I'm not gonna lie. I'm a little bit, as discombobulated the word. I'm I'm not an English major. We so we we show up to Nashville last week, and we were supposed to do live.
Justin:We're supposed to do all these live interviews. Now a few things happened before we got there. The hotel was hacked, so that was that was cute. Yeah. And
Justin:along with that now,
Justin:I don't know, but, like, Internet was was shitty. The Wi Fi there was bad. The cell service was bad. Any, you know, or data over your cell phone. So I couldn't use a mobile hotspot very well.
Justin:And maybe that's because all of us IT guys didn't wanna use their Wi Fi. And so we're all plugging up the 4g5g networks. But I don't know why their Wi Fi was so bad because I did connect to it, and it was it was dog shot. I mean, it was just almost unteasible. So, we weren't really able to livestream anything.
Justin:Probably not a bad thing, though, because I went back and looked at the recordings that we made afterwards, and they weren't much, but it was chaos. It it was a lot of, experimenting, not a lot of rehearsing. So that said, we're gonna get started today. What we're gonna do is we're going to talk about the 5 cybersecurity experts that we spoke to and and, just dialogue around those. Before we get started, We we kinda led up to this.
Justin:There was a chance there was a slight chance. It was like 1 in 5 or whatever, that our good friend Mario here was going to walk away victorious from, from Nashville because there was this big competition. We put a 1,000 IT companies in a room, and we take the the best of that group and put them up on stage and then make them, poor bastards, go up and do their own little presentation on their company and what they did to be so amazing. And and then we all vote to see who was best. And, Mario, you wanna you wanna say who won that competition?
Mario:Surprisingly, it was me.
Justin:Well, I I don't know. It was some guy in a costume. Like, I I couldn't even tell her.
Mario:It was a Super Mario costume, and that was that was my theme was Super Mario. And, Yeah. It you know, I I put a lot of hard work into it. It it was a lot of fun. I'm glad it's over.
Mario:I bet. But, you know, I'm actually away now. I took this week off, and I went I took the family down to Aruba, just to kinda clear my mind even though I haven't been successful with that. But, it it was it was fun. It was, a lot you know, a a great experience.
Mario:And, I found out even though I was technically the underdog out of the, 5 finalists, I came out victorious, and I am victorious with a nice margin. So Yeah. I was, how
Justin:percent of the vote with 5 candidates. 40% of the vote. Jeez.
Justin:He says he
Bryan:was not he was surprised. I I wasn't surprised whatsoever.
Justin:I was I I won't say that I knew going in. I I hoped. You know? But after all the presentations were done, if Mario had not won, it would have been rigged. Like, I'd have been going back and talking to the panel or whatever and said, what the fuck?
Justin:You know, like, there there was no way he wasn't gonna win that. So Yeah. Really cool stuff. One of the things I love most about this community though is that I get to rub shoulders with people that are brighter and smarter and better than me. And that was, you know, sitting in that room with a 1000 people who are running a good successful businesses, and then knowing the guy who won it all.
Justin:Pretty, pretty good stuff. Just remember us when, you know, small people when you're rich and famous there, Mario.
Mario:I know. I'll never forget it. I actually like, I I said it, yesterday during our weekly meeting, and I I still stand by it. But, I owe a lot of, that success to you guys, because when I first joined, you know, your group, I was, you know, just starting out and, you know, I I I'm one of those people that, I listen and I try to learn as much as I can, and I I've learned from every single one of you guys and, took it back to my team and applied everything that you guys have taught me. So
Bryan:That's the key. Appreciate it.
Justin:Yeah. We can learn. I read a lot of books. I do audio books. I study.
Justin:I love to do that. Execution, though, is where it really is. You know, you can learn all day long, but you you execute. And that's that's why you won. So, Brian, any thoughts on Mario's victory there?
Bryan:Well, I mean, at the end of the day, it's an inspiring, story. And, even I learned quite a lot, and I knew what Mario was doing. But even I learned a lot while he was on stage. Went like, oh, you do that and you do that? Now, you know, now I've gotta go and do that stuff too.
Justin:Yeah. Exactly. Yeah. Good stuff. Alright.
Justin:Well, we're gonna call that our introduction. You can always go to unhack.live and get all the information that you ever wanted to know and maybe more about the 3 of us, your hosts. And, if you want one of these, vulnerability assessments that we offer every time, that's the place to get it. There's, all of our contact information is there. So with that, guys, let's go ahead and jump right in here.
Justin:We we, we attended this event. We got through the, you know, it wasn't that bad, the check-in process. Did you guys have any any major issues with the check-in process?
Mario:No. Not at all. I was surprised. It it was actually I I was expecting a long line like, what we saw with the MGM, and it was nothing like that actually. It was, pretty smooth.
Bryan:Yeah. I I was expecting a lot worse. And what I can say is, they likely learned their lesson from other people who have gone before them, and they had contingency plans. You could tell immediately. They had contingency plans, and they had planned for the eventual potential that this could happen, and it did.
Bryan:And their plan that they came up with was pretty much executed flawlessly. We were able to check-in. We were able to get into our rooms despite the fact they had no key cards, no credit card processing system, and they were still able to get us all checked in with, backup systems and, contingency plans, which is awesome.
Justin:You know, that's, incident response plans or contingency plan, whatever. This is one of the probably the most important parts of a cybersecurity and overall cybersecurity strategy. And it's probably one of the ones that gets ignored the most or, you know, if you have one, do you really practice it?
Bry:Right.
Justin:These are things that we're going to talk about in the future episode. I've I've gained a new passion for, these incident response plans watching their work. Now, when it first happened, we came there 3 days after the breach. So coming into it when it first happened, I don't know that it was really, as smooth as we experienced. There was some some chatter on Reddit that, led me to believe it probably wasn't a a super smooth transition.
Justin:But whatever they got it figured out, our check-in process was was amazing. It was great. A little bit slower than normal, but it just really wasn't a big deal. We did have to hit escorted to our bedrooms because we didn't have keys. So that's kind of a pain in the neck, but whatever.
Justin:They pulled it off. So
Mario:If I can add, I mean, even even if it was the 1st 3 days were were a disaster, to recover within 3 days
Justin:Oh, sure.
Mario:For such a huge organization is actually pretty good.
Justin:Yeah. Absolutely. You
Mario:know? You know, I believe the MGM, it took weeks, you know, for them to to recover or to get to close to normal as they can possibly get. So 3 days, kudos to them, you know, for for doing that.
Justin:Systems were still down. It's not like they had recovered their systems when we got there. Everything was still down, but the check-in process was was pretty smooth. So, kudos to them for sure. And again, future episode, we are going to dive into that and really get serious about incident response plans, how to make them how to practice them, and make sure that they're actually gonna work.
Justin:So that's that. Okay. So we we show up, we get checked in. This is 3 3 plus days. Right?
Justin:Like, a little bit more than 3 days of content that we're all going through learning. And then in between sessions, we go out and we talk to some of the the security experts. So, the the very first one that we talked to was, Brian, you brought this guy.
Bryan:So Yeah.
Justin:Why don't you go ahead and just kinda do a quick introduction because, we'll we'll record we did record some of his own introduction, but tell us a little bit about, why you picked him and and, how you know him, you know, any background there.
Bryan:Yeah. So, the first presenter, the first person we spoke to is, Jimmy, Hatzel from Hats dotai. And, I've known Jimmy for probably 4 or 5 years now going to these different conferences. And he originally started off with a different company altogether, cyberQP or Quick Pass, another another vendor that we use for, for for other side. And he they're actually on this, one of the vendors we spoke to as well.
Bryan:Anyway, Jimmy was with, CyberQP and, just got along really well with him. And when he started his company, hats AI, it led me to you know? And and and we were talking about interviewing people. He was one of the first people that I thought of because AI is becoming such an important aspect of where businesses think they're gonna be going in the near future. But there's a lot of, things to consider before you just hop in blindly in dealing with AI, legal issues, some some, some some, confidential information, maybe some proprietary, information.
Bryan:Anyhow, I won't I won't dive into too much, but that's how I know Jimmy. And and that I I felt like it would have been a really it's a really good opportunity to speak to somebody who's starting a start up in AI, to help us as IT service providers provide AI to our customers.
Justin:Yeah. For sure. Okay. So with that, let me go ahead and I'm gonna play the first clip. Hopefully, technology cooperates better today than it did last week.
Jimmy:It's all about AI comes all down to data governance. Where is your data? Where is it being used?
Jimmy:Where is it being used?
Justin:Okay. So I'm I'm stopping this here on purpose because, the first thing he said and I'll be honest, I'm gonna admit my own ignorance here with AI. This is not something that I have really dug into yet. But I'm I know chat gbt or whatever. You know, you go on there and you you type in something and it'll write a an essay for your English class, for example.
Justin:You know, the the students, teachers love this, the students are are now, you know, writing their papers with it. So that model though goes out and pulls from just about everywhere. Right? What's he talking about here, Brian?
Bryan:Well, essentially, if you're using AI in business, you should be using, a compartmentalized version of AI. So, for example, with ChatJPT, if you have a per paid version, you can I'll I'll I'll say ChatJPT and Microsoft Copilot. If you're paying for it, you can essentially tell, the system not to utilize your information you're feeding it, to train the AI model. So it's essentially car compartmentalizing your information and do a silo that, nobody else can access. So for example, if I wrote a book on all things to do with MSPs and I was using AI to generate it, if I use the public AI, everything I fed into it would then be potentially utilized in their model to answer other people who are having the same questions.
