33. The Formula - Part 3: Protect Your People

Justin:

Welcome everybody to episode 33 of unhacked. You know, I say it over and over, but unhacked is a deliberate misnomer because the truth is, Brian, we can sit here and we can talk about this week after week. We but if you get attacked, if bad things happen to you, getting unhacked is virtually impossible. You're not going to get back to where you were, so we definitely wanna spend all of our time, energy, attention, and focus on preventing this stuff from ever happening. You know, we have our formula that we talk about.

Justin:

We're gonna protect your technology, protect your data, protect your people, and then we're gonna wrap that up with a a good cybersecurity insurance policy and also policies and procedures. And while we talk about that week after week, we did make, some special effort on this, the bump of cybersecurity awareness to really break these down in detail. We've already done protecting your technology. We've talked about protecting your data. By the way, that one was boring as hell.

Justin:

We might have to go back and redo that one someday. Well, listen, people, if they're gonna listen to us, we gotta at least not, make him go to sleep. Or or play this at night when you're trying to go to sleep, and you're welcome. Anyways, final one is protect your people. I'm

Bryan:

not security. Yeah. I was gonna say, cybersecurity ASMR.

Justin:

That's right. Get your best sleep by Brian and Justin. Today, we're gonna talk about protecting your people. So quick introductions. I am Justin Shelly, CEO of Phoenix IT Advisors.

Justin:

We work with businesses in the Dallas Metro as well as out west in Northern Nevada, Utah, and Idaho. And I am here with my good friend, Brian. Brian, we've been friends now for a decade. We're we're right at a decade. Great great to have, you know, to have this relationship, this friendship, professional relationship, and now co hosting the best podcast on the planet regarding cybersecurity.

Justin:

Brian, tell people who you are, what you do, and who you do it for.

Bryan:

Yeah. I'm Brian, Lachepaul with Deeper Networks. We're based out of Ontario, Canada, specifically the Niagara Falls area. And, but we support all of Southern Ontario with the exception of the downtown Toronto, area. We have an office in the Simcoe, area in Niagara Falls based area.

Bryan:

And what essentially, we help small businesses get rid of all the headaches that come with dealing with technology in the modern workplace.

Justin:

Alright. Alright. That's good stuff. Brian, I'm supposed to introduce 2 more. So I'm kind of you'll you'll catch me a little bit off kilter here because I'm supposed to say, Mario, go.

Justin:

Mario, it's your turn. You're up. Berendor, you said you promised. You swore that you were gonna be here all the month of October. In fact, this whole thing was your idea.

Justin:

And, Berendor, you're not here. Yeah. Anyways, whatever. So, luckily, the 2 best looking smartest of the group are here. They'll never know that I said that about them.

Justin:

Please don't tell them. We're going to talk about protecting our people. So, guys, our loyal listening audience, grab a pencil, grab a piece of paper, and let's get started. By the way, Brian, did you know that there is a psychological impact to tell telling people to get a pencil and paper versus a pen and paper?

Bryan:

No. I didn't know that.

Justin:

Fun fact of the day. Google it. Don't take my word for it. So, Brian, we're gonna talk about, well, actually, let's let's talk about the most common ways that organizations get attacked. I'm trying to use the right words.

Justin:

Thank you.

Bryan:

Yeah.

Justin:

Robert. Right, Robert? Anyways, we we've got a friend. Yeah. That's another story.

Justin:

We're gonna talk more about that next week. But, using the right words, if we get attacked, what are the 2 most common ways and and do it like Jay Leno style? Was it Jay Leno that did the top 10? No. No.

Justin:

It was the guy before him who's David Letterman. Right?

Bryan:

Yeah.

Justin:

Yeah. Anyways, so we're gonna start with number 2 is what? What's the second most common way

Bryan:

to get breached? Attacked? Well, typically passwords, losing passwords, compromised passwords, okay. Weak passwords, all passwords, and we're not gonna get into that one because we have a whole episode on that and it was horrible. But passwords

Justin:

are important. Second, second most common way to get attacked. Now number 1, and this, I'll be honest, when I when I'm in front of a room of people and I say, hey, what's the the most common way people get hacked? Never hear this answer. So what is it, Brian?

Bryan:

It's spoiler alert. It's you. It's you. Well, not you specifically, but our our audience. Listen.

Bryan:

We could put bars on the windows. We can put, you know, security guards at the doors. We could put alarm systems all over the place. But if somebody, you know, props open the back door with a brick, you can't fix that. Right?

Bryan:

So, our human element is where we're gonna fail. So people are our biggest, weakness.

Justin:

Are you, are you a Swifty, Brian, by chance?

Bryan:

Do I like Taylor Swift? Yeah. That's what you're asking. I mean, even the fact that you knew what I

Justin:

meant, you're a part

Bryan:

of your music.

