18. Cloud Security: 4 Things Business Owners Need to Know

Justin:

Guys, we are live. Welcome everybody to episode 18 of unhacked. And, Mario, I'll talk to you later about episode 18 versus 19. We did a recording last week, and, I didn't even tell you guys. I pulled it.

Justin:

We did the live recording. It's still out there if you wanna go look at that, but I have not published it because, let's just say we've had better work, and I wasn't real happy with my own stuff. So we're gonna come back and maybe do a repeat on that one. Today, we are gonna talk about cloud security and, specifically, 4 things that business owners need to know in order to keep their organization safe. Before we get going, let's do a quick introduction.

Justin:

As always, I'm sitting here with my 2 amazing, fantastic, mostly bald cohosts. Actually, 2 thirds of us are bald. Brian, we're working on him. How are you? Exactly.

Justin:

We'll hold him down and shave his head one of these days. No. Mario, you wanna go ahead and give yourself a quick introduction, and then Brian, take over.

Mario:

Mario Zaki, owner of Mastech IT, located in North Jersey, about 15 miles outside of Manhattan. I've been in business 20 years now. It's

Justin:

a long time, man.

Bryan:

Yeah. Go ahead, Brian. Brian Lachepelle, present, CEO, and co-owner of B4 Networks out in Niagara Falls, Ontario. The Niagara Falls area, Ontario, providing computer support services to all of the businesses in the Southern Ontario region.

Justin:

And I'm Justin Shelley, CEO of Phoenix IT Advisors, and we do work in the Dallas Metro, Dallas Fort Worth area, and then also Northern Nevada. So, that's us, guys. We're here every week. Well, we're here most weeks. Brian, you bailed on us last week.

Justin:

I'm still mad at you, but we're gonna work through it.

Mario:

We found them, though. We thought I was missing you.

Bryan:

We We did. I'm like, what

Justin:

the hell happened? He's been captured. It's

Mario:

okay.

Justin:

So funny story on that. I actually, you guys don't even know this, but I was on a podcast a few weeks ago, and it's called Michael and Jeremy steal your podcast. And so I did a quick intro like this. Welcome everybody to the app new episode of UnHacked, and then they come in and do some weird sound effects and like, hey. We're here to steal your podcast.

Bryan:

That sounds

Justin:

And then we just kind of, it's a comedy kind of thing, but I'll put a link up to it. It was a good time. So, and then right after that, you don't show up. So I'm like, well, shit. Maybe they stole Brian.

Justin:

Alright, guys. Let's cut the nonsense and get started here. This episode, for me, it's kind of, and I have to go back a few years because I don't hear this anymore as much as I used to anyways. But it was common for me to go out and meet with either sometimes active clients, but usually prospects, and talk to them about security. And I would hear some version of, I don't have to worry about it.

Justin:

We're moving everything to the cloud. Did you guys ever hear that?

Mario:

All the time.

Justin:

Do you still hear it? Do you still hear it? Just curious.

Mario:

We're like, yeah. We're good. We're safe. We're on the cloud. Yeah.

Mario:

We're on the cloud.

Justin:

I don't know what's going

Mario:

on the cloud.

Bryan:

Yeah. They still hear

Justin:

it. Okay.

Bryan:

Yep. Wonderful.

Justin:

Because it's dropped off for me significantly. I'm not saying never, but it's way way less frequent that I hear it. But I'll tell you what, if there was ever a false sense of security, I think this is it. Yeah?

Bryan:

Yeah. Okay.

Justin:

You know, cybersecurity, why don't you guys just kind of spitball here and tell me what cybersecurity looked like? I don't know. Go back 10 years. How complicated was security?

Bryan:

What do we have to do? I mean

Justin:

this. Free AV. Exactly. Yeah. We encourage you to use the paid version.

Justin:

But, you know, if you've gotta use a free one, that's better than nothing. In fact, Microsoft had a pretty good free one. Do you remember, was it Security Essentials? Remember when that was fresh?

Bryan:

Do you remember what it was called anymore?

Mario:

Yes. Yes. Yes. I think it was I mean, it was

Justin:

Security Essentials. It was decent. You know? It's kinda gone away.

Mario:

The built-in one now, Defender, is better than what they've had in previous years. Yes. You know, you have to pay for the higher ones to manage it and stuff like that.

Justin:

Right.

Bryan:

Yeah. So, yeah, I mean yeah. Have an antivirus, have a firewall, don't click on links. That was it. I mean, it was easy.

Justin:

Pretty much. And now what we've done is we've moved to cloud, and I kinda warned people about this back in the day, but, man, it's Oh,

Mario:

and make sure you change your tapes in your server.

