29. Can You Be Sued for NOT Paying the Ransom?

Justin:

Welcome everybody to episode 29 of Unhacked. And, as I've mentioned before, Unhacked is a deliberate misnomer because, and we're gonna talk about this more later on today. But, I mean, the truth is 97% of breaches could have been prevented with basic security measures. But once you've been hit, again, today's episode is really gonna illustrate this. You're kinda screwed.

Justin:

You cannot get unhacked. So, you know, week after week, we sit here, and we break down all the recommendations, the tools, the processes of how to protect your businesses, but really we're trying to help overwhelmed business owners outsmart Russian hackers. That is what we're here for. We're gonna talk about the basics, the best practices, the 97%, and then we'll wrap it all up with how do we close that 3% gap. So let's get started.

Justin:

I am Justin Shelley, CEO of Phoenix IT Advisors. I work with businesses in the Dallas Metro, Northern Nevada, Utah, Idaho, just, you know, trying to take over the world one state at a time, I guess. I'm thinking the brain style. I'm not a nerd. And I am here with my good friends and cohosts, Mario and Bryan.

Justin:

Bryan, go ahead and introduce yourself. Tell us who you are, what you do, and where you do it. Yeah.

Bryan:

It's Bryan Lachapelle with B4 Networks. We're based out of, Niagara, Ontario, and we supply services for, business small business small, medium businesses throughout all of, Southern Ontario. So primarily out of the Niagara region, but, also have an office in the Bay Area as well.

Justin:

Now, Bryan, do you have a specific target audience, like a type of industry that you service, or is it just kind of all of them?

Bryan:

We do support most businesses, but we have a very, a couple, interesting niches. We supply a lot of agricultural and greenhouses as well as long term care and not for profits.

Justin:

Okay. Mario, you are next up. What do you do? Who do you do it for, and where do you do it?

Mario:

So my name is Mario Zaki with MasTec IT. We, service the New York, New Jersey area. And we mostly concentrate on, you know, construction engineer, architects, and, whoever else, is in our area that has computers.

Justin:

Okay. Alright. Today, guys, this is gonna be an interesting one, and it was kind of on accident. Couple episodes ago, we interviewed Joe Brensman. I hope I'm saying his name right.

Justin:

I believe that's how it's pronounced. Great guy, great episode. The guy's just full of information, and I actually scheduled a follow-up call with him, for my own company, insurance, do a little rehashing of what we use. And in that interview, when we started the meeting, he was kinda muttering to himself about comments on the most recent video he'd posted. So I stole that shit.

Justin:

I mean, this is what I do. Like, I find good information. And he was talking about a $5,000,000 lawsuit that is in play right now for a small business who did not pay the ransom. They were being sued largely because they didn't pay a ransom. So that really caught my attention

Bryan:

to that. Right?

Justin:

I think that's nuts all.

Bryan:

Get sued for not paying the rest of the stuff?

Justin:

I don't know because you can get in trouble for paying it if it's somebody on the do not pay list. Right? What do they call that?

Bryan:

Terrorism watch list or something.

Justin:

Yeah. Yeah. So, I mean, it's not good. It's not good. So we just wanna never get there.

Justin:

Anyways, we're gonna talk about that lawsuit. We're gonna talk about the tip of the week is gonna be how to spot a phishing email, and I think that this is one that gets talked about a lot. So we'll rehash it, and then we'll, kinda make a a final point on what we really need to do there. And then, you know, as always, we're gonna wrap it up with our formula on how to protect our businesses from the likes of Boris Grishchenko, my arch nemesis. Alright.

Justin:

So, let's go ahead and jump into this video. And, again, I wanna give full credit to Joe because I just, I kinda watched the video and I took notes. And some of this stuff, I just ripped off directly. And I will check with him before he published this to make sure he doesn't have a problem with that. But, Bryan, you said you've also seen this video, and I just kinda wanna throw it out to you.

Justin:

What what did you see? What was your kinda key takeaway in a nutshell?

Bryan:

Well, my key takeaway was was the fact that they're partially being sued. There's a little more to the story, but they're partially being sued for not paying the ransom. There's obviously a little bit more involved in that, but ultimately my I'm not sure if I should go with the biggest takeaway, but my biggest takeaways were, have systems and processes in place. Do something because, part of this lawsuit is also just them not doing much. The company is being sued.

Bryan:

It wasn't doing much.

Justin:

Allegedly. Allegedly. Allegedly.

Bryan:

Right. Allegedly. So they know they knew allegedly knew they were supposed to do things and opted not to. And so, and and like Joe was saying, if you're listening to this podcast or you've listened to any podcast like it or watched any videos or even had any kind of, like, news in your face, and there's a trail that you have done that, you know you're supposed to take care of cybersecurity. And if you don't, then and then they can come after you as well, like lawsuit wise, if you get breached.

Justin:

Claiming ignorance is not a strategy is basically what you're saying there.

Bryan:

That was a takeaway for me is don't don't claim ignorance because that's not gonna work.

Mario:

Why are they getting sued for not paying the ransomware instead of not instead of being sued for not

Bryan:

doing the solution?

Justin:

Of all. So let's jump in. Yeah. Yeah. Great question.

Justin:

And and that's that's the headline. That's the clickbait. But it it's it's a key funk or key part of it. But, obviously, there's a lot to this. So, I mean, we're talking a $5,000,000 lawsuit.

Justin:

This isn't pennies. And, you know, interestingly enough, this is not a huge company. They do 11,000,000 in revenue. So Right. Average insurance policy for a company of this size isn't 5,000,000.

Justin:

That was another thing that he mentioned. So they're too. Yeah. They're getting sued above and beyond what their insurance policy will cover. And, Joe, in our conversation this morning said it's not fun to fund these out of your savings account.

Justin:

So, basically they were hit by the bad actors, the bad guys called Black Suit. Are you guys familiar with them? I've never heard

Bryan:

of Tilt

Justin:

Tilt Tilt today. Yeah. And the allegations are, you know, and and this is not a complete list because it was a long list, but basically that they come the company failed to protect PII and that the data breach was preventable, which is what

Bryan:

we talk about week after week. This stuff is preventable. So hard to

Justin:

argue with that. You know, we've mentioned before or I've said that I have prospects look me in the eye and say, I don't have anything worth stealing. They are not gonna come after me.

Justin:

The bad guys, why would they? I don't have anything. We all do. If we're doing business, we have information about our clients and that the bottom line is if we don't protect that information, we are on the hook.

Bryan:

Right.

Justin:

And then the cyber criminals, I I think they either said they were going to, they threatened to, or they have put this information on the dark web. It's now up there for sale, which, you know, is is long term damage to the clients. But here's here's where the headline comes from. The company failed to provide any assurance that it paid a ransom to prevent plaintiffs and the class's data from being released on the dark web. So they are complaining that they, you know, the that they're saying they should have paid it to keep

Bryan:

this into a decision making. A couple of things. What they were saying is because you didn't take precautions that you ought to have, because you didn't do your due diligence like you ought to have, when they came to you with a with a ransom, you should have paid the ransom. And by not paying the ransom, again, you allegedly didn't take any precautions and didn't take any responsibility for the actions of that those precautions would have taken or would have prevented if you had done them. And so now you're liable for all the damages that came.

Justin:

Right. If you're gonna screw it up if allegedly.

Bryan:

Right. If

Justin:

you're gonna screw it up on the front end, you better, you know, protect your clients on the back end.

Bryan:

Right. Yeah. Yeah. So That essentially is the the nutshell of the lawsuit.

Justin:

Yeah. You didn't

Bryan:

do anything before, and you didn't do anything after.

Mario:

So And they're wondering why they're getting sued.

Bryan:

Yeah. Pay me pay me before or pay me after. Pay before pay not me, because I'm not the criminal. But pay before or pay after. One of the way one way or the other you're paying, is what the the message is here.

Justin:

So there was quite a lengthy list of what this lawsuit says should have happened as preventive measures. And I went through it line by line, and I didn't see anything in there that we don't talk about or that we don't do for our clients. So that was good. But here's just a couple of them. Follow the CISA guidance and cybersecurity advisories.

Justin:

That in itself is a lot. Like, that's that's not a a small task right there. Follow FTC reasonable safeguards. Again, you have to know all these things to follow them. Adhere to a cybersecurity framework such as NIST.

Justin:

I liked that one. Some industries are by regulation. They have to have security measures in place. Right. But it wouldn't be a terrible idea to do this on our own, whether we're regulated into it or not.

Justin:

And that's not what they said specifically, but that is a conclusion I had come to a while back where I'm actually gonna start offering, these frameworks, compliance to these frameworks for my clients. As an add on service, it's optional, but, like, let's get ahead of this stuff. Case in point today. Right? Follow recommendations from the Microsoft Threat Protection Intelligence team.

Justin:

Follow FBI cybersecurity recommendations. I mean, it's a it's a huge list. So it's do everything. That's that's kinda what the, the lawsuit says.

Mario:

Now let me let let me add one thing because, you know, our listeners listening to this, like, holy shit. We're not gonna do 20 different things. A lot of this stuff overlaps. You know? So Absolutely.

Mario:

You know? So, you know, it's like, you know, 2 factor authentications are gonna be on every list, you know, for you checking it at all. You know, you know, having a good antivirus, so it can EDR, that's gonna be on every list. You know, backup is gonna be on every list. Absolutely.

Bryan:

It's it's all the things like, I like to bring it back to something that people can understand. And imagine you're you're hopping on a plane. You expect the pilot to go through a checklist of things that they're supposed to verify before taking off. Right? To make sure that the plane doesn't just fall out of the sky.

Bryan:

Right? Well, you know, unexpectedly. Yeah. If you don't do these things in your business, if you don't have these checks and balances, you don't put these cybersecurity protections, you're effectively flying a plane without having any checks and balances, without having verified anything, without having, you know, make sure that all the engine components are operating at optimal performance, and you're just asking for trouble essentially is what what it comes down to. Yeah.

Bryan:

So Exactly.

Justin:

Well, to your point, Mario, they do overlap. And I think the point of it in in listing everything because it's basically, here are all the places where this information is stated. And, you you know, we sit here week after week, and we talk about industry standards, best practices. This is where they come from. Right?

Justin:

This is this isn't stuff we're just making up. We don't just sit around and say, hey, I wonder what we should do to protect ourselves. It's out there.

Bryan:

Yeah. And at the end of the day, you know, you should be including your IT person, whether it's internal, external, outsourced. Because at the end of the day, they're the ones who are gonna know where to find the information for you to action. We don't nobody expects you to know where to find the information, but you should be consulting professionals who do. And that Right.

Bryan:

That's, the folks in the IT space. Yeah. Yeah.

Justin:

I mean, so we we usually kind of break down the the financial and emotional impact of a breach. This one, like I said, it's it's kind of a new twist. And and if I'm just putting myself in the shoes of this company being sued, that emotionally is gonna just kick me right in the ass, you know, because Yeah. Okay. A, there's probably allegedly a lot of things that should have been done ahead of time.

Justin:

You get caught with your pants down, and and now you're in trouble for still trying to do the right thing a little bit late, which is to not reward these thugs because we do talk about that. And it is it's a, you know, the there's a list of people we can't pay, but b, we don't really wanna pay them at all. We don't wanna encourage them to stay in business. Right. And so in doing that, man, they just get raked over the coals.

Justin:

So, let's throw this out as a question. Is is it better to pay a ransom and encourage the bad behavior or not pay the ransom? And when we're looking at this from the perspective of our clients, you know, if if let's just say, god forbid, one of us gets breached, What's which one is the most harm? Paying the ransom to avoid disclosures or, ongoing theft identity?

Bryan:

Yeah. That's a good question because on an individual basis, if you haven't made the precautions you were supposed to, it might make sense for you as a company to survive to pay that ransom. The impact on the greater business community is that it's going to encourage and fund these criminals from continuing that that action. They're gonna continue it, and you might be supporting organizations that are doing much more, darker things, human trafficking,

Justin:

right, and

Bryan:

and and terrorism, by supporting these these organizations by paying the ransom. So it's kind of a catch 22. In some cases, in order to survive, you might have to pay the ransom because you don't have either proper backups or the ability to get back up and running quickly. For example, if you're, you know, a medical facility or something like that where you have, you know, critical patients or critical information that you need to protect and or you need to be up and running again to be able to supply to the public. So it's yeah.

Bryan:

Tough tough call either way. Mario, your thoughts?

Mario:

Yeah. I mean, it really depended on a lot of it. You know, it's pretty much I agree with what Bryan just said. I mean, if you don't pay it, is either you or your clients, you know, out of business? Like, is it, like, lethal if you don't pay it?

Mario:

You know, if you did you but, you know, in some cases, if you took the prior proper precautions and it still happened, did you are you just, you know, or you, your clients, are they just down for a week or two until you recover and and do, you know, go from a backup or something like that? You know, in a situation like that, I definitely don't think they would have they should pay. You know? But if they don't have anything, if they don't have backups, they haven't been, you know, cautious about what they need to do when it comes to cybersecurity, then you have no choice but to pay it. You know?

Mario:

Or depending also on how I I actually, talked to somebody. I think it was like a year ago. And, you know, I was telling him, I'm like, listen. You know, we don't do any security for you. We don't do any of this stuff.

Mario:

I think we were only providing them, like, break fix work. And it it was a medical facility, and I'm like, you know, we, you know, we need you know, I need to know, are you gonna plan on on doing this stuff? Like, the doctor said he's retiring in, like, a year or 2. If it happens, he'll just retire early.

Bryan:

Oh, yikes. I'm like Yeah.

Mario:

Okay. You know, that's that's your plan. That's your exit plan. I'm like, alright. That's fine.

Mario:

You know? But, you know, you have to you have to do more than just, like, the bare minimum.

Justin:

Yeah. I so I've got a couple thoughts on the the pay the ransom versus not pay the ransom. And early retirement's not a great strategy. I'm gonna I'm just gonna throw that out there. No.

Justin:

I'm not a fan of that. But I I had two thoughts as I was kind of chewing this one, you know, which which route do you go? And forget about everything leading up to it for a minute. Like, you're in the situation for whatever reason, negligence or no, you're in the situation and and you've been ransomed. And it it's kind of like are you guys South Park fans by chance?

Justin:

Yeah.

Bryan:

Do you

Justin:

do you remember the episode of the turd sandwich versus the giant douche? They're voting for the it's a whole thing as a spoof obviously on politics, but they're voting for the school mascot. And, you know, point being, there's just there's no good answer. You know, there's just there's not a good answer to this. But let's frame this for a second on, you know, if if it was your child.

Justin:

Now that answer becomes really easy. You do everything. You do everything to try to ensure a good outcome regardless of what led up to it. So I I might lean that way if if you find yourself in the situation and and that's what you have to do to protect your clients. I mean, you've gotta you've gotta take that seriously.

Justin:

You really do. All all other things aside, you are a steward for your clients' information. You you put there, not only right now, but potentially for the rest of their lives, their identity, their security, their safety at risk. So this is not professional advice. This is me just musing.

Justin:

I might find myself inclined to pay if that's if that seemed like the best way to ensure a good outcome.

Bryan:

Yeah. Everybody has a lot to say until it happens to them.

Justin:

Exactly. Yeah. Yeah. That's that's probably a better way

Bryan:

to put it than what I'm saying.

Justin:

But, yeah, easy to sit here and say, oh, if I was in this $5,000,000 lawsuit, I would. And by the way, I would have never got there because I do everything right in the first place.

Bryan:

That doesn't happen.

Justin:

And that's why I keep saying 97% because you can do everything right, and it doesn't matter. You still find yourself in that situation. So okay. So how do we make this happen to somebody else? That's the question I like to ask when I'm looking at all of these things.

Justin:

Thoughts. Bryan, you got a thought on that one?

Bryan:

Well, I do, Justin, and it's going to be probably the same thing I say most weeks, and that is cybersecurity should be like a journey. And and our good buddy, Joseph, by the way from the video said the same thing. Do something, right? You don't have to do it all at once. You're not we're not saying go ahead and take out a $1,000,000 out of your bank account and start putting in cyber security protections.

Bryan:

What we're saying is go after the low hanging fruit first, right? Take a look at get a gap analysis or a risk assessment done. Take a look at what are the most obvious things you need to do and start implementing 1 at a time as quickly as you can, as much as you can afford, in the order of priority that that the gap or risk assessment comes out with. And if you do those things and, you get breached in the meantime, at least then when they're looking at a lawsuit, it's like, okay, you didn't have your head in the sand. You tried.

Bryan:

You tried to do what you could with the resources you had in hand. And so I like to say treat cybersecurity like a journey. I used to say everybody has to have my my my, you know, this package in order for us to work with them. And now we've we've created, like, a sort of in between, like, a lower end package where we say, okay. This is at least all the things that we believe you should have in place that are affordable.

Bryan:

If you can, then go to the next package up and so on and so forth, and and then we'll apply different, protections in place as we go along. But just start somewhere, anywhere.

Justin:

A document that process. We learned that from Joe as well. Right? Have that process documented. Yeah.

Justin:

Mario, thoughts on this one? How do you make this happen to somebody else?

Mario:

Yeah. I mean, it's, again, adding on to Bryan, it's, you know, I recommend the first step is educate yourself, educate your employees. You know, if the employer, or I'm sorry, the employee knows, like, I'm not doing ACH authorization just based on an email that came in, or I'm not switching somebody's direct deposit information just based on an email. You know?

Mario:

I have a process for this. They have to come to my office. They have to fill out a form and stuff like that, or they have to call me. You know, all of a sudden, you know, if you remember last week's conversation, those 2 prospects that I spoke to, you know, they lost hundreds of thousands of dollars because they didn't have proper education, proper procedures. They just thought that email was legit, and they wired the hundreds of thousands of dollars.

Mario:

If you just educate and say, you know what? From now on, we will never do this, you know, you're you're more than halfway there. Right. You know, education, that's that's key.

Justin:

Okay. And then the, I mean, the sad ending to the story is if you don't do that on your own, if we don't go through this process and have it documented and constantly be improving and vigilant, we don't wanna find ourselves being talked about by somebody else on a podcast of, hey, what should Justin, Mario, and Bryan have been doing? Yeah. Because now we're under litigation and court-ordered security measures, by the way. The court's gonna come in and say, okay, for you to stay in business, you're going to have to do x, y, and z, and you're gonna have to spend that money that you thought you couldn't afford.

Justin:

Guess what? I bet right now you can. So That's

Bryan:

right now you can't afford that? Yeah.

Justin:

That's what I'm saying. Okay. So that's I mean, there's nothing really new in in discussing this as far as what we recommend. Right? It's it's still kind of the same thing that we talk about week after week.

Justin:

But what was new that caught my attention really is that the the lawsuit specifically stated they should have paid the ransom. That definitely caught

Mario:

my eyes. Yeah.

Justin:

Yeah. So, but it comes back to, the title of the podcast. You know, This stuff's preventable. Put your best practices, your industry standards in place, audit yourself regularly. And if you don't have like, you've you've gotta have somebody helping you with this and and, you know, use us if you want to, use your own internal team if that's what you've got, Use your outsourced IT company, but but hold them accountable with some sort of a framework.

Justin:

And whether that, I highly advocate for something like NIST or, you know, an actual framework like that. But there's so many other ways you can get that information. I mean, you can just Google cybersecurity protection best practices, and you're gonna come up with a list of things. Do something, like Bryan said. Do something to make sure that whoever you trust to do this for you is being held accountable by somebody else.

Justin:

That would be my best recommendation. Alright, guys. Any other final thoughts or takeaways as far as this particular topic goes? Otherwise, we're gonna move on to our security tip of the week.

Bryan:

I think that wraps it up for me.

Mario:

Okay. Alright. Straightforward.

Justin:

So it's you know, as we talk about these best practices and industry standard and all that nonsense, I do I like that we kind of include on a weekly basis of here's one that we can break down, and I'm just gonna this is a spoiler alert. The solution here is cybersecurity awareness training. The question is, how do we spot a phishing email? So the, again, we've already said the answer. We we beat that dead horse nonstop, but let's put that aside for a second and let's talk about some of the things you might learn in one of these security training courses on spotting a phishing email.

Justin:

Mario, I'm gonna put you on the spot first. What would you tell somebody as if you're training a core a class of people, you got you're standing in the front of the class, you've got your best prospect and or your best clients in front of you. How are you gonna tell them to not fall victim to a phishing email?

Mario:

So one of the so one of the things that I tell my existing clients, and I have people on a regular basis, they'll forward something to me and say, you know, is this legit or not? One of the easiest things to do is if there's a button that says, like, click here to do this, you know, to log in. If you hover your mouse over that button, the on the very bottom of your browser on the bottom most likely, it's on the bottom left with Google Chrome and Microsoft Edge. It will show you the link of where that button goes to. Okay?

Mario:

So before you actually you don't even need to click anything. You just put your mouse over it. And if you see that it's not taking you to microsoft.com or, you know, whatever it is, If it's directing you to a random other website, right away, you know, that's just one of the ways that you will know that that's phishing.

Justin:

Okay. Bryan, thoughts?

Bryan:

I'm a big fan of the SLAM methodology. So that is looking at and and they use SLAM because it's it's an acronym. The s is for sender. So look at the sender, who's sending you the messages is coming from Gmail, you know, or something that doesn't look like it's right. Just ignore it, move on, delete it.

Bryan:

L is links, so that's what Mario was talking about. Hover your mouse over the links, work your way from the farthest end, so the end of the domain name, so, dot com, for example, or dot org, and work your way forward. If it's dotcom.xyz, then, you know, if it's microsoft.com.xyz, then that's not really Microsoft's website because we work our way backwards. I could explain more of that later. A is attachments, you know, and take a look at the attachments.

Bryan:

If if the attachment doesn't looks if it looks just don't open it. But if it looks suspicious like, you know, invoice.pdf.xml, like that's not a that's PDF. It's it's actually a file that could harm you. And the last one is message. So look at the message itself.

Bryan:

Now this one is get becoming a little less important because of AI and and now we're able to criminals are able to generate a ton of of, messages that actually look like it's proper English. But a lot of the a lot of the criminals out there are still terrible at using English, and so you'll usually spot some errors in English. So reading the message oftentimes will help too. So those four things will go a long way towards helping you spot a phishing attempt.

Justin:

Okay. I'm gonna throw my 2¢ at that SLAM method because I love that. And here are the pitfalls as I see them. Sender. It is so easy to spoof an email address.

Justin:

I can have it show up in your inbox saying justin@phoenixitadvisors when the real sender is joeshmo@gmail.you'rescrewed.com. So, you have to be careful when you're doing all this stuff, and hopefully, you're paying attention, and not just like, I, because we're also overwhelmed and overworked. We have to slow down when we're doing, you know, and when our spidey senses start tingling. Right? So, dig deep to find out who the sender is.

Justin:

Same thing with the link because we talked about this, I think it was last week, wasn't it, Mario? That, the the link you're oh, yeah. Because your the breaches that you were mentioning, they had actually gone out and purchased a domain that looked very, very similar, indistinguishable from from the real one. So that can be tricky. It's you can still get tricked there.

Justin:

The attachments. I love that our operating systems now hide the extension from us, you know, like wiring instructions dot PDF. Microsoft's like, ah, we don't need to know what that is. Let's just remove it, and we're gonna hide it unless you go in and find that. So that can again, it can be really hard.

Justin:

So you've gotta you gotta know what you're doing. Again, do some training. And then the message to AI, I'm actually not gonna give AI credit on this one because I I still hate AI. I still think that it sounds very robot not robotic

Bryan:

Yeah.

Justin:

But, you can you can sniff it out if you're do you guys ever look at update myself because only old people use Facebook, but Facebook has started doing an AI summary of the comments for when there's a lot of comments. And there Oh, no. That's it. It's the same formula every time. It's like the comments are a mixture of this, you know, one side versus that, the other side with one user saying whatever.

Justin:

Like, they pick one thing to spotlight to make it sound inter I don't know. I yeah. It's the same format every time, and I'm just like, come on, Zucky. You can do better than that. Anyways, I've I've and also, I, I got a phishing email the other day, and the message was still, like, just trash, the grammar and the punctuation.

Justin:

I'm like, good lord. Who are you gonna get with this?

Mario:

Yeah. Yeah.

Bryan:

And they get people. They wouldn't send them out if they've got 0.0001%. They they've succeeded.

Justin:

Oh, I know. I know. That's what sucks about it. So, yeah. I I love that framework.

Justin:

And really the best part of that framework is just having something, having a formula. And really, it comes down to if we're always aware of it, just the awareness. What I love about security awareness training is the word awareness. It's not that we're gonna catch everything. We can still get tricked, but having that constant reminder, at least then our spidey senses are, like, worked out.

Justin:

Like, they're they're, you know, rippling muscles instead of sagging. Right? Yeah. Like Yeah. We know we know, to be vigilant.

Justin:

And I'll I'll just go on a tangent here. You know, gut feeling Yeah. And, like, 6th sense and all this stuff that we use to talk about, intuition or whatever that we don't really understand. I I heard it explained. I'm not an expert, but that our brain on a subconscious level just takes all the information that it has whether we're aware of it or not.

Justin:

Looks for patterns. Makes these decision yeah. Looks for patterns, and and it just starts throwing up these check engine lights at us. And that's what this gut feeling is. So even if we're not aware of it, but if we practice this SLAM method like you're talking about, we're hovering over the links and we're checking the user, the the sender, it just develops that

Bryan:

Yep.

Justin:

6th sense or that spidey senses as I like to call them.

Bryan:

I had an interesting situation come up the other day, and it was I had a prospect, and I sat down with them and I talked about how, you know, part of our our thing is cybersecurity awareness training. And they looked at me deadpan and said, I don't want my people taking security training like that because I don't want them to be afraid. And I was thinking in the back of my head going and, like, she says she didn't want her people to be on edge all the time. I was thinking, listen, the danger is still there whether you know about it or not. The danger is always gonna be there.

Bryan:

Like, it's like walking through, you know, a zoo and ignoring the signs because you're afraid of what might the signs might read, and all of a sudden you walk into a lion's den. Like, the danger is still there. You still have to pay attention to the signs. You still have to pay attention to the warnings. Cybersecurity training is

Mario:

never tell that this person never tell their kid, like, don't speak to strangers

Justin:

or someone.

Bryan:

To strangers, don't touch a hot hot stove. I don't know, Mario.

Justin:

I I

Bryan:

don't like speaking ill of others, but this that just threw me as, like, that's not gonna make the problem go away. It's just gonna make your people more vulnerable to the problem. And Yeah. Don't don't look like Don't be that person.

Justin:

Crossing the street because you sure don't wanna see that car coming at you.

Bryan:

Yeah. Jesus.

Justin:

Yeah. Oh, my god. Okay. Please, please,

Bryan:

please, awareness training. It's so important.

Justin:

Yeah. It is. Alright. Anything else we need to break down on phishing emails?

Mario:

I do wanna say one more thing about phishing emails, and and I think it's kind of more of the generation that we've been living through lately, if that's the right term. But I I noticed, like, people, like, now, they don't wanna just pick up the phone and call somebody. You know? They Yeah. They don't you know?

Mario:

It really if if you're still unsure about something, you got some but something somebody, sent you an email. Say, let's again, let's just talk about, you know, payroll change, new direct deposit change. Just pick up the phone and confirm it with them. You know? It's gonna take you, what, 2, 3 minutes.

Mario:

Hey, John Doe. I just got you know, I just wanna make sure. Is this legit? Did you change your bank account information? You know, it it it's a 2, 3 minute call can change, it can make a big difference and change somebody's life.

Mario:

You know? Yeah. You know, you know, take that extra step just if you're unsure. If it looks suspicious, it probably is suspicious, and and just pick up the phone call. They or call them over to your office and, like, hey.

Mario:

You know, is this legit? You know? Pick up the phone.

Justin:

I mean, you make a good point. We, as humans, we're very social creatures, but then we've been through a lot in the last decade or so of, you know, the influx of social media, the absolute domination of social media. And then you put us through a global lockdown. And and we've kind of become afraid of human interaction as a population, and it's it's weird. And and that's a good point, Mario.

Justin:

A lot of us just don't want to. And, you know, it's a generational thing. And I'll be honest. I don't I don't love it myself. I I'm not one who loves to pick up the phone, but, you just have to, in cases like the phone.

Justin:

Yeah.

Mario:

And you know what, though? Honestly, it's it's it's very similar. It it is because of since COVID and there's a lot of people working remote and stuff like that, they don't have the, you know, the office and stuff like that. And and hackers are taking advantage of that. You know?

Mario:

They can you know, there's ways to find out if companies are fully remote or if they're not. You know? You know, you can get a sense of, if they're remote or not. You can go on somebody's, LinkedIn, on a company's LinkedIn, for example, and you you'll see, you know, this person that is you know, he's in California, another person working out of Missouri, another person's working out of Florida. Chances are they're remote.

Mario:

You know, they become a target. You know? Okay. Let's see who this person is. All accounts receivable or, you know, HR director or something like that.

Mario:

You know, you become a target. I I personally, honestly, I if it was up to me, I'll get rid of LinkedIn because you're providing so much information to hackers, you know, through LinkedIn. But, you know, that's just me. But, you know You're on there. Providing them.

Mario:

Yeah. You're providing yeah. I am. I am. But

Justin:

Trust me. I'm hacking you right now just in case you didn't know. I've I've already taken all your information. I'm gonna try to breach it myself. And, otherwise, if I can't, I'm gonna sell it.

Bryan:

So you could lock it down. You could lock it down.

Mario:

So, essentially, it's it it it really is, you know, just a matter of taking that extra minute or 2 and just confirming. Yeah. That's it.

Justin:

Alright. So that's email. But I I will say that this is a huge way people are getting in right now. Email security, business email compromise, whatever however you wanna label that. It it's one that needs to be, yeah, it needs to be taken very seriously.

Justin:

So, alright. We're gonna move to our 3rd segment. We're gonna talk about our weekly business tip, we've been adding in lately. And I wanted to throw this out, guys, content marketing. And, again, old Joe has been providing the fuel for today's fire.

Justin:

And when when I had my call with him this morning and just talking about my business and what we were up to, and I I mentioned marketing. And he just said that, you know, his his business, the, he started creating these videos that caught my attention. The reason we talked to him and about him, is just through making these videos, content marketing. He says he's growing 40% year over year, and that's all he does. So just wanted to throw out the concept of content marketing and and do a gut check with both of you guys.

Justin:

What are your thoughts on, you know, we're sitting here creating content as it were. So, obviously, we all do some version of it. But what are your thoughts, Bryan and then Mario, on creating content and using that to grow your business?

Bryan:

I think it's one of the one things that we could do that is so simple and so easy is offering up our expertise to an extent at no cost to our prospects to show value in advance.

Mario:

A

Bryan:

lot of the times people don't know the industry that you're working in as well as you do. I'll use IT as an example because I'm knee deep in it. Most people have never purchased IT services or have done it so seldomly they don't know what to look for. And so by by us putting forward our 21 questions you should ask any IT service provider, the IT buyer's guide on our website, the books that we have, and things like that. We're essentially showing our, prospects.

Bryan:

This is how you should be buying IT services. This is what to look out for. So if you put out content, especially educational content that teaches your prospects what to look for when buying your services and what are the gotchas in your industry, it goes a long way towards putting you in as a expert in that field and, shown as, like, the person who knows, and people would be more likely to do business with you, compared to somebody who is not doing that. Okay. And that's the key.

Justin:

Mario, same question to you, and I'm gonna add. And then, Bryan, if you wanna loop back in on this, do. But do you have any clients that do this to grow their business? Mario, what are your thoughts in general? And then also, do you have clients that do content marketing?

Mario:

I do have, like, some clients, but they kind of do it you know, they don't do it heavily. It's more just to kind of, like, get their name out there. It's to kind of, like, build the following. But it is it is important because, you know, the you're you're literally when especially, like, I'm just gonna talk about IT. You know, for people to find you, you know, there's a couple different ways to do it, but the most common is obviously just Google, you know, IT services near me, for example.

Mario:

But when when they are kinda when a prospect is maybe seeing that you provide, like, a service to, like, the community or you provide more information, educational information to different things. Maybe they see your amazing podcast with, 2 other people, and they, you know, they follow and they're like, you know, you know, when that need comes up, you're gonna be one of the first people on their minds. You know? They're not gonna just completely ignore somebody or at least give you a chance to, you know, to see what your service is about versus, like, somebody else. So it's just to kind of touch people appropriately.

Mario:

You know? It it it's kind of, you know, a lot of people also, especially more on the consumer, like, basis, like home users, they like working with somebody that they've they're they kinda have a connection with, you know, versus somebody that's just out of the blue. You know?

Bryan:

Yeah. To answer your question, Justin, I have a client who sells orchids. And, apparently, orchids are really hard to take care of. And so they have an entire, like, training, free training surrounding how to care for your orchids. Really?

Bryan:

That that was pretty pretty impressive. It's like orchid school. Like, you go there and you've learned how to you know, they have it online and they have it, in in class kind of things, like here's how you take care of your orchids. And I thought that was really clever because who are you gonna buy orchids from? The person who just has them in the shop or the person who just taught you how to how to care for them?

Bryan:

Yeah.

Justin:

Yeah. No kidding.

Bryan:

I thought that was pretty wild.

Justin:

I love that. I love that. And and I'll tell you that kinda why I wanted this was a gut check for me because we do create content, in that we've we've got a podcast. But where where it was kind of a maybe a little kick in the teeth. I'm like, I don't do enough with it.

Justin:

I have it. It's out there, but I don't promote it, and I keep talking about it. So clearly, I need to up my game. And and the real kicker here is that for an hour, Joe sat with me this morning and walked me through details, and he's sending me video links that he's done on, well, you're gonna need more information on this. And he's from terminology to, like, understanding contracts and, like, just how to market my he sent me a video on how to market an IT business, you know, the things that he's learned.

Justin:

And for almost an hour, I'm sitting there going, just send me the goddamn bill. I mean, the the decision was made. And I know plenty of people in places where I can buy insurance. And and I was almost annoyed that this hour long conversation where I'm like, dude, I'm almost sold. I just send me the bill.

Justin:

You don't even have to say anything. Just like, here's the invoice. Okay. Paid. Like, let's you know?

Justin:

So that that trust that was built now, obviously, we've had, you know, not just seen his videos, but we've had them on the podcast and and whatever else. But, man, if you want a way to build trust with your clients or prospects, this was an eye opener for me. And then, you know, another vendor that we all share that we've, I've been with for over a decade now. I had consumed a lot of that content before, we again, when it was time to buy, I was just like, send me the bill. I don't I don't have any I don't have any questions.

Justin:

You know, I don't wanna be sitting in the back of the room. I wanna be sitting up front with the cool kids. Like, how do I join that club? Let's do it. I don't care what it costs.

Justin:

So, I am I'm a fan, and I'm also a sucker for good content. Alright, guys. I think it is time to wrap up. We've got our formula, follow the best practices, which means protect your technology, protect your data, protect your people, do all those things based on best practices, and that gets you to 97% and then wrap it up with policies and procedures, which we can help you with and a good insurance policy. And we know a guy for that, And that provides a formula that at least helps me sleep at night.

Justin:

So that's my takeaway. That's my closing. Bryan, we'll let you go. Mario, your last, final thoughts, and then we're gonna wrap up for the week.

Bryan:

So, my my final thoughts wrap up is just again, treat cybersecurity and IT in general as a journey. Look to get 1% better every day, and you will achieve success. If you get 1% better every day, think it's like 300 and something percent, at the end of the year. So, start that journey and you'll you'll get there fast.

Justin:

Alright. 365 days in a year if that's the number you're looking for, but it's also compounding.

Bryan:

Yeah. It's

Justin:

a compounding effect, so it goes maybe over that. So Yeah.

Bryan:

I don't remember what it is. I'm not that good at math.

Justin:

Darren Hardy, compound effect if you're interested. Bryan or Mario, what do you got for us?

Mario:

Pretty much don't be a sitting dog. I mean, you pretty much just do something, you know, like Bryan said, like, can I just take you know, it's a journey? Don't sit there and say nobody wants my shit, you know, and think that it's not gonna happen to you. It will happen to you. It will happen to you or your employees.

Mario:

It's a matter of time. These things are just getting easier and easier for them, with the tools and stuff like that. And it's coming. Like, it they're they're going to find a different way. Maybe not through an email.

Mario:

Maybe not through some maybe it's maybe, you know, it's a text message. You know? It will happen, but you have to just, you know, do something. Don't just sit there and think you're dodging bullets the whole time because eventually, you will get hit.

Justin:

Yeah. I mean, I will reiterate you'll get hit if you don't do anything. 100% guarantee that. And, yeah. But if you wanna know where you're at on that spectrum, unhack.live, book an appointment with myself, Mario, or Bryan.

Justin:

All 3 of us can walk you through this. We can show you where the gaps are. We can build a plan, a road map, and help you close all these gaps, guys. That's what it takes. Bryan, thank you for being here.

Justin:

Mario, thank you for being here. And we'll see you guys next week. Take care.

Bryan:

Take care.

Creators and Guests

Bryan Lachapelle
Host
Hi, I’m Bryan, and I’m the President of B4 Networks. I started working with technology since early childhood, and routinely took apart computers as early as age 13. I received my education in Computer Engineering Technology from Niagara College. Starting B4 Networks was always a dream for me, and this dream became true in 2004. I originally started B4 Networks to service the residential market but found that my true passion was in the commercial and industrial sectors where I could truly utilize my experience as a Network Administrator for a large Toronto based Marine Shipping company. My passion today is to ensure that each and every client receives top of the line services. My first love is for my wonderful family. I also enjoy the outdoors, camping, and helping others. I’m an active Canadian Forces Officer working with the 613 Fonthill Army Cadets as a member of their training staff.
Mario Zaki
Host
During my career, I have advised clients on effective – and cost-effective – approaches to developing infrastructure that fosters productivity and profitability. My work has provided me with a broad-based knowledge of business from the inside, with an expertise in areas that go beyond IT alone, ranging from strategic planning to cloud computing to workflow automation solutions.