24. 6 Steps to Protect Against Bank Fraud

Justin:

Welcome, everybody, to episode 24 of Unhacked, where we empower busy and overwhelmed business owners. Brian, do you identify as a busy or an overwhelmed business owner?

Bryan:

Is that a joke? Exactly.

Justin:

Where we empower busy and overwhelmed business owners who are also concerned about cybersecurity to outsmart Russian hackers. Listen. I say Russian hackers mostly tongue in cheek, but a lot of them, that is where a lot of this stuff originates. So, I've even named mine, by the way. I stole the name Boris Grishchenko.

Justin:

I've never seen the movie, so I don't know how to pronounce it. It's a James Bond movie. Anyways, I digress.

Bryan:

So I'm

Justin:

Justin Shelley, CEO of Phoenix IT Advisors. I work with businesses in Texas, Northern Nevada, Utah, Idaho, kind of all over the place, but we do. We help people stay away from these Russian hackers. Brian, you're here with me today. Mario's absent, so we're going on without him.

Justin:

Brian, tell us a little bit about who you are and what you do.

Bryan:

Yeah. My name is Brian Lachepow with, president and CEO of B4 Networks, and I work with businesses in the Niagara region, to improve their operations using and leveraging technology. Canada. Yeah. In Ontario, Canada.

Justin:

I've been there once, you know, and I didn't get to come see you. So I've gotta make another trip back up to Canada.

Bryan:

And since October, maybe we'll do a, by, what do they call those? A retreat. No. Run.

Justin:

Oh, right? A marathon. Yes. Okay. Okay.

Justin:

Cross border

Bryan:

1 too.

Justin:

That would be amazing. Alright. Yeah. It's a deal. Okay.

Justin:

So in today's episode, we're gonna talk about how to protect your business from bank fraud. This is getting complicated. There's a lot of it out there. So we're gonna go over that. Of course, we have to break down the infamous CrowdStrike event.

Justin:

I can't imagine that anybody anywhere has not heard of this and probably has been impacted in some way, shape, or form. Then we're gonna wrap up with our, as always, the formula for how to protect your business 100% from Boris Grishchenko. Alright. Let's jump in. Brian, first of all, CrowdStrike.

Justin:

What the hell? Tell me a little bit about what happened, who it happened to. Don't get into finances yet, but because we're gonna come back

Bryan:

to that.

Justin:

But let's just, you know, what the hell?

Bryan:

Well, the computer's broke. No. I'm just kidding. So essentially, you know, long story short, cybersecurity provider CrowdStrike put out an update. Update broke almost every computer that the update went on to, and that required businesses to, or first of all, it required businesses to hopefully have a backup plan, like to be able to continue their operations

Justin:

and Manually.

Bryan:

Yeah. Manually, but required IT providers to have to visit every workstation manually one at a time in order

Justin:

to restore do anymore. Right? Most of

Bryan:

what we

Justin:

do is remote. And you couldn't do this on remote. You couldn't do it in bulk. Couldn't. Impact now I heard this.

Justin:

Tell me if you've heard the same that this is historically the largest computer outage that we have record of. Have you heard that,

Bryan:

dude? Yeah. That's what I'm hearing as well. Thankfully, we weren't impacted whatsoever because we don't use CrowdStrike, but it could have happened to us just as easily because at the end of the day, we all use security vendors and Right. Right.

Bryan:

It could have happened to anybody.

Justin:

Nah. This is definitely not well, I was gonna say it's not a dig at CrowdStrike, but

Bryan:

No.

Justin:

We'll come back to that. I actually was gonna start this episode off with a no shit. There I was. Cool breeze out of the south, not a cloud in the sky. You know, however good story starts that way.

Justin:

Because I shit you not, I'm getting ready to go out of town. I'm gonna be gone for 10 days, and I've gotta pay some bills, and I've gotta bill my clients before I go. And I'm sitting here and I go on to my portal where clients pay me, and it's down. Like Yeah. What the hell?

Justin:

Okay. I mean, my first panic was like, I mean, did I not pay them? Like, what happened? Why how did how did they get locked out of my own payment portal? Whoops.

Justin:

Yeah. So I I start panicking. Like, alright. Well, at least I've gotta get this other bill paid. I had to go on to Microsoft and update a credit card on Microsoft.

Justin:

Right? And I I get on there, and I'm getting errors from Microsoft. I'm like, what the hell? So then I go, is it, DownDetector? Is that the website?

