28. 4 Steps to Securing ALL of Your Critical Data
Welcome everybody to episode 28 of unhacked. And, Mario, I haven't said this in a while, but unhacked, I came up with this title. It is a deliberate misnomer. Because the truth is 97% of businesses or breaches could have been prevented. Like, basic cybersecurity measures, the stuff we talk about week after week, preventable.
Justin:But once you've been hit, you cannot get completely unhacked. Right? We talk a lot about the emotional damage, the financial damage. We don't wanna go there. Last week, we had Joseph on here.
Justin:Phenomenal episode. Probably my favorite episode to date. And that was kind of the point he made over and over again is, like, your insurance guy, you only wanna see me once a year to write a check. You never wanna talk to me during the year after you've written that check. You never want a cybersecurity claim.
Justin:So, you know, week after week, we're here, and we are here to empower busy and busy and overwhelmed business owners to outsmart the Russian hackers. We wanna keep you out of their, out of their sites, out of their scope. And if you get in that scope, we wanna pretend prevent everything that they could throw at you. So, we're gonna talk about the best practices, the 97%, the the the basics, right, and how to get those in place. And then at the end of the episode, like we do every week, we're gonna close that 3% gap.
Justin:Because if I'm telling you we can get you 97% secure, what the hell do we do with that other 3%? So, that's that's always our our closer. So I am Justin Shelley, CEO of Phoenix IT Advisors. I work with businesses kind of all over. We're in the Dallas area.
Justin:We're, pretty heavy in Northern Nevada moving into Idaho and Utah, and I am here. We're missing 1. We, we usually have Brian here, but, Brian bailed on us. So we are, but, Just my good buddy, Mario. Mario, tell us a little bit about yourself, what you do, where you're from, all that kind of stuff.
Mario:Mario Zaki, owner of MasTec IT. We are located in our brand new office, brand new facility in Ramsey, New Jersey, and we service, the entire New York, New Jersey area, some Pennsylvania. We'll we just like Justin said, we'll do a you know, go all over the place. But we've been in business for 20 years and, you know, a lot of satisfied customers. Alright.
Justin:That's a lot of years, Mario. That's a I don't know if you know the, I mean, statistics. Right? For whatever they're worth, the the probability of a new business surviving 5 years is, you know and I've heard different numbers, so I'm not gonna throw a number out there. I just say you it's it's not great.
Mario:Yeah.
Justin:You know?
Mario:And then I
Justin:And then of those that that make it the next 5, that make it all the way to 10, really, really not great. And so what did you say? 25?
Mario:20. 20. 20. Okay. I remember after I because that's the 6 has been around for a while.
Mario:I remember when I put, I celebrated my 5 year anniversary. I was, like, so excited. Like, I made it.
Justin:I was like, victory. We did it. We did it. Oh, shit. Yeah.
Justin:Okay. So today, I mean, congrats though on the on the office. That's that's a that's a huge leap, huge step, and congrats on the 20 years. You know? I can't I've been I've been doing IT consulting for, god, 1997 is when I went in.
Justin:So we're coming up on 30 years, but I can't say it's been a straight line. Things went great. 911 hit. That kinda Yeah. Knocked me down a few notches.
Justin:I actually got out of IT and went into aviation for a little while, Got back into IT, renamed the company. So, I mean, it's been a lot's going on, but, I I can't leave it. I keep trying to quit IT and keep trying to quit, you know, and I can't. So I just keep coming back. Here I am, down at 30 years later.
Justin:So I anyway, I'm back on track. Today, we are gonna talk about how to make sure all of your critical data is backed up. And then we're also gonna break down you know, usually, I look for headlines, news articles, current events of data breaches that we can learn from. But today, this is my my favorite and least favorite type of security event that we're gonna break down because this is real world firsthand information. So that, I think that's where we learn the most lessons.
Justin:So, after we wrap that up, as always, like I've already said, we're gonna bring this 97% formula to a full 100%. Don't tell my attorney and don't tell my insurance provider that I'm promising a 100% because they all tell me I can't do that. But unofficially, you get to a 100%, because the bottom line is we're just trying to protect you, your business, your money, your bank account from the likes of Boris Grishchenko, the, I don't know. You know, I I use this guy because I wanted the name for a cyber secure or a cyber villain, and I I just googled it. I've never even seen the movie.
Justin:Apparently, it's from a James Bond show. I'm gonna have to go back and watch it, but he's the guy that I'm gonna pick on. He's not real. He can't sue me unless there's some other Boris Krashchenko out there that comes out. Who knows?
Justin:Who knows? Alright. Here we go. So we, you know, we kind of start with the current cybersecurity event, and you threw a curveball at me today as we were prepping. And, I guess you you had a couple of I mean, 2 in a week.
Justin:Right? Just some kinda out of left field calls from from somebody who has dealt with a a pretty significant event. So I'm just gonna punt the ball to you, Mario. What happened? Who'd it happen to?
Mario:So we, you know, we do normal marketing, you know, to prospects, you know, and stuff like that, and we we actually call them to follow-up on the marketing we sent. And 2 in 1 week tell us perfect timing. Let's set up an appointment. Let's do it. You know, one of them actually wanted an appointment the same day.
Mario:The other one we sat with, yesterday. And one of them did not have cybersecurity insurance. Their email their email got compromised, and they ended up wiring, a $100,000 to a hacker. The one that we spoke to yesterday, I'm not sure if they had cyber security insurance or not, but very similar. Their emails got hacked, and they wired a $175,000 in, to somebody overseas or some somewhere.