Justin:

Just be sure. Okay. So do you know the song? It's high.

Bryan:

Yeah. I know the song.

Justin:

I'm the problem. I'm the problem. Yeah.

Bryan:

Yeah.

Justin:

Okay. Brian, it's us. Goddamn it. We are the problem. We are the problem.

Justin:

Yeah. Are you familiar with Mark Goodman?

Bryan:

Oh, geez. Yes. He was on he was on stage at Robin 1 one year. Correct. And blew my mind the things he was talking about.

Justin:

Did you Incredible. Did you read his book, Future Crimes?

Bryan:

I read part of his book, Future Crimes. As you can see from the back of here, I have tons of books and and some hidden, and I I get through most of them.

Justin:

Okay.

Bryan:

But not always.

Justin:

I will confess. I did the audio version of this, but it was a wake up call to say the least. Out of that I have it I have it here. This book, oh, Future Crimes. I got a sticky note on the front with key information.

Justin:

This book, audience who is dying to know, is 498 pages long, it looks like. Not a short book is my point. Right. I did read the whole thing, or listened to it, and this is my key takeaway in one concise thought. In in the book, Future Crimes, Mark Goodman said, if you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.

Justin:

Cybersecurity is a people problem, not just a technical one. Would you agree with that?

Bryan:

100%. Cybersecurity is a shared model. Both we as the providers have to put in certain things in place, but the customer and their employees and the people that are using the technology also have to be vigilant about it. It's it's I'll give you an example everybody can probably work with. Safety in a workplace is a shared model. You know, as as an employer, we have to put in certain safety things in.

Bryan:

But if the employee does something they're not supposed to do, i.e. climb a ladder that they're not trained to climb or do something they're not supposed to do or put their fingers where they're not they ought not to be. Doesn't matter what your policies say, doesn't matter what systems you put in place, they'll get their arm chopped off or they'll fall down or hurt themselves because they are not doing what they're supposed to be doing. So it's a shared model.

Justin:

Right. I mean, another analogy. If you think about, you've got your office building, and let's assume we're not all work from home. We've got the return to work, whatever that's called that people are so outraged about. We're back in the office, and and you've got an employee who consistently is responsible for locking the door on the way out, and they don't.

Justin:

And they leave it open, and they leave the lights on, and they roll out the welcome mat every single day. A, eventually you're gonna get broken into. But, b, if you know this is happening, you cannot let that employee keep doing that. You either have to fix it or you gotta get rid of them. Right.

Justin:

So this is this is a big problem. It's the number one way companies get attacked, and it's what we're gonna tackle today. So if we are the problem, Brian, what would you say is the solution to this people problem?

Bryan:

Well, there's multiple solutions. Okay. 1 is, again, providing the proper tools. We're gonna cover off with a little bit more what that looks like in a bit. Education.

Bryan:

Right? Teaching people what they ought to do and not ought to do, and we'll get to that. Policies and procedure. And, of course, the last one, probably the most important one, all about culture. Right?

Bryan:

It's gotta be about culture. It's, you know, having a culture of

Justin:

Yeah.

Bryan:

Cybersecurity mindset, and and growth mindset.

Justin:

Culture is easily my favorite topic and where we are fighting organized crime rings, sometimes state sponsored. I I firmly believe that this is the only way we will win the battle is true of Granger. We have to do all this other stuff, but if that's where we stop, we're not gonna win. We're we're gonna I mean, it's So

Bryan:

and and from the top down, you guys, like, people think to themselves, like, oh, I'm too small, I'll never get hacked or, you know, it will never happen to us, then nobody else in the organization will take it seriously. So it has to start at the top and work its way down and or or left to right or however your organizational chart looks, and it has to be embedded within your culture that this is something that's important to the entire organization.

Justin:

Now before we get too far into culture, spoiler alert, spoiler alert, We're we're we're gonna okay. So we're gonna hit each one of these in detail. And I'm gonna go out of order because I wanna start with the most god awful boring thing that nobody wants to talk about. Policies and procedures.

Bryan:

We're gonna get it out of the way so that we can move on with the fun stuff. Right?

Justin:

Yeah. And honestly, in in putting together the outline, I'm like, Jesus Christ, how do I make this episode not suck? How do I not make this the worst worse than passwords for fuck's sake? Yeah. Because if we just don't hear What's that?

Bryan:

Why don't we just rapid fire popcorn all of the policies they should have and just move on?

Justin:

I I I think that's exactly what we're gonna do because, I could not think of a way that we could dissect these policies. And number 1 in a way that's entertaining because we are trying to at least, somewhat entertain people and not put them to sleep. But also, these are complex problems and and there's a lot of policies that we need to have. And while I can spit out a a template for each one of these and I used to do it. I had this traveling seminar that I would do and I and I I spent a lot of money.