Justin:

Are you familiar with that one? No. Okay. DownDetector.com will, it's just like a live report of major businesses that are having outages reported by end users, by the way. This isn't necessarily Okay.

Justin:

Them self reporting. And I look at that, and it's like everything's down. I mean, everything. I was like Oh, wow.

Bryan:

Shit. And I'm, you know,

Justin:

I'm sitting here with, my my business partner slash COO slash life partner, and I'm like, Liana, this is bad. Like, this is gonna be big. It's gonna be huge. You know, and then we just went out of town. So Yeah.

Justin:

But I didn't Brian, I had no idea how bad it was gonna be when I said that.

Bryan:

Yeah. I knew of the moment I woke up because, like, I don't necessarily get up very early, but all I kept hearing is ding, ding, ding. And I'm like, okay. Seriously, nothing can be that important. Ding ding ding, and my phone was just going off.

Bryan:

Like, people were chatting and forth about it, not just within B4 Networks, but also, you know, all the different associations and groups that I'm part of. And it was just like flooded of messages. I couldn't even keep up with everybody talking about it and the impact. And I was, you know, just like crossing my fingers that we weren't going to be impacted because you never know. You never know where and who is using the vendors.

Bryan:

And so thankfully, knock on wood, you know, none of my vendors and none of my clients are affected. But yeah. A lot lot of people are

Justin:

I mean, direct impact is so I just I mean, I was affected to an extent. Right? I couldn't I couldn't pay my bills. I couldn't, charge my clients. There was there was stuff like that, but that was pretty temporary.

Justin:

But the the overall, if we'd look at the the global impact of this thing, have you seen any numbers as far as financial impact?

Bryan:

1,000,000,000? Yeah. They they haven't finished tabulating at all, and that's not including lawsuits. Right? So

Justin:

Right. What's the is it, Delta Airlines, I think, is the first the first ones to initiate a lawsuit. So it's it's beginning. I imagine it'll turn into class action, and it's gonna be ugly. It's gonna be messy.

Justin:

But, yeah, billions. Delta was claiming 500,000,000, just them, just just the airline, and that's just one client. God. It is. Okay.

Justin:

So lessons learned. I wanna move into that. I mean, unless you have anything else to talk about as far as impact.

Bryan:

Well, no. I think lessons learned are are are gonna be huge, but, like, just talking about the financial aspect, since we're on that topic already. You know, you you can't you can't expect that even if you were impacted that your cyber insurance is going to cover this this type of interruption because it's not it's not a cyber security incident. It's a cyber, like, update. Yeah.

Bryan:

It's really There was no intrusion. It was just Right. An update gone wrong. Right?

Justin:

And it's not a breach. And I I should have specified that because this is a cybersecurity podcast. This is not a cybersecurity incident.

Bryan:

Well, I mean, it's an incident, but it's surrounding cybersecurity, but it's not a breach. You know, nobody was breached as part of this, but the impact of it was because we have to do updates on a fairly regular basis, and in some cases, 4 or 5, 6 times a day. And the updates aren't always able to be tested in a very robust way. Now that's not to say that we shouldn't. It just sometimes things happen.

Bryan:

So all that to say long story short, whether or not these companies are gonna be able to successfully sue for this breach, or there's not this breach, this this incident, I have a hard time believing anybody's gonna be able to get paid out for this because, honestly, they should have internal systems and processes internally to prevent this stuff from happening. You know, as an example, updates are, yeah, the vendor should have, you know, notified and or should have put out a a test a fully tested update, But the client also shouldn't be updating every single computer in their entire network without doing a test case before. So

Justin:

Well, correct me if I'm wrong, but I don't and again, I'm not a CrowdStrike customer. I

Bryan:

Neither am I.

Justin:

You said not direct impact. But what I've read is that this wasn't an update that was really testable. It was something that just gets pushed. Because with cybersecurity, because it's time sensitive, not all updates, you don't have control over all of these updates. I don't know that this is one people had control over.

Bryan:

I don't I don't know.

Justin:

I mean, it's a great reminder to do exactly what you're saying.

Bryan:

Yeah. I know in most cases with our security products, we can push out, you know, like, hey, we're gonna push this update out to these 10, you know, test bed cases or test workstations that we have internally. Then we move on to another, you know, 1010 15 across, you know, our all of our clients. And when when we've confirmed everything is good, then we start rolling it out, you know, first five clients, next five clients to, you know, it it's we never just blanket go, hey, here's an update. Let's just push it to everybody and see what happens.