Bryan:But if I fed it into a private AI or into a, version that I pay for where they they have data governance, then that information is not gonna be utilized to train the AI, and it would stay proprietary to me.
Justin:Okay. Alright. So I think Jimmy's gonna dive into that a little bit more here too. But that was honestly one of the things that I learned is that it's not that if I thought about it, I wouldn't have come up with that. I just I haven't dug into AI yet.
Justin:And I'm learning that that's a mistake, and we'll talk a little bit more about that here in a second.
Jimmy:Well, yeah, everybody's using it. About what Oh,
Justin:sorry, Mario. Go ahead.
Mario:No. No. I was saying, you know, the it's still being used differently throughout different models. So it's Sure. Every day, it is changing.
Justin:It's still being figured out, honestly.
Mario:Yeah. Yeah.
Justin:So okay. Okay. Let's see what Jimmy has to say here.
Jimmy:Data and AI actually has access to limit that to only the employees that needs to do his job. You don't want things like marketing employees setting a budget for, a marketing campaign and then factoring in the CMO salary in that campaign, spinning it back out.
Justin:So these are things you
Jimmy:need to be careful of, and it's basic data hygiene stuff that you need to be doing anyway. Additionally, you need to be know what happens to your data after it is interacting with an AI large language model or an AI model. Is it being trained in the future? There will be cases in a couple years where someone isn't following these practices and putting sensitive information in, and then people will be hacking the future versions of the large language files
Hornsby:which are
Jimmy:trained on that data. Say you have all of your tickets written in a certain format, and then they write out that format, say create a ticket. It's gonna think, hey, this looks really close to these these particular things. It could spit back real people information. So,
Bryan:obviously, with Hat's AI, you're going to, you know, solve some of that problem on how we can bring AI to our customers. So, using your product, Hatch AI, how how will our customers know that, our data their data is secured compared to just using, you know, public chat, JCP or any of the AI models that are out there now?
Jimmy:Yeah. Sure. So the first thing is we can guarantee that all data is not used to train a future model. The second thing is we can have granular access on where it's exactly going. And we can tell you, this went to this data server or this, data center in, you know, Virginia, and here's exactly where it was stored.
Jimmy:Also, chat history, other pieces of, AI, we store it at a database level and not the model level. It's not being ingested into the model. Right. So these
Jimmy:are things that you can guarantee to your customers, and we can provide documentation on if they need to dig in a little bit more. Additionally, if they need to check certain boxes or meet certain compliance, requirements, we can help them do that
Bryan:with our own box. Okay. And one last question, unless these 2 have questions of their own. Why why would a business wanna implement AI today versus, you know, waiting, I don't know, maybe till next year or the year after when maybe things are a little bit more mature?
Jimmy:The impact of AI is just too big. Think about the Internet. Would you wanna be wait an extra year before you put your business online? It it you know, the first mover has had the big advantage. Your AI is moving a 100 times faster than the Internet was.
Jimmy:So you
Jimmy:can think of a month like a year in AI world. So it's just the time is now. There's new businesses being started that can use AI. In my own business, we're able to move about 20 times as fast in certain development cycle things as we would have been able to 2 years ago without the use of AI augmenting our engineering team, our product team, our UA team, all these different areas. So if you're not using AI in your business yet, somebody else in your industry or your vertical will start using this.
Jimmy:They will have a good chance at being the super winner as a first Uber advantage.
Bry:Okay. And if you could say one thing to a business out there about, with your product or AI or security in general, would that mean?
Jimmy:The future AI is gonna be all over the future. Right now, if you act, you have control over that, and you can build what your AI future looks like. If you don't, somebody else is gonna build it for you, and you'll just be forced to interact with it and learn as you go. So my advice is to build your AI future. Embrace it now.
Jimmy:Start using it in your business, and you will reap the rewards doing so.
Bry:Okay. And it sounds like if if a business doesn't put AI in place for their own business, employees are probably gonna find out, you know, their own way of using it. And, I guess I'm adding a question. What are the dangers if somebody decides, you know what? Hey.
Bry:My boss hasn't given me access to an AI platform or a chat gbt. I'm just gonna use this publicly available one and and and, you know,
Bryan:fight figure it out on my own.
Jimmy:Your employees are using Chat TV. They they are. Because if it would take them 2 hours to do a task and takes them 5 minutes with AI, they're gonna do it anyway. So if you don't give your, your employees file share, right, they just upload stuff in Google Drive and their personal folders and share links. If you don't give them email, they'd just be using their personal emails to email things around.
Jimmy:You need to have this stuff in a corporate environment, or you're risking your data and your customers' data from being, commoditized into training in these models or exposed to all different sources. Because I don't care how much you trust your employees, Somebody's gonna be using Catch EPT, and they're gonna be using the free version
Bry:because it's on paper. Right.
Jimmy:But you're paying for it another way
Jimmy:because it is being used.
Bry:And and ingest it as part of the future trading bottles of those AI.
Jimmy:Exactly.
Bry:Justin, do you have
Justin:any No. I've got one thing to sign off on, guys.
Justin:This man right here, this is one of the rare times where, what we're trying to sell you isn't prevention. It's we're talking about security, but this guy
Justin:right here can help you make money, streamline, become more efficient. And I'll tell you, if I have a passion, it's that. We do security because we have to, but my passion is helping businesses run profitably streamline. Like, that's what I love. So Yeah.
Justin:Say hi, and, we're gonna be talking to Jimmy a little bit more as this thing develops. So good stuff. Thank you. Yeah.
Jimmy:Thank you.
Justin:Thank you for joining us.
Bry:Thanks, Jimmy.
Jimmy:I appreciate
Bry:your time. And, yeah, looking forward to interviewing you again in a more less busy place.
Justin:Alright, guys. Thoughts, takeaways for Jamie. We'll try to keep this pretty short because we do have a lot of content from these guys. But, what what do you guys think?
Mario:Brian, he
Bryan:he nailed it on the head with a lot of things he was saying. You know, I don't wanna regurgitate everything he said. So just to to sum it up, if you're going to be, first of all, you should be using AI. If you're not using AI in your business, your employees are already using it or finding ways of using it in a way that could potentially put you at risk. So, create an AI plan for your business or explicitly create policies in your business to prohibit it until you are ready.
Bryan:But even then, I would hazard a guess people are still gonna use it anyway. So work towards building a plan. Work with someone like us, to put together that plan and start using AI in your business, today in a responsible and, carefully considered manner.
Justin:Alright. Mario, what do you got?
Mario:So with AI, like we said, we you know, it's still being developed, you know, more and more every day. But, and I agree, everybody should be implementing or starting to implement AI, but it's AI is not gonna be for everybody. There's gonna be certain there's use cases in every company of what you can use AI for. So just because it's out there, sometimes we may not be presenting it to every one of our clients. We what we like to do is we would set up, like, a a meeting.
Mario:You know, it could be quarterly, annually, or whatever, and we can see what, you know, we can use AI for to help them. And then we like to go back, and go and and test it fully before we, add it to any of our customers and stuff like that. So a lot of times with every vendor that we work with, we vet them first and see if this situation or solution would be perfect for them. Because sometimes, you know, not every solution is created equally. So sometimes you have to, test it and see.
Mario:And then if it doesn't work, you move on to the next one.
Justin:Right. And, actually, I've already signed up with these guys. I think Brian has to. Did you sign up with them, Mario? No.
Justin:I
Mario:haven't been in the office since,
Justin:you had other things on your mind, like winning that brand new car. So, we'll we'll let we'll let that one slide. But
Mario:but next week, I do have a a plan to meet with them and and and learn more of what we can do to to to help to have them help out some of our customers.
Justin:Well and and yeah. So to your point, this is something we should use in trial internally, which is what I plan to do. And then, like I said, this is this is something that we could potentially help our clients be more profitable using this. I I noticed that he said AI is moving a 100 times faster than the Internet did when it was developing. That's that's kinda weird.
Justin:I'm not sure if I love or hate that, but it does. It it almost puts me on edge. But what I really liked even more than that is that, his company and the development of it, he's able to move forward 20 times faster than he would have without it. So, you know, that that really is what it comes down to is with with everything we do. Number 1, we're trying to keep people safe so that the business they built doesn't get annihilated by cybercrime, you know, criminals.
Justin:But number 2, technology technology should be a leverage point. This is how we should be able to, put some money in and get more money back out. Right. And so I I absolutely love that about this presentation from Jimmy. So all right.
Justin:That said, let's go on. Our next guest is Mike Hornsby with a company called BlockWorks. And what I loved about this, I think I'm gonna say it. I'll this might be repeat, but, he his company kind of echoes what we do here on the podcast, which is sort through the noise and pick the best of the best and and bundle it up. So, let's let's go ahead and take a listen and see what Mike has to say.
Justin:So, Mike, what we do on our podcast is we try to and we've kind of been wandering this hall, which just has hundreds of vendors.
Hornsby:Yeah.
Justin:All of them tell us that you need my stuff or you're gonna go down. Russians have got you. Your bank accounts are drained. Yeah.
Jimmy:And
Justin:that's not only frustrating for us, but it's frustrating especially to our, our clients. Right? Our our target audience. So
Justin:tell me
Justin:a little bit about what you see as the most important thing
Justin:as far as security is going. What what's the biggest risk out there?
Jimmy:Sure.
Justin:How do we mitigate that without buying something like one of everything? It's like going to a bar and they ask you what drink you want. You say one of everything.