Mario:Every now with the one yesterday, they I actually saw the, the email chain that they they had, and they started off just conversating with their like, a normal customer of theirs.
Justin:So they thought that's what I was gonna ask. They thought this was a a customer slash client.
Mario:Yeah. So Okay. They they thought well, in the beginning, it was conversation that they were having with a customer
Justin:or or,
Mario:you you know, or
Justin:a vendor. Okay. A vendor. Okay.
Mario:And and then what ended up happening is supposedly, you know I don't know. Maybe I think they said, like, a month ago or something. One of the users that same user that was with the email, they clicked on a a link.
Justin:Oh, okay.
Mario:The hacker then gained access to their email. Now they never, from what I we saw, they the hackers never gained access to their computer. They never gained access to, anything besides their email box. And then Interesting. And then what the hacker ended up doing is, I guess, you know, like what we've said, they probably analyzed every email that was going in and out.
Mario:You know, they probably used AI, and they found out, like, this one, you know, this one email chain was pretty valuable. They ended up it's apparently, it looks like they took, like, a, like, a copy of the whole email and then created a whole brand new domain, complete brand new domain, and they and it was a very unique domain. It was, like, couple letters and then, like, I think it was, like, you know, piping afterwards or something like that. And what they ended up doing is they purchased a brand new domain, but instead of an I, they changed it to an l. You couldn't you can't you can't really identify this unless you know what you're looking for, and you're, like, zoomed in.
Mario:You know, if you're on your normal, like, small font, you know, you're trying to fit. You had to I had to, like, I had to literally zoom in, and I was able to see, yeah, the on one day, the conversation was with the I. The next like, 2 days later, it was a conversation with an l. Damn.
Justin:And that okay. So real quick, I wanna interject that fonts can be a huge problem with this kind of thing. A lot of times, you have to copy that text and dump it into, like, a I I put it in, like, notepad or something like that that doesn't use any fancy fonts to to see what's really going on because, I mean, some fonts take 2 letters and combine them into one character. You know? Like, it's just there's some weird stuff that goes on with fonts.
Justin:So Yeah. Yikes. That's tough.
Mario:And they literally and the conversation was like, hey. We didn't get your check.
Justin:Oh, man.
Mario:Re resend your check. And they were actually pretty smart. They're like, could you resend the check? And something about something I I I didn't really read the full details of the the conversation, but then, apparently, it says, well, actually, to speed up time, can you just send me an a can you send ACH? Here's our ACH information.
Justin:Oh, wow.
Mario:And a $175,000 later. And they actually didn't notice it for, like, a few I think it was, like, 2 weeks.
Justin:Okay. So let me let me back up and I think what you said was they sent your prospect or whoever sent a check, a paper check, and then the the bad actor, the fake, vendor came back and said we didn't get the check. Send it again. Oh, wait. You know what?
Justin:Never mind. On second thought, why don't you just do a a a quick wire transfer or ACH
Mario:or whatever?
Justin:Okay. And I trust that the check that went out then had already been cashed. They weren't able to, I guess, that's the one that was legitimate. So they've got a a bill to pay. They couldn't really stop payment on that, and they've wired now money again.
Justin:They can't stop payment on that because it's Yeah. It's fraud. It's gone. Banks can't get that money back. Oh my god.
Justin:Okay. This sucks. And and is this the one that does have insurance or does not have insurance?
Mario:This is the one I believe had has insurance.
Justin:Okay. And do you know and I don't know how closely you're working with them, but do you know if if they were able to get that money, in a claim? Were they able to get that money back?
Mario:I I mean, just as a disclaimer, these are not my clients. So Right. I mean, we're we're working on making them our clients. Yeah. But, essentially, I I don't think I don't think, they will be able to get the money back because when you do something like that, I think you only have, like, a week or so to get it back if the money is in the account.
Justin:At most. At most.
Mario:At most.
Justin:Yeah. Yeah. Most of the week. 24 to 48 depending hours depending on on the type of transaction. So yeah.
Mario:Yeah. And chances are once that money actually goes right into the account, it's pulled out or transferred.
Justin:Yep.
Mario:You know, like, you you're not gonna be able to
Justin:Close the account down. Yeah. Yeah.
Mario:Yeah. You know? So so, I mean, I know the first thing I told them to do is, you know, they have to go fill out a police report and stuff like that. So if they were getting their money back, they wouldn't be filling out a police report. But this Right.
Mario:This event, I I think happened I think that whole thing happened actually in the beginning of August, and they didn't realize it until, like, towards the end of August because the original vendor is like, hey, dude. You know, where's where's the money you told me you were sending? You know, or something. Like, they they they it'll it went, like, I I didn't really you know, like, they're they're living in some pain. I don't I didn't wanna sit there and kinda get, like you know, feel like I'm Yeah.
Justin:You know?
Mario:Because they're also not a client of mine, so I don't wanna ask personal questions. But, they they it seemed like they didn't really completely realize it until, like, a few a few weeks later.
Justin:At this? Okay. I mean, not planned, but this comes right back to you know, as I introduced the episode today and talked a little bit about, you know, this intentional misnomer, the word unhacked. This is what I'm talking about. This is preventable.
Justin:This is preventable stuff, and we'll we'll get into that. We'll talk about how it could have been prevented. But damn it. Once it happens, it's over. Right?
Justin:You're not getting that money back. Maybe you get it back from the insurance company, maybe. And maybe you don't. And and it sounds like maybe, you know, in one case, they they may have. In the other case, no insurance.