Bryan:

Right? So I don't know if this was the case with CrowdStrike because you're right. Some security vendors, you don't necessarily have full control over when and how the updates will be released, but Right. It's still got that responsibility.

Justin:

That process you described is definitely how you handle Microsoft patches. Right? And again, I without any direct impact, I didn't see this happen personally. But one thing I heard discussed was that this may have been a patch that was pushed out without anybody's oversight or consent or even the ability to test it. I don't know if that's true or not, but it does raise a lot of interesting questions.

Bryan:

Yeah. And like you said, it could have been a high or was certainly a high sensitive update. And so sometimes you don't want those to go through a robust testing phase because it's got to get out there because the damage that could be done left unchecked is worse than, you know, than the alternative.

Justin:

Which, you know, and again, hearsay, reading in the forums because, by the way, this has blown up. I mean, everywhere you go, we're reading, from people who are personally impacted by it, whether that's Reddit or just news articles or whatever. But, I I am reading comments from people in the trenches. And one of the things that I understand is that this update had there was no quality control within the the vendor's processes. So that I think is where the lawsuits are going to land.

Justin:

Right. TBD. Right? Well, we'll see

Bryan:

those And the folks had they had deep and I'm not gonna use techno terms, but they had deep access into Microsoft's root systems that Right. Most vendors wouldn't have access to. And, you know, in in a for example, in a Mac environment, that's not even available, to security vendors. It's completely locked down. And so is that something that Microsoft's gonna do as well down the road?

Bryan:

Because they were forced to open it up. They were forced to. Yeah. Europe. Now they might use this as a case to go back and lock that down from a security perspective saying, you know, like, here we had this incident that impacted 1,000,000.

Bryan:

You know, the the benefits don't outweigh the the the risks, so we're locking it down. And and

Justin:

here's just my own, musings, shall we say. If if this update had such a dramatic, I I haven't seen it. I'm I'm inferring this that it was a 100% failure rate. If you got the update, your machine was tanked.

Bryan:

That was

Justin:

my understanding. Which tells me this is just Justin's, philosophy, that it wasn't tested at all. Right. Like, it wasn't rolled out to a machine at all or it would have bricked that machine. Not bricked blue screen, but you know what I mean?

Justin:

Like, so these are my questions. This is where I wanna I wanna watch the fallout. I wanna see how the lawsuits take place because, when you put that much trust in a vendor who has this much of a market share, like, they are a huge vendor to not have any kind of a a process for testing before they roll it out like that. Unheard of. Unreal.

Justin:

Absurd. God, I'd love to be wrong because that's scary. That's terrifying. And with that, I do wanna transition into, you know, what do we learn from this? I talk a lot about how do we make this happen to somebody else?

Justin:

How do we not be the low hanging fruit? Because bad things are gonna happen. Yeah. And this is a case where all the stuff we talk about, the industry standards, best practices, insurance, like, all that stuff kinda falls short here. Mhmm.

Justin:

Wouldn't you agree? Like, how could you have prevented this? I don't think it was preventable. How could you cover it financially? I don't know.

Justin:

I mean, you mentioned before we started recording, insurance companies probably aren't gonna pay out on this.

Bryan:

If you have business interruption, they might. Correct. But cybersecurity only?

Justin:

It's not cyber. So. No. It's not cyber. So what what would you tell you know, you're sitting in front of a a client or a prospect, and they're saying, hey, Brian.

Justin:

What could I have done to prevent this? What would you tell them?

Bryan:

Well, the first thing I would say is, okay. We probably won't be able to prevent that type of issue. But what we can do is plan for its inevitability. It's going to happen. Right?

Bryan:

Clients will be breached. Clients will get updates. Clients will have blue screens that like, it will happen. It's a matter of if or when, not if. And so from my perspective is and we do we do, you know, incident response planning all day long with a lot of different clients.

Bryan:

And what always seems to get left out of the incident response plan because it requires a 100% of the client responsibility because it's there on their hands is when, when this occurs, when there's a failure, when there's an outage, how am I going to keep my business running in the meantime? Right. Right. How am I gonna make sure that people get paid so I have a second alternate method of being able to send money or receive money? How am I gonna continue to do to to have transactions, place orders, make orders, fulfill orders?