Hornsby:Right? Right. Not everybody could swing bad. Right? Very few.
Hornsby:But I try sometimes. Yeah. Once a year. Right? So no, Justin.
Hornsby:It's a good question. And honest answers to honest questions. We talk to a lot of partners each year that say, hey. Budgets are tight.
Jimmy:Right?
Hornsby:Like, we're in a very unique market today. Different than even 20 18, 2019.
Justin:Oh, yeah.
Hornsby:Way different. And I travel the country talking to people looking for some new tool or gadget, yet they still haven't enabled MFA, which costs $0. Right? And so it's almost to a point where Yeah. We're almost educated beyond our obedience a little bit when it comes to prevention.
Jimmy:Right?
Hornsby:So there are things
Justin:Why do you think okay. Let me pause. Why do
Justin:you think people aren't enabling 2 FA? That's free. It's easy. Yeah. It's easy ish.
Justin:Yeah. Why do
Jimmy:you have
Justin:an answer to that?
Hornsby:Yeah. I do. So there's, if we think about a scale, like, metaphorically speaking, on the left, we have accessibility. How easy it is to Right. Use or get work done.
Hornsby:On the right, we have security.
Jimmy:A lot of people
Hornsby:a lot of people pivot these together like Jedi and Sith. Right? They're opposing forces. They're complementary. Right.
Hornsby:So, like, for the same reason that my mom lives in a gate guarded community, it's a little harder to go visit her sometimes. I gotta show my ID and get in, but what are we getting for that little lack of of convenience? It's higher security. Right? Right.
Hornsby:And so if we think about them as complimentary and this is at an end user level, right, everyday employee. If I can sacrifice 5 to 12 seconds every time I log in, what am I gaining in like a force multiplier of security? But most people aren't talked to that way. Right? They're just saying, hey, it's this or the
Justin:hot way. Yeah.
Hornsby:Risk liability, Bad guys come in. Right? Like, lock your door. But, again, I think it's there's ways to communicate it better than we historically have.
Justin:Okay. So communication. Yeah. Education.
Justin:We gotta start there. Absolutely.
Justin:And I think that kinda derailed you. So back to your product. Good.
Justin:What
Justin:Tell us again, like, what do you
Justin:guys do and how do you help
Justin:the end user?
Hornsby:Yeah. So we're the black sheep of the industry, man. Everyone else out there is talking about it's not a matter of if, but, when. Right? We believe the prevention is possible if you take the right proactive precautions.
Hornsby:Right? Just like heart disease can be the number one killer in America. Yes. But there's still ways to prevent it. Right?
Hornsby:There's ways you can lower your risk. You'll never be free of risk. Right?
Jimmy:So I
Hornsby:don't wanna be
Justin:Put a number on it.
Justin:How close can you get to a 100% secure?
Hornsby:That's a loaded question, Justin.
Justin:I mean, I always tell people 97 because that's that's a number that's kind
Hornsby:of been tested. Yeah. Right? And it's it it varies by industry. Right?
Hornsby:We're seeing very much of, even from the DOD side. Right? We're seeing a emphasis recently on core infrastructure and being able to secure, right, like very like, colonial pipeline. Right? Great example.
Hornsby:Right? Nobody really realized the cost of securing it until they went to the pump and there was no fuel. Right? There are kinetic repercussions for some of these things. And so I'd say your risk can absolutely be reduced.
Hornsby:I won't say it's ever slim to none but for the same reason that, you know, maybe my dad had a a certain type of disease that I'm genetically inclined to get, I could still greatly reduce my risk.
Bryan:Okay.
Hornsby:And that's where
Justin:well, how
Hornsby:do you do that? From a technical level, you talk to your physician. Right? Your your MSP or your your service provider and say, hey. What can I do proactively to get in front of this?
Hornsby:And 99% of the time, there's absolutely gonna be steps that you can do. Right? Right. But we have to make that a little bit more appealing than we historically
Justin:have. Okay. Right?
Jimmy:Yeah.
Hornsby:Yeah. Do you
Justin:guys have any questions for Mike?
Hornsby:Yeah. Not this time. No. Okay.
Justin:Alright. Well, I'll tell you what caught my attention is that and I think you said something to the effect of that you're vetting. I don't think that's the word you use. Yeah. You're like talking to the other vendors here.
Justin:Yeah. And tell me a little bit about that.
Hornsby:Absolutely. So myself and a team of 3 to 4 engineers go through a quarterly vetting process where we essentially evaluate, demo, proof of concept, each of these tools, and we score them a sense of, you know, there are some that are more response right of boom related. Some are more prevention centric. So we're gonna scale them on what is the most prevention centric in this capability, and then we wrap up management and monitoring into that. Okay.
Hornsby:Yeah.
Justin:So you're kind of an umbrella that brings in other tools?
Hornsby:Correct. Yeah. We call it vendor diversity.
Mario:And the reason
Hornsby:we do that is because we believe that everybody in here is the best at something rather than a single vendor claiming to be or maybe saying that all you need is us. Right. They have to open it. Right? Is no.
Hornsby:There's gonna be one that's the best at this. Is it endpoint? Is it Office 365 Security? Is it firewall? Right?
Hornsby:So we go out. We believe in that simply because just like you diversify our portfolio, you don't put all your eggs in one basket. That applies from a security perspective as well. 100%. Yeah.
Justin:Yeah. That always makes me nervous about the ones that say, hey, it's us. And I'll ask that question very pointedly. I'm like, I like I I hire you guys. I bring you in.
Justin:I I deploy your tool stack. Right. What am I missing? What are my gaps? Yeah.
Justin:Nobody likes that question.
Hornsby:It's just it's an honest question and it requires an honest answer.
Justin:Yeah. They don't like the honest answer.
Jimmy:Right.
Hornsby:So we just because they basically
Justin:say we've got it covered. And then when I say it that way, it's like, well Oh, yeah.
Hornsby:Yeah. Yeah. But so in a nutshell, we have a road map called the 21 blocks. More than happy to make it available to anybody that's subscribing and listening. It's Okay.
Hornsby:Free road map doesn't cost anything. Right? So it works right on our website, blockworks.comblokworx.com/21blocks, spelled like block. Okay. And it's a form it's just simply a a road map of, hey.
Hornsby:What are some controls? Think about, like, a bingo card almost of Oh,
Bry:I like that. What
Hornsby:am I doing already so I could take inventory? But maybe what am I not doing that I could have a conversation with my IT team or admin and say, we aren't doing end user awareness training. How can we do that? Right? But it gives them a measurable road map towards prevention.
Hornsby:It exists. It's out there.
Justin:So I'm gonna find that URL. I'm gonna
Jimmy:publish shit
Justin:so that they don't have to
Justin:try to remember it.
Jimmy:I love that.
Justin:That's I mean, that sounds like a good place to end unless you have something else you wanna add. No.
Hornsby:I appreciate the opportunity. And, again, you know, it's it's the candor is is needed at a time like this
Mario:it comes to snow.
Justin:I'm the guy for that.
Hornsby:Yeah, man. Absolutely. Alright, man. I appreciate your time, genuinely.
Justin:Yeah. Alright, guys. What thoughts do you have for us on this one?
Mario:My first thought is I need to do a better job filming. I don't know why I kept having my phone in front of the other phone. But, I have never worked with, block with them, so I am not really super familiar exactly with what they do, but that is one of the things that, I'm familiar with a lot of the vendors that were there, but they were one of the ones that I I never really got a chance to talk to, especially that week. I just my mind was all over the place, but they definitely I
Justin:can't imagine why.
Mario:They're definitely on my top of the list of people that I or companies that I want to, inquire more about next next week.
Justin:Okay. Yeah. Fair enough. Brian, did you have any
Bryan:Yeah. For me, the irony is this. BlockWorks is essentially, their whole business model is, made on the fact that they're helping MSPs or or people like us, select the tools that we would need in order to protect our clients. And they exist because there's so much options available to us that even we, as experts, need help sifting through it. And so I guess my message is if if we, as experts, need help sifting through all the potential options for vendors to be able to support our clients.
Bryan:You really ought not be doing this on your own. Right, you should be you should be working with with somebody who will guide you because like the gentleman said, every vendor says they're the best of the best at what they do, but the reality is is they're not. So
Justin:Yeah. Right. And that yeah. They they say they're the best of the best. We go out and tell our clients we're the best of the best.
Justin:We all believe it, but we still come down to, you know, if if pressed, and I use your solution and nothing but your solution, where are my gaps? You know, we're gonna kinda end with that. So I'm not gonna get too far into it of how I sleep at night with that question posed to me because I can. But I'd love to ask you back
Jimmy:to the vendors.
Bryan:Our stuff. Right?
Justin:So Yeah. But I I love asking this question to vendors who are saying we we this is it. This is all you need. But then men when you press them, they they squirm. So I I I like what he said that prevention is possible.
Justin:And they say that being one of the black sheep of the industry. So, most companies, most security companies, if I go out, I use that 97% rule. That's that's kind of a standard that seems to hold true. But do we really believe that prevention is possible? He said yes.
Justin:He almost kinda took it back though, after he said, did you did you catch that? So it's like
Mario:Yes. Yes.
Justin:Damn it. You know? I I used to I've got to tell a quick story. I used to advertise a 100%. This is before ransomware or anything else, but a 100% protection against viruses, guaranteed.
Justin:Right. 100% protection against data loss guaranteed. My lawyer wouldn't let me do that, neither would my insurance company say it. Now I had a plan and I could do it. And I was confident in it, but they would not let me market that.
Justin:So it's interesting. And and these days, I I will do something similar in that, you know, we take all these things that we're gonna go out and we're gonna vet them. We're gonna build our our recipe for security. And, you know, like I always say, that'll get us to 97%. Well, we still have a 3% gap.
Justin:So we have to figure out how to fill that gap, which is incident response plan for if it if and when it does happen, an insurance policy that we know they'll pay on because we put in their protections. Know, and I I do believe that can bring us to a 100% peace of mind. Right? Maybe we're talking 99.9999% or whatever, but we can get to a place where, if the absolute unthinkable happens to us, we still have a plan. We still have a way to recover.
Justin:We still have a way to do business, And we can carry on because without that whole formula, if and when something happens, like the title of podcast, you cannot get on hacked, you're going down. And In most cases, it puts people out of business. So risky, scary stuff. I will be honest, I don't love going to these shows and talking to all the vendors and you're like, god, there's there's take a guess. How many do you think there were that were selling cybersecurity that basically does the same thing?
Bryan:At least 40 to 50. Yeah.
Mario:Yeah. At least, I I would say somewhere on, like, 70 to 80. I mean, there was over a 100 vendors there.
Justin:Oh, now let's let's take and we don't know these numbers, we're guessing. But, just from your perception, we're at a conference that is specifically for what? What are we there to learn? Cybersecurity? No.
Justin:What are we there to learn?
Bryan:Marketing. Marketing.
Justin:Marketing. Sales and marketing. A little bit of operations, a little bit of finance, you know, some other things get sprinkled in, but this is a marketing and sales convention. The percentage of cybersecurity vendors and and experts and keynote speakers is is the the largest number. So, you know, we're here we're technology experts, but God, we spend most of our time and effort and energy, just trying to keep the Russians out of our network.
Justin:So, right, just just an unfortunate reality that we deal with. Alright. Any other thoughts on what Go ahead.
Mario:Yeah. I mean, one more thing too, like, obviously, that percentage, you know, that we're saying, like, 97%, it can go you know, we can shrink it more and more and more. I mean, if you wanna be a 100%, just turn off your Internet, and you'll be you know, I can guarantee you a 100%, you're not gonna get hacked.
Bryan:Well, you don't turn off. I'll I'll
Justin:do that. You turn off your Internet, I'll hack you. I'll put money on it.
Mario:But but, also, it's it's finding the right, you know, solution for, you know, the company. You know? Obviously, you know, if it's a Fortune 500 company, you know, a lot of the solutions that we're using now is still gonna be in play, but you can throw more money into it. You can throw, you know, bigger servers that will replicate to, you know, different places and stuff like that. But, you know, nobody wants to spend, you know, a couple $100,000 a month on that.
Mario:So it's finding the right vendors that will fit, you know, the you know, small to medium size companies is which is, you know, the majority of our customers that will find the right solution to keep them as safe as possible.
Justin:Yes. Okay. So let's pause and talk about that. There's there is like, there's not a one size fits all is what I'm hearing you say. Right?
Justin:We've gotta go to our clients, and we've gotta look at their situation. We've gotta build a solution that solves their problems. Fair. Is that is that what you're saying?
Mario:The major I mean, for a lot of the security and stuff like that, if if we had a user, you know, like, a 25 user or a $500 500 user, We're still gonna be using the same AV and stuff and, you know, next gen
Jimmy:Right.
Mario:Antivirus and stuff like that. But we will be adding more. You know, it it's more layers into there as well. Mhmm. I'm not saying we would completely use something else completely different, but I think we would inject more layers into our security stack.
Justin:So what I wanna add to that or add to, push back with maybe a little bit, but it the size of organization is one of the things that I believe, at least from my experience when I go out and meet with prospects, can can lead people to feel, almost hopeless. So they look at these large organizations. I know this isn't what you're saying specifically, but it's what, you know, it kinda kick this train of thought off. You go to these large organizations that are getting breached. Like, I mean, let's look at the Omni.
Justin:How much money do they have? How many resources do they have? How much thought and planning and care have they put into preventing the breach, and it still happened? So from an outsider perspective, I'm not an omni employee. I'm not on the inside.
Justin:I don't know what their systems are. But what we do find when we get that inside information is the basics that we're talking about were never put into place. So one of the things that, Mike just said is that we're educated beyond our obedience. And and I would add to that or maybe just we're educated beyond our ability to act. So you've got employees who are just struggling to to get their work done every day.
Justin:And and, by employees, every member of the team from top to bottom. Everybody's overwhelmed. Everybody's overworked. And then on top of it, we come in and say, oh, yeah. But by the way, you need to do this cybersecurity training awareness, you know, and Yeah.
Justin:And you gotta watch a video every month, and you've gotta filter through your 1,000 emails in your inbox and look for the ones that are fakes fake spam, fake phishing attacks, so that you can be trained to find the real ones. But, like, we're just constantly on overload. So these companies that get breached, the big ones, I don't want that message to be heard that it's overwhelming, that it's super expensive, that it's impossible because the big guys can't even pull it off. Most of the time, what we find is they're not doing the basics. Would you guys agree with that?
Bryan:A 100%. 100%.
Justin:Okay. So we we can we can absolutely get to that that, call it 97%, but plus your gap preparation. You know, you can get this to a 100% at least in peace of mind and and preparation. So, anyways, I'm I'm on a I'm on a huge tangent there, but that's just something I hear over and over, so I wanted to address that. Any any final thoughts on BlockWorks?
Mario:No. Sounds good.
Justin:I'm gonna I'm gonna rein myself in here, get off my high horse, and let's let's go on. And, Brian, you you kind of almost introduced this company, CyberQP, when you introduced Jimmy because he used to work there. It it's funny because when you said that just now, I'm like, oh, shit. That's why Jimmy looks so familiar. Yeah.
Justin:We'd sit and smoke cigars down in Franklin. So Yeah. He bought the cigars. I I remember those branded Cyber QP cigars. Anyways, so, good guy.
Justin:Good guy. I just forgot I knew him. Okay. So next, we're gonna talk to Cynthia from CyberQP. And now was Cynthia there when Jimmy was there?
Justin:Do they know each other? Yes. Any idea? Okay.
Bryan:Yeah. They've known him for a long time too.
Justin:So so we went from brother to sister in the at least in the company family. Cynthia, now I love to talk about the fact that headlines matter. You remember when we did our episode on passwords that nobody listened to? That's that's kind of how I introduced this to Cynthia. I'm like, hey, everybody hates passwords, and you're talking about passwords.
Justin:So, say something important that people will listen to. So here we go. Let's let's see what Cynthia has to say.
Justin:Alright. So, Cynthia, we talked for a minute. We did. About a minute ago.
Jennifer:Uh-huh.
Justin:And I
Justin:said that we had an episode recently,
Jimmy:and
Justin:the title was the dumbest title I've ever come up with, which is passwords. Haven't we heard it all? Well, no. That that title drew the worst downloads of our my podcasting career. I've been doing it for a few years with different podcasts.
Justin:I've never seen one fail that bad. So, apparently, passwords are not a super exciting topic.
Cynthia:Right. Which they should be because it's like the point of entry for almost every attack.
Justin:Okay. Tell me. Almost every attack.
Cynthia:Well, I mean, it's so compromised passwords according to, I believe, is IBM threat report is the 2nd most common threat vector used Okay. To go in and breach. The first one was phishing, which most of the time phishing is just trying to get your credentials.
Jimmy:So Yeah.
Bryan:They're trying
Justin:to get your password.
Jennifer:Exactly. Exactly. So So it is important.
Justin:The bad guy goes and they get my get my password. Like, how do you guys where do you fit into this? How do you help with because passwords, not only are they not exciting Uh-huh. But if we follow every rule, as humans, we cannot create a complex password for everything we use and remember it.
Cynthia:Right. Right. Right.
Jimmy:So,
Justin:I mean, we could talk about password management and stuff like that, but Sure. That's not what you do.
Kelsey:Nope. Tell me how you
Justin:help with this stupid problem of passwords.
Cynthia:Yeah. So a couple of things. First of all, you gotta think about your admin password. Like, you know, standing privilege. Everyone has, you know, access to this admin password that's been the same for this client for 4 years.
Justin:Wait. Wait. Wait. Wait. I'm gonna pause you.
Justin:So let you're saying that some of these IT companies have one password that they use for all the endpoints that they manage, and they don't have
Jimmy:a tool
Justin:to rotate those.
Cynthia:Sometimes that happens. So it's So
Justin:is that a problem?
Cynthia:Yeah. That's a huge problem. We call that standing privilege. You don't want that. You want 0 standing privilege.
Cynthia:So really best practice is just in time accounts
Jimmy:Right. Which
Cynthia:allows you to spin up named add an access. So now you know if it was Doug or Frank that did this change.
Justin:Okay.
Cynthia:And they're only gonna have access, let's say, to active directory for this one client for 25 minutes and then it's gonna shut down. And now it is not standing privilege. It is 0 standing privilege. The other big thing that we do is ID verification. So when someone calls in the help desk and
Kelsey:says, hi, I'm Bob. I need to change the password.
Bryan:Log in
Justin:and says wrong password. That never happens.
Cynthia:Know that Bob is Bob. Right? Oh. So let's set
Justin:wanna talk about the MGM.
Justin:Sorry. Go on.
Justin:Go on. Go on.
Cynthia:The MGM, yeah.
Jimmy:And then
Justin:maybe I'm not gonna say anything about our current venue. Go on.
Cynthia:Well, yeah. We haven't heard for sure.
Justin:We don't know any yet. Happened.
Jimmy:But,
Cynthia:yeah, with MGM thing. Right? Like, your help desk, they want to be helpful. You pay them to be helpful and to be nice. All it takes is a little bit of distraction, someone sounds enough like Bob, and now you've changed the password for the wrong person, and this bad actor has gotten in.
Cynthia:So but if you had sent them over a code via text, email, or end user app, then
Hornsby:Right.
Cynthia:Then now this person is, like, oh, bad service. I gotta go back. Yeah.
Jimmy:Yeah. Right. Right. But it
Cynthia:doesn't happen. So that's how we're helping
Jimmy:them.
Justin:Okay. So I'm hearing 2 problems. 1 is for us. Now here's this is an interesting I got
Cynthia:another problem myself.
Justin:Oh, go ahead.
Cynthia:Yeah. Yeah. Yeah. So password reset tickets is, like, the base Oh,
Jimmy:that's yeah.
Cynthia:Of most help desk
Jimmy:Oh, we
Jennifer:need those. Right?
Justin:Yes.
Cynthia:So we can actually help cut down the amount of time it takes to close the password reset ticket and also the number of password reset tickets because we have a self-service, app.
Justin:They can reset their own.
Bryan:And they
Cynthia:can reset their own, and it opens like your banking app does, like, with biometrics. So, again, you're verifying that identity before it gets fixed. Listen. Okay.
Justin:Our end users, they like to get locked out, and they love when they have to call us Yes. And wait for us to call them back so
Justin:that they
Justin:can get into their system.
Jimmy:So that's not
Justin:really a perk.
Cynthia:Except now when they call, the tech can actually do everything within the ticket, and they're not having to go and log in to something else. Right? They're doing it right there. So we can cut down on the amount of time. I think the average password reset to get takes about 20 minutes
Justin:to Before your product or after?
Cynthia:Before. And we can cut that down in half.
Bry:At half.
Jennifer:At least
Cynthia:right before.
Hornsby:5 or, like,
Cynthia:still at least in half. And so now a couple of things. Right? So everything happened in the ticket. It happened faster, and you're gonna be able to show in the ticket.
Cynthia:Hey, I verified their identity before I did this. So you're helping with your compliance and, you know.
Justin:This is a lot of
Cynthia:taking your ass.
Justin:Yeah. Yeah.
Cynthia:You told me you told me to
Justin:Oh, you can swear. I I
Cynthia:So I did.
Justin:Swear like a sailor. Okay. These guys don't. I can't ever get them to swear.
Jimmy:I would try.
Justin:And I I said
Cynthia:so good.
Justin:We'll bring him around. Okay. So it is not a family show.
Justin:No.
Justin:We've got an issue where I I wanna zero in on this just for a second.
Jennifer:Okay.
Justin:We have talked before about how the IT world, us, IT providers, cybersecurity experts, we can all say that about ourselves with no credentials, no training, no certification. So we could have IT vendors, security experts who are out there doing what you said, putting out passwords, probably the same password on every computer, which is 100 or 1,000 that they manage. Uh-huh. An employee leaves, guess what? Yep.
Justin:We gotta walk around to every computer and reset that password. I The local admin password You need
Cynthia:a magic magic.
Justin:You need and you're the magic button.
Cynthia:I have a magic
Justin:button. And without this, I'm going to theorize that a lot of those passwords don't ever get changed.
Cynthia:Well, right. And then, like, so you have to let a tech go, they leave with their, like, posted note of anger and now you're up half the night trying to decide, like, okay, god, which which admin access, like, Q Day have maybe had the password for? Or you have Q Guard, you pop in there, you hit the button, boom.
Justin:And they're gone.
Hornsby:Okay. I love that.
Justin:Okay. So you make our lives easier.
Cynthia:I do.
Justin:You make the client's life easier because they don't have to have those really exciting phone calls with us saying, hey. I can't get into my system. Oh, sorry. I'll have somebody call you back here in 20 minutes or whatever it is.
Cynthia:And we're talk 2, talk 2, certified.
Justin:Okay. That doesn't mean anything to my
Hornsby:end.
Cynthia:But it probably means something to you.
Justin:It does mean something to me. Yes.
Cynthia:Said, like, hey, you know, all these IT vendors, maybe they, you know, are certified or this or that.
Justin:Oh, there is certification on
Jennifer:your end.
Cynthia:Okay. Okay. So we are SOC 2 type 2, certified. We had a VP of cybersecurity that came from Datto, actually. Amazing.
Cynthia:We do internal pen testing and external pen testing. We take a lot of time to make sure that the product that we're offering is secure.
Justin:Which I would hope so because this is a big one if it got hit. Right? This will be a problem. But SOC 2 type 2, just for talking to people who know nothing about had to come in and audit you, basically.
Jimmy:We have
Cynthia:to yeah. It's a lot of auditing.
Justin:You self audit, but somebody has to check your
Jimmy:Yes.
Justin:And then they sign off on it, but they're a 3rd party, an outsider.
Cynthia:And there's a type 1 and then you get
Justin:your 2.
Jimmy:Right.
Cynthia:Yeah. Okay. And it takes a lot
Jimmy:of work. Yeah.
Jimmy:And it
Cynthia:takes a lot of work to keep it too. Right?
Jimmy:Like, you
Cynthia:can get it, but then you gotta keep it. Yeah.
Justin:Okay. Alright, guys. Anything for Cynthia?
Bryan:It is a
Justin:good idea. Right? It is
Jimmy:a yeah. It sounds like we've got a lot of AI
Hornsby:to create a voice in the sky. Yeah. It's
Jimmy:So we're gonna
Cynthia:help you with the, like, the robocalling and the spoofing and all of that.
Mario:Mingle all the vendors there.
Justin:I think so. I think so. Alright. Thank you very much.
Cynthia:I appreciate it. Bye.
Justin:I'll tell you what. She's got way more energy than I do. And I I liked her little dance at the end, her little sign off.
Mario:Yeah. That was cute.
Bryan:With energy.
Justin:Mario, you asked her a question at the end there. That was your audio was pretty hard to hear. Do you wanna do you remember what you asked her?
Mario:Yeah. So it was pretty much, you know, out of the first three vendors that we were talking about, one was AI, which
Justin:Right.
Mario:Hackers are using to now disguise their voice or, you know, be able to call into a help desk and be able to ask for a password reset. So with the first vendor that we talked to, she tells us, okay. We can actually help you create something like that. And then, you know, with, CyberQP, they can actually help prevent stuff like that. So, it was actually pretty funny that we we spoke to 2 vendors that literally, I don't wanna say contradict each other, but, you know, could kinda fight each other if if left alone.
Mario:You know? Right. Which I thought was pretty funny.
Justin:Brian, your thoughts on that since you brought in the AI guy?
Bryan:Well, I I mean, it's it's becoming more of and more of an issue. We've seen it recently. There was a, a fellow. I can't remember exactly where, but, was invited to a, conference on Zoom, and they used, the criminals used AI to impersonate the CFO and the CEO and a few other people at the company, and it looked like it was them. And to the person who joined the zoom session who was on the financial side thought he was talking to his bosses which he could see and he could talk to and it sounded and looked like them, but it turned out it was criminals who were impersonating him.
Bryan:And, and he was able they were able to get him to transfer, wire transfer funds out to, obviously, a third party. So, you know, authenticating, like, I guess what I'm getting at with that is if if that's happening at that level, it's definitely happening where people can impersonate your employees calling in for IT support. And unless there's those precautions in place, where they're authenticating, via, you know, either a phone call or or a text message with a code, then, they're definitely you're definitely at risk. So it's something to look at that implement, if not now, then ASAP. Yeah.
Bryan:Yes.
Mario:Actually Okay. I wanna add one more thing too. I this morning, I actually read an article, where it was saying if you're getting these spam calls or whatever, they're asking you questions like, hey. Would you like us to opt you out out of future calls or whatever? And they're getting you to say yes, and they're getting they're recording the call.
Mario:So the article is pretty much saying when you're on the phone with these guys, you don't wanna use words like yes or, you know, anything that they can hack actually record and piece together to be able to kind of use your exact voice to maybe call into your bank or to call into your IT help desk or whatever. So there it it's these scam these scams are getting a little crazy with them just recording you. Like, they know they're bothering you, and they're asking you questions just to actually record your voice. You know, like, if you're saying, hey. Please don't call me.
Mario:Yes. Please opt me out. You know? Now they're they pretty much now you say yes, you know, call and stuff like that. And they piece it together.
Mario:They can pretty much create a whole whole sentences like, hey. Yes. I need my password reset, you know, stuff like that. So they were saying don't ever, you know, use these generic words or anything when you're speaking to these hackers or spam callers.
Justin:Yeah. Here's where I struggle though. 2 points. Number 1, we can't remember all this stuff. Right?
Justin:Like, we you go back to what Mike from BlockWorks said. We're educated beyond our obedience, and I would argue, you know, overwhelm is is the other thing. So it's like we hear never say yes. How do we do that? And, guys, we're screwed.
Justin:We're on a podcast. We're broadcasting our our faces, you know, video, and and we sit here and talk for hours. They can take anything from what we say and create anything that they want. Right? So, what you're saying, Mario, a 100%.
Justin:I've heard that before, and I I just wanna take that, which when I hear you talk, I mean, I'm in this industry and I go to despair. Like, well, shit. I gotta remember that. I can't ever say yes on the phone for fuck's sake. Like, how do I how do I get away from never?
Justin:You just
Jimmy:did. So,
Justin:you know, to what I love about what Cynthia is saying and and maybe this this is probably actually your point. I really did. When you it's interesting as I watch myself react to what you're saying. I try to put myself in my client's position, and I go to a dark place because I'm a goddamn it. There's no way to fix this.
Justin:There's no way to protect it. And so I I just wanna say that this has always been and always will be a game of cat and mouse. We will come up with ways to protect, and then criminals will find a way around it. That's never going to change. And so while that is an issue, what you're talking about, now we've got, you know, CyberQP or Cynthia is talking about a way to to protect against that, that very thing.
Justin:But man, it does get overwhelming. You guys want to say anything along those lines or, you know, push back on me? Or what what are your thoughts here?
Bryan:I think you nailed it on the head. I mean, there's not much we can do as far as, like, trying to prevent ourselves from being recorded because, we're we all are putting out content on a regular basis, whether it's just with phone calls with people you may not be aware of, just in person. People can record your conversations. You know, podcast, webcast, all the webinars, all the seminars, all the different, you know, Teams sessions you've been on. There's no way to prevent it.
Bryan:So, yeah, other other controls will have to be put in place to
Justin:to adjust
Bryan:for that.
Justin:And maybe it's maybe this is almost a, self promotion for us. Right? Because we're in this world. We go to these conventions, we talk on what we we prepare for these podcasts, we're protecting our clients, we're vetting this information, we're all day, every day, we're doing it. And it's frustrating and feels hopeless.
Justin:But damn it, if you're a business owner and you're trying to do everything else else and do, like, do your own cybersecurity or my favorite one is when I reach out to people without any questioning, without any any conversation, they'll say, oh, we're good. We're handled. Like, really? Really? How do you know that?
Justin:You know, and I I with I don't even get the conversation, but I'd love to know, like, how do you know? How do you have such confident? Now really, what they're doing is they're blowing off a salesperson. But as a business owner, how do you know that you're covered when this thing's constantly changing and constantly involve evolving? So, I I don't need any thoughts on that, guys?
Mario:Yeah. I mean, honestly, it's it's working with, you know, with the right company, you know, a one man shop, like, as the owner or even, you know, IT people, it's hard to cover everything. You know, here's an example, you know, of a 100 different vendors. Okay? As a small MSP or, you know, a a company, you don't have access to a lot of these vendors.
Mario:So, you know, a lot of these vendors don't even work directly. They only work with managed service providers like like ourselves. But it it's you know? And there's times where we come across like, oh, yeah. We're we're working with somebody, my nephew, that's been, you know, doing IT for a while and stuff like that.
Mario:Well, that nephew may know computers pretty well and may have certain things in place, that's helping you. But he may not have the capital to invest in something like, CyberQP because he it doesn't make sense to him to invest in a company like this to help his uncle that has maybe 10 computers. But for MSPs that are managing 100 or thousands of computers, it makes more sense. You know? You you're splitting it among a bigger pie.
Mario:Plus when you you know, a lot of these vendors, the more you're signing up with them, the better prices you're getting. So it's, you know, it's working with a company that's been around and and and doing the right things and constantly going to shows like this and improving their security stack is what I think helps. Again, never a 100%, but it I think it it's all about narrowing down that percentage.
Bryan:I'll I'll add one thing to that, Mario. That's listen. I've got 18 of the most brilliant minds in Niagara when it comes to IT and computers and and and technology and security. And even I hire outside assistance experts in cybersecurity to watch over my back to make sure that my clients are safe. And so if you're trying to do it on your own with your nephew, don't.
Bryan:Because even somebody who's in the business, one of the largest managed services provider in Niagara, I hire outside help to come and help us to make sure that our clients are safe.
Justin:Well and and we're talking about one specific case of, you know, where you have a relative or a friend who's maybe not a a technology expert. But even in the case where you do have a reputable professional company, it's still overwhelming. You still need another set of eyes because we all have our blind spots. And with any organization within within that culture, you have things that you do and things that you don't do for both good and bad. It's really hard to break free that and when you're locked into one mindset, you don't see outside of it.
Justin:Our brains are programmed to not see outside of our belief system. If I believe I'm safe, if I believe I'm secure, if I believe I'm doing everything right, my brain will intentionally reject anything that disputes my belief.
Bryan:Correct.
Justin:So I mean, that's the dangerous thing I hear people say is no. We're covered. We're good. Goddamn it. I don't feel that way about my company right now today.
Justin:Like, I mean, I I I do and I don't. Right? But there's some cognitive dissonance there.
Bryan:You're always looking at it though. Right? You're always
Justin:Yeah. Yeah.
Jimmy:Yeah.
Justin:Topic. But I'll never tell somebody, oh, you know what? Like, we're good. No, I'm going to hire a 3rd party to come in and make sure that what I believe is true. And we're going to actually talk to, Jennifer from the company we use here in a minute.
Justin:But first, first, so one of the things Cynthia said is that, password breaches or how did she say that? When when breaches happen, the second most common entry point is a breached password. It's somehow they got a hold of your password. They guessed it or they hacked, you know, they brute force it or whatever. They got your password second most.
Justin:And that was interesting to me. I'm like, okay, well, what's the first? You guys remember what that is?
Bryan:In fact, end user end user email phishing.
Justin:Yeah. Okay. So, there's a lot of words for it. Phishing attack. You've got business email compromise, but it's basically somebody comes in, either impersonates an email email sender or actually breaks into somebody's email account and sends as them and and then is able to manipulate somebody into taking an action.
Justin:So let's go ahead and hear from Kelsey, which I think wasn't she with CyberQP as well. She was right. That's funny how these vendors bounce around. One thing I will say so in in disclosure, like, we are talking to vendors. These are salespeople.
Justin:Most vendors bring 2 people. They bring at least 2 people. They bring somebody who's good at, human communications, which generally speaking is not smart IT guys. You know, they're they're personable. They're they're bubbly.
Justin:They have they do little sign off dances like, Cynthia just did. But then they also bring somebody who's the technical side of it. And and we are we're talking to both of them. Kelsey, because I mean, she's been around for a while. So she knows the industry very well.
Justin:And, today, she's gonna be talking about a new product. She's with with a new company. So let's, let's see what Kelsey has to say.
Justin:Guys, this is Kelsey with tell us, real quick. Just give me, like, a 5 second introduction on the company.
Kelsey:Yeah. So I am with Infamous cybersecurity. We are security awareness training built for the channel, by the channel, and, our onboarding process is really smooth and effective. It can be done in just 3 clicks. So that is the the threes everywhere, and we're really happy to be here.
Justin:Do you when you say you do end user education, do you also do phishing simulation tests or no?
Jimmy:Yes. You do. Our
Kelsey:phishing simulation test.
Justin:Before you go into that,
Justin:we were just talking to the people down there.
Justin:I think you've met that vendor before. They do password resets and stuff like that.
Kelsey:I am a little familiar familiar with that.
Justin:So one of
Justin:the things that she mentioned is that, the top two ways that breaches happen. The number 2 is passwords getting breached. But number 1, do you know what the answer is?
Kelsey:I'm gonna go with the human element of it all.
Justin:And she specifically said phishing, but yes. Exactly. So so that's why I'm like, okay. Do you do fishing simulation? Because that's number 1.
Jimmy:Yeah.
Justin:Which is tied in with education. It's really the same thing.
Hornsby:So tell
Justin:me a little bit about why that training is so important, what it looks like, what it, what it means to the end user, and how we get past the problem that we all face, which is nobody wants one more goddamn thing to do in a day.
Kelsey:Nobody wants one more thing to do in a day, but, unfortunately, no matter how many great tools and how many great practices you put in place, the human element is always going to be the weakest link.
Jimmy:You know. It is. I mean
Justin:100%. Yeah.
Cynthia:We're none
Kelsey:of us are perfect people. We're not robots. There's a reason, you know, like, we're we are who we are. So this, tool is actually based built on behavioral science and attempt to actually educate your end users into actually learning what to look for and how to respond appropriately because hackers are only getting better. AI is making their lives so much easier.
Kelsey:Yeah. And we are so much more vulnerable than we've ever been.
Justin:Right. Okay. Brian, Mario, do you guys have any questions for Kelsey?
Mario:So you keep Akers out. Right?
Justin:That's the That's
Kelsey:the deal. I I got a question for you.
Justin:Not today, Akers.
Kelsey:I got one for you. Okay. Did you hear about the cyber criminal that got away? No. He ran somewhere.
Justin:Jesus Christ.
Jimmy:It's a
Justin:lot of guys. That must be time to wrap things up.
Kelsey:My wrap up music.
Jimmy:What do
Bry:you use? I've heard it once before.
Cynthia:Yeah. I still laugh.
Justin:I did I've not heard that one.
Jimmy:I will I will have to use that.
Hornsby:Okay. Yeah.
Justin:Alright. So we've kinda covered the the tool set that we need as IT providers, vendors, or or support people. Whatever. I'm blanking.
Kelsey:We're all people.
Justin:This, though, I I used to run a whole series of live seminars before COVID, and I it was titled The Human Element of Cybersecurity. And we were really pushing the training. But I will just say again, the main problem I face is nobody wanted to do that training. So yours is a little bit more engaging, entertaining.
Jimmy:Yeah.
Kelsey:It's it's built based on how we learn, you know. Okay. There were researchers involved and it is actually really cool, very effective.
Cynthia:Also, it's a necessary evil.
Bryan:It is.
Kelsey:It's either insurance requirements.
Justin:You have to do it anyways. Yeah. Yeah. What I would tell my as I was presenting this is, like, you can't just force people to do it. You've gotta show them.
Justin:Yeah. Because the biggest problem is the guys at the top never wanna do it. They wanna make their minions do it, but they won't do it themselves. So All right. Any final words?
Jennifer:No, I think that's all I've got.
Jimmy:All right.
Bryan:Thank you
Jimmy:so much.
Justin:Gotta unmute myself. I I didn't act fast enough. I actually have that sound effect for her bad joke. Let me see if I can play it now. Did that come through?
Justin:Did you even hear it?
Mario:A little bit.
Justin:Anyway, okay. So before I go, I've got some thoughts here, but you guys give me give me your thoughts on Kelsey's pitch there.
Bryan:I mean, they she nailed it. She nailed it. Honestly, like, everything that was talked about was, accurate. And probably one of the better interviews that we did that day. People don't like, taking the training, but it's it's so important.
Bryan:And and in most cases for insurance, it is a legal requirement or not a legal requirement, but a requirement. Otherwise, you won't you're you won't be paid out in the event of a of a breach. And so, tracking it and making sure that they're doing it, is key and critical.
Justin:Mario, what what do you got?
Mario:Yeah. I mean, I I talk to people all the time. Like, you know, with the system that we use, you know, the manager, of the of the place will be able to see if any of their employees are, have done the training or what they've done. And, you know, a lot of times, they're like, oh, yeah, you know, I I forgot to do it. Or, yeah.
Mario:Just to you know, my employees keep telling me it's annoying and stuff like that. But those employees are the ones that are clicking, you know, or because we we will train them, but also we will test them. And those employees that are not watching the videos, not doing what we tell them to do They're
Bryan:the ones falling for it.
Mario:It. They're they're the ones falling for it. They're the ones going to Walmart down the street and buying gift cards and scratching it off and, you know, thinking that they're sending it to the CEO.
Bryan:Yep. There's a direct correlation between the people who are not watching the videos because we could see it. They they don't take the quiz. They don't they don't fill in the stuff. And the people who are getting the the ones that are falling for the, the the the attempts because we attempt to fool them.
Bryan:They're the ones falling for it. The ones who are taking the training, we could see that, are the ones not falling for it. So there's a direct correlation there.
Justin:Brian, do you have stats on that? Do you do you have like an adoption rate of the people that you give training to? How many of them actually take it? As a percent? I don't
Bryan:have it here in front of me.
Justin:I'm sure I can
Bryan:get it
Jimmy:If you had
Justin:to guess. Podcast? We will.
Bryan:This depends on the client because some clients are very actively involved. We have some clients that actually gamify it and make it into a contest, and they they give, like, gift certificates out to the employees who who, who who accomplish the the tasks that are responsible, and they have, like, a drawing, essentially. And then we have other clients at the other end of the spectrum who don't pay much attention to it at all. If there's somebody engaged as the primary I would say adoption is darn near well 100%. It might be 1 or 2 outliers at that company But in the organizations that don't have a lead or somebody who is encouraging and and taking ownership over it, adoption is next to 0.
Bryan:So you you have to have somebody who's engaged leading the pack, and I would say even, like, gamifying it, making it into a competition, and, having rewards and and, gift certificates drawn for the people who are participating.
Justin:Alright. This I'm I'm typing notes because this is gonna be a future episode as well.
Bryan:I would go one step further and and even say those who are following for it, you wouldn't accept an employee, you know, doing something that's unsafe in your workplace. For example, if they're a tow truck tow tow motor operator or the lift truck operator and they're constantly whacking into people and hitting people, you would fire them instantly because they're putting everybody in jeopardy. And I would go one step further and say, you know what? People who are ignoring cybersecurity, people who are not taking it seriously, people who are clicking on the links and falling for it all the time, After a period of of, you know, coaching, if they still don't, you know, come into compliance, they gotta be clear that
Jimmy:when they're
Bryan:putting your business at risk. They're, like, they're they're putting your entire business at risk. Every single employee there at your organization is at risk of losing their employment because of one person clicking on stuff that they ought not to, not out of, you know, oops. I didn't know out of I don't care, and I'm not paying attention. So just make sense.
Justin:One of the things I would Oh, go ahead. Go ahead, Maurice.
Mario:So so I I actually, we had an employee that we we've talked to the, the owner and we're, like, telling them, like, listen. This person's constantly failing these, these tests. And, you know, we don't think they're really watching the videos or not implementing what, you know, they're learning, and they're becoming a a security risk. And they sat down that employee. They're like, listen.
Mario:If you don't stop, we're taking away email from you. And, you know, if you can't if without email, you're not gonna be able to function and do your job, and you were gonna have to let you go. You know? It is it is point, to a point where it's, like, grounds of termination if you're just gonna be a liability to the company.
Bryan:100%.
Justin:I really believe that this is an HR like this. Cybersecurity awareness
Jimmy:training needs to be very
Justin:embedded in the HR process. The ongoing training, what the expectation is, what the consequences are. It needs to be the ongoing training, what the expectation is, what the consequences are. It needs to be baked into the process. And at least as importantly, it needs to be baked into the culture.
Justin:So we'll never get a company to adopt this when the CEO refuses to do it himself or herself. Right. Right? So we've got to start at the top. They've got to all do it.
Justin:They've got do it themselves. Promote it. Use the carrot first. Right? Let's do gift cards.
Justin:Let's do drawings. Let's have it gamify it. Make it fun.
Bryan:Right.
Justin:But you also have to have that stick attached to this. If they're not going to do it, it's like letting somebody leave the front door open every single night in a bad neighborhood. Right? I mean, eventually, you're gonna lose your whole business over this. So Yeah.
Justin:Hugely important. Guys, we just identified the number 1 and the number 2 most important. You know, when we look at what is this podcast about, it's about boiling down the noise out there and getting the, you know, the biggest bang for your buck. We just identified it. Number 1 is training, which ties to culture, ties tightly to culture.
Bryan:Right.
Justin:And then number 2 is password
Bryan:Nobody wants to pay that.
Justin:Yeah. Nobody listened to. No. I swear to God, the problem wasn't the topic. The problem was my headline.
Justin:That's more of a marketing admission of failure than, than anything else. Like, let's take the most boring topic and give it the worst headline ever invented.
Bryan:Right.
Justin:It was good content. I really I'll probably have to go rename that episode and relaunch it or something later because it really was good content. But, okay. So, you know, we've we've done all this thing. We've got block works or similar.
Justin:We've got all the key components in place. We've got passwords under control. We've got an amazing training program, and we've got the culture to go with it. And we've hit that magic 97%. We we always need to know where our blind spots are.
Justin:Right?
Jennifer:Right.
Justin:I'll say it again. We're not wired for it. This is why we can't change somebody's mind politically, religiously, it whatever. We we are wired to believe what we believe and look for evidence to prove ourselves right. Never do we look for evidence to prove ourselves wrong.
Justin:In this world, we better we better figure out a way to do that. And that's how we do it is we bring in a 3rd party to do assessments for us. So unless you guys have anything else to introduce, I'm gonna go ahead and roll with Jennifer. Okay.
Justin:Jennifer is with well, you know what? You tell me who you're with and, like, real quickly what you do. Okay.
Jimmy:And then
Justin:I'm gonna start asking you some questions.
Jennifer:Sure. I'm Jennifer Pierce with Galactic Advisors. We provide third party cybersecurity assessments for you to be able to offer so for an MSP to be able to offer to your clients to help your businesses grow and keep everyone safe.
Justin:So when I first approached you about doing this, I'm trying to remember what I asked, but you came back with an answer that I absolutely love.
Jimmy:Do you
Justin:remember what it was?
Jennifer:Well, you asked me what I thought the biggest problem was out there right now.
Justin:That's what I asked.
Jennifer:And I said, well, I think it is what I always think it is. The unknown Yeah.
Bryan:Unknowns. Right.
Jennifer:How do you find something that you don't know what you're looking for? And what is an MSP to do about that? And how can clients stay safe when they don't even know what they're looking for? And the answer is 3rd party cybersecurity assessment.
Justin:Why can't I
Justin:just do it myself,
Jimmy:though? Well
Justin:I'm at least
Justin:as smart as you, I think. Man.
Jennifer:Oh, no. You're way smarter than me. But here's the problem. When you're talking to your clients and you're telling them, hey, you know, you you need this thing from me. You need it.
Jennifer:Yeah. You're just saying that because I need it. But if you get a neutral third party with national experience, the experts to come in and do the test and they validate everything you've been saying. Instantly, you've built that rapport, and they can trust. They've seen it, demonstrated that they can trust everything you're telling them.
Jennifer:So you built that trust in you, and you become the expert executive consultant in
Justin:Alright. So in full disclosure, I cut I cut that one off a little bit early because I don't even know what she said. But after we got done, she's like, oh, shit. I I shouldn't have said this or that, and I I don't know. She thought she was talking to somebody else.
Justin:I don't even know. So I just I took the key piece there. And really, it comes down to what we've already talked about. Right? Is is knowing, you know, we have these unknown unknowns.
Justin:We think we're good, but we've we've got to get another set of eyes on it. And one of the things I love about that product, that scan, is, I've run this on individual users, just like one person, small companies or home users even. And then I've also run this on organizations with hundreds of users. And even in the smallest cases, the report, the complete report that comes back is, like, almost a 100 pages. And on the bigger organizations, it's more than that.
Justin:So we get a ton of information. And I don't think I've ever looked at one of these reports and been like, oh, yeah. I knew everything in there. Right? I mean, there's there's always something that I'm like, oh, shit.
Justin:So and so has a path or a file on their workstation called passwords dot s xls. Right there. They're keeping their passwords in an old spreadsheet. It'll find stuff like that. I don't
Bryan:know what
Justin:what do you give me, Brian, I think you're muted. I think you're trying to talk, but you're muted. But go ahead. Give me give me your takeaway.
Bryan:Yeah. There's their own scan changes from from from month to month, from week to week. So, you know, I'm busy doing help desk and providing help desk services and setting up servers and configuring things and just helping people when they have problems and, you know, cybersecurity as well. But these guys live and breathe cybersecurity. This is all they do all day long and they have probably the best experts across North America working with them.
Bryan:And even they will utilize outside sources as well. And they're constantly changing what's in that scan. And so what we found 1 month we could fix it all and the next month it will find new stuff or somebody on on the network or somebody in your office or your business will change something and, you know, open up a vulnerability that wasn't there earlier, and their scans will pick that up and help us close those loops. So it's it's it's essentially a constant, you know, verification.
Jimmy:Are we
Bryan:doing what we're doing? Yes. Let's get somebody to verifying it. Did anybody change anything? Yes.
Bryan:Let's fix it. So on and so forth.
Justin:Alright. Mario, what are your thoughts?
Mario:Well, I I what I love about the the galactic is not only are they watching over us and helping us, watch over our clients, but, you know, at the end of every episode, we we talked about how we can, you know, run this scam for our our prospects and stuff and stuff like that.
Jimmy:But, you
Mario:know, pretty much tying into what we were talking about with the previous vendor, It's all about training. It it's it's it's teaching your employees. And what we do with these scans is we teach you guy or we teach the prospects that we sit down with any vulnerabilities on their network. You know? Sometimes, just educating these prospects, they realize that we know what we're talking about and we're using the tools, you know, that will help us figure this out versus, in no matter if you notice a big theme with a lot of these vendors is education.
Mario:If we can educate somebody on what those vulnerabilities are, you know, then you've built a trust. And once you trust somebody, it it makes it a makes it a lot easier to work with somebody. So it's education. You know? It's it's not only watching over, but educating you on on the vulnerabilities that you may have.
Justin:Yeah. We've got a kind of a recurring a recurring theme going on education. Alright, guys. This one, it's been a doozy. We've been we've been on here longer than we normally are.
Justin:Hopefully, the the content was good and useful to our audience. I will say that today we probably got a little bit more technical than we normally do. In some cases, Brian, you're muted again.
Justin:Yeah. Just today.
Justin:But but hopefully, you know, the the value here isn't necessarily in the technical details. The value, at least for me, when I go I go to this event, I'm I'm walking down the halls and I'm looking at all these people. Number one, I have to keep in mind, they are salespeople, right? They all they all believe in their product, but they are also paid and commissioned on generating revenue, like every business. But having them all side by side, and we only interviewed 5 today.
Justin:And and like we've already said, there there are probably a 100 vendors there. We we can't get to all of them. I do make a point of going and talking to as many as I can at these. I used to avoid them. It's like, you know, going to the carnival.
Justin:You gotta stay away from the, like, hey, come try to win a prize here. Like, I'm just trying to ride the ride, damn it. You know, I used to feel like that at these. But then I realized this is a this is a really huge resource that we have available to us to talk side by side to these guys. So it was it was wildly useful to me.
Justin:And I'm gonna kinda wrap up with my takeaways, but I wanna turn it over to you guys first. If you'll each just take a minute and, you know, what were your biggest lessons learned from this conference, from talking to the vendors? And maybe if it even if it wasn't the the vendors and the experts that we talked to, maybe from some of the presentations that we watched, we were all there for 3 days. What what was your your takeaway? How are you gonna be a better person, a better business and a better cybersecurity expert to your clients?
Justin:And, Mario, you do wanna are you ready to go first? Yeah. Yeah. Okay.
Mario:Yeah. I mean, one thing Besides
Justin:the car, you can't talk about the car anymore.
Mario:I'm just kidding. Well, well, what helped me win the car in in you know, obviously, our listeners don't know, but, you know, you guys will vouch. One of my biggest things about my presentation was not being content with where you are. No matter what you're doing, you know, you can be doing okay now, but you're never content with what, you know, with where you are now. And speaking to these vendors now these vendors spend 1,000 upon 1,000 of dollars to to be at the show.
Mario:This is a a huge show. So they're if they're a a fly by, you know, vendor, they're not gonna they're not gonna spend, you know, 1,000 of dollars to be there. They they have to have a good product, been around for a while to be able to afford this. So, you know, what we do is we go to these guys, and we're never content with what we're using, you know, right now for our, customers. And I wanna say the majority of my security stack that we offer, we've gotten from these vendors at at the this show or, you know, previous shows.
Mario:So it's it's we're constantly trying to learn what these guys do and what, you know, what they can do to help us, and we vet them. We test them against our environment or against, like, a test environment to make sure that this is something legit and that would help, you know, our customers.
Justin:Right. Brian, what do you got?
Bryan:Well, I'll end it like I end most of our podcasts. We have to start treating our businesses and and even cybersecurity specifically, but every everything through all of our businesses as a journey. We're there to improve day to day. And if all we're doing is, doing our very best every single day to improve even just 1%, that's what that's what matters. So we're not gonna get everything perfect, when it comes to any of this stuff but, every time we learn something new we implement that we we look at what can we do today?
Bryan:What can we do this week to improve our cybersecurity posture, improve our operations, improve how and implement that and ask that question day in day day in and day out and week in week out at your quarterly meetings at your annual planning sessions and, in everything you do then, we will all eventually get to the point where, the we're not that low hanging fruit on on the tree as as you like to close-up with. So sorry for stealing
Justin:your thunder, Dustin. No. That's alright. I love it. You know, one of the things that when I'm trying to, you know, approaching a prospect and I'm trying to present them with why they should use my services, One of the reasons that I don't say, hey, we use, x y z vendor in our cybersecurity stack, because we all do.
Justin:We all all IT companies use a toolset, and and there's a million ways to do this. That's just like there's a 100 different ways or a 1000000 different ways to make a chocolate cake. Right? And so I'm not gonna list off the ingredients on the invoice of, you know, I've got 2 cups of flowers and, whatever. It's it's a moving target.
Justin:It's a cat and mouse game. It always has been always will be. And so is how we approach it, you know, and this is why I go and I now make a point to talk to as many of these people as I can, because I will change the way I approach it. When I when I get new information, I do new things. And I believe that as long as we're doing that, and as long as we know what our gap is, and have protection, whether it's, you know, insurance and incident response plan and everything else, I can 100% clear my conscience and sleep well at night because I know I've done everything that I can do.
Justin:Right? Now the bad guys are they're also trying to do everything they can do. So we we have to say stay vigilant. And this is something I haven't really closed with before on this podcast, but, you know, we are trying to, get in the heads and the minds and the brains of business owners. That's who we talk to even though it's a technical podcast.
Justin:If if there's, you know, the biggest value I believe that we can bring to business owners in doing this podcast is creating a mindset, and which which should then transfer to a culture within your organization. If you are week in week out listening to us, you don't have to go out and do the research that we do. You don't have to live in the world of, crime and thugs and breaches and ransomware. And and I mean, it's crazy, and it's it's disheartening a lot of times. But if you're at least listening and becoming aware, it will train your brain to expand your vision and to be looking for the things that you're normally blind to.
Justin:So if nothing else, you listen to this thing, and you train yourself to look for and protect against these, I mean, it's it's just everywhere. The attacks that are going on all the time. We have something of value to offer just in the message And then you can always go on, right, and schedule a free gap assessment. I'm gonna start calling it maybe, but let's let's know where those blind spots are. And let's build a plan for that.
Justin:So we get the basics in place. We find out where our gaps are. We build a plan for that. And we're good. And I'm gonna call that a 100%.
Justin:I'm gonna start calling that a 100% or at least as close to it as possible. Right? So, go to unhack.live. You can get all the information you want and more about me, Mario, Brian. We're all a bunch of great looking IT guys, and very personable.
Justin:Really kind of a a unicorn in the industry because, you know, IT guys are I don't know. Anyways, that was stupid. I shouldn't have said that. Told you it's been a long one. So jump on there, schedule an appointment with us.
Justin:We're just gonna take a few minutes and we're gonna ask you some questions, and then we will give you a link that you will click on and it simulates what would happen if one of your employees clicked on a malicious link. And it will go out and it'll scour your network and it'll find a 100 plus pages of things that we need to be aware of. From there, we boil it down, we create a plan for you. So, I think that's plenty, guys. Let's sign off.
Justin:Last thing I'm gonna say is we are gonna, just today, I'm like, okay. We need an incident response plan episode, and we need an episode about cybersecurity awareness training, the culture, the mindset, the carrot, the stick, the and the whole thing on how how we fill those 2 gaps because those are, those are huge. So, with that, we're gonna go ahead and wrap up. Thanks for being here, guys. We'll see you next week.
Justin:Thank you,
Jimmy:guys. Here.
Creators and Guests