Justin:You're you're just screwed. But, man, we've we've gotta prevent this stuff. We've gotta catch it earlier on. So, looking at this one and let's let's kinda dive into the one where they bought a new domain and they changed that one character. Imperceptible.
Justin:Like, I I can't sit here and say, hey, guys. Here's a good strategy on on not falling to that URL scam, you know, because it's it's so almost impossible to detect. But we can talk about
Mario:Like, honestly, the way it looked, like, I saw it. I I hate to say it, but I think I probably would have fell for it myself.
Justin:That's what I'm saying. The wiring.
Mario:I wouldn't have done the wiring, and we'll That's
Justin:where we're gonna go. That's where we're gonna go. So
Mario:Yeah. The domain That you can you can avoid them.
Justin:You can't you can't tell on some of those. I mean, some of them you can, but that's assuming, by the way, that you've got nothing to do in your day. You're not overwhelmed. You're not stressed out. You're not overworked.
Justin:You're not underpaid. And all you have to do is sit there and look at URLs and find out if they're fraudulent or not. Right? If that is your game, you may or may not figure it out. But for the rest of us, for the humans in the room, you know, who are overworked, underpaid, stressed out, we're not sitting there and deep diving on every goddamn URL that we click.
Justin:Unfortunately, we should be, but we just don't have that attention span. So what do we tell people, Mario? If you could have rewound the clock 2 months and this had been a client and you could have worked with them, What would you have taught them or or showed them to do in order to prevent this?
Mario:Well, it's so what I probably woulda and and I have tell this to clients all the time. Like, anybody that comes up to you or emails you Sorry. If anybody emails you, they wanna change their ACH information, their the like, for their paycheck or any customer says, you know, I need to change this. Get on the phone and talk to them. I actually went through a very similar, situation, about 2 weeks ago, 3 weeks ago.
Mario:I was switching from TD Bank, to Chase. I I was sick of TD Bank, and I switched over to Chase. Now I have a good amount of customers that will send me, direct you know, every month, they'll just send me a ACH payment for the amount. I sent out, an email to the people that I know do this, and I told them, like, as of this date, I wanna change, you know, my the, you know, my bank account information. So please, like, here's my information.
Mario:Call me to confirm this this in I'm doing their security. So I'm pretty confident in their but I was I did not wanna risk it. I didn't want that phone call. Like, hey. You know you know, when I say, I'm like, oh, I haven't gotten paid in 2 months.
Mario:I didn't like, oh, no. We changed it. So I told them, like, here's here it is. Call me so we can go ahead and, and confirm it over the phone.
Justin:Can I ask? And and tell me no if you don't wanna answer this live on the air. But, what percentage of your clients responded to that and called to confirm?
Mario:Well, I I sent it to no. I I there isn't that many that actually sent it. There was a total of, I think, 7.
Justin:Okay.
Mario:And, one of them replied. 1 of them actually called me.
Justin:So what'd you do with the other 6?
Mario:I I've been I called them. I'm like, hey. Listen. I know you Good. I you know, I'm like, a couple of them replied saying you need to fill out this form.
Mario:So I I got the form. I sent it to them, and I called them. Like, hey. I sent you the form. I just wanna make sure, you know, it's this number.
Mario:This is the number. Like, yeah. That's what we got. So, I mean, I had to take the initiative, which is fine. My point is you have to have a conversation either over the phone
Justin:You do.
Mario:If it's an employee, in person.
Justin:Yeah. And and I I asked that. I'm not I'm I'm almost putting your clients on the spot, so I hate I hate that question that I just asked. But it is in line with what I expected. Taking that extra step, it takes a few minutes, but it's so easy to get overlooked because we're so overwhelmed with everything we're doing day in and day out that, you know, one out of 7 took the security measure that will prevent this.
Justin:And, guys, this is why the Russian hackers are winning. Damn it. This is why. This is why. So, I mean, good for you.
Justin:This is the world you live in. This is what we talk about week after week. It's what you talk about with your clients day in and day out, and so you're gonna take those steps. But, man, it's it's so hard to to drive this message home to people. And and so we've talked before about changing when when, ACH or wiring instructions are changed to make that take that additional step to pick up the phone or verify another way.
Justin:But one thing that was interesting in this that I hadn't really considered, I guess, is there were not ACH or wiring instructions on file already that were changed. They didn't exist, if I understand this correctly. It was, hey, send me a check. You know what? On second thought, let's go ACH this time.
Justin:And so the same process needs to apply if you don't already have that information on file, or it's being changed, you know, and I just wanted to clarify that. So every time payment information is added, changed, deleted, or whatever, verify, verify, verify. God. We're talking about a quarter $1,000,000 here. Over a quarter $1,000,000.
Justin:Gone. Right? Up in cyber smoke, it's just gone. Even if you get it back from the insurance company I mean, listen. The last thing we wanna do is put all these insurance companies out of business because here's another scary truth.
Justin:There's a lot of go this going on, and insurance companies aren't able to pay out at the rate that we are increasing these breaches. Right? So it's like, eventually, we're not even gonna have insurance because this is getting so bad. That's kind of what's got my attention right now. So we actually I'm in a personally, I think we need to protect them as well.
Justin:You know?
Mario:No. I agree. Actually, I had a conversation with, my Allstate agent, a few months ago, and he was saying Allstate is getting out of the cybersecurity insurance business. They don't they don't wanna do it. And Allstate is a pretty big company.
Mario:They don't they don't wanna have a what's gonna end up happening is gonna be a lot less insurance companies. And as you know, in every industry in the world, if there's a still a high demand, but there's, you know, less insurance companies out there, the rates are all gonna go up.
Justin:Goes through the roof. Yeah.
Mario:Yeah. Yeah. You know?
Justin:And and that goes back to what, Joe was telling us last week. The insurance guy that we had on here, like you I'm selling you insurance. You would think I would want you to buy more insurance, but I don't. I want you to buy more protection. I want you to prevent this stuff.
Justin:I want you to never have to call me. So alright. Let me bring my blood pressure back down a little bit, and we're gonna move on to our weekly cybersecurity tip, which is what we named this episode after. So how you know, the 4 steps to securing all of our critical data. Now, Mario, have you ever had the experience where you you meet with a prospect?
Justin:You know, hopefully, none of our clients feel this way, and I'll protect a few of mine who I have a hard time reaching, and getting getting the right mindset out of them. But have you ever had somebody look you right in the eye and say, I don't have anything worth protecting?
Mario:Oh, absolutely.
Justin:None of my stuff's important. You know? I don't I don't have any data to worry about. So to combat that, I I wanna talk about this. I mean, you know, we've we've dabbled with it before.
Justin:I have a webinar where I talk about this quite a bit, but, how is it that we protect our critical data? And step 1 is actually just identifying it. And so I'm gonna I'm gonna blast this off real quick, and then I wanna kinda talk about it and get your take on this. But I would say build a spreadsheet, you know, just a very simple spreadsheet. Column 1, what is the key business function or application that we're talking about?
Justin:And there should be several of them at a minimum. We've got HR. We've got, sales and marketing. We've got operations, and we've got finance. Like, just if it's nothing but those 4 basic ones, get those on a on a spreadsheet.
Justin:And then that's column 1. What is the function, or what is the application within that function? And then column 2 is what type of data is involved? Column 3, where is that data stored? And column 4, what is your process for backing up, restoring, and verifying?
Justin:So what are your thoughts? And let's just let's start with column 1. Let's talk about how do we identify the key business functions or applications. And maybe we can do let's pick a sample client. Do you have an industry that you focus on, Mario?
Justin:Is there a specific industry?
Mario:Construction engineering.
Justin:Let's let's just, let's make a fake construction company that is a client of yours, and you're running through this this list with them. What would be in column 1? What are some of the basic functions or applications that they use?
Mario:So, I mean, with some of them, it's gonna be QuickBooks. Some of them are, you know, software like what's called Procore, even Microsoft Outlook, like email, Microsoft SharePoint, Microsoft OneDrive. I mean, the regular server is holding critical data. I mean, there's a, you know, AutoCAD, you know, Revit. There's a bunch of programs that they they all use.
Mario:But
Justin:That's perfect. Let let's let's did you have more? Sorry. I cut you off.
Mario:No. No. No. I mean, I can go on for a while because they're all different, but those are the critical ones.
Justin:So there's there's 6. Right? Now if I go back to my my cute little, 4 column table that I just described, We're gonna hit these one at a time. So QuickBooks, what type of data is involved with QuickBooks?
Mario:So QuickBooks, you know, most of it is gonna be accounts receivable, who owes you money. You know? You you wanna keep track of who owes you money, a list of all your customers, and then in a lot of other cases, is the accounts payable, what bills you've paid. You don't wanna pay a bill twice. You know, so you wanna see what you've paid and, you know, what check number and where you sent it and stuff like that.
Justin:Okay. So we've got and and you know what? We could build this column or this this table just as complicated as we wanted. I want this to be simple just for the sake of this conversation. But we could also talk about hold on.
Justin:I I lost my complete train of thought there because I was I'm I'm building this little table that I want. I'm gonna I'm gonna get back on track. It's okay. I was going off track anyways. So we've got client information, client, vendor information, accounts payable, accounts receivable.
Justin:So two things. Number 1, this information is valuable to other people, to bad actors, to hackers, to, Boris, whatever Russian guy. Right? This is valuable information if they get a hold of it, number 1. And number 2, if your client was to lose this information, it's it's devastating.
Justin:It can be very problematic. So this would be you know, if we were to put a risk on this, a a score on it, this is this is way high up there. So that's the type of data. There's also gonna be financial like, if you have the right access to QuickBooks, you can pull credit card numbers, bank account numbers, routing numbers, and stuff like that. So, really, really high risk in our finance software.
Justin:Alright? Yeah. I mean, I can
Mario:take it even further. If they have full access to your QuickBooks, they could log in, change their account information in QuickBooks. So one of your customers pays you, pays one of your invoices, they're actually paying the hacker.
Justin:Yeah. Yeah. So we we wanna keep people out of QuickBooks. Oh, no. No.
Justin:That's that's just that's fine. Okay. So if we're we're gonna go down the line here, and let's look at Procore. So what kind of stuff is stored in Procore?
Mario:So Procore is, like, what, like, the engineers and construction use. Like, it'll they'll that's where they'll see their blueprints, adjust blueprints, create, you know, the blueprints for a job, essentially.
Justin:So we've got this is this is our basic operations, how we conduct business day in, day out, processes, procedures, service delivery. Without this like, without QuickBooks, we can still deliver services. But without this, we're kinda dead in the water. Right?
Mario:Yeah. Yeah. Exactly.
Justin:Alright. Outlook. What type of data? I mean, this is obvious. We don't need to spend a lot of time here.
Justin:We're just gonna call it communications. Mhmm. But, potentially, we could have data, like, a lot of times people shouldn't, but they do send, PII, personally identifiable information, stuff that could violate regulations depending on which industry you're in, if it's not encrypted. So we have to be pretty careful with this one as well. SharePoint, what what do what do your clients your construction clients normally keep on SharePoint?
Mario:Well, again, they'll they'll like, PDFs of, like, drawings of, you know, the the jobs that they're working on, the specs of, like, the jobs, and, you know, that's where, you know, every department, the electrician knows, like, what they need to, you know, have in stock, what they're doing. You know, like, all their data. Like, it's it's Procore was the blueprints, you know, then, you know, SharePoint, they'll use for the actual PDFs of of each job.
Justin:So we call this stuff like that. Call it intellectual property, IP. Right? This is kinda where, it it's it's not tangible, but it's very valuable. Mhmm.
Justin:Right? Okay. Servers. What, these days, what are your clients keeping on servers? Because this is an interesting topic that we've already talked about as far as cloud versus on prem, but what what lives on servers these days?
Mario:So a lot of it is, you know, it it really is 2 schools. Like, some wanna go cloud with, like, with SharePoint, you know, and then some wanna keep a local Same thing that they would normally put on SharePoint, they would put on on,
Justin:sure. Either or, not an and usually. Although sometimes it can be kind of a hybrid. Yeah.
Mario:Okay. Yeah.
Justin:And and AutoCAD type of data, I mean, this is kinda where they're building the stuff we've already talked about. Right?
Mario:Yeah. Yeah. Very similar to, Procore.
Justin:Okay. Yeah. So we'll call this operations process service delivery. Okay. Now we're gonna go back, and and we'll do this pretty quick because this is gonna get boring as hell for people that don't care about this.
Justin:But where does this data live? So let's talk about QuickBooks. Usually, are are your clients using, QuickBooks on prem, like, that they install locally, or are they using QBO?
Mario:Some of them some of them have it on the line online. Some of them have it locally. Usually, the people that have the server will have it locally.
Justin:Fair enough. Procore, where is that stored?
Mario:Again, some of it local, some of it on the server. So sorry. Some of it local, some of it on the cloud.
Justin:Some of it cloud. Okay. Outlook is mostly cloud these days. You have anybody that has their, in house No. No.
Justin:We don't. Forgot the name of the server. That's that's beautiful. Exchange server. It's never you
Mario:won't take out a client that has has has that. They're like
Justin:I used to love Exchange Server. Don't get me nerd and out. Anyway, SharePoint is cloud. Servers are on prem. I'm just going back to where this stuff lives.
Justin:And then AutoCAD, is that mostly on prem, or do they have cloud storage for AutoCAD?
Mario:It's either or. It's very similar to, like, Photoshop. So, like, it's the program, but then the files may be stored local or, on the cloud. A lot of it is local because it's such big files.
Justin:That's yeah. That that was kinda my understanding with I haven't done much with AutoCAD in a minute. So alright. Now the fun part, QuickBooks. And we have to divide this, and and we're not gonna deep dive on this.
Justin:But if we have, you know, QuickBooks installed locally, then our process to protect it is very simple. Right? It's a data backup. And we could deep dive on data backups, which was kind of what we're supposed to do here. But here and here's why I didn't though is because data backup used to be the be all end all.
Justin:Right? It was it was it. If you had your data backed up, you had either a tape drive or, you know, a local hard drive that you swapped. Then we started introducing some cloud storage to that, and then it's a hybrid. But that was all when the data all lived in house.
Justin:And now kind of the point of this exercise is the data's all over the place. We are only talking about 6, processes, 6 applications, and all of them but the on prem server could live locally. It could live at a cloud, and then which cloud? Right? Because, I mean, this gets complicated.
Justin:Right? So and that's why I I the point of this exercise is, so many people say, well, we went to the cloud. Everything's safe. Everything's fine. Right now we just don't know where it is.
Justin:Now we just don't know where it is. That's great. How do we protect it? So if we're going to talk about QuickBooks on prem, that's easy. We protect it with a data back.
Justin:I say it's easy. It is easy, but it is also very critical, very important to monitor closely. Backups run, silently, and a lot of times they make mistakes or they stop running silently as well. So you better have a good backup that's being monitored and tested. Test restores, at least go look at your data on there.
Justin:You know? Look at their reports at a minimum. But, ideally, you're doing test restores and, like, they call them tabletop exercises, right, where we what what does the process look like, and let's let's role play it. Okay. Fire drills.
Justin:Fire drills. Yeah. Exactly. Now cloud QuickBooks, QuickBooks Online. How are we protecting that one?
Mario:We're trusting that in Intuit is backing up your data. But one thing you gotta remember, and I haven't actually tested this recently, but, you know, when we're always when we're talking about backups, we're always talking, oh, in case of a hacker, you know, gains access, you wanna have a backup of your data. Well, what about if you accidentally messed up your data yourself? You know, what if you accidentally just you thought you were deleting, you know, something you didn't need, but you ended up needing it. You know?
Mario:No hackers was involved, but you may have to restore to someone. Now I'm pretty sure I'm pretty sure, QuickBooks online does let you do your own backup.
Justin:It does.
Mario:You're right? So backups I always tell people, I'm like, listen. We're we're gonna back up your stuff. You know? If it's a server, we're backing it up every 2 hours.
Mario:You know? And we're storing it locally. We're storing it on cloud. But once it goes to the cloud, it gets replicated to another cloud. But if you feel like you would like to back up your own QuickBooks or your own you know, stuff like that, go ahead.