Bryan:

Right? What are my manual processes? And you and I had an incident not too long ago, maybe a couple of months ago where where a hotel was breached and and they I mean, from my perspective, they did a great job.

Justin:

It was phenomenal. Yeah. Within a couple days, they I again, I've said this before too. I wouldn't have wanted to be there at ground zero, you know, when it happened, because I'm sure it was a disaster. But, yeah, they seem to have had a plan or they came up with one very quickly.

Bryan:

Right.

Justin:

And that's so critical. And yet, like you said, so frequently left out of the plan. Yeah.

Bryan:

So, like the first thing I would say to a client is ask yourself, if I had no access to any of my technology, what can I have in place in advance? Whether I, you know, if I run a doctor's or office, maybe I have a printout of all my appointments coming up. If I run like an IT firm like us, maybe I have a list of all my clients, their phone numbers, and and and contact details so I could at least reach out to people if I got breached. I won't have access to my systems to be able to look at those things, right? So having different ways and different means of being able to do different things such as, you know, processing payments, maybe you have a a primary vendor that you use day to day.

Bryan:

Maybe you have a secondary one that you can access that might not be as integrated into your systems, but you can still continue to accept payments by manual some manual process. Maybe you have forms you've printed to continue to place orders, and you can write those orders down on paper. Maybe you every day, you print out your entire inventory, at the end of the day. So tomorrow, if, you know, there's a breach that happens overnight, you have the inventory list of all the parts and things that you have available to sell, you know, in some sort of manual way. I don't know what you know, because every business will be unique, but ask yourself, how can I continue to operate without my technology?

Bryan:

Like, sort of going back, you know, 50, 60, 70 years pre technology, what would you have done? Yep. Put those in place now so you have them.

Justin:

Right. Right. Yeah. A critical part because most of the incident response plans are about how we get back up online, how we do damage control, how we do PR, how we do legal. But Yeah.

Justin:

Like, what about how we do business? Yes. But how we do business?

Bryan:

Yeah. How do we continue like, because money's gotta keep flowing. Right? We gotta keep keep going because the the impact on your clients, once they feel it, they may be inclined to go, you know what? Maybe it's time for me to look somewhere else.

Bryan:

Maybe I'll use this opportunity, you know, because x y z company weren't able to fill my needs. I need I still have needs to fill, and I'm gonna go somewhere else.

Justin:

Right.

Bryan:

Right? And, oh, look at that. I got way better service here, the sudden, from this, you know, than I normally get. I might just switch completely a 100 percent forever, and then you've just lost business. Right?

Bryan:

So you wanna be able to continue to supply your your customers and or patients and or whatever it is you do throughout the incident while you're recovering.

Justin:

Well yeah. And I mean, to kinda add to what you're saying, it's like this stuff's expensive. So if you also can't bill and conduct business, not only do you have the cost of the the downtime, the cost of the recovery, like, you've you've gotta have the money rolling, and you can't have you can't have that financial gap in there. So

Bryan:

And and you may even have requirement in your insurance in business interruption policy that, oh, look at that. You didn't have any manual system set up at all. Well, we're not gonna cover the losses that would have occurred if you had those systems in place because, you know, due diligence says you should have done that. And I'm not saying your policies have that. I'm saying they might because if I was writing a policy, I would certainly put that kind of language in there.

Bryan:

Yeah. Hazard a guess the insurance brokers and and and and underwriters have have thought that through and went, well, you know, we're gonna have this interruption, but it's gonna be limited if you don't have the manual systems in place.

Justin:

You know, and that just talking about insurance, this is also a good just a reminder of, you know, know your policies. I would argue know your know your, agent, your insurance agent, and communicate with them frequently and introduce them to your, whoever's handling your technology. Make sure that everybody's on the same page. That that'll help in a payout if you need to because the insurance company's job, by the way, is not to pay out. It's to protect the investors.

Justin:

You know? Yeah.

Bryan:

Yeah. They wanna keep their money. Yeah. Yeah. Yeah.

Justin:

Yeah. So know your policy.

Bryan:

They wanna keep your money, not not theirs.

Justin:

Yeah. Yeah. I mean, listen. That's all we're all in business to make money. I don't fault the insurance companies for not wanting to pay out.

Justin:

But, yeah. Make sure that you are covered so that, in this event, in these unpreventable events, which there are so few of, make sure that you're gonna be taken care of financially as well. So

Bryan:

Yeah.