Justin:

I had these really nice binders and I would print out all these policies and I would even do a you know, go into Word and do a find and replace and put their company name in and everything. Here you go. These are your policies and procedures. I give them the book. Right.

Justin:

And my point was I didn't wanna throw something away. I thought this book was neat nice enough that they wouldn't throw it away. But, Brian, do you think they sat there and read through those policies?

Bryan:

Even if they read through them, which I would hazard a guess they did not. No. They didn't. If they did, just reading through them isn't good enough. It has to be actioned.

Bryan:

It has to be provided to the staff. It has to be walked through. It has to be enforced at the end

Justin:

of the day. Way ahead of me because really first, we gotta make sure that these things even apply to us.

Bryan:

Well, there you go, Hans.

Justin:

Right? Because let's let's just take okay. So I'm gonna read them. I'm gonna ask you where you would wanna start. And I think I'm gonna get ahead of you because I I think we're gonna both include acceptable use policy.

Justin:

And I do wanna talk a little bit about acceptable use. So, alright. So these are this this is the list of templates that I have available that I I give out to my clients if they want. Computer use policy, acceptable use policy, those are similar. Privacy in the workplace, employee monitoring, by the way, it is not assumed.

Justin:

There is no level of privacy assumed in the workplace

Bryan:

Right.

Justin:

Legally. However, sometimes you still have to put it in writing and there there's so many laws around this stuff. Clean desk policy, remote work policy, anti spam policy, email policy, technology assignment policy, social media policy, telecommuting policy, telework policy, cybersecurity policy, security policy. What's the difference? Oh, there is a difference.

Justin:

Security response plan. Jesus Christ. Data security policy, data retention and destruction policy, asset management policy, bring your own device policy, website privacy policy, webs I I I can't I'm stumbling on my words. I can't even say all this stuff. So, I mean, listen.

Justin:

There's a long list. And to anybody in the listening audience that wants every one of these, shoot me a message. I will print them out. I'll give them to you. I'll give you electronic copies.

Justin:

You can also probably Google this stuff and find it. Now and I hear as I as I listed these off and now I'm rattling them off verbally, all I can hear is Brian in the back of my head saying cybersecurity is a journey. You gotta start somewhere and then you make 1% improvements every day. Did I did I quote you properly? I didn't do a good job of doing your voice.

Justin:

I'm not impersonating here but but I'm close, right? So Brian, you're sitting down in front of one of your clients and you're like, hey, mister client, We gotta up our game here on policies for legal reasons for all the things we're gonna talk about today. Where do you have them start? Because if I'm your client and you give me this list, I'm giving you the bird. I'm getting up and walking out, and I'm going back to stuff that I understand.

Bryan:

Yeah. So So the the the very first the the place where I would start, if it were me, would be an acceptable use policy specifically surrounding what they can use as techno. Not not talking about how I mean, in the policy will be how they use technology, but I'm talking about specifically what technology they're allowed to use.

Justin:

Okay. I

Bryan:

you know, we're using file sharing an example. Well, we're gonna we're gonna standardize on OneDrive. If if if they try to use Dropbox, that would be against the company policy because essentially, what ends up happening is it's called shadow IT. We don't want people spinning up their own applications that are outside of what's supported and what's monitored and what's secure with other things. Right?

Bryan:

So that would be my first step, and then follow that up with a good good old fashioned clean desk policy. You'd be amazed at how many times, that I find pictures on the Internet with, you know, people with a note notepad on their screen with the password that's on it or, you know, like, things that are, compromising for their their clients and or, employees that are just sitting on desks, and they're taking photos and publishing them all over social media. So very, very important to have a clean desk.

Justin:

Well, okay. Listen. I'm gonna I'm gonna pause you there because, like, I'm glad that the camera doesn't pick up my desk because it's not clean. I mean, I've got sunglasses over here. I've got yesterday's mail piled up over here.

Justin:

I've got my water sitting here. I've got an empty Brian, I have trash on my desk. I've got an empty water bottle.

Bryan:

When I refer to clean desk, I refer to clean from a cybersecurity standpoint. Where there's nothing on my workstation that is going to compromise anything if somebody were to walk into my office. I don't care. You know, I've got I've got this on my desk. I've got, you know, like, you know, different things all over my desk.

Bryan:

I don't think anybody's gonna be overly concerned over that.

Justin:

Okay. So I'm way off track, but I have seen offices where it isn't a company policy to not have anything on your desk that you're not currently working on. When you go home, it has to be clear. Yeah. And and you know what?

Justin:

We're off track. This isn't a security issue, but I still remember that. And that was impressive. In contrast, when I bought a piano 25 years ago, 30 years ago, I still remember the owner of that piano company, his desk was a disaster.

Bryan:

Yeah.

Justin:

I still remember that. So alright. Then my tangent's over, but, okay. So we've got go ahead.

Bryan:

Yeah. So mine were were acceptable use policy and clