31. The Formula - Part 1: Protect Your Technology
Welcome everybody to episode 31 of unhacked. Like I always say, unhacked's kind of a misnomer of sorts. The truth is we can do a whole lot better work preventing breaches than we can actually unhacking you once the bad guys get in. So, guys, it is, October. This is cybersecurity awareness month, and so, Barinder has joined us.
Justin:I mentioned last week, Barinder goes in the chat, and he's like, hey, guys. Should we come up with a special theme for October? I'm like, Barinder, that's the podcast every goddamn week. So but it did get the gears turning, and I really like what we've come up with. So, you know, at the end of each pod end of each episode, I'll frequently say we've got the formula, protect your technology, protect your data, protect your people, wrap it up with policies, procedures, and insurance, and that gets you to protected.
Justin:But what we don't do in a concise manner is go through and identify what those, best practices are. In preparing for this, it was really timely because I saw a post on Reddit, and a guy who had been in the industry either 20 or 30 years, I don't remember, said that a prospect for the first time had asked him, what are these best practices? What are these industry standards? And he's like, guys, I don't know. My bullshit.
Justin:That's a problem in our industry. We are unregulated, unless you fall under HIPAA or CMMC or NIST or, you know, something like that. Guys can run around saying they're cybersecurity experts, sell you stuff, and you don't really know what you're getting. So for the next three episodes, we're gonna break down exactly what these best practices are, and I'm gonna brag a little bit. I've added the page to the website.
Justin:If you go to unhacked dot live, there is a tab. I believe it's called the formula, and we're gonna put that in as we create these episodes. And then my commitment is to our listening audience to go ahead and keep those updated because, security is, not so static. Right? This is kind of a cat and mouse game.
Justin:It changes all the time. So we'll try to keep those updated. Alright. So that's our introduction to the episode. Let's go ahead and introduce the people.
Justin:We are sitting here with, as usual, my good friends, Bryan the the guilty party who posed the question of what should we theme the cybersecurity awareness month after. Barinder Hans. So let's go, Bryan, Mario, and Barinder in that order, and tell us who you are, what you do, and who you do it for. Bryan, go.
Bryan:Excellent. My name is Bryan Lachepoe with B4 Networks. We're based out of Niagara, Ontario, and we serve most of the Southern Ontario businesses around. We specialize in working with greenhouses, professional service firms, manufacturing companies, essentially business owners who have headaches in dealing with technology, we make those headaches go away.
Justin:Love it. Love it. Mario?
Mario:Mario, Zacche with Mastech. We are located in New Jersey right outside of New York City, And we service, the entire area, but, focus on engineering, architects, and, construction companies, and pretty much anybody that that has a computer that is, worried about losing their data to the bad guys. What's that guy's name? What's, Boris. Boris.
Justin:I forgot his last name. From Boris. Krishenko or something like that. I don't know. I stole it from a James Bond movie.
Justin:Some movie. No. Like, Barinder, tell us about yourself.
Barinder:Barinder Hans from Red Rhino. We're based just outside of Vancouver, BC here. A fellow Canadian with Bryan. We specialize in full stack everything when it comes to IT top to bottom. We'll help our clients take care of it, help them through their business transformation.
Barinder:We won some awards, MSP 51 top 50 best managed in Canada. So I think our team does some pretty good work. And and most importantly, I bring the good ideas about cybersecurity to Justin and make sure that he knows what he's gonna be taught.
Justin:And we appreciate it. Yeah.
Barinder:Yeah. He should really focus on the cybersecurity thing. It's really getting big.
Justin:I know. Right? It's becoming important.
Mario:Top 50 in Canada. How many do you guys have up there?
Barinder:Like, there's at least at least 48.
Mario:I thought it was just you 2.
Barinder:We're we're the only 2 that matter.
Bryan:Yeah. You guys are competing. Got the top fifty award. So Yeah.
Justin:There you go. I'm saying something. Listen. I can vouch for these guys. I am sitting in a room of, very smart people in the IT world, and I love doing this week after week with you guys.
Justin:I am, by the way, Justin Shelley, CEO of Phoenix IT Advisors. I've got an office in Dallas, Texas, and more recently an office in little old Elko, Nevada. And we do, some work in the surrounding areas, even into Utah and Idaho. So, and I would say that, you know, we lead with compliance. That's what we do because I don't wanna be that guy getting on Reddit and saying, hey.
Justin:What the fuck is it that I tell people I do? Because I can't remember. Jesus Christ. So, anyways, we're gonna spill the beans today. We're gonna talk about what it is that we do behind the scenes.
Justin:And you, dear business owner, how do you know that you're getting what you pay for? If you've got somebody and you're you've hired them to keep you, safe from the likes of Boris Krashchenko. How do you know he's doing it? That's what this is all about. So by the end of these three episodes, you should know.
Justin:And then by the way, the 4th episode, the one I'm most excited for, we're going to ground 0. We're gonna talk to a guy who was breached, and he has been willing to share his story with us. I'm super excited about that one. So, guys, grab a pencil and paper, and let's do this. And and I'm trying to figure out how to make this exciting because if I'm a business owner, the last thing I wanna do is sit here and listen to a bunch of IT nerds talk about this kind of stuff.
Justin:So we'll try to keep the energy level up. We'll try to keep it, quick and concise, but for reals, just take a few notes and then cross reference our website and use this as your formula to make sure that you actually are protected and getting what you pay for. So with that, we are going to start with, our good friend, Mario. Tell us about, Internet failover and maybe even why that has anything to do with security. Mario, you got that one?
Mario:Yes. So, ISP failover, Internet service provider failover. Essentially, it's a backup Internet in in your office. You know, it helps primarily with, you know, making sure you're you know, there's a a down pole in the area, which happens a lot. Accident, the pole goes down, and you lose Internet.
Mario:You you have a backup Internet. Hopefully, they don't both go out at the same time. So it it essentially, if one Internet goes down, your employees can still work, you know, for those companies that are very reliant on Internet. As far as security, I you know, it it it's more of a convenience thing. But as far as security, we've set up some companies with an ISP failover, and what we do is we can easily route certain things to go on one Internet versus the other.
Mario:Like, for example, voice over IP phones, You can have them route through, the the the second Internet service provider. Or if you have camera systems that you want or or they're constantly recording and stuff like that, you could have it go through a second Internet so it's not boggling down your primary users using your your main Internet.
Justin:We keep the other guys from, lighting up their hot spots too. Right? And then maybe Exactly. Sharing over unprotected connections. So Yeah.
Justin:Best practice, number 1, and certainly can have some security ramifications. Bryan, Barinder, do you have anything to add on this one?
Barinder:No. I think Mario covered it.
Justin:Alright. Bryan, then this is going to you. We're gonna talk about antivirus. I think this is just like Norton. Right?
Justin:Don't we just put Norton on? We're good to go?
Mario:Love that.
Bryan:I've got the best one because nobody knows what antivirus is. And Oh my god.
Justin:It's changed. It has changed. I'll tell you that.
Bryan:It has changed. So I'll dive right in. I mean, it's not a very exciting topic, but I think it's important. As business owners, you're probably very familiar with what antivirus is, which is essentially antivirus detects in most cases known threats like viruses and malware, but these days traditional antivirus alone is no longer enough to protect your business. You really have to go one step above.
Bryan:So while antivirus works to block known threats and it and some antiviruses have the ability to do a little bit more, but let's just go with that. EDR is what we recommend now, which stands for endpoint detection and response. It goes one step further by monitoring for unusual behavior in real time. So it's not just looking at, does this virus match what I've got in my book of viruses? What is the behavior that is happening on the computer?
Bryan:Is it normal behavior for that user, or is it something that a regular person wouldn't do? And when it detects something, it isolates that computer, is able to track all of the changes made, and in some cases, back them up. And in all cases, it records a history of everything that happened so that from an auditing and forensics approach, we're able to then determine what happened, how it came in, where everything originated from, and be able to backtrack it if possible.
Justin:And, Bryan, talk a little bit about the r in EDR, the response portion of that. What should that look like?
Bryan:What in most cases, it's automatic. It will just, it will start responding once it detects that something's in there. I like to say it's like Star Trek, but only in reverse. So Star Trek, you know, they have the shields that go up and nothing can get in. It's kind of the reverse of that.
Bryan:The shields go up on the computer and nothing can get out. So that if you did have a, threat that came in and it would that computer gets isolated from the rest of the network, so it can't go and infect the rest of your computers, that user is essentially dead in the water until we could come in and help. So in in most cases, the responses shield up. But in other cases, it can backtrack, the the the damage done and to be able to undo some of it.
Justin:Okay. Bran. Yep. I'm sorry. Barinder and Mario, do you have anything to add here?
Barinder:Yeah. Part of that response, it can even roll back some of the, the good endpoint security software depending on situation, can roll back if there's a ransomware encryption activity, which is what most business owners are concerned about. It can roll back on that as well. And that's, that's very handy, and also help IT professionals do a root cause analysis. How did this infection come into the 1st place?
Barinder:But, yeah, versus an old school antivirus, we obviously don't recommend that. Don't sell that. You want a modern tool like Bryan said, monitoring for that behavior. If there's come trying to reach out to a command and control in the cloud, you wanna stop that. It's gotta look at that behavior and be able to stop it.
Barinder:Only a modern EDR tool can do that. Okay. And how would a business owner know if they're protected? Sorry,
Justin:Mario. Go ahead. And then we'll No. This other question. It's
Mario:the the modern ones go with a zero trust approach versus, like, the traditional antivirus that literally just checks against a black list. This one, it it only approves stuff that's on a white list.
Justin:Okay. So how do we know? I'm I'm, I'm Joe Schmo, the business owner, and I'm sitting here, talking to you guys, and you're saying this. I'm like, I have no idea what you're talking about. How do I know if I'm protected?
Bryan:Yeah. You asked that. You and and that is a little tricky when it comes to antivirus because it's not like I had a test that I can go and and test. So there's a couple things. If you buy your own solution, find out what the the the version of the software you're using is and search it online.
Bryan:You can usually just say, hey, you know, I have this version. Does it have these advanced features? If you deal with an IT provider, you can ask them if, if the the solutions the cybersecurity solutions they include has advanced features like threat hunting, real time monitoring, and automated responses. And if it doesn't, then then you can, you know, inquire about that. And in most cases, they'll know what EDR stands for.
Bryan:But in all cases, you should have it verified by a second party if you're in doubt.
Justin:And if you don't
Mario:know what it stands for, what do you do?
Justin:Change your IT company immediately. You know, you I if I'm a business owner and I'm I go to my IT guy and he's like, yeah, you're protected by whatever. I might ask him, you know what? Can you go ahead and give me some more information about that? Like, do they have any marketing materials that I can look at?
Justin:Do I can I go to their website? You know, put your eyes on this. Because in the end, if your company gets breached, your IT guys on the hook maybe a little bit, but, as an as an owner, you're the one that's gonna be dealing with the bulk of this. So make sure you're educated. Mhmm.
Justin:Barinder, I think I cut you off.
Barinder:No. No. I was about almost gonna cut you off, but I'll let you you finish
Justin:the call. I won't allow it.
Barinder:I I think, there's probably not all EDRs are the same. Just because it has the word EDR in there doesn't mean it's the same as all and equal to all the other EDRs. There's, you know, some that are great, some that are not so great. Something that you can easily Google is, the Gartner.
Justin:Thank you.
Barinder:Yep. Quadrant and and see what's in that top right quadrant and see if yours is in that top right quadrant. Great. If it is not, a switch switch of product. The only caveat I would say is if it's Microsoft Defender shows up in that top right quadrant, that comes with some caveats.
Barinder:You need a IT professional before, somebody who really knows what they're doing before you try to roll out a defender as your primary line of defense.
Justin:I'm gonna go ahead and put that on our list of, you know, the formula on unhacked.live. I will add a link to the Gartner website that you're talking about because that is a very useful tool. If you can get the name of the product that you're being sold, go find on there and find out how effective that it is at least ranked.
Barinder:Yeah. Well, or or you can email or contact any one of us on LinkedIn 1. We'll we'll just tell you the 5 you can choose from.
Justin:Right. Pretty much. Pretty much. Okay. So, you know, we talked about the evolution of antivirus because it used to be like Bryan said, it's basically a spreadsheet.
Justin:If the file's on that sheet and it's listed as bad, don't let it install. Otherwise, We're good to go. That has changed. And now the other shift, like, major shift right now with anti, bad stuff is monitoring your Office 365. Right?
Justin:So we're talking right about monitoring your physical hardware, your computer. And I think, Bryan, this one's yours as well. Let's go ahead and pivot to the cloud stuff. I mean, I'm we moved everything to the cloud, and that's what's supposed to keep us safe. And Jesus Christ, it just made it worse.
Bryan:Yeah. It it it kinda goes hand in hand with, BDR and antivirus because a lot of businesses today rely on Microsoft 365 for all their operations. Their documents are on there. They collaborate on there. And just like with your devices, you should have threat hunting and and, and and the ability to determine if some somebody's doing something to your system.
Bryan:The same thing happens with Microsoft 365. If you have a monitoring solution for it, then essentially what's happening is it's looking for suspicious activity in real time, whether unusual logins are coming in from foreign locations. You know, is there any kind of phishing attempts happening or unauthorized file sharing? And it's looking through all of the logs that nobody ever pays attention to in Microsoft 365 because, you know, who actually looks at log files, right, and tries to find signs of suspicious behavior. And if it finds it, it will typically lock out that user who's causing the suspicious behavior if it passes a certain threshold, notifies, you know, us and or, your clients, depending on the situation, and then we can we can remediate from there.
Justin:One of the things I love about that is you even if you just go in and create a rule, in Outlook to forward your email to somewhere else It
Bryan:will trigger.
Justin:That should pop up an alert. Yep. And and that would be a great way to test to see if you have it. You know, you you could you'd you'd still have to go to whoever is monitoring this and say, hey, did you see that I created a rule? If so, tell me about it, you know.
Justin:But I would, I would argue that this is becoming at least as important as the, the antivirus as we call it, is this, you know, monitoring and protection in all of these cloud applications we have. Mhmm. Barinder or Mario, any thoughts?
Mario:No. Spot on.
Barinder:The only thing I would just add, is just make sure you add a backup solution to your Microsoft 365 data. It's your point exchange. Make sure you have something. There's lots of great third party tools out there that will back up all your data, because Microsoft, while they have, you know, recycle bin type of restore option, they will say and Google will tell you that, what they have is not considered backup. Somebody deletes something in Right.
Barinder:30 or 60 days, it's gone gone. So and for compliance reasons, financial reasons with IRS or CRA, You want to keep data, especially financial data for 7 years, records, so get your backups in place. As far as hardening Microsoft 365 security, that's we've got, like, a 200 point checklist. It's it's a it's a big deal to to make that happen. It is not easy, and you really have to have good IT making that happen for you.
Barinder:Okay. Yes. You do. In fact,
Bryan:you can usually know what your secure score is by just going to security.microsoft.com/securescore. And even if you're not an admin, you can usually get your secure score. So if it's below a certain level, you may wanna talk to your IT provider.
Barinder:Below 60, talk to your IT provider. Yep. Yeah.
Justin:Okay. Bryan, remind me after this. I wanna add that link as well. So Sure. I didn't write it down fast enough to put it on here.
Justin:Okay. Go to firewalls, Barinder.
Barinder:Firewalls. Firewalls. I love talking about firewalls. What could be more exciting than a firewall? Firewalls so when I'm talking to, business people, I don't expect them to know what a firewall is, But what I explain it is how I explain it is it's like your house.
Barinder:Firewalls are your doors and windows. You want it the firewall is, sits between the Internet coming into your office and unblocks communication in and out and monitors it. Kinda like your doors and windows. You want the bad guys out, but sometimes you need to keep some people in and not be able to, transmit certain kind of data. For in your home, it might be like you don't want your kids going out past midnight.
Barinder:Well, same idea at your at your office. There's some things you don't want to leave your your office environment. And that's traditionally been easy to do with a firewall. The other thing a firewall does instead of just protecting the inbound, outbound traffic, is it also allows for segmentation, creating multiple little baby networks in your office. It can get pretty complex.
Barinder:But a really simple kit thing that you want to know about is any organization that takes credit cards. Those credit card machines, terminals, computers need to be isolated onto its own network for PCI compliance reasons. You might have other types of networks if you're manufacturing, and you have a whole bunch of machines, CNC machines in your in your manufacturing plant. You want to isolate them from your corporate network for data and then be able to create specific linkages when necessary. So there's a whole lot lot of nuance there.
Barinder:You wanna be able to have, a solid next gen level firewall that can inspect that incoming outgoing traffic properly, but also be able to create those segmentation, pieces, as needed. But it's really getting the doors and windows locked on your home. You wouldn't go to bed leaving your door open. Same thing at home. So a couple of things you can test for is when you're at your office, can you visit websites you shouldn't be able to visit?
Barinder:Like, whether it's porn or malicious websites, you you that should be automatically blocked. And and most, firewalls will have content filtering policies available to you. And then in addition to that, do you have remote access into your office computer or servers to something like remote desktop? Do your IT people use remote desktop? If by any chance, they haven't caught up to the current decade that we're in and they still use a remote desktop to get into, not like a third party tool, but actual Microsoft remote desktop to get into the servers and workstations, that needs to be terminated immediately.
Barinder:That is how most malicious actors will get in to your environment and and then perform their malicious activity. You want to stop that ASAP. Just sec go ahead. I'll let you all we'll talk about firewalls finish talking about firewalls first before we
Mario:move into the next shell.
Justin:Sure I heard you correctly that the best way I can tell if I have a good firewall is to fire up my favorite porn site.
Barinder:No, please. So maybe, Justin can recommend that. I I can't see Well,
Mario:I'll put you on the website. Right?
Justin:Yeah. I'll I'll I'll show my favorites.
Barinder:It's off the top.
Justin:No. No. The serious thought though, if you can find your firewall and and figure out the manufacturer and the model, put it into Google. And if you can buy that thing at Best Buy or Walmart or, get something
Barinder:else. Yeah. Yeah. That's right. There's a difference between a router and a firewall.
Barinder:You want something that's a next gen firewall. There's only a handful of good manufacturers out there that'll do that for you. Again, and and yeah. It should and again, just like anything else that you have piece of technology doesn't solve solve problems. It's the people who set it up the right way that truly solve problems.
Barinder:Somebody can plug in a firewall and sell it to you for $2,000 and and not configure it correctly, and it's useless. You might as well leave your doors open. You have to actually lock the doors and know how to make it go.
Bryan:How many times I've seen that happen? Unreal.
Barinder:At least 25% of the times, I go into, an IT discovery on a new client. The backups that they pay for aren't working. Oh, yeah. It's unbelievable.
Justin:Yep. Scary.
Mario:One thing I do wanna add into the firewall too is the good ones will come with a subscription, either monthly or annually. So if you bought your firewall 5 years ago and you haven't paid anything else to it, either it's not a good one or you're not it's not up to date, which means Either
Justin:way, you're not protected.
Mario:Yeah. You're not protected. It's not it doesn't have the latest software on it because that has to be updated regularly as well.
Barinder:Yeah. A 100% agree. In fact, there's cases where routers and or, and some firewalls are out of date, unpatched, and then they're used by the malicious actors to conduct other further malicious activity you hijacking your devices. So you have to keep them up to date.
Justin:I've got a funny story. I'm afraid I shouldn't say, but I'm going to. At a client that, just kinda quit paying bills that we weren't getting, weren't getting approved for stuff, and we had a firewall go out of out of certain, like out of date. The, god bless on the, the US government went ahead and wrote them an email saying, hey, your firewall's out of date and you're unprotected. So God bless the USA.
Justin:The, uncle Sam's watching your stuff too, and he may reach out if you're not, properly protecting things. That was a fun conversation. Okay. So this is this is a firewalls designed to protect you while you're in your office and your building. What happens when I take my laptop and I walk outside, down to the coffee shop?
Barinder:Perfect segue. This is where the modern, workplace revolution has happened, where we work from home, work from coffee shops, work from airplanes, and all sorts of places. Some places may be secure. Some places may not be secure. Again, like Mario said earlier, we have to approach security and IT from a zero trust standpoint.
Barinder:That Starbucks WiFi, it would be of minimal expertise level. 1 of my techs can show up with a backpack full of gear and generate a signal for WiFi that looks and feels and works like Starbucks, or pick your favorite coffee shop, and sit outside, the space, and you connect to that, WiFi, and all of a sudden, your data is traveling through that malicious person's backpack. And they can snoop on everything you're doing, that's going out to the Internet and be able to hijack your data. We don't want that to happen. And so when you're outside of your your office, there's some fundamentals.
Barinder:One of the easy items to add and very inexpensive is managed DNS. DNS is how your computer understands what google.com or microsoft.com or whatever banking website.com you have. That's how it gets translated from an IP address, which we can't remember because human beings aren't meant to read IP addresses. We remember words and letters.
Barinder:So when you go to the website, it gets translated to an IP. Instead of it being hijacked, doing managed DNS will ensure, that your traffic is encrypted and can't be snooped upon. And you're actually getting back the right result to your computer is fundamental. That's easy to add, and I would highly recommend it. And any good managed DNS platform will also allow you to do some policies around content filtering, which is you don't wanna you wanna block malicious web sites, porn, etcetera, Facebook, maybe, whatever it is that you don't want your office users to be able to do.
Barinder:There's other more advanced things you can do as well. Like say, for example, you want to watch what your work from home employees are doing. There's tools that can also do that as an add on item. So lots of different things, ways to package that. And then there's a a a more robust, more modern, integration or merger point of DNS and firewalls called SASE, A secure access service edge, essentially abstracts that networking piece away to make a super network for larger, organizations.
Barinder:And that way, your work from employee is treated the exact same as any office employee. It's just that firewall that's typically at a physical level is now abstracted away to a cloud level and everything goes through that nexus point, before it goes to the outside world. There's lots of different ways to accomplish that. But fundamentally, if you, are as a business person looking at your employees and saying, hey, do I have this technology in place or do I not? Do I it's really, you have to ask yourself, when I go home with my laptop, what can I do that it couldn't have done at the office?
Barinder:Right? And so it's a good way to ask yourself a simple question because your employees can also do that too.
Justin:So here again, safe to assume that the best way to go about that is to fire up your favorite naughty site.
Barinder:Please don't do that. A lot of these a lot of these bad sites also immediately download malicious items onto your computer and and, and it's a good way to also test whether your EDR is effective or not. So, yeah, it is a good tool.
Justin:So you missed last week, Barinder. We were talking about the dark web. Dark web. And, I it took me back to the days of Kazaa or Kazaa. I don't know how you pronounce that.
Justin:K a z a a, I believe it was. And we just got an influx of people bringing in their computers, and and they were just taint because of that application, which was kind of the early stages of the dark web. You could get all kinds of free, music among other nefarious things on on that site.
Barinder:So Was it was it like Limewire for torrenting and downloading out? Oh, yeah. That was like Limewire was right. Everything you downloaded, a third of things was viruses. Yeah.
Barinder:Absolutely. Yeah. It seemed like there when you guys
Mario:was a big one.
Justin:So I guess I I hope everybody understands. I'm not being serious. Don't go to naughty sites or bad sites or malicious sites. But it was mentioned, so I I do have to poke fun at it. But I here as a business owner, if I wanna know if I'm protected at home, I I would say a safe step is just to go ask the person who is supposed to be, who are you writing a check to?
Justin:Ask them what they have, have them verify it for you, and then maybe do a little bit of research on your own just to make sure that what they've decided is a best practice really matches, what the industry experts say. Alright. Any other final thoughts on firewalls or DNS filters? I think we've kinda hit that horse pretty good right in the head. Mario or Bryan, you have anything you wanna add there?
Barinder:No. No.
Justin:Okay. Then the next up on our list of really exciting topics today is security updates, patch management. Mario, you wanna talk about this?
Mario:Yes. So, pretty much what you, you know, wanna do is make sure your computer and all your programs are up to date. You know, a lot of times, a lot of companies will rely on, like, Microsoft to update, you know, Windows. But a lot of times, it fails. I'm sure we've all seen it just fail.
Mario:Also, a lot of times, your computer won't update until it actually reboots. Like, it will download.
Barinder:It'll start
Mario:installing, but it's gotta complete, once it's rebooted. We've seen we've seen computers not rebooted in, like, months. And it just, like you know, we we told them, like, listen. You know, if we if we take you on, we're gonna be rebooting your computer, you know, every couple days, you know, if if it's needs an update. And it it you know, so you gotta keep up with it.
Mario:You know? Come you know, software like Windows like Windows 7, Windows 8, these are end of life, so they're no longer receiving those updates. And as of October of 2025 Yeah.
Justin:Windows 10. Windows
Mario:Windows 10 will be out of, end of life. Now that, you know, Windows 11 is the is the latest one. The the problem is with Windows 11 versus previous Windows, like 7, 8, and 10, they require certain things to be in place for you to upgrade. You know, you have to have, like, an SSD hard drive, you know, certain level you know, you have to be a certain processor or higher for you to install Windows 11. So come next year, exactly 1 year from now, you will not be able to stay on Windows 10 because, you know, the Microsoft will not be releasing updates, Security, companies like, you know, EDRs and stuff like that will not be supporting it, shortly after that.
Mario:So you need to keep up with this stuff. And in addition, there's third party, software that you need to make sure, you update. Because prior to what we call, you know, patch management, you know, those little pop ups you would get on the very bottom of your screen that says, like, Java needs to be updated or Adobe needs to be updated. Click here to update. I don't think I've ever seen anybody actually update them.
Mario:So you need to have, like, a, you know, an IT company or somebody to to manually make sure not manually. Automatically make sure that they are updated and that they were updated correctly, because nobody you can't rely on your employees to actually update it. You don't want, you know, your IT person to have to come to your office once a week or once a month to hop on each computer to update it. So it's very important because now as far as security, for this stuff, if it's not up to date, that's how hackers are leveraging the issue. You know, a lot of times, they will release security updates because it's addressing a security that it discovered, so it's fixing it.
Mario:Now if you don't fix it, that's what the hackers are using to leverage your network. They they're relying on people not having up to date software or old programs or old operating systems that are not fixed, that they're that's when they're able to leverage that, vulnerability and, you know, do their damage.
Justin:And and I'm a, again, a regular old Joe Schmo business owner, Mario, and and pretty much what you just said made me go to sleep. No. And listen, I I'm I'm joking. I poke fun here's why I say that. I that sounded like I'm attacking you when I'm not.
Justin:I get this feedback because my girlfriend goes back and listens to these, and she's like, Jesus Christ, Justin. That shit was boring. And and I'm like, okay. I'll try to figure out how to liven it up. But how do I how do I, as a business owner who has no idea what you just said, how do I know that my computer's up to date?
Justin:You click on my
Mario:Click on start, on the bottom and just type in update. And the Windows update is gonna come up. And if it says, oh, you need to update, you know, and the update is lot more than, like, 2, 3 days old, then you you know, then you have a problem.
Justin:And and you know that and because I actually just did that as you suggested, and it says Windows update. You're up to date with a green check mark, and it says last checked today at 6:39 AM. So that was 4 hours ago, 5 hours ago my time. So, I guess I'm safe.
Mario:Your IT is on on spot on this. They're doing a good job.
Justin:I'll have to let them know.
Bryan:Check mark too.
Justin:I I'll throw out there also, you you should be getting or at least have the option to get reports, from whoever is responsible for these updates. They should be able to run reports for you to show you that, that everything's up to date or what percentage of your computers are up to date. So And
Mario:if they haven't talked to you about Windows 11, if you're on Windows 10 and they haven't started talking to you about Windows 11, you know, you maybe you wanna start the conversation or
Justin:Yep.
Mario:You know, because what's gonna also happen is come another 6 months, 8 months from now when a lot of these computers are not going to be able to take Windows 11, you know, and you have to go and purchase a bunch of new computers because it's you know, you can't upgrade. Well, guess what? Now everybody's scrambling to buy a bunch of computers so the price is gonna go higher.
Barinder:True.
Mario:And and, also, you're you know, if you have an office of 20 computers that, you know, then all of a sudden, you have to shell out the, you know, money for 20 new computers at a higher price.
Justin:So let's take that and kind of pivot into hardware asset management. And I think, Barinder, you had some thoughts on this one. Because if if I'm, again, thinking as a business owner, I know what my computer is. But if I've got a 100 computers in my company, I don't know how many of them need to be upgraded. Right?
Justin:I'd and and you were talking all kinds about hardware this and hard drives that and, like, I have no idea. Barinder, could you help me out? It's like I am lost.
Barinder:Yeah. Yeah. So when it comes to cybersecurity, the very first item, is identify. I the the 5 the 5 key pillars are identify, protect, detect, respond, and recover. And I if you don't know what you have, you have to identify it.
Barinder:You can't protect it. It it is, whether it's user accounts or your computers. And in computers, and I just use the word computer because mostly we're thinking about computers. But it's not just computers. That's all your hardware assets, your network, your your your computers, your laptops, your mobile phones, your CNC machines, your printers, your IoT devices, your security cameras.
Barinder:You have to have a full list of everything that is on your network. And so every business owner needs to have, at the very least, a list, that's real and available in real time with their computers and mobile phones because they have access to more sensitive data. But then with short notice, your IT department or your managed service provider should be able to provide you a list of those secondary items like your printers, your tablets, your maybe not top tablets should be on the first list, but, your other second tier items, your printers, your network gear, your wireless APs be able to put that together for you and get to you quickly. The very first list, the one with computers, should have your updates on it. It should have your hardware information on it and be able to present it to you, basically, within an hour or 2 of when you ask for it.
Barinder:If they can't do that, they're trying to assemble that data for you, and they don't have clear visibility. That's and it's a good test to do with your IT service provider. Be like, hey, Can you send me again my current, asset list? And and I need it in 2 hours. And let's see what they come back with.
Barinder:It gives them 10 minutes to check their email and and get back an answer. Let's see what happens. And if you don't know what you have, you can't protect it. We all often, get asked about mobile devices. But, hey.
Barinder:Do I really need to protect mobile devices? Well, it depends on the organization. If you allow your employees to access your cloud data, their email from their phone, then you have to do the risk assessment. And I would say yes. It give if they access important company data, something you want to protect, you would protect it on a computer, then you should probably be protected on the mobile phone.
Barinder:That means you might be supplying phones or or, enforcing some sort of policy around it. But mobile device management is critical, often overlooked, but mobile phones are essentially the small little computers in your pocket have access to all the same data that you would otherwise, then we don't want to let that be a a point of vulnerability.
Justin:And really, we need to tie back into, patching and updates. You know, the a lot a lot of times we download these apps. Half of them are free, which by the way means you are the product. You're being sold. Yeah.
Justin:But then if we don't update those, we we've added vulnerabilities there as well. So Yeah. I mean, this gets complicated fast, guys. This is why, I I'll say frequently, this is not a DIY topic. And the purpose of today, I'm gonna remind everybody, is not to to give you the tools to do this yourself, but it is to give you enough information that you can make sure you are getting what you paid for.
Justin:Right? Yeah. Anybody else on asset management or MDM?
Barinder:I would just comment that outside of security, you want to do very good hardware asset management for your budgetary reasons. Your finance department will love your IT team if they can give you a life cycle. If you got, let's say, a round number a 100 computers in your office and you're on a 4 year replacement cycle where you replace 25% a year or you do all a 100 once every 4 years because you lease them, great. But you want to have that budgetary, value to your hardware life cycle management as well.
Justin:And and we're going to talk about policies and procedures later, but I would say that for proper asset management, you really need a good handle on your, in your HR process for how you're allocating hardware and how you're recovering it when somebody leaves the company. Because that is a problem I've run into with some clients where they don't have a good handle on where their equipment is, and then they come to me and say, hey, Justin. Where is this laptop? I'm like, I don't know. It last checked in in North Dakota.
Justin:Does that help? You know? I was like, well, we fired a person a week ago, and we didn't get the computer back from them. Like, okay. What what what would you like me to do?
Justin:I can't go to North Dakota and get that for you. You probably should've got that back when you fired them. Yeah. So I mean, there
Barinder:I think there's a new TV show here for you, Justin, where you're like the bounty hunter but for computers.
Justin:And I mean, I'm I I'm kind of countering. I I agree with what you said. Yes. I can run a report quickly, of knowing what computers I manage for a client. But then we have shadow IT.
Justin:We have bad policies and procedures. We have, I don't know if they call it shrinkage like they do in the in the retail industry, but stuff disappears and also stuff shows up on networks that you don't know about. That can get super tricky and there needs to be a process around that as well. Absolutely. Okay.
Justin:Let's go. We're we're getting close guys. We're getting close. And I by the way, if you need to take a break and sharpen your pencil because I know you've taken a lot of notes, go ahead and do that now. We're going to move into encryption and then passwords.
Justin:We have a whole episode on passwords, so I'm not gonna spend a lot of time there, but I would like to take a second and talk about encryption. Hardware encryption is I mean, basically, it's it's if I pulled the hard drive out of your computer and tried to, you know, throw it in another device or what we call a toaster, you know, it's a a device that reads the information on your hard drive. If it's encrypted, I can't get anything off of it. If it's not encrypted, I don't need your password. I don't need anything.
Justin:I can go in there and I can find the files and I can access them. So a best practice, especially in regulated industries like HIPAA for example, if you have patient data on a laptop that walks out of your office, that better be encrypted. That that's super important. And, you know, we might even add destruction of hard drives into this. We were talking about it before we jumped on the show, but that information also needs to be properly destroyed.
Justin:I would, I would argue that pretty much everything should be encrypted, whether that's your, your phones, you can encrypt those, you can encrypt, servers, you can encrypt workstations, but at a bare minimum, we need to encrypt mobile devices that contain, either industry secrets, you know, or some sort of PII, personally identifiable information for your clients, regardless of what interest, industry you're in. And and I see some some notes flying in on the background here. I don't know who's typing those. Go ahead and and jump in. Talk about, backups and portable media.
Justin:Is that you, Brian?
Bryan:Yeah. It was me. Just, a lot of folks do backups the old fashioned way where they're backing up to, like, a portable hard drive, and then they take that portable hard drive off-site. I'm still an advocate of of doing it, automatically through the Internet through encrypted channels. But if you're one of those people who like to have physical backups of your stuff on a portable hard drive, it should be encrypted.
Bryan:Absolutely 100%. You should not be walking out with unencrypted data, and most basic backup systems don't always encrypt by default. So you want to use a backup solution that has the ability to encrypt the data so it's unreadable to anybody without the encryption keys.
Mario:Yeah. Can I can I throw in a disclaimer? Like Yeah. Sure. You you're gonna need to keep that decryption key or password, you know, easily accessible.
Mario:Because if you can't find it or if you forgot that password
Bryan:get it. Yeah.
Mario:You can't get it. You know, like, it's it's otherwise, we would have been able to stop the hackers from encrypting it, you know, encrypting your data. It's still very similar technology. You need to make sure you your IT people like, we have a system that will automatically pull the keys, you know, from from there if we've encrypted something. You know?
Mario:So you need to make sure because we've gotten so many calls, like, oh, why? You know, my, my brother-in-law encrypted my laptop and I can't get into it.
Justin:Yeah. Yo. This is again, I'm gonna point out while we're giving you, the business owner, enough information to make sure that you are protected, this is not DIY. If the wrong person encrypts your your, computer, you effectively have a ransomware attack because that's exactly what they do is they encrypt and they don't give you the key. If you don't have that key, you're in a lot of hot waters.
Justin:So, make sure it's done. Make sure it's done right and make sure that, this is not done DIY.
Barinder:It's I've talked to IT department, and they're like, oh, we don't like BitLocker. And I'm like, why don't you like BitLocker? Because that's our default every client, every organization, every computer, unless there's an exception to be made for some reason. And I can't think of one off top of my head. They're encrypted, and that's a standard we enforce.
Barinder:And, and it's there's no additional cost to it. It just needs to be done and managed. And they're like, it probably had an issue or 2. They're like, oh, we hate BitLocker. We don't do it.
Barinder:It's lack of knowledge. And it's an IT department telling me this as and, and I was like, we manage thousands of devices in the field. There's no issue with BitLocker. That's a that's a person problem, not a technology problem. And and there and the thing is people don't invest the time in, into the right training, the right understanding of how the technology works, and the process to ensure there's consistent saving of the the keys, those encryption keys into a third party solution that's you don't need your computers to be able to access.
Barinder:Because once your computers are encrypted, if that's where you're saving your encryption keys, that's an Excel file or something, that's a bad that's a bad place to put it.
Justin:That's like writing down the combination to your safe and throwing it inside and closing the door. I do. Guys, we're we're short on time, so I'm gonna try to accelerate this. The next topic is passwords. And really, I'm just gonna point everybody back to episode 13, where we spent way too much time talking about passwords.
Justin:Our our least downloaded episode ever. I don't know if that's still true, but I like to say it.
Barinder:It'll quickly go to becoming the most downloaded episode after the
Justin:It's like, hey, I keep promoting it. But you know what what needs to be taken into account? What I will say about passwords is we think about it a lot with websites, with our computers, with our phones. But do we think about it on our copy machines, which by the way store very personal information, very critical information on on the hard drives? Do we think about that with our firewalls, with our routers that somebody set up for us?
Justin:A, do we know what those passwords are, and have, you know and b, do we make sure that they're not just the one I can hit up
Bryan:the default?
Justin:Yeah. I'd say, hey, Google. What's a default username and password for this model and this make of a and it's like, here you go, Justin. And it works.
Bryan:Security cameras?
Justin:Yeah. Yeah. Yeah. So all devices, switches, firewalls, cameras, all devices, this whole IoT, Internet of Things, got it makes this really hard to do, but but that all needs to be taken into account. Okay.
Justin:We're gonna close this. We're gonna bring it home with application whitelisting. And Mario, I'm gonna I'm gonna turn this over to you. But again, we, we're we're pretty short on time, so keep it high level. Keep it business owner appropriate, and then we're gonna kinda wrap up for this week and, start all over again next week with a different topic.
Justin:Mario, go.
Mario:So application whitelisting is another layer of security. It's, something that that gets installed on your computers and your servers that prevent users from installing any type of software that is not previously approved, or they can request approval for it, no matter what it is, no matter if it's malicious or or not. It will have to be approved by your IT department. You know, something as simple as, like, Spotify or even Google Chrome extensions that have been known to be malicious, will not get approved without, your IT department being notified, checking to see if it's safe, then they can approve it. This also helps with hackers because when hackers hop onto a computer, what the first thing they're doing is they're downloading something that can let them either download more tools or upload their data.
Mario:The application whitelisting creates, like, a barrier or a ring fence around all the programs that prevent things from going in and out that wasn't previously approved.
Justin:Yeah. And this is one of those things that's a giant pain in the ass. But I've said before and I'll say it again, if security isn't a pain in your ass, it's not being done right. Even, not just for the end user, like, my technicians hate this too, the application whitelisting. I got a lot of pushback when we first tried to introduce that.
Justin:So, definitely can be a pain. We have I'm gonna add real quickly that we have touched on Shadow IT that we could probably do a whole, episode on. In fact, I think we did, if I remember right. But in part of protecting your technology is finding all of these devices and applications that get installed without our knowledge, and we need a process around finding that. So, I'm gonna talk quickly about maturity levels, because what we're talking about today, these are the basics.
Justin:You can go deep with a lot of this stuff. I would argue that application whitelisting is probably a a maturity level 2 or 3, where most of what we're talking about is level 1. But one of the things that we do, and you guys, will kinda sign off with this as a as a final thought, is where do you start your clients off, and then how do you progress them, and how do you decide how far to progress them? So, like, my system is set up with maturity levels 1 through 4. Obviously, I start with level 1, and then it becomes a conversation of how far do you wanna go, and, you know, what's the budget look like and, you know, what are the trade offs?
Justin:So, I'll I'll I'm gonna give each of you a few minutes to do that. Final thoughts, key takeaways, and then we're gonna wrap up. And we'll go Brian, Barinder, Mario. Brian, go ahead. What are your thoughts on that?
Bryan:Okay. So how deep do you go? I'd say, you know, from my perspective, I've I've said it once before and I'll say it again. I believe cybersecurity is a journey. If we if we talk to a prospect and they just don't have the budget to do everything we would want them to do, If they could at least start implementing some of the precautions that we're talking about, it goes a long way towards showing that they've got the good intentions.
Bryan:And I think when we talk to, an insurance person a couple of weeks ago, or a couple of months ago or whatever the case may be is, you know, if if you've shown an effort to make changes, you're going to be held less liable than somebody who completely out out out just said, no. You know what? I'm not interested. I don't have the budget at all for it. Do what you can.
Bryan:Implement what you can. There are basics, but, you know, even if you can't afford all of them, at least start implementing the things that are that are key, as soon as you can. And again, treat it as a journey, and that's the way I look at it.
Justin:Alright. I love it. Barinder?
Barinder:Yeah. Just to agree with everything Brian said. Just to add, I would say, yeah, it's it's a journey. When we're starting, there are some fundamentals that absolutely everyone should do. There's, like, 10 items.
Barinder:Like, MFA is one of them. If you don't have MFA, you do not care about cybersecurity, then we can't even have a conversation. Yep. But, once you take care of the fundamentals, then you have to assess the risk. What is really key to the business that could take it down from a operational perspective or liability perspective?
Barinder:You don't want lawsuits, and you don't want downtime for your team or your sales. And and so those are the two ways we discuss, cybersecurity road mapping with a client. And if, somebody want I love your framing around IT maturity levels, 1, 2, 3, 4. If somebody wants just a cheat sheet, you can just jump ahead. We'll talk about compliance later episode.
Barinder:But we go to CIS controls, and they already have an IG 1, IG 2, IG 3. If some if an IT department can wants to jump ahead, go take a look at that. Very easy to read from as far as the compliance mechanism goes, and and you can jump ahead. But, yes, take care of the fundamentals. They're mandatory, patching, and all the things we discussed, and then, and then do a risk assessment.
Justin:Okay. Mario, final thoughts, key takeaways, and thoughts on maturity levels.
Mario:Yeah. I I I agree with, what Brian and Barinder said. You know, you you have to start with certain little things like, you know, free stuff like MFA, you know. But what I've said in the past is, like, the first level, the first thing that has to be done to protect you and your employees is education. You have to make sure your employees are properly educated just like you would educate them with their day to day work for programs and stuff like that.
Mario:They have to be educated on what you're you know, what they're supposed to do from a cybersecurity standpoint. You know? They they need to know that there's a certain standard, to work for you that they have to do, you know, no matter if they think it's convenient or not or a pain in the ass or not. They it starts with the employees. If you if your employees are educated, you've you've you're already, you know, much further away than other people other companies.
Justin:And you should have started with spoiler alert spoiler alert because that's episode or or session 3 in our series. We're gonna talk about next week where we're gonna talk about how we properly protect our data, and then the week after that, we'll be protecting our people, which is where MFA and education and culture and all that falls in. So, guys, I hope you have loved episode or sorry. Session 1 in our 4 part series for cybersecurity awareness month. We have talked about how to protect your data.
Justin:I'm sorry. Goddamn fucking everything. This is how to protect your technology. I'm getting ahead of myself. Next week, we will talk about how to protect your data, and then we'll, we'll protect our people.
Justin:And honestly, I think that's really where the rubber hit the hits the road is that third one. Stay tuned for all episodes. The the the last one of the week or the month is gonna be, I I can already tell you it's gonna be my favorite. So Yeah. Brian, Barinder, or Mario, thank you so much for being here this week, and we are going to sign off.
Justin:We'll see everybody next time. Take care, guys.
Mario:Bye, guys. Ciao.