Justin:

Listen, I could probably go on all day about CrowdStrike just because it's been our world now for, I don't know, 2 weeks, 3 weeks. But I think that's those are the main points. I don't wanna I don't wanna bore our audience too much with No. Any more tech tops talk. So let's go to our tip of the week, and we're gonna talk today about bank fraud.

Justin:

This is something I learned. It's been a while now, but I was kind of a little surprised by it. The whole FDIC, you know, this bank is FDIC protected or or whatever. And you don't have that in Canada. Right?

Justin:

Do you have something else?

Bryan:

We have something similar. So we have a a a depositor's insurance.

Justin:

Okay.

Bryan:

But it's limited as well. Right? So in in in a case of a business, I believe it's $100,000. So if you have, like, $1,000,000 in your bank, you know, your your their their exposure that the banks are limited to is is, you know, from an insurance point of view is very, very minimal.

Justin:

And is yours the same? So here in the states, the FDIC protects against a bank that goes insolvent or out of business. Right? It doesn't protect from any kind of fraud. Right.

Justin:

It's same. Just if the bank goes under.

Bryan:

Right.

Justin:

So that feels warm and fuzzy. But when you get hacked, you know, when when somebody uses your computer or your identity or or some other way to transfer money out of your bank account, that doesn't mean anything. FDIC means nothing.

Bryan:

Right. And even the banks will have policies typically in place that if they came in with your credentials, bypassed any kind of two-factor authentication or whatever because you gave the code out or whatever. Whatever reason how they bypassed it, you're usually on the hook. They're like at least there's been reports here

Justin:

in Canada

Bryan:

as well that, you know, oh, well, you know, they got in using your login and password and and they provided the the the text message that was sent to the phone. And so Yep. You know, they use a legitimate way to get in, and that's on you to keep those those protected. And of course hackers and use social engineering all the time to try to trick you. Right?

Bryan:

They might call you and say, hey, I'm from the bank, you know, x y z. I'm gonna send you a code, you know, to prove who I am. Just read the code back to me, and and of course, it's not really that. They're just trying to log in to your account and get access to your your bank details. So the code that you give them is actually the code for them to log in.

Bryan:

Right.

Justin:

And and that's crazy because banks sometimes do do that exact same thing legitimately where they will say, okay. To verify who you are, I'm sending you a code. Read it to me. I've had that happen. So, yeah.

Justin:

Yeah. That's I don't like that.

Bryan:

Now they're they're they put in right into the code. Like, do not give this out to anybody who asks for it. This is strictly for you to put in directly into your like, at least that's what they do.

Justin:

But I'm saying over the phone. I've I've been on the phone where they say I need to verify who you are. I'm gonna text you. And I mean, in in a legitimate scenario, which I don't like that they do that. Mm-mm.

Justin:

So, listen. There's a lot of good. There's a lot of bad about banks. I I have gone in prepping for a webinar one time. I called my bank, and I'm like, hey.

Justin:

What happens if I get breached or, you know, what happens if wire gets money gets wired? And and they were this person was very dismissive. I was not impressed at all. And then I said, well, do you have any, like, any training or any tips or anything about how do I protect myself? And they they still came up short.

Justin:

They didn't have anything for me, and I was really upset with that. The flip side is I have personally met with bankers. Like, walk into the branch, talk to a human. I've done actually, I've done seminars, you know, co, you know, joint venture seminars with banks. And I can tell you that the people care.

Justin:

Yeah. The system does not. The system gives no fucks about you or your money. But but when you talk with the people so this would be like my, maybe my top two list as far as how to protect is get to know your banker, the human that lives and works in your town at your branch and ask them, like, what what should I do? Find out what their system does, what protections they have, and then take that information and make sure that you have all of your account settings and alerts configured properly.

Justin:

You know? So for example, if I if I try to wire money right now, my bank will send me a text that I have to put into the website to to send that. Or I have to physically walk into the branch.

Bryan:

And mine knows that if if there's a wire, I'm physically required to be present with ID in order to prove that I want that wire because I don't do wire transfers. It's very, very rare I ever have to do one. So I physically have to be in bank in order to do mine, which is fine. Right. But Yeah.

Justin:

Going off of

Bryan:

what you're saying, you know, there's there's alerts and bank settings and things like that. In most cases, you have the ability to have a, core commercial banking system that essentially has checks and balances. So for example, my bookkeeper or the person who takes care of sending money in my place to all of our vendors, they can't approve things on their own. They can set everything up, but then I gotta go in and say approve. Right?

Bryan:

Right. Yeah. And so you can have systems like that where they have limitations on how and what they can do. They can't just randomly add people you know, to do, you know, direct payments to or or we call them email money transfers. I don't know what you guys have there, but, you know, direct debit.

Justin:

I don't think so. ACH. Yeah.

Bryan:

And so you in most cases, you can have, like, a dual approach where one person can do the setup and the other person has to approve or and vice versa. So you don't you have to have 2 people. So somebody breaching your your security getting logged in the password, we actually have to get 2 different people's logins and passwords in order to be able to affect any kind of transaction. Right? Yeah.

Bryan:

So that's that's one of my recommendations for things that you can do.

Justin:

Yeah. So I mean, recapping that, Know your banker. Know know how to deal with it. Get policies set up both, internal policies because your is your bookkeeper an internal employee, or is it outsourced?

Bryan:

So it's a combination of a couple things. Our day to day stuff is an internal employee, and then we have somebody outsourced that takes care of stuff. They'd have no access to any of our banks.

Justin:

Okay.

Bryan:

They have read-only logins to be able to go download all the transactions, but not every bank has that. Like small business banking in Canada does not have, in most cases, a system that allows you to create users that have read-only access. The commercial banking that I have does. So I would recommend those.

Justin:

Okay. So now we're now we're at another point that I didn't even have in in the notes, but, like, figure out make sure you're using the right bank. Make sure that the bank you're using is, you know, has all these these features and and settings and policies available. So, so, yeah, have internal policies, train your employees who are touching money or have any knowledge of vendors. And, you know, the I think the other one we need to touch on is, vendors and clients, like who we pay and who we are paid by.

Bryan:

Right. So yeah. So for example, if you're receiving money from a client or sorry, a vendor, or sorry. You you, yeah, you receive payments from anybody, You should have already let them know how to pay you in advance, but you should already also let them know if this is going to change, you have to confirm it verbally with us as well. So we'll send you a notice saying, hey, this is how we're gonna change or update our banking information.

Bryan:

That could be on your invoices and or, you know, however. But it should always be confirmed verbally with somebody in your office. So, you know, that that's on them. They if they if they receive a message from, you know, claiming it's from you changing the banking information and they don't call you to confirm the information and they send it somewhere else, you know, depending on how it came in, it it may be your responsibility if it came from your systems and your email, or it might be their responsibility if it came, you know, from, you know, some sort of phishing attempt or some sort of, you know, spoofed email or whatever the case may

Justin:

be. Right. So yeah. I mean, this is again, this is one that we could talk about probably more, but I'm trying to keep it relatively short so that it's still somewhat interesting. But man yeah.

Justin:

Know know your procedures and get them reviewed. Get somebody else to make sure that what you're doing is the right thing and communication. Too often, it's after the fact. And I've I've seen this personally where there's a breach or there's a scare, and then all of a sudden the policies get put in place. Yep.

Justin:

We do it, do it now.

Bryan:

I'll give you an example of how how silly it is because it might be something that you need to reconfirm with people on a regular basis. So I'm an IT company. Right? I am we're knee deep in this technology and security and and all day long. About 5 or 6 years ago, I had received an email supposedly from me, it wasn't from me, asking her to buy gift cards.

Bryan:

We all know that Oh, god. Yeah. Age old scam. Go buy these gift cards. So she she looks at me, and she says, well, Brian like, she because I was walking by.

Bryan:

She goes, Brian, where do you want me to buy these gift cards from? And I was like, wait. Wait. What? She goes, you just sent me an email.

Bryan:

I'm, like,

Justin:

like

Bryan:

and she would have done it had had I not been there in the office. Right? She would have figured it out how to get these these things because they put a lot of pressure on you with these these

Justin:

these people

Bryan:

who go

Justin:

there. Tell me, I think, I might have missed it. Did what was the the job function of this employee?

Bryan:

She was a marketing person.

Justin:

Marketing. And

Bryan:

so it had nothing to do with finance, not attack, not finance. But, you know, I had inadvertently like, I know that you should never have, but I never instructed my marketing person to, hey, listen. If somebody says you buy a gift card, like, don't do it. Right? So now we have obviously a security training program in place that everybody gets this type of information on a regular basis.

Bryan:

But, you know, as an oversight 5 or 6 years ago, I didn't even think about that. Right?

Justin:

Okay. So you just I'm I'm adding to my list because this was 4 tips. Now it's then it was 5. Now it's 6 because security training is key. And and I'll match your story, but mine was a tech.

Justin:

Oh, no. I mean, I had a technician message me

Bryan:

know better.

Justin:

Saying, hey. Where do you want yeah. Same thing. Where do you want me to get these gift cards or or whatever? I'm like, what?

Bryan:

At least he checked with you though, like, you know, directly versus back to reply to the email.

Justin:

Yes. But damn. Like, you should

Bryan:

know better. Reply to the email. Where do you want me to get them? Is this really you? I've got that one written before where somebody replies back saying, is this really you, Brian?

Bryan:

What do you think is gonna happen if it's Yeah.

Justin:

Nobody caught me.

Bryan:

Yeah. That man's not me. And the criminal is obviously gonna say yes.

Justin:

Oh my god.

Bryan:

Crazy. Too funny.

Justin:

Yeah. Get that get those security training in and make it mandatory. Make it part of your culture. There's we did an episode on this already. So again, try not to beat the dead horse too much, but hugely important.

Justin:

So, listen, we've been at this for, coming up on a half an hour. I was toying with whether or not because I'd like like to add just a general, business tip to our our weekly podcast. And I was gonna talk about one thing, but I'm gonna I'm gonna pivot, Brian, because Sure. I I wanna talk about getting in shape. Oh.

Justin:

Well, so okay. I'm gonna go through the whole thing. Be the face of your company. I started off intentionally hiding myself from the business because I didn't want people to get tied to me emotionally. I wanted, honestly, I wanted to be able to go on vacation without people demanding to talk to me.

Justin:

Right? So I I made a very corporate looking and feeling structure. And, you know, that was 15 years ago or whatever, to today where my picture is on the face of the website, all social media. I'm doing podcasts. I'm writing a book.

Justin:

And, you know, like, everything now is is the opposite. I do want to be the face of the company. Right?

Bryan:

Why is that? Why like, why is it important for you to be the face of the company? Like, I know why. I know what the reason why I wanna prodding

Justin:

me because Yeah. Because people don't do business with entities and corporations and, you know, they do business with people. And not just people, but people they like. Know, trust, and like. You have to have that connection, or, you know, in order to gain that trust and and have that really I mean, ultimately, it's because it's a relationship.

Justin:

We're humans, and this is a relationship. So That's right. Yeah. So that that was the tip. And then, we just kinda started talking about I think you said well, you just mentioned a minute ago.

Justin:

Let's run a marathon together. And Yeah. You've been you've been going to the gym like a beast. I think an hour a day or some nonsense. Right?

Bryan:

Sometimes an hour, an hour and a half. It all depends. It was all and and mostly at the beginning. Now nowadays, I might go, like, 3, 4 days a week, but the the intent was to get back into shape, get back into a healthier state of body and mind, because for a long time there, I was oh, I think I was creeping up on almost 270, down, you know, down 70 now, like around 195. And I was like feeling really tired and lethargic all the time.

Bryan:

And, obviously business was impacted because of it because I didn't have the the, you know, mental capacity, the mental energy, physical energy to be able to keep up with what was going on. And, it definitely affected business, affected our clients, affected our employees, and general mood around the office. And I find now, you know, now that I've I've been going and exercising, I'm more awake, more more, you know, more everything, more, you know, a lot better sleep, a lot more energy, be able to keep up with things, be able to think faster on my feet. It's it's insane.

Justin:

Yeah. Yeah. It's huge. And I I have to confess, I'm kinda tattling on myself. That's why I wanted to bring this up because I, you know, I used to run marathons.

Justin:

On demand, I could run a half marathon. I had to train for a full, but on demand, I could run a half marathon with no preparation. And I let everything go. There are a lot of reasons, which I'm not gonna get into. But, you know, I I let myself go to the point where now I cannot even run, a 5 k without stopping and gasping for air and and possibly collapsing.

Justin:

CrossFit. I've never done it before, but I'm gonna I'm gonna do that as kind of a cross training. And then I do plan to run the Chicago marathon in just a little over a year. So I'm gonna give myself a little time, but, because you're right. Excuse me.

Justin:

You can I can see and feel a difference? I see it in the mirror. But Yeah. But the the feeling, the the sluggishness and and whatever is

Bryan:

Any clients can see

Justin:

it. Right? Absolutely. Oh, yeah. Oh, yeah.

Justin:

Yeah. So it's time. It's time. So, I'll be reporting back in in a future episode on how that goes.

Bryan:

That's our weekly business tip. Be the face of your company and, get in shape.

Justin:

And make that face look good. Right? I mean, listen. If you're gonna be the face, look decent. Take care of yourself.

Justin:

Trim up your beard, for example. Oh, shit. I didn't do that today. Yeah. Well

Bryan:

You look beautiful, Justin. We're glad you.

Justin:

Thank you. Alright. Let's wrap this up, Brian. I love I've kind I'm kind of proud of this formula that's kind of evolved, at least in my brain as we've done this podcast. I used to run with this 97% number.

Justin:

Yep. I stole it. I didn't come up with it. I do I I can, you know, unscientifically validate it that you can prevent 97% of breaches with best practices. Just do the basics.

Justin:

Basic. Care of the stuff we talk about. You're you're 97% good. So protect your technology, protect your data, and protect your people. Do that right.

Justin:

Follow the best practices. Probably you wanna hire us to do that for you because this is not a a self help kind of thing. It's very complicated, very difficult. But with that in place, you're you're 97% there, but I don't like that. I don't like having that 3% lingering.

Justin:

And so the the wrap up the formula, it's kinda what we were talking about earlier. Policies and procedures, review them, update them, and and and those things within your organization. Don't just put them on a shelf, and then get a good insurance policy and know your insurance agent. Right?

Bryan:

And your policy and procedure is not just during, but or after or before an incident, but, like, during. Like, what are you gonna do to continue your business going? Right? That's also part of it.

Justin:

Right. And that's just the one. That's just the, incident response plan, but you've got, you know, how do you want your employees using technology that you provide them? Do you want to allow them on social media? Do you want to allow them to download files?

Justin:

You know, there's a lot of things that need to be thought through from a business perspective and then put in the paper, signed off by an attorney, and trained on. You know? It's so, you know, don't just hand an employee a stack of papers when you hire them that's 100 pages long. Make them sign it and think you're good. Forget all about it.

Justin:

No. Yeah. For fuck's sake, you'd come back a year later. They don't know what they read. They just wanted a job.

Justin:

They're trying to get a paycheck. That's stupid. So, that that's dumb. But, anyways, that is, what I I genuinely believe. If all those things in place, we are now at 100%.

Justin:

My attorney and my insurance company both will not let me say it's 100%. So I'm just like, this is my personal opinion that has nothing to do with, you know, whatever, fine print. Yeah. But that helps me sleep at night, having all that in place. That that makes me very comfortable.

Justin:

So that is how I roll personally. That is what I do for my clients. Brian, do you have any, final thoughts or takes on that formula or anything else we've talked about today?

Bryan:

I think I think that wrap up is pretty good.

Justin:

Okay. Alright. Well, thank you for that, that deep summary.

Bryan:

Yeah. Oh, get 1% better every day.

Justin:

There we go. Alright. That's that's at least something. Alright, guys. Thanks for tuning in.

Justin:

As always, go to unhacked.live and schedule a free assessment. We can work with you on all of this stuff, and and and much of this will be free. We'll do an assessment. We'll give you a full road map. We'll show you what needs to be done, and then you can hire us to implement for you.

Justin:

You can self implement, or you can take it to your tech team and say, do this. Right? Do this. So unhacked.live. That's it, guys.

Justin:

We're gonna wrap up, and we will see you next week. Take care. Brian, thanks for being here. Cheers. Thanks.

Creators and Guests

Bryan Lachapelle
Host
Bryan Lachapelle
Hi, I’m Bryan, and I’m the President of B4 Networks. I started working with technology since early childhood, and routinely took apart computers as early as age 13. I received my education in Computer Engineering Technology from Niagara College. Starting B4 Networks was always a dream for me, and this dream became true in 2004. I originally started B4 Networks to service the residential market but found that my true passion was in the commercial and industrial sectors where I could truly utilize my experience as a Network Administrator for a large Toronto based Marine Shipping company. My passion today is to ensure that each and every client receives top of the line services. My first love is for my wonderful family. I also enjoy the outdoors, camping, and helping others. I’m an active Canadian Forces Officer working with the 613 Fonthill Army Cadets as a member of their training staff.