Mario:You could never have enough backups.
Justin:And have too many. Yeah. For sure.
Mario:Backups are like the only one thing that you could never have too many of. I I can't think of anything else that you could have too many of besides money. I'm I'm
Justin:I'm gonna I I agree 100% with you, and I'm gonna add something to that. You have to be careful where you store that backup. Because when we're getting back into cybersecurity, we're gonna export. We just talked about how sensitive and critical this data is, and now we're gonna export it. And by the way, when you do a QBO backup, QuickBooks online backup, it comes out in the form of an Excel spreadsheet.
Justin:So that's very accessible data. So we have to be careful with it. You know, again, it comes down to process. And then I would say if you're going to do that, it wouldn't be a bad idea to build yourself a sample QuickBooks online account. You know, there's a trial or whatever.
Justin:Have a second account and try an import of it, and make sure you get back a price.
Mario:You could always create free trials. They're always offering free trials.
Justin:Right. So do an export, do an import, and then may be careful where you store that data in transit and then, you know, in the meantime at rest. So
Mario:Yep.
Justin:It gets complicated, Mario. This, I've said before, this is not a do it yourself industry. Cybersecurity is not a do it yourself. Get get somebody to help you out with this stuff. But regardless, you know, the the first step, and this is really the point I wanna make is just to start diagramming this out.
Justin:Find out where your information lives. Find out, what's being stored, where it's being stored, how it's being protected. And it doesn't take very long before, you know, into this process where somebody's gonna say, okay, I guess I do have information that's, important and needs to be protected. It's really easy to say, I don't have anything the bad guys are after until we start doing this exercise. So I'm gonna kind of cut this off here because like I said, this could go on forever.
Justin:This is not a simple process.
Mario:But to answer your to kinda answer your original comment is people and we hear it all the time. People say, well, I don't have anything that, you know, the hackers are gonna want or anything that I need. A lot of time yeah. Every single time, the hackers don't give a shit about what, you know, what data they're taking from you. They don't want your data.
Mario:You want your data. It's like your children. They don't want your children. You want your
Justin:Right. Right.
Mario:Right. And I think I stole that from you. I but but, you know, it it's there's always something. You know? Even if you're a plumber.
Mario:You know, a plumber, you know, you're mostly just get a call, you go on-site, you you create a work order, you take a check, you take cash. You need to keep track of it. You know, most of them are keeping track of those. You know, landscapers. You know?
Mario:They they can have landscapers is an industry that can have, like, a 100 employees, and the whole time they only have one computer. You know, they have one computer where the daughter of the owner does billing once a month, you know, and stuff like that. But they're creating invoices. They need to see who has paid them. You know?
Mario:Like, yeah, they they they probably just need their weed whackers and their lawn mowers and stuff like that, but that you know, they need to know who you know, sometimes they may not even remember who their customers are if you just ask them, like, don't look at your QuickBooks. Tell me all your customers. They're not gonna remember.
Justin:Right. You made a oh, sorry. I don't wanna No.
Mario:No. No. No. Go ahead. Go ahead.
Justin:I You you brought something to my attention that, okay. So in in our industry and you and I are are members of this great big peer group, right, where we interface with IT companies all over the country, all over the world, really. And one thing I hear all the time is, you know, we define our target audience, and one of the favorite things guys like us do is cut it off at a minimum. Like, a minimum of $2 a month, $3 a month, a minimum of 5 users, 10 users. But you just talked about somebody, like a landscaping company that might have a 100 employees in one computer.
Justin:Most IT companies aren't gonna help them. That puts them in kind of a tough spot. Right? And so I'm, I'm just I'm just throwing it out there. Now I don't I'm not gonna put you on the spot.
Justin:I'm not gonna ask if you do that. I will say that I don't have a minimum, and I'm also gonna say it's really hard to make money on these little tiny companies. And little tiny, by the way, they could be doing a a shit ton of money in revenue, but it's hard for us to to display the value of that. And, you know, if I do a cybersecurity offering that's 50, 60, $70 a month per workstation, And this great big company only has 1 or 2 workstations, but this information is still super valuable, super super critical to them and valuable to to criminals. Right?
Justin:So, I don't know that I even have an answer to it. Do you do you have any comments on that, Mario?
Mario:I mean, we we get all the time, like, people that call us, like, either home users, you know, because even even if it's not a business, like a home user. You know? Like Right. You know, they want they want you know, they they do you know, they have pictures of their grandkids and stuff like that. You know?
Mario:And we're we're not gonna, you know, help be able to help them, but we usually know somebody that would be able to help.
Justin:Okay.
Mario:So you So
Justin:you you have a referral?
Mario:Re refer to to some people. Now that I know you have a a minimum, you you'll probably be my referral person, but, you know, they still have they. You're right. They still need, you know, protection, and they need somebody. You know?
Mario:And even though we may not be able to help them, we'd be more than happy to try to get them the help that
Justin:they need. Right. And this this kinda so this is one of the things I talk a lot about. Technology, I'm kind of a a tech junkie. I'll talk a lot about that I love business.
Justin:That's really my my first love. I just kinda cheat on business with technology. You know? This is my mistress. But what I don't talk a lot about is is why business is so, almost personal.
Justin:So I I love it. It's just in my DNA that I love it, but it it's a little bit personal in that, my parents have run small businesses 2 different times. The first time, it was not a good outcome, and then the second time, it was better, but, still, I've watched that struggle. I've watched my my blood, you know, lose everything. And so where I can't make myself cut off these small companies is because of that.
Justin:And and I love, like, if you don't do it, at least, you know, you've got that referral partner, and I love to hear that because, most of the stuff we talk about here on the podcast does apply to smaller companies, but also it can be very, very challenging for them to find an IT company that will do good quality work for for that small organization. So, yeah, I don't know. This this is just like a side note.
Mario:Yeah. Yeah. And the thing is and and we we will still talk to them. We'll see what they need. We we see if they you know, I actually have, a client of mine, very small, 4 users, but they're a construction.
Mario:You know, they do, like, you know, smaller construction. That company, that 4 user referred me to one of to a relative of theirs. That's one of the biggest customers that we have now. That's over 60 users. You know?
Mario:So sometimes sometimes if if every you know? And also, it it depends on, like, we're not we may not go after the smaller, you know, customers, but some of them, they sometimes they come to us and, you know, sometimes we'll help them, sometimes we'll find them a happy home. You know?
Justin:Right. Okay. And I'm gonna I'm gonna come back to this because I want one more point I wanna make before we get off of this little simple spreadsheet idea where we you know, again, I'm gonna state the column. So your your key business application or function, process, whatever you wanna call it, is column 1. Column 2 is what type of data is involved.
Justin:Basically, what we're trying to determine is how important is it both to you and and potentially to the to the bad guys. Column 3 is where is that data stored? And at as simplest cloud or on prem, but also in more complicated, sometimes we've gotta know geographically where it's stored in the cloud environment. There are regulations that don't allow it to be stored overseas, for example. And then 4th is the process for backing it up and restoring it.
Justin:And where that gets touchy, so we did QuickBooks online as an example, and it's very simple to go export the data out of QuickBooks online. You can take that data. You can import it into QuickBooks desktop. You can archive it. You can sample restore with it, whatever.
Justin:But other applications, names I'm gonna hold, and not not publish, don't allow you to back up your own data out of their system. And so you made the comment that we have to trust them. And I would argue that that's a risky strategy. So, one one thing that so we're you know, as a company, we're we do a fair amount in compliance. And one of the, assessments we can run is called a vendor risk assessment.
Justin:Have you ever heard of those, Mario?
Mario:Of course. Yeah.
Justin:Okay. This I don't know how often this gets done. It's not something that we get requested to do very often, but it is, you know, it it's pretty thorough where you just basically have to go through and and it is still a trust, but it's a trust but verify where you go and you ask your vendors a series of questions of, do you do this and how do you do it? Everything from data backup to training your employees, you know, cybersecurity awareness training for your employees. And so I would say that, you know, the kind of the the bonus point here is if you have cloud vendors where you cannot personally back up and verify the data, then at a minimum, run a vendor risk assessment on them and find out how they're doing it so that you can comfortably trust them.
Justin:Thoughts on that one?
Mario:No. I completely agree. I mean and also sometimes sometimes you kinda need to test them. You know? Like, you depending on what it is, you know, delete something that you don't really need
Justin:and
Mario:see if they can bring it back.
Justin:Yeah. Yeah. Good point. Especially, if you have to delete something anyways. Call it and tell them it was an accident.
Justin:I need it back. Give it back.
Mario:Yeah. Exactly.
Justin:Because I do think that it's it's really easy to fall into this trap that because we have a cloud provider that they've got it figured out. But guess what? They're just humans. Right? They're just people that are overwhelmed, stressed, underpaid, overworked, and everything else like we are.
Justin:And we god, we hope they're doing it, but we don't really know. So okay. And and at the
Mario:and at the minimum, no like, you know, sometimes it's you just need the knowledge just to know that, like, if you delete something, like, they may tell you, no. We can't restore you. You know? Like, it would
Justin:Right. You know, like, it's just that information.
Mario:Yeah. You know that if they can do it or not.
Justin:Yeah. Good point. Good point. Because then you can build a process around that. And and this comes back to you know, we're gonna jump shortly to the the formula, and we really do need these processes around the worst case scenario.
Justin:So, before we go though before we go there, let's talk about just we do a a weekly business tip. And one of the things we talked about before we jumped on the call, Mario, was the client analytics and profitability. And you had mentioned that in a meeting you were with with, a mutual mentor of ours, that that she had brought this up. Tell me and we'll keep this pretty short. Let's try to do this in, like, a minute or 2.
Justin:Tell me what it was that she pointed out we need to be doing.
Mario:She she pretty much and she preaches us all the time. You have to know your numbers. You know, you have to know which customer is profitable, which one is not. You know? In in, like, in our business, you know, some you know, we'll have, you know, some clients that are not that profitable.
Mario:You know, they're opening up a lot of tickets. They're on an older plan. You know, you may have given them a discount somewhere. You know, they're they, you know, they may not want, like, the full security or something. Essentially, if that customer is not profitable, you can't be afraid to to cut ties with them.
Mario:You know? You know, you may lose, like, some money, in the, you know, monthly, You know? But it you know, sometimes that money is not worth the the the the juice is not worth the squeeze. So if you Right. You know, you could always maybe increase, like, have a price increase on, like, a couple other customers.
Mario:Maybe if it's just 5%, you know, and they were slightly profitable, now you've made, you know, made it up or, you know, made got it even. But sometimes, you know, you have a customer that's just taking up too much of your time. And if you're not making money off of them, don't feel, you know, don't feel scared to to cut ties with them.
Justin:Yeah. Yeah. I I mean, I I agree with you, and, god, that's hard. You know?
Mario:It is. It is.
Justin:I've got clients and especially where I just talked about how, you know, I will take on smaller clients where it is harder to be profitable. I'm not saying it's impossible. I'm just saying it's harder. You have to do things really smart. You have to be careful, because those relationships, those clients can suck you dry if you're not careful.
Justin:So, yeah, know your numbers, know what you're up against, analytics. This is I think it's like, nobody's gonna say, oh my god, I never thought of that to to run your business by your numbers. But doing it, actually executing on that can be a different story and knowing what the proper numbers are. Like, just even knowing what numbers you should be looking at can be a challenge. So, I might make a a plug here for EOS, entrepreneurial operating system.
Justin:You know, if if you're not, and I'm talking to our our audience here, if you're not using some sort of a a business coaching platform or or and they call this an operating system, which I kinda love, I I highly recommend it. It's easy. It's simple. Easy to wrap your brain around, and it does help you kinda deep dive into these numbers and and get a handle on, what data points you should be looking at. So, alright.
Justin:Let's move to kinda close this thing up here. We're over 45 minutes in, 48 minutes in according to my timer here. So time to wrap up. Mario, this is where I like to bring the whole thing home because, for years, I've been talking about this 97% number, which I stole to be fair, that, you know, 97% of breaches are preventable with basic security measures. And that it's just the stuff we talk about week after week.
Justin:If you do this, most likely you're not going to get breached. Most likely. And, you know, 97%, that's pretty solid. However, we've got so much writing on the line that I don't I'm not comfortable with that 3% gap. I don't want it for me and I don't want it for my clients.
Justin:So the 97%, it's not easy, but it is simple. We need to protect our technology. That means antivirus, firewalls, you know, that sort of thing, 2 factor authentication. We need to protect our data, which means data backup, which is what we talked about today. We need to protect our people.
Justin:This is education, cybersecurity awareness training. Get those three things in line. Do them right. Do them according to best practices, and most likely, we're not going to get breached. Right?
Justin:Most of the breaches we talk about, they were failing in one of those areas. Now because that's not enough, we wrap it up with the how we close that gap is policies and procedures, number 1, making sure that we have, you know, what to do, what we allow our people to do with our technology. Can they get on Facebook? Can they do, you know, whatever with with business computers? Can they bring their own devices?
Justin:All that kind of stuff. Define how you're going to use technology and make sure everybody understands it. Constantly educate about it, at least once a year review these. Because what happens a lot of times people put them in the hiring book. You know, your your playbook when you bring on a new employee that's a 150,000 pages long and you put them in a room and you're like, here, read this and sign when you're done.
Justin:And if you want that paycheck, goddamn it, you better sign that that line saying that you've read and understand and agree to everything in here, and then we move on. We gotta bring these things back up. We gotta make sure people really understand what it is we're telling them they can do and and why. And then the final step go back and listen to episode 27, guys, if you haven't. A phenomenal episode, about cybersecurity insurance.
Justin:Definitely have a good insurance policy in place. That is what makes me feel comfortable that we have this thing wrapped up at a 100%. Just don't tell my attorney or my insurance company. Mario, final thoughts, key takeaways. Anything else you'd like to say before we close this thing up today?
Mario:Well, I have another way you can get to a 100% without any of that stuff.
Justin:I'm all ears.
Mario:Turn turn off your Internet. If you don't need Internet
Justin:Don't live under a rock.
Mario:Exactly. They burn past. That's all you need.
Justin:I I actually I I used to do that at the beginning of my webinar. I would, I would play a video that just scare the shit out of people. I'm like, doesn't that make you just wanna go, like, live under a rock somewhere?
Mario:Exactly.
Justin:Here here's some good news. So don't end with that. That's bad news.
Mario:No. I'm just kidding. I mean, listen. You know, there's people there's companies we've talked to. There's people we've talked to that, you know, kinda feel like they're, oh, we're too small or we don't you know, we we've been good so far.
Mario:It's gonna happen. You know? It it's you got to you gotta just be ahead of them. You gotta be open minded. Realize like, we're not doing this because we want your money.
Mario:We wanna do this because we we wanna help you. You know? We we we want to make sure that I don't I don't wanna sit with somebody, you know, or 2 people in a week and say, you come by, and we've lost a a quarter of a $1,000,000. Like, that that you know, I went home, and I was like, oh my god. You don't wanna go through that.
Mario:You don't wanna because that's not just gonna be a bad day. That's gonna be a bad year, and it could be, you know, it could be the end of your business. You know?
Justin:Right.
Mario:So just at the very minimums, talk to somebody to see what you have and what you need. You know? Right.
Justin:Yeah. Yeah. And that's, you know, that that's our our sign off offer week after week after week. It'll always be here. Go to unhacked.live.
Justin:You can reach any of us, and and we'll do these assessments for you. We can run, you know, call it a gap assessment, cybersecurity assessment, but we're gonna run you through our basic standard procedures and policies on on how we protect you from the Russian hackers. And then we'll give you the the road road map on, you know, the plan for how to get from where you are to protect it and without having to live under a rock. So, unhack.live, we are also on social media, YouTube, Facebook, but all those links are on our website, unhacked.life. So go there, schedule an assessment.
Justin:I am Justin Shelly, CEO of Phoenix IT Advisors. And, Mario, thank you again for being here. Go ahead and say goodbye, and then we'll we'll sign off for you guys next week. Take care, guys.
Mario:Mario, Zach. That's tech IT. I appreciate everybody out there, and we look forward to hearing from you guys too.
Justin:Alright. Thanks, Mario. Thank you so much.