Justin:

Now you're really going back, Mario. And okay. On that note, the funniest, not funny. It was funny slash tragic. People would religiously change these tapes out, swap them out, take them, you know, you had week 1 at the office.

Justin:

Week 2, you take home, and they're doing it. They're going like crazy, and they're good. God, this is probably at least 15 years ago. This was not a client. I have to put that disclaimer in.

Justin:

A local library. I think it was even a a community college library, if I remember right. They're like, our server's dead. Here it is. They brought it into my shop, and here's this big old ziplock baggy full of backup tapes.

Justin:

Will you please restore from backup? Guess what was on the tapes?

Bryan:

Not the backups. Nothing.

Justin:

Nothing. There was nothing there. It was game over.

Bryan:

You're literally backing up nothing.

Justin:

Yeah. Because nobody's verifying it. So, I mean, listen, security has always been kind of a pain in the ass, but now we aren't just worried about tapes and antivirus and firewalls. But if you had to describe the landscape, what do we need to protect now? Anybody, Pilar?

Bryan:

It's infinite. It's everything. It's infinite. There's no edge. There's no end network.

Bryan:

There's no firewall. I mean, people are working from home. They all have their own computers. They're working off home computers, personal, bring your own device. They're yeah.

Bryan:

They're working outside the corporate network, hotels. There there is no I mean, yeah, it's it's everything.

Justin:

Mario Mario, you I think were you gonna say something?

Mario:

Yeah. Yeah. It's literally now, it's everything. Before, we used to really worry about the server. You know, let's make sure the server has a backup, and we'll manually log in once a month to update it and make sure it has the latest updates, make sure it's not missing any when it's doing it on its own, because it never really did it on its own.

Mario:

And the workstations, you know, not so much. Just make sure you back up on the floppy or whatever you're getting, you know, anything that you really need to get a copy of, just put it on there. But otherwise, let's download Avast Free and you're good to go.

Justin:

You know,

Mario:

Now it's like the workstation has to not only be up to date, but backed up, has to have the latest OS. You need proactive maintenance. You need to make sure, you know, hard disks are running good, because if it doesn't, then it won't update and then it'll be vulnerable. You know? You have to

Bryan:

prevent people from logging in.

Mario:

On it.

Bryan:

You have to prevent people logging in on their personal devices with corporate access, like corporate logins for 365 and all these different applications. Right? Because if they access their corporate systems with their private computers, now all of a sudden you've lost control over the data that's now in, for example, Office 365. If you allow people to log in to Office 365 from their home computer, you've now lost control over all that data because you don't know what's on their home computer and if anything's watching there.

Mario:

Yeah. Exactly.

Justin:

So, you know, we went from this mindset of if we're in the cloud, we're safe. And now we've just described a nightmare that we're dealing with. There was a recent study where they surveyed, or investigated, 600 organizations, and they showed that a certain percentage of them had suffered a cloud related breach. Do you guys wanna guess what the percentage was? It's not 100.

Justin:

Just disclaimer, it's not 100. What do you think that if you went and surveyed 600 companies, what percent do you think you're gonna find that have had a breach? And I don't mean, like, almost, but had some sort of a breach.

Bryan:

I'd say it's close to 80%.

Justin:

Mario? Yeah.

Mario:

I was gonna say 8 out of 10 people, I would say, you know.

Justin:

95%. Higher than I thought it would be. It's almost everybody. Alright. So this is why I mean, this has my full attention.

Justin:

The landscape has shifted where we used to be protecting geography or, you know, physical infrastructure. Now it's so broad. The target is so huge that they're hitting it almost every single time. So our game has to be up. Right?

Justin:

So, now I'm talking of our game as IT providers, as cybersecurity experts, but we wanna, of course, talk to our audience, our business owners who are tuning in, and they probably give 2 shits about the technology, the way we do it, the tools. So I wanna talk to our audience about what it is that they need to know in this world where things have shifted so dramatically to protect their organization. So, let's talk about this messy moving target that we're trying to protect now. And just at a high level, what I wanna talk about is, you know, to secure an organization, the first thing you've gotta do is know what services you're using.

Justin:

You've gotta know where that data lives, how that data is being protected, and what you're gonna do in the event of some sort of a loss. So let's go ahead and dive into each one of those one at a time. And I'm gonna punt this over to you guys. You know, you can duke it out for who goes first. But what are the services that are being used most commonly?

Mario:

Well, I would say Microsoft 365 is definitely up there, you know. And at some point, either using Azure for servers on there or SharePoint, obviously emails and OneDrive. You know, they have an entire platform. A lot of companies could literally run their entire company off the Microsoft 365 platform. And that is definitely something that needs to be secured.

Justin:

So let's talk about 365 for a minute. And, Brian, I'll have you jump in here too. But, one of the things that kind of came to my mind as I was prepping for this is I can open up a Word document, and I can just copy and paste some notes or some thoughts in there. Where does that data live, Brian?

Bryan:

Well, in most cases, the data will live temporarily on your device because it usually caches a local copy of it, but by and large, it lives on Microsoft servers. And that could be, depending on where you've subscribed and how you've subscribed to 365, in a US data center. It could be in a Canadian data center. It can be in a European data center, depending on how you've configured your 365.

Bryan:

But but, basically, at the end of the day, it's not living locally anymore.

Justin:

I've got a story. And this wasn't Microsoft. It was a Google document that I had that I was using as almost like a journal. I was typing some pretty personal stuff in there, you know, just being completely candid. I was working through some emotional shit that I was going through.

Justin:

And I opened up that document one time, and I saw somebody else's notes in it. Somebody had read what I had put on there and commented on it. Yikes. Yeah. So creepy stuff.

Justin:

It is some creepy stuff. How does that happen?

Mario:

Did they, like, give any advice?

Justin:

No. It was more of, like, you know, hey, I'm watching. I mean, I don't remember. Honestly, I don't remember. I saw it.

Justin:

I shit my pants. I deleted the document, and I never went back. You know, I never did anything like that again. Now, I will argue, you know, this was probably 10 years ago. Security has changed a lot.

Justin:

I haven't seen anything like that since. But when we are putting anything on a digital device, we need to understand that that information can very easily become public domain, like, unintentionally. So step 1, just know that every time you type, you have to be prepared to secure that information, to know where it lives, what the potential risks are. That's terrifying and overwhelming to think about. So you've got Excel files, Word files, you know, all of these, they go to either SharePoint or OneDrive.

Justin:

Right? And now you have to understand who has access to those. So SharePoint, it could be anybody in the organization. I've got clients who will come to me as they're trying to set up different folders and, you know, sites on SharePoint, and they don't really know what's there. They don't know who has access to it, because they go in and they start putting stuff up, and then that person gets fired.

Justin:

Somebody else comes in and tries to take over. It's quick that this stuff can get out of hand. Right? Do you guys ever see anything like that with SharePoint?

Bryan:

Yeah. Absolutely. It's actually even becoming a bigger concern now with Copilot, because Copilot has access to everything that the user has access to. So I'm talking about Microsoft Copilot. If you subscribe to Microsoft Copilot, it has access to everything that's in SharePoint and OneDrive that the user has access to.

Bryan:

And so what we're finding is anybody who's enabling Copilot all of a sudden is asking questions of Copilot, like, hey, what's the company policy on x y z? And it will go through all of 365, SharePoint, and every file you have access to and give you an answer. And so if you accidentally had access to financials and you're not the financial person, you could ask, like, hey, you know, what's the company's financial picture? And it will go in and look through all the documents that you have access to and give you that answer. And I remember a while back, and even now today, we run into clients that, you know, we're meeting with them for the first time, and we're like, okay.

Bryan:

We go through, and one of the things my team checks for is access, who has access to what. And a lot of these smaller organizations, they start off and they give access to everything to everybody. Right? Everybody has access to every server and/or SharePoint and/or OneDrive, and as their companies grow and grow and grow and grow, they forget they did that. And so now all of a sudden people have access to documents they shouldn't have access to, and the worst is maybe they right click on a folder and say, I'm gonna share this access to somebody outside the organization, and maybe there's, like, you know, folders inside there that really ought not to be shared, or folders are added after the fact to a folder that was shared out, and now that link exists out there in the wild that anybody can access if they've selected anybody can have access to this folder as long as they have the link. And now all of a sudden information is out there that ought not to be. And so, you know, obviously, there's some things that you can do to remediate that: have every link that you send out expire after x amount of days automatically so that you don't have these perpetual links out there forever, and just make sure you limit access to the people who need access.

Bryan:

And, maybe even in certain circumstances depending on the SharePoint site, limit who can share outside the organization. And that's all configurable, but, again, people are doing

Mario:

Brian, I'm gonna play devil's advocate here. Do you feel like this is the MSP's responsibility? Because, you know, we've onboarded some people and seen similar situations. I have a customer that I onboarded 2 years ago that from day 1 we told them, like, hey, you know, all your data on your server, the rights are everyone. So anybody can possibly

Bryan:

to advise when it comes to that, but it's no different than if you had a file folder in your office with a bunch of folders in it. If you leave that in the lobby and, you know, anybody can come in and access it, then anybody can go in and access it. Right? Like, you can have an expert come in and say, well, you ought to put that behind a lock and key. But if you refuse to do that, at the end of the day, it's a co-managed responsibility.

Bryan:

Our job and our responsibility is to secure and advise, but, ultimately, clients will do what clients do. And sometimes they can do things that, even though we have every best intention of saying, you know, you ought not do that, and we're gonna put these checks and balances in, somebody can copy the document and just email it. Right? And so there's only so much that we as an MSP can do other than advise

Mario:

and our tools, you know, our tools don't say, hey, by the way, everybody has access to this folder, because it would alert us. There isn't a tool that I know of that will do that, but we would get alerted all the time because it's telling us literally, like, everybody has access to everything. Well, we know that. You know? But when you're obviously setting up something new from scratch, we do that.

Mario:

You know, like, okay, we're gonna set up a new SharePoint site, or we're gonna set up a sales SharePoint site. We're gonna set up, like, an HR site, and so on. And we're like, who do you want to have access to everything? But the problem is sometimes we inherit these clients and networks that weren't set up this way from the very beginning. And, you know, we could bring it to the attention of somebody, but we cannot actually, it's a security risk, but it's also not a security risk, you know, that we can easily just fix.

Justin:

Well, let me throw something out here.

Bryan:

Oh, sorry.

Justin:

No. Go ahead with best practices, then I have a question to ask both of you guys.

Bryan:

Best practice in SharePoint now is to disable the everyone group. Like, you should never use the everyone access group. It should always be either a departmental group or a named user that has access. The everyone group, it's now being recommended that you should just turn it off, especially with Copilot. Even if you intend on giving everybody access to something, it should be, okay, we've given these 4 groups, like, these departments, access, and that involves everybody. But you should never use the everyone group because maybe down the road you're gonna want to create another group that is a more restricted group.

Bryan:

Right? Interns, for example, and they ought not to have access to that, and you never intended for them to have access to that. But because they're part of the everybody group, they do. So we don't use the everybody group anymore. It's taboo.

Justin:

Okay. So I heard something that, if I'm a client of yours, I'm disturbed. Brian, you said, Mario, I think you asked the question, whose responsibility is it? Is it our responsibility as IT consultants? And I heard an absolute no from both of you.

Justin:

And I'm telling you that responsibility, as a client, what do you think if you go out and survey your clients and ask them, or survey mine. You know, don't even throw your clients under the bus. Who do you think they're gonna say is responsible for this 100%? Do you think they're gonna say this is a shared model?

Mario:

I think it's our responsibility to bring it to their attention. Yeah. And work with them to tighten it up. But it's their responsibility to tell us who should have access to what, because

Bryan:

Sure.

Mario:

I don't know about you guys. I'm not reading my customer's data.

Justin:

No. 100%. We aren't. And so I'm pointing out a mindset or a perspective. I know.

Justin:

This is something that, you know, is really why I wanted to do this podcast today. This episode is because I get this. I will admit it. I get this from clients where their perception of what I am doing and what I can do is very different from reality. And so it is incumbent upon us even if it's not our responsibility.

Justin:

We sure as hell better be letting them know what's going on, what needs to be done, and we need to be building processes around that. So at a minimum, then we're saying, hey, mister client, missus client, let's go in and review all of your data, which is exactly what I'm trying to point out here: we need to know what services we're using as business owners. We need to know where that data lives. What I didn't put in here, which is why I'm really glad we had this conversation, is who has access to it that we know of? Which of our team members have access that shouldn't?

Justin:

You know, and then we get onto how it's protected and stuff like that. But I'm kind of jumping ahead because Microsoft 365 is such a wild beast right now. I've been in love with it, and I fucking hate it at the same time. Thoughts, comments, questions, concerns?

Bryan:

Okay. Number 1, and I've been screaming this at the top of my lungs to anybody who will listen. You cannot delegate responsibility to an outside party for security, for protection of data, for anything. You can hire somebody to take care of it, but ultimately you, as the business, are the one that runs that. And especially if you're a publicly traded company, you cannot. Like, when you fill in those insurance forms that say who's responsible for security in the organization, you'll notice that a couple of questions later will be, do you have an MSP?

Bryan:

Right? Those are 2 different questions. Your MSP cannot be the responsible person. The responsible person for security of data is internal to the organization. It has to be, because it is their data and their customers and their information.

Bryan:

We could be hired to take care of it, but it's not an obligation. Right? You can't absolve yourself of it because you said, oh, I've hired somebody to take care of this for me. That's not how it works. Legally, that's not how it works.

Justin:

And that's a podcast, guys. That's a wrap. Brian just did my closing arguments. And,

Bryan:

that said though, the same applies to cloud services. Right? Microsoft is responsible for the infrastructure, and this applies to all the tools and things like that, your CRM, your accounting systems, your HR systems. They're responsible for the infrastructure. At the end of the day, you are always 100% responsible for the data on that system.

Bryan:

That includes backing it up and securing it.

Justin:

So go back to the title of this episode. You know, what are the things that business owners need to know about cloud security? This is it right here, guys.

Bryan:

Right.

Justin:

So if we step back from the weeds of who did this, and finger pointing over here and there, and abdication of responsibility, this is what you need to know, audience. You need to know that your data is out there, and you have a huge responsibility to be aware of it and to protect it and to have a plan in case of loss, whether permanent or temporary. You know, so, like, get out a pencil and paper and just start writing down how you do business and what applications you use and where that data lives. We really could wrap up right there, and that would be a huge takeaway that would do wonders for securing your business. So let's step away from Microsoft.

Justin:

And, again, I'm biting my tongue because I love them, but that beast has become so unwieldy lately that we actually have to put in new tools to monitor and manage that. I don't feel it's possible anymore to do that ourselves. You know, you have to have a SOC behind that, and I will come back to that later. But let's go into, you know, these are the ones that most businesses have and that we know of. What are some other cloud services that as a business owner we need to be aware of and mindful of?

Bryan:

Accounting is a huge one, and human resource management systems, or HRIS. So if you're using, like, BambooHR or third party HR management systems, the data that's in there. Yeah.

Mario:

I mean, you have other companies like Dropbox, you know, box.com. You have, obviously, Google, in G Drive or Google Drive. Plus, there's probably a dozen other ones that people are using, especially the ones that have it for free. You know, you'll be surprised, or you wouldn't be surprised, by how many people or companies we've taken over. And all these people have different ways of sharing and storing stuff, like on free accounts, like Dropbox.

Mario:

And they're logging in with their personal, account and stuff like that.

Bryan:

Yeah. You know?

Justin:

Okay. I'm gonna stop you right there and say that if you are using a product that is free of charge, you are the product. You are being sold. Your information is being sold. Nothing's free.

Justin:

If you're not paying in money, then you're paying in privacy concerns and loss. K? Yep. Okay. So we've got all these different, again, sit down with pencil and paper and write out everything that you use in the course of doing business, know what those applications are, and then you basically have to create a plan for each one.

Justin:

You need to know where the data lives. I say that because it can be a concern for compliance in some cases, not always. CMMC is a great example of that. If your data lives outside of the United States, you're out of compliance. So you need to know where it's stored.

Justin:

And then, you know, encryption is almost a given these days, although I am still surprised when I hear about breaches where the data was unencrypted at rest. Most things are encrypted in transit, but we at least need to know that. And then, you know, this is kind of a big one, because if it's a cloud service, it will go down. It just is going to happen. So what are you going to do as a business owner when you do not have access to your email, when you don't have access to SharePoint, when you don't have access to QuickBooks Online, when you don't have access to your HR?

Justin:

What's your process? And it might be, okay, we're gonna close up shop, and we're gonna take a day off, paid vacation for everybody, maybe. But probably, you're gonna want some way, some plan for doing business at a minimum. So if I'm a doctor's office, when I come in in the morning, or maybe when I go home the day before, I'm gonna print off my schedule so that when I get in the next day, if that schedule is not available, at least I know who's coming in and I have some information.

Justin:

You know, can you guys think of anything else that would be a good idea, how you can be prepared? And we've already talked about this to some extent with our incident response plan episode. But what can our audience do just to kinda limp by if and when things go sideways? And I'm talking about temporary. I'm not talking about massive breaches right now, but just temporary loss of access, because that's gonna happen.

Mario:

Well, it's also, you know, kind of to elaborate more on what you just said. Like, also because we've just seen it. We're literally working on an onboarding that we did this week on Tuesday. And, you know, the owner and the office manager had no clue where their data is, where their email accounts are hosted, where anything is. They're like, oh, the IT guy takes care of it.

Mario:

And that's, by the way, that's the guy that we just sent the termination notice to this morning. You know?

Justin:

So He's not your friend today.

Mario:

Yeah. This guy just got a letter saying, effective immediately, you're out. You know? And give all these guys everything they want. Well, he's not gonna easily oblige to this.

Mario:

But, you know, if he's taking care of everything, you need to review with him on a regular basis exactly everything that he's providing for you. You may not need the passwords and all that stuff, but you just need a road map of what that is. And I would also argue the first thing you need to do, and we discussed this a couple episodes back, is educate your users. Your users need to know that they shouldn't be using, you know, the free ChatGPT, the free box.com, the free Dropsuite or whatever it's called.

Bryan:

AI tools.

Mario:

AI tools. They need to be following what you want them to use, not using their own stuff. So your users need to know exactly what is allowed and what's not allowed.

Justin:

So we're talking about 2 things now. You've got an acceptable use policy that needs to be in place, and then we've got shadow IT, which is another one that's just exploded. So these are 2 things that we need to be paying attention to on a pretty regular basis.

Bryan:

So to add to what Mario was saying, I'd say the very first thing that you ought to do to be prepared for a temporary outage is to first identify what you have. And I think you talked about that, Justin, listing out every single application that is cloud hosted or not, that you have access to, identifying where the data is, then identify from a priority: if this went down, is this critical, or is this, we could wait a couple days and no big deal? The items that you've then identified as being critical to your operations, how are you going to plan real quick? How are you gonna make sure that that information is available to you should that go down?

Bryan:

Do you need a backup of that off-site? Do you need some way of accessing it, so maybe the data is duplicated in 2 different locations? Like you suggested, maybe you download your calendar for the next day. Whatever those things are that are, you know, we cannot function without these 4, 5, 6 applications, what is my plan for when it happens?

Bryan:

When this is no longer available, what is my plan to make sure that I can continue operating? And at the high level, that's what it would be for me. Yeah. Yep. Agreed.

Bryan:

Okay.

Justin:

Now we're gonna pivot a little bit. So we've talked mostly about technology, which is kinda where we live, the world we live in. But the curveball here is that while protecting data is super important, it's at least as important, and I would argue maybe even more important, to be aware of how we protect our users. And that is a very broad subject. But, you know, so we've got education.

Justin:

We need to teach them. We've got, and I don't wanna get too off track there, but let's just talk about some of the threats, the ways our users are being manipulated, because we can protect all this stuff, but all it takes is a well-meaning but misinformed or caught-unaware end user to break all the protections we have in place. So, guys, talk to me about some of the threats that exist right now, and specifically the ones you see trending upwards.

Bryan:

The biggest one is a bad actor fooling or tricking your end user, your client, your employee, into entering a login name and password to access the dozens and dozens of cloud services they use. Right? And so we're seeing that a lot lately, where people are getting accounts compromised because they think they're on the website to change their password, because they received an email saying they need to change their password, or they've, you know, received an email that says, hey, here's a document you need to read, and they click it, and all of a sudden they get an Office 365 login prompt, and they're entering information in there. And so they're getting fooled into entering information, and for me, that's the biggest one. And as far as protecting against it, if we can find ways of incorporating single sign-on across as many tools and tool sets as we can.

Bryan:

So we're either using, like, a Google sign-on or a Microsoft 365 sign-on that will log in to all our other pages, and then secure that account through, say, 2-factor authentication. I think that would have the most impact, because then the attack surface has just gone from, you know, all these logins and passwords being able to be compromised down to 1, and then we secure that one as much as we possibly can with various tools: conditional access, things like that.

Justin:

Yeah. The single sign-on is almost taking the place of, like, password managers. Right?

Bryan:

Yeah.

Justin:

Or at least it's, I don't know if it's taking the place yet, but it's kind of the trend, I would say.

Bryan:

I mean, we can lock it down to the point where, if your staff can't or aren't supposed to work outside the office, we can lock it down so that single sign-on can only work from your office.

Justin:

Right.

Bryan:

And if somebody tried to log in from anywhere else, it just won't work. Right? Or if you're, like, okay, well, they need to be able to access it from anywhere in Canada or North America, you know, it could be locked down geographically so that they can only log in from certain, you know, areas.

Bryan:

And then a bad actor, who typically comes from outside of the country, not always, but typically, just wouldn't be able to even access that account. It would just refuse their login outright.

Mario:

So

Justin:

Well, and this is what I love about the toolset that we've recently put into place: it monitors that. So you've got, you know, for endpoint protection, the computers, we've had it for a while where it looks for behaviors, and it flags things that are outside of normal behavioral patterns. And now we've got that for email logins or, you know, which moves to sign-on and everything else, it'll kinda geofence. If you see a user that's always traveling a 3-state area, for example, that's normal behavior. But then all of a sudden, he's vacationing in the Bahamas, it's gonna flag it.

Justin:

And if it's suspicious enough, it will actually lock them out and, you know, notify IT or supervisors or whatever. So,

Bryan:

We're using the same.

Justin:

Yeah. So we have to go beyond protecting the endpoint, beyond protecting the data and protecting the technology, to actually protecting the users and the behaviors of the users. So this is relatively new, where it's become so critical to have that piece in the cybersecurity stack.

Bryan:

Yeah. Then the nice thing too is if the person leaves the organization and you need to, I mean, imagine, like, I think they were saying that the average person has 20-plus cloud services that they're subscribed to. You know, when you have to clear somebody out or if they leave, you've gotta remember, first of all, to go through all of these third-party applications, these third-party tools, and reset those passwords and lock them out. Or if they're all single sign-on, you can just disable the account and they just lose access to everything that single sign-on has access to, which is absolutely a wondrous thing,

Mario:

I tell you. And it's fairly quick too. It's literally like, you know, within a minute or 2, it just kicks them out of everything.

Bryan:

Yeah. Yep.

Justin:

And I like that we're getting to a place where things are more standardized. We're not there yet. So it's a great theory, and I can't wait till it's universal. You know, we still do have to track all the logins, all of what everybody has access to. Basically, every time you grant access to an end user, it better be recorded somewhere and put into the offboarding procedures.

Justin:

And that's tricky. You know, that's easier said than done.

Bryan:

Especially when you've got IT providers handling some of the logins and then somebody internal to the organization handling others. Right? For example, giving access to the ERP system, because maybe we don't have access to it. They're creating logins and passwords. And now we can obviously manipulate our end and have a record, because we record everything.

Bryan:

But, you know, maybe there's not that same level of protection or recording at the, you know, the client level.

Justin:

Yeah.

Mario:

But you are putting all your eggs in one basket, though. You know? Like, as long as it's secure, which, you know, from what we see, it is very secure, you are putting your eggs in 1 basket, though. That's why

Justin:

And that's always a trade-off. That was the argument against password managers in the beginning. And my pushback on that is, first of all, as close as we can get, nothing's 100% secure. So now we're gonna weigh the risks of the technology against the risk of humans. Right?

Justin:

If you put humans in charge of this, 100% they're getting breached immediately. Yeah. Yeah.

Bryan:

They're gonna use the same password everywhere because it's just, I can't remember 30 passwords or 100 passwords. Right? So I'm gonna pattern it, or I'm gonna use the same one in 10 different locations. Or a

Justin:

100 different locations. Yeah. So, okay. Any other thoughts on protecting people?

Justin:

And I know we, you know, kinda touch on this frequently. So reminders are good. Anything new?

Mario:

It starts with training. It starts with training. Yeah. You know? It's, you know, train them when they first get in and train them, you know, from then on forward.

Mario:

Because if they're going to fail a test, you know, you better hope it's your test that they're failing, not a real test.

Justin:

And not only does that educate them, which is what we think training does, but it also just builds behavioral patterns. If you know that you're going to be, you know, tricked, or there's an attempt to trick you by your employer, you become pretty comfortable looking for, you know, tricks. Right? So it just creates that mindset. So when you're going through your email, you don't just randomly keep clicking things like, oh, shit.

Justin:

I don't wanna hit this. My boss is gonna come yell at me, which is a small problem compared to what we're trying to prevent. Right? So any other thoughts on protecting people?

Mario:

No.

Justin:

Okay. I've got a lot of notes written down, but we're kind of pushing up against the clock here. So we're gonna start winding this down a little bit. I'm gonna say again, you know, the need to protect these cloud services is huge. So there's tools that we can put in place, and then there's just general awareness and education.

Justin:

So, you know, you guys got ahead of me big time when you're like, it's not our responsibility. But if I'm listening to this podcast as a business owner, the one thing I hope I learn is, yeah, we have to be responsible for this. We have to be aware of it. You cannot abdicate this. Now, as a CEO of a company, you also can't do everything.

Justin:

You can't be good at everything. You can't have your eyes on everything. You know, we just have limitations. And so my suggestion there is find somebody or an organization that you can trust completely, and then don't trust them. Like, put them in charge, empower them, and then hold them accountable.

Justin:

And, you know, week after week, we come in here and we offer that. We're doing these free assessments. It's a mini pen test. It's a vulnerability assessment. Call it what you want, but we'll go in with the tools that will mimic what a bad guy would do if they get into your network or if they trick your people.

Justin:

So, you know, at a minimum, do that. And then take that. If you don't plan to change IT companies, that's fine. Take this information back to your guys and say, hey, guys. Here's what I found.

Justin:

Let's work through this, and it doesn't have to be an attack. It doesn't have to be a negative conversation. It's just, we wanna be safe. What do you think? How can we fill some of these gaps?

Justin:

Right? So any other thoughts on the vulnerability assessment, or just ways, as a CEO, we can keep track of all the, like, huge things that we're responsible for?

Mario:

No. You pretty much hit it on the, you know, on the head. Like, you have to put somebody in charge, and, you know, that person that's in charge has to work with the IT company. We will gladly work on getting this secure and set up, but we need guidance. Like, we will take the responsibility to get it done, but we need the guidance to make sure, you know, what we're doing. You know?

Mario:

And we need the facilitation. Right?

Bryan:

Yeah. Some things require an internal person, for example. We can put systems in place to protect, but the policies that go along with those, the controls that go along with those, those are typically, you know, policies that have to be created on the client's end and disseminated and enforced. And so, you know, I can put in an antivirus, and I can put in content filtering, and I can put in these things, but there's also the other end: there's an acceptable use policy, right? And so, for example, somebody goes to an AI website and uploads all your confidential files, I can't stop that.

Bryan:

Right? That's something a policy has to do, with enforcement, with training. And so that internal person is just the facilitator for us to be able to interact with and say, okay, here's what we've done, and here's what you need to do. Yeah.

Justin:

Alright, guys. So I've kind of already said that I'm gonna give you one more shot for any closing arguments, and then we're gonna go ahead and wrap this up, as we're pushing past 40 minutes on this episode today. Mario, you wanna go first?

Mario:

They're listening, you know, during their commute. I hope they had some

Bryan:

traffic.

Justin:

It's a long commute. They hit rush hour today. Maybe they'll have to wrap this

Bryan:

one up

Mario:

on the way home. No. I mean, nothing that we haven't covered. You know? Just, you know, you take responsibility, work with somebody, make sure you, you know, at least put somebody in place that is not just gonna hope that somebody else is taking care of it.

Mario:

Make sure it's, you know, delegated to somebody to have the responsibility to make sure it's in place. And test it. Once you've put it in place, test it.

Bryan:

For me, it's obviously 1% better. As a CEO, as the owner, as a manager or leader of your organization, you're always trying to get, or you should always be trying to get, 1% better every single day, and that might involve coming up with quarterly key initiatives that you can do surrounding cybersecurity, right, and then making sure that, with whoever you're working with on your IT provider side, or even if it's internal, you ask: what else? What can we do this quarter, this month, this week that we can add that will improve our posture? Because security is not a one-and-done. It's a journey.

Bryan:

Right. It's a journey that you're gonna be on, and you're gonna add a little bit more, a little bit more every single day, every single week, every single month, every single quarter in order to improve your posture. And if that's the one message people come away with today, it's: a, you're responsible; b, it's a journey; c, get 1% better every day.

Justin:

I love your 1% thing. I can't copy it because you started it first. But that's been a mindset of

Mario:

my brother. I was using it last week when he wasn't here. I was thinking, it's like, just, you know, just in case he did get kidnapped by the Russians or something. Right.

Justin:

So my sign-off today is just gonna be that, you know, as a business owner, as a CEO, we are overwhelmed. We have so many hats that we wear. We're juggling everything. And so I hate to say this, but I'm going to. If you are not watching where cybersecurity is concerned, if you are not watching this like a hawk, if you are not creating a company culture around cybersecurity and protecting your organization and your assets and your data, then you will not survive as a business.

Justin:

Hands down, plain and simple, black and white, ones and zeros. There's no middle ground here. You've gotta do this. This is as important as finances. It's as important as anything else you do in business.

Justin:

So on that note, at a minimum, take us up on our offer: go to unhacked.life and book that assessment. You know, we all offer that. And if you're outside of the area that we're in, we will put you in contact with somebody who will do this for you as well. That said, on the website, you've also got social media links. You've got past episodes, upcoming episodes, and please do us a favor.

Justin:

And if you find value in this episode or in this podcast in general, share it with your colleagues. Help us spread the word because, yes, we're here to make money. We are for-profit businesses. However, we're all on a mission to protect our fellow business owners. So, great.

Justin:

That's what I've got, guys. We're gonna call this one a wrap, and we will see you all next week. Take care.

Mario:

Bye, guys.

Creators and Guests

Bryan Lachapelle (Host)
Hi, I'm Bryan, and I'm the President of B4 Networks. I have been working with technology since early childhood, and routinely took apart computers as early as age 13. I received my education in Computer Engineering Technology from Niagara College. Starting B4 Networks was always a dream for me, and this dream became true in 2004. I originally started B4 Networks to service the residential market but found that my true passion was in the commercial and industrial sectors, where I could truly utilize my experience as a Network Administrator for a large Toronto-based marine shipping company. My passion today is to ensure that each and every client receives top-of-the-line services. My first love is for my wonderful family. I also enjoy the outdoors, camping, and helping others. I'm an active Canadian Forces Officer working with the 613 Fonthill Army Cadets as a member of their training staff.

Mario Zaki (Host)
During my career, I have advised clients on effective, and cost-effective, approaches to developing infrastructure that fosters productivity and profitability. My work has provided me with a broad-based knowledge of business from the inside, with an expertise in areas that go beyond IT alone, ranging from strategic planning to cloud computing to workflow automation solutions.