17. But... What If I DO Get Hacked?

Justin:

Alright. Welcome everybody to episode 17. I've got a fun topic for us. You know, I like to say, if you do get breached, you can never get unhacked. That's where the title comes from.

Justin:

But what if you do get hacked? That's what we're gonna break down today. And, we've got a for anybody watching live or or video later, we you'll see an I almost had an unfriendly face, an unfamiliar face. Barinder's very friendly. Good buddy of mine.

Justin:

We've we've known each other for years years, but, today is Barinder's debut on UnHacked. Barinder, say hi.

Barinder:

Hey, guys. Thanks for having me on your podcast.

Justin:

Do you do you expect you'll be back, again next week or in in future weeks, or is this just a one time, privilege?

Barinder:

No. I think, I'll jump in, probably not every single podcast, but I will be a recurring guest. How about that?

Justin:

Alright. I'll take that.

Mario:

I like that. Depending on how much we have used them today.

Bryan:

That's true. Yeah. I'll ask

Justin:

you again when we're done here. Exactly. Alright, Barinder. Just take, take 30 seconds and tell us who you are, what company you're with, where you do business, and, anything interesting about yourself you want the audience to know.

Barinder:

Sure. Yeah. So name is Barinder Hans, based out of, Lorraine London, British Columbia here. If anybody knows Vancouver, so just outside of Vancouver, British Columbia or Red Rhino. We are an IT service provider much like, others on this podcast.

Barinder:

So we've been doing IT since 2010, and I've, been doing it a little bit longer than that. We've been, recognized on the MSP 501 list, for top MSPs also on the in the Canadian top 50 best managed IT companies. The team here does a fantastic job. And so we've been, you know, helping people stay secure, take care of the IT for a number of years now, and, and having fun doing it.

Justin:

Alright. Sounds good. Mario, you wanna go next?

Mario:

Sure. Mario Zaki, owner of Mastech IT. We are located in North Jersey, about 15 miles away from Manhattan. And, you know, I like to think of myself as, somebody that's pretty well known in the industry at this at at this point. You know?

Justin:

At this point, now you're winning cars and shit. Mario. We still have to debate whether your name is Mario or Mario. I get Yeah. You're I get harassed for that at home.

Justin:

I get harassed all the time at home for that one. Alright. Bryan, tell us about yourself.

Bryan:

Yeah. I'll keep it short and sweet like, like we talked. Bryan Lachpow with B4 Networks out in the Niagara Falls area in Ontario, Canada. Also managed services provider providing computer support services. And I'd like to say that, what sets us apart is just we're here to help clients get 1% better every single day.

Bryan:

No major changes, just a little bit better every day.

Justin:

Alright. And I'm Justin Shelley, CEO of Phoenix IT Advisors, formerly Master Computing and based in, well, kind of Dallas, Dallas-Fort Worth area and then also recently in Northern Nevada, specifically, Elko and surrounding areas. And coming soon, we'll be planning on taking over the world just like Pinky and the Brain. So, god, I hope nobody knows that reference because that, that

Bryan:

puts us in a

Justin:

weird club, a really weird club.

Bryan:

Love it. Love it.

Justin:

Alright. So guys, here's the thing. What what kinda kicked off today's episode in my brain is when I'm out prospecting, meeting with new prospective clients, well, I guess they're not prospective clients when they give me this line, but one of the things I hear frequently is, no. Thanks. We're covered when I'm talking about cybersecurity.

Justin:

Now I can tell you from personal experience that's not always true, but good for them for thinking that. And, you know, sometimes maybe it is. But my question is, how do you know as as a business owner? So I'm just putting myself in their shoes. And, like, if I go to the doctor and I get a physical and the doctor says you're good, I wanna be able to believe that.

Justin:

Okay? As a business owner, when when our IT company tells us we're covered, how do we know? Because what, what what what certifications, credentials, legal processes do we have to jump through to be cybersecurity experts? Anybody? Bryan?

Justin:

Bryan?

Bryan:

Oh, yes. Oh, I love this question because it's one of my favorite, things to talk about. None of the above, Justin. Okay. There is absolutely zero requirements, legal or otherwise, for anybody to start a oh, sorry.

Bryan:

My my apologies. Usually, you have to have a permit to operate in the city and or province or in or state that you work in, and that's it.

Justin:

That Business license requirements. Yeah. Right.

Bryan:

Right. Just a business license and anybody can say, I'm an IT security expert and I can help you secure your business against Russian criminals, cyber criminals who are coming out to destroy your business.

Justin:

Yeah. So, guys, if that doesn't scare the shit out of you, it should. It should. It really should.

Bryan:

So to have a legal obligation, like accountants and doctors and lawyers. We don't have that. So,

Barinder:

so

Mario:

mean to tell me when they say that their nephew that is a senior in high school is taking care of it, we shouldn't take them for their word for it.

Bryan:

Their nephew could start up an IT company, and there's nobody who's gonna stop them.

Justin:

Well, yeah, because that's what I was gonna say. Like, doesn't even have to be a nephew. It can be a company, you know, with 20, 30 employees, and they can be claiming all day long that they're doing stuff. But when you look under the hood, are they? And and that's okay.

Justin:

So this is one of the things, that it hold on. I just got distracted because one of our, audience member says that I'm the only one they can hear on Facebook, which is kind of interesting. Hey. Hey. Why don't you guys talk for a minute and see I'm gonna see if I can fix this.

Mario:

Oh, man. So we've been talking this whole time, and they can't hear us?

Justin:

Oh, it's it's recording, but the Facebook live apparently is only picking up me, and everything else is silent. So should you guys talk amongst yourself for just a minute?

Mario:

Oh, boy.

Bryan:

We're gonna cut the tornado, they think it? No. No. No. We're not

Justin:

cutting anything out. Just keep going. Just keep going.

Bryan:

Alright. You want me to talk a little bit about what we were just discussing then?

Justin:

Yeah.

Bryan:

Yeah. Alright. Well, I'll jump in there. So one of the the the key things at least how you were asking the question, how do we know, if if the IT company we're working with, really has you covered and my answer to that is, you should always have someone verifying that isn't the IT company working with, whether they employ a third party like like almost everybody in this call. I know Mario and Justin have, galactic Scans as a as a partner who will, audit our clients and essentially give a report that we can't modify directly to our our our client base.

Bryan:

And if you don't have that in place where somebody else is watching over what you're doing as a secondary vulnerability scan or or a penetration test, then maybe you can hire somebody, like us who will come in as a as a secondary IT provider to do that vulnerability scanner that that assessment, and provide you with an unbiased report on what it looks like. So

Mario:

Yeah. And, like, even like, what Justin said before, you know, you go to a doctor and he's telling you, okay. You're good. How many times have have we or anybody have gone to another doctor for a second opinion? You know, if you're if you're that worried, if you there's concerns or there's something that you may wanna double check, you want a second opinion.

Mario:

You know? What is it gonna hurt?

Justin:

Yeah.

Mario:

You know, we we

Justin:

for a report.

Bryan:

Right? Get blood work done. Show me my report. I wanna see it.

Barinder:

When when we go to discovery meetings for new prospective clients, it used to be really high. But now I would say it's down to about 30%, which is still a high number of backups that are allegedly working, but there's something wrong, either a misconfiguration or hasn't been working in a few days or a few months. Right. And and the owner thinks my IT company is taking care of it, and and it isn't the case. And that is the scariest because when something happens, how do you recover?

Barinder:

And you don't know when something's gonna happen. Nobody gives you a heads up.

Bryan:

Yep. There's absolutely zero times where we've done an assessment for a client or a prospect where I've went in afterward and said, you guys are perfect. There's always something that we find. Mhmm. Right?

Bryan:

And then that's not to say anything is scary. Like, even the best IT companies will will have some some some blind spots. And that's why having somebody, you know, check your back, allows us to be able to have that comfort of knowing, like, hey. We've done everything we can, but there's these other areas that we gotta focus on now as well because somebody else found these.

Mario:

Yeah. And we've actually also have done the same thing and have said, hey. You know, are you aware that you're you don't have this in place? And there's times where they've gone back to the IT company or they they'll tell us like, oh, yeah. We talked to the IT company.

Mario:

They did offer that to us, but they we never did anything about it, or it was just never done, or, you know, we didn't approve it. But now that you're telling us we probably should, now you're both of you are saying we should. And then it kinda helps them, like, alright. You know, maybe we should do cyber training. Maybe we should back up all the work stations or whatever it is Yeah.

Mario:

You know, that we're discussing.

Bryan:

Alright. I'm

Justin:

gonna jump back in here now that I've, I hope I fixed it. I think I did. I built a whole damn checklist too to to prepare this thing, and then there's still one thing that I've gotta add to the checklist that I missed. Anyways Yeah. So how how do you know?

Justin:

And I I mean, you guys, from what I've heard, a confirmation that we're live on Facebook, all 4 of us, not just me now. Alright. Cool. So, it's it's kinda what we say every week. Right?

Justin:

Do the assessment and get the road map, fill the gaps, and then that gets you to 97%. It's kind of an arbitrary number, but it's one that I've heard and I I agree with, But you still got that gap. What comes in that gap is the incident response plan and a good insurance policy. Right? So that's that's how I say we get to a 100%.

Justin:

So now let's say we've done all that. Alright? We've done the the the assessment. We've taken the road map. We've diligently gone through it.

Justin:

We fixed everything. We've we've bridged the gap completely, and then, bam. You know? We we still get taken out because it does happen, guys. We were at the Omni a few weeks ago.

Justin:

I don't know how long has it been, a little over about a month ago. Right? And Yeah. I don't know. I wish I knew more about their process, but, things seem to go pretty smooth a couple days later when we were there, post breach.

Justin:

Right? A couple days post breach. And then we've got, Barinder. And the reason you're joining us today is because, you've got a neighbor. You've got a a pharmacy up there who was kind of in a little bit of hot water.

Justin:

Right? You wanna tell us what happened?

Barinder:

Sure. Yeah. The organization's name is London Drugs. They are a a pharmacy, retailer, in Western Canada. They have about 80 locations here.

Barinder:

So if we're my American, folks, that's like a CVS. They'll sell everything from, you know, toasters and blenders and drugs to take care of your pharmacy. Like, it's everything you can imagine. Right? So they're a retailer.

Barinder:

They have 80 stores. They're a large operator here, and they've been shut down for their 5th day now. There's

Bryan:

5 days.

Barinder:

5 days, 0 stores open. Yesterday, they got their phones online. And so before they got their phones online, they were saying with an abundance of caution, they're they're they're keeping their stores closed. Individuals are now getting concerned because at first, they were like, hey. We're investigating in case there's any breach of data.

Barinder:

Now they're saying there has been some loss of individual personal information, but they're gonna act in accordance with, you know, the the privacy notification policies that the government has laid out. And that type of private data could be anything from just a loyalty program to, you know, our drug purchases, which is a really big deal. Our health care information is about as sensitive as it gets. I mean, there's 2 real sensitive pieces of data for a human being. It's like your health care information and your financial.

Barinder:

Those are 2 things we don't wanna lose. And so, our drug purchase history potentially could be breached. Now, the the governments do have, processes, especially in British Columbia, where that network is supposed to be segmented out. So perhaps that isn't, impacted. We don't know.

Barinder:

Fact, there's very little information available yet. I feel for the team. Yeah. Yeah. I can show you.

Barinder:

Most companies only disclose as little as possible, and only what they're legally required to do so, which is, you know, not much at all. But, and right now, they're probably, you know, realistically speaking, busy dealing with, and, the aftermath of this breach, and they don't know how bad it truly is. And this they've got third party cybersecurity forensics and investigators working. You know? You know, all empathy and sympathy with that team working because it's it's it's it's not a a good week for them.

Barinder:

But as, other business owners look at a large organization like London Drugs being impacted, Omni incident personally when we were there. We were at we were witnessed the Omni incident personally when we were there. And now we're here, and we're seeing 5 days of store being shut down. Is that expected? The far part so far.

Barinder:

Yeah. And it's still ongoing. We is it gonna be another 5 days, 10 days? We don't know. Right?

Justin:

Or will it be end of game, end of life. Right?

Barinder:

Yeah. You never know. And so, that this is millions of dollars in losses at the very least.

Justin:

Yeah. Best case scenario.

Barinder:

Best case scenario. But I suspect this is not their actual incident response plan. This is not what they did prepared for. This is not what they did fire drills

Justin:

for. If they had one.

Bryan:

If they had one at all. And I think that's where we're gonna shift the conversation soon is in in the incident response.

Mario:

To close to close 80 stores for, a minimum of 5 days. And, you know, that it can't be in a part of any response plan. Like, we'll put that thing together.

Justin:

Why why did they close the stores again?

Bryan:

Because I just of caution is what

Justin:

If I hear that phrase one more fucking time, I swear to god, I'm gonna punch kittens. Now legal disclaimer, I don't actually punch kittens, but I swear every time somebody gets hit, it's always out of an abundance of caution. We've gone out of business. Like, don't say that.

Barinder:

It's it's always not

Bryan:

a great

Barinder:

an abundance of caution should show up first in

Justin:

the protection mechanisms and

Barinder:

the protection mechanisms and the protection mechanisms.

Justin:

But we don't wanna tell you that.

Barinder:

And how many times do we see that with, organizations? Some, you know, rightfully spend the money and the budget on the right cybersecurity protections, which sometimes isn't even that much money. But it always costs more to remediate after an incident. And everybody we have to assume as cybersecurity professionals, we have to assume everybody can be breached. So, you know, if the budget's gonna show up after because it's gonna cost you too much money to remediate and the impact of business loss in this case is too high, why not take a fraction of that money you are inevitably gonna spend, put it up front, and and remediate, your risk, in a proactive manner.

Justin:

Well, it's always the nothing bad ever happens to me mindset.

Mario:

You said their phones just came back online the today?

Barinder:

Yesterday. Yesterday, though. Yesterday, they they got they they put a a notice out saying their phones are online now. And then they also have Canada Post, stores and some, outlets in the back of some stores, and those are up and running as well. So they've got, but those are probably, completely disconnected independent system, not related to London Drugs itself.

Barinder:

Right?

Mario:

Yeah. I mean Yeah. From from from my opinion, if their phones were down for 4 days, I mean, that that that means their breach was bad. That means they they couldn't recover back. You know, the phones is is is somewhat easy.

Mario:

Somewhat yeah. That's the easy part. You know? For it to take 4 days is a while.

Bryan:

It reminds me of the UnitedHealthcare, in the US that's still on ongoing now as well. You know, they're they're making some progress recovering there, but they they they were out for a significant amount of time as well. And and it was the breach came in in their case from, a a password compromised on the dark web or or somewhere anyway and had no two factor authentication. And the CEO of the organization, when they were talking about, you know, oh, you know, we we repel over 70 attacks every second. And so, like, you know, he was trying to make it seem like this is, like, oh, well, you know, we repel so many attacks every sec.

Bryan:

So does my

Justin:

home router.

Bryan:

Right? Like Right. That metric is such a such a, you know, false narrative that, you know, while we repel, you know, over 99.999% of the of the, the the attacks there. Well, everybody's home computer and home router are trying to be attacked every, you know, 7 times a second. Having a a password without 2FA, what is that?

Mario:

Brings down a a billion, multibillion dollar company like that.

Bryan:

Like, what

Mario:

I I'm trying to I I can't even get my mind to the wrap that the that this one password can bring down this entire company and cost them millions upon millions of dollars. Like, what was this password doing?

Bryan:

I don't know. And we don't know what happened with London Drugs. That's why I brought UnitedHealthcare because we don't really know what breached London Drugs. But, you know, I think Justin mentions it dozens and dozens of times on all of our our our podcast. It's the simple things.

Bryan:

Right? If we can protect against, you know, 99% of the simple things, you're probably not going to get breached. And if you're failing at the simple things, right? Yep. Well, let me

Mario:

and absolutely true.

Barinder:

The fundamentals are called the fundamentals for a reason. Right? Like, if we put those protections in place, you know, our job as professionals is, you know, reduce the risk of it happening through those fundamentals, and then assume it's gonna happen and reduce the blast radius. That's our job.

Justin:

That's that's where I wanna I wanna transition now because we've talked about the fundamentals all the time, and we will continue to do it. But today, let's take a minute and say what if. Alright. What if it happens to us? What if it happens to one of our clients?

Justin:

What if it happens to a prospect who walks in your door and says, hey. Oh my god. My building's on fire, figuratively speaking, just like I don't punch kittens. Building's not really burning tracking me. We're we're talking about a breach.

Justin:

What do you do? What's what's the response plan? A, I'm gonna say if you haven't prepared for it to some extent Right. It's probably game over. Like, you're probably not coming back.

Justin:

But how do we prepare for that? What tips can we give our, you know, the the business owners that we're all supporting and trying to guide through this process? What can we do to help them at least, like, have some peace of mind that if they've done everything right, which you've gotta start with those fundamentals, and somebody still breaks through, which is a possibility, a statistical possibility, what do they do? What does that incident response plan look like? If we were to just start diagramming it out, what's step 1, step 2, step 3, step 4?

Justin:

Anybody wanna take a stab at that?

Bryan:

I'll start with the first couple of steps if that's okay. Yeah. So the very first step

Mario:

that means Leave the harder steps for us.

Bryan:

Yeah. Exactly. Yeah. The the very I mean, overall, I I could touch on the steps very quickly. It's you'll be first you gotta prepare for potential incidents.

Bryan:

So you gotta identify what potential threats you have, then you gotta work at figuring out how you're gonna contain the impact of those threats, like how you're going to, make sure they don't happen. Right? So this is all part of the incident response planning. You're you're figuring out what can attack us, how can they attack us, what can we do to prevent them, and then you move on to when it happens, what are we going to do to eradicate that threat, to investigate it, find it. Moving on after that is recovering and restoration operations, like, what are we gonna do to recover?

Bryan:

What are the things we have to take care of? Learning from that incident and then diving into testing and evaluation of the changes that you made and then right back to step 1. So really quickly, those are the seven steps of the incident response plan. So I'll just dive into the first two real quick, and that's preparing for potential incidents. Right?

Bryan:

The very first thing we have to do is identify where are we vulnerable. What kind of, you you know, what systems do we use. So first, it's identifying all the different systems that you do use, what applications are you using, what cloud services you're using, identifying that you know where your your data is. If you don't give your, for example, your your team's, access to file sharing applications, they're probably gonna use private personal file app for sharing applications. So knowing, you know, whether that's happening or not is is important, providing people with the right tools so that you can contain it.

Bryan:

Moving on after you've identified all the applications and all the cloud services and all the different places ways that people can break in, then you move on to identifying what potential threats those things could be vulnerable to with passwords. Right? Is there is there, you know, a vulnerability that's physical, local, cloud only? So just identifying all the different ways that somebody can gain access to that system whether through, legitimate purposes because sometimes it's just an error on the part of somebody who's maintaining and or working in that system. So putting in internal checks and balances to make sure that internal personnel don't accidentally or maliciously compromise a system.

Bryan:

Right? So, you know, containing in the sense that, you know, if you don't need access, you don't have access. And if you do have access, maybe it's granted on a one time as as needed basis so you don't always have access. Alright. I'm gonna Okay.

Bryan:

Yeah. Yeah.

Justin:

Barinder, do you want I know you've gotta jump off, so why don't you take a minute?

Barinder:

Yeah. I've gotta jump off in a few minutes here. So, 2 thoughts I run through my mind when, you started, and one is just echoing what Bryan said. You have to identify what your risky data is. Data is what you're, most likely gonna be liable for.

Barinder:

Obviously, there's downtime. That's a risk to a business. So identify that too. But data is where somebody is gonna sue you. Do you have client information that is protected?

Barinder:

And is that legal liability? Do you have employee information? Everybody who's listening has likely got employees, and they have SIN numbers. Where are you storing that? Then lastly, credit cards are the common one that we should be protecting.

Barinder:

Like, we have our, an obligation to protect that data. So in my discovery meetings, that's usually the first thing I ask is what is the sensitive data you have? Some organizations have intellectual property. They publicly traded companies have different obligations. Identification of your risk is number 1.

Barinder:

And then of course, you do all the fundamentals. You go through all the various steps. You come up with a great incident response plan, a disaster recovery plan. It's written down documented. Great.

Barinder:

You got all the check marks. Are you doing a fire drill? Are you testing that incident response plan and the integrity of it? Because what happened last year is probably not the same thing that's gonna happen next year. So periodically, have your IT partner test your disaster recovery plan, and it's not like, you know, yes, your backups are there and it's working.

Barinder:

That's not a response plan. So in one of our cases right now, we have we're undergoing one of our larger clients, our manufacturing facility, an actual fire drill where we boot up all their equipment in a parallel system. Imagine the building burned down scenario where all the data and infrastructure list. And then Yeah. Get them back up and running.

Barinder:

You can start to start to finish. How long did that take? Document this step by step process because when an emergency happens, you don't have time to figure it out. You're stressed. You're up all night.

Barinder:

So have that documented. And so those fire drills need to be happening if you're a business of any size, smaller. And smaller, it's gonna be easy. Great. There's no reason not to do it.

Barinder:

And if you're bigger, you have more resources and more risk. You should definitely do it.

Mario:

And one more thing I wanna I wanna also add is have more than one person have admin privileges into, whatever system you're using, And make sure you loop in your IT company, what you're using. And we've seen we've seen companies reach us. Hey. This employee was using an a personal Gmail account that they set up with our for our company, and they were sharing out of that stuff. And he's no longer with us, and we need access to it.

Mario:

You know, we tell him, well, cool. There's nothing we can do about that. You know, we can't hack into his into his Gmail that he set up. Or, you know, if they're using, like, box.com, they're using, like, a free box.com account and to share files and stuff like that. And we're like, listen.

Mario:

We can't we can't do it. It's set up as into his personal box.com. We can't we, you know, we there's no way we can do it without actually hacking in. It's unethical and, you know, so on. But, you know, also loop in the IT people so that they know what you're using, what your risks are if, if there is a risk in there, and have, like, a plan b.

Mario:

If this person, god forbid, that gets hit by a bus. Can can they can somebody else access it?

Justin:

Okay.

Barinder:

And that's a

Justin:

Here's a here's an angle I wanna throw at you guys. Because most of what we're talking about here is is protecting the technology, recovering the from the like, in in ground 0. Right? It it happens. You're hit.

Justin:

We go through the process of of trying to restore. This is this is where our brains focus. But a business owner, you know, who's not focused on his technology, what's he focused on? It it it it better be money. Right?

Justin:

Because that's kinda where we started this.

Bryan:

Yeah.

Justin:

So that's okay. So London Drugs, they're down for 5 days. How much money is gone? So, I would argue that a a big part of our incident response plan needs to be take your SOPs, take your your operations manual, however you do business. How do you transact with your clients, your patients, whatever?

Justin:

Go through step by step and imagine what you would have to do if you had no technology involved.

Bryan:

Right?

Justin:

Could you do it? And if you can't, get creative, think outside of the box, and find a way where you can still let people in your door and sell them a Snickers bar. Right? Like, it it's crazy to me that they're closed, that their doors are closed. Get out a pad and paper and start writing down credit card numbers or or whatever.

Justin:

You know? Like, I'm I'm not this is not legal advice. Don't do that because it's PCI compliance problem. But you know what I'm saying? Like

Bryan:

I know. I know. Use use the hotel hack as an example. Right? When we walked in to go check-in, they had no credit card systems.

Bryan:

What did they do? They they they had a a text message

Justin:

back to

Bryan:

your phone. Yeah. It was a backup system. They sent a text message to my phone, that said, here's the information. You you paid via your phone.

Bryan:

Right? And and they were able to accept it that way. And then they had no key cards. The whole hotel had no key cards. So what do they do?

Bryan:

They had people escorting you to your room. They had people on every floor that had a master key, and they would let you in the door, and and let everybody in that way. It wasn't pretty, but it was effective, and it But it worked. They were able to

Justin:

We had a room to stay in.

Barinder:

Working.

Justin:

And what was the delay? Of of 5 minutes?

Barinder:

Yeah.

Bryan:

Honestly, it wasn't even in the lineup. It was, like, really, really fast. Right. So when you talk about restoring operations, you can't do that in the middle of an incident. You that that whole plan, that that the hotel Well, it's it's

Justin:

just plan in there. Separate from recovering the technology. Right. Right? You've got that component, which is what we talk about and where we focus, but separate parallel to that.

Justin:

Well,

Bryan:

it's it's actually operate. Right. It's a it's a contingency plan during your operation separately. Right. Right?

Barinder:

Because you know what step 1 is that everybody misses when an incident happens and nobody's thought about it ahead of time? Calling your insurance provider. You need to have their client. The that step 1 is insurance provider. If you have an insurance claim that you're gonna potentially make and London Drugs is obviously gonna have a big one.

Barinder:

You're gonna make a claim. You can't start work and start remediation until your insurance provider and their people say yes. Like, that's

Justin:

Call your insurance provider. Call your attorney. Call your, PR person who's gonna say, please start your headline with out of an abundance of caution, we're gonna close all of our stores indefinitely.

Bryan:

Jesus. Well, the immediate the immediate thing that the insurance company is gonna do is send over a forensic team, and it will not be your IT provider that will be there doing the forensics. If you call your IT provider first, chances are what they're You

Barinder:

can't remove to me. You you can't remove evidence, and forensics needs that evidence because they need to know that all the things you promised on that insurance questionnaire that you actually did them. That's what because otherwise, you can Which

Justin:

is why how

Barinder:

your how you're going. Important

Justin:

It's why it's so important to have that procedure plan. Right? What are here's what we're gonna do technically to recover, but then procedurally, what are we going to do to continue to conduct business? Right. You're right.

Justin:

Because first call, it it's insurance company. 2nd call better be your lawyer, your team of lawyers perhaps.

Bryan:

Yeah.

Justin:

And PR, you have to get all those people in play involved.

Bryan:

Right.

Justin:

But man, your operations guy better be just, like, going crazy. In most cases

Bryan:

in most cases, you're you're you're gonna have 2 teams essentially with with regards to, an incident response plan. You can have the team that's trying to remediate and fix and get back up and running, and you're gonna have another team or or person if you don't have a big team, another person who's and has the contingency plan, and they're gonna run with that. So you don't wanna put it all on the same person's hands because they can't they can't Exactly. Yep. Recover and try to put in systems in place to allow the business to continue to operate.

Bryan:

Right? So those two things have to be separate people, separate not not a separate plan because all part of the same plan, but different people have to be enacting those. They have to be thought of as sep can have that recovery.

Justin:

That is a key part of every incident response plan is who is your main point of contact for the specific things that you're dealing with. Right? Whether it's Yeah. Legal, PR, like all those things we talked about, your IT team, and then, you know, your operations manager needs to be having, you know, running with the how do we keep that money flowing? Because you're gonna need

Mario:

it with it. Yeah. Yeah. You know, you you understand? You definitely

Barinder:

I've gotta jump off here. Thank you for inviting me. This is a lot of fun. I'll definitely see you again.

Justin:

Okay. Barinder, there should be your all your contact information that you want, and I will publish that on unhacked.live. Anybody listening that wants to do business with Barinder, jump on the website, and, and you'll be able to schedule an appointment with him.

Barinder:

Sounds good. Yeah. You could Barinder, thank

Justin:

you for being here.

Barinder:

Sounds good. Thanks, guys. Take care.

Justin:

Alright. Thanks, Barinder. Alright, Mario.

Mario:

So yeah. So, I mean, it it it is it it is an interesting conversation, though, because if you're bringing in your insurance, you're bringing in your lawyers, your PR, and stuff like that, what about if your IT guy or your IT company is able to recover you seamlessly within a few minutes? Not that I'm saying what you guys said is wrong. No. It's absolutely right.

Mario:

But I'm saying, like, what about if you're able to say, okay. Well, we've we can easily isolate this incident, and now we can recover very quickly. Are you still, like, I I'm just trying to figure out what's the order. Do you call your IT people first, but may tell them, like, this is what happened. If you think it you know, like, do we need to bring in the insurance?

Mario:

Do we do we need to go that you know? I'm just playing devil's advocate here.

Justin:

I mean, I wish we had, we've we've got another, potential cohost who could speak to that. Right?

Barinder:

Yeah. 1 of our

Justin:

one of our colleagues is going through or or recently went through an incident, and and that was a question. I know that that's at first, they were not going to involve insurance, and then they decided they were. And so it it it got a little bit sticky because they had already started remediating because that was the that was the point. You know, we can get you back up and running quickly, which they did. But now you've stepped on evidence.

Justin:

So me as an IT guy, you know, when I'm when I'm consulting with a client, if this were to happen, I'm calling the insurance company before I touch anything. That's me. Because I don't wanna come back at me later and saying, hey. You wouldn't screw things up. Now our claim's denied.

Mario:

Yeah. Then

Justin:

Even if I can get back up in 5 minutes, I'm still gonna call the insurance company first.

Mario:

Yeah. But if you're bringing a if you're able to bring them up back in 5 minutes, then then there is no claim really. You know?

Bryan:

Well, you don't know how long that the, attackers were in the network.

Justin:

Was exfiltrated. Right? Because now you've got, you just don't know how it's gonna pan out. Getting the technology back up and running is one of the key things that we have to do. But, you know, like, I think it was Bryan that said, you've gotta have different people in charge of everything.

Mario:

Yeah. And again, not that I disagree.

Bryan:

Monitoring what's coming out of the network and yet it's separate from from the systems that you're using that you need to recover from, there might be the possibility of doing a rapid recovery because you're logging everything going in and out, and so there'll be a forensic, like, log of what what was exfiltrated, if any. But if you don't have that in place, if you have nothing in place to to monitor which information is being transmitted, outside of your network or in outside of your system, whatever that might be, then you probably should just loop the insurance, and they're pretty they have a rapid response team. Most insurance companies, if you have cyber insurance liability, they have a rapid response team that And

Justin:

really, if we if we back up to preparation, we should be well acquainted with our client's insurance companies. You know, I'm I'm in contact with them. Mhmm. So I wanna know, are we doing what they expect us to be doing? Number 1.

Justin:

And then number 2, I wanna know in the event of a breach, what is their process? Right. So if

Bryan:

if that's a part requires us to contact them and kind of breach requires us to just remediate right away. Because it could there might be some circumstances where it's it's

Justin:

I don't want my I don't want my first contact with the insurance company to be, hey. A client's been breached. Right?

Bryan:

I I

Justin:

I want it to be, hey. We've been talking. We've been doing everything. The worst of the worst has happened. Let's get to work.

Justin:

We already know what we're supposed to do. Let's get going.

Mario:

Yeah. I completely agree.

Justin:

Alright, guys. I think, unless you have any final thoughts, I think that's a good place to wrap this up.

Bryan:

Well, I don't my only final thought would be that, because we went through this fairly rapid fire, I I would I'm gonna we're going to put together at least, you know, I'm speaking for the rest of the team here, but we'll put we'll put together the incident response steps on some sort of document that you can, download and take a look at, and I'll I'll get, Justin to put it up on the, unhacked.live, as a link there so that, anybody who's looking for for information on an incident response plan, you know, it's not a template or anything like that. It's just very high level, instructions on the 7th.

Mario:

No. And the other other thing I was gonna add is, you know, you put in the steps in place and, you know, you've confirmed. Because don't just plan it. You actually have to do it. But once you actually do it, go ahead and do a fire drill.

Mario:

Have a fire drill. You know? Like, okay, guys. What happens if this server is dead? Go.

Mario:

What could we do? You know?

Justin:

You

Mario:

know, I I even even if it's something simple as well too, put a put a file on your your desktop and delete it. Wait a few days. Ask your your IT person. Hey. I deleted this.

Mario:

Can you recover it?

Justin:

Yeah.

Mario:

You know, something simple. You know, let's see if those as men little steps are covered before we tackle the larger one.

Justin:

You know, I mean, might be fun for a future episode is to actually run through, a simulated attack. Like, take a system offline, bring it back up, and,

Barinder:

yeah.

Justin:

I don't know. I'm just trying to scheming in my brain, but,

Mario:

I love it. I like that.

Justin:

I, you know, I I I want these these podcasts to be informative educational, but we can add a little entertainment to it that way. You know, like, let's let's let's burn the building down and then rebuild it and see, see if, see if it all works out. I think we're I think we're gonna have to figure that one out. Okay. Guys, let's go ahead and wrap up.

Justin:

As always, the the the next step to the the business owner who is listening and just trying to keep his business alive, keep the bad guys out. It's not like we don't have enough things to do. We wanna make this part way easier on you. So jump on unhacked.live. Book that.

Justin:

It's a it's a free consultation. We're gonna run through, do the assessment, vulnerability assessment. We'll find out where your gaps are, and we will prepare you a road map and show you exactly what you need to do,

Bryan:

just to step by step. With us or not. Correct.

Justin:

You'll you'll have the whole formula. Here's your assessment. Here's the process to bridge the gaps. Here's a sample incident response plan, and get some insurance to wrap it all up, and you're good to go. Now Mhmm.

Justin:

Along the way, we can help you with any of those, or you can just take that right back to your IT guy and say, WTF, man. You know, like, you said we're covered. How come we're missing 97% of these? Anyways, alright. unhacked.live, and next week, I think, we're either gonna talk about a fire drill.

Justin:

I I don't know. That might take me a little longer to put together. And it so if not, then next week, we're gonna talk about the return on investment because I really do like talking about money and how this stuff pays for itself, but the return on investment of keeping your equipment up to date. I can't tell you how many times when I'm out interviewing a a prospective client, and I just walk around to their computers and, it's bad. Like, the cobwebs are everywhere.

Justin:

Right? And, this thing was built back in 1985. Yeah. Oh, I I'm serious. I've seen anyways, we there there is a cost to keeping it up to date, but there is a bigger cost in my mind to letting it go.

Justin:

And that's what I wanna talk about is we'll do some actual math on the benefits of keeping your equipment and your software

Bryan:

up to date.

Justin:

So And your employees happy. I mean, listen, our biggest expense is payroll. Let's let's leverage that instead of, like, making them all wanna punch, monitors. Punch them. I almost said punch kids again, but I my my attorneys already contacted me while we were live and said, don't ever say that again, Justin.

Justin:

So don't really punch kittens. Alright, guys. We will see you next week. Thanks for joining us. Take care.

Mario:

Take care, guys.

Creators and Guests

Bryan Lachapelle
Host
Hi, I’m Bryan, and I’m the President of B4 Networks. I started working with technology since early childhood, and routinely took apart computers as early as age 13. I received my education in Computer Engineering Technology from Niagara College. Starting B4 Networks was always a dream for me, and this dream became true in 2004. I originally started B4 Networks to service the residential market but found that my true passion was in the commercial and industrial sectors where I could truly utilize my experience as a Network Administrator for a large Toronto based Marine Shipping company. My passion today is to ensure that each and every client receives top of the line services. My first love is for my wonderful family. I also enjoy the outdoors, camping, and helping others. I’m an active Canadian Forces Officer working with the 613 Fonthill Army Cadets as a member of their training staff.
Mario Zaki
Host
During my career, I have advised clients on effective – and cost-effective – approaches to developing infrastructure that fosters productivity and profitability. My work has provided me with a broad-based knowledge of business from the inside, with an expertise in areas that go beyond IT alone, ranging from strategic planning to cloud computing to workflow automation solutions.
Barinder Hans
Guest
Barinder Hans, born and raised in the Fraser Valley, received his computer science degree at UBC. He is the founder & CEO of Red Rhino Networks, an award-winning managed IT service provider winning recognition for its outstanding technical support and leadership. With over 20 years in the tech industry, Barinder has been advising organizations on how to effectively secure and utilize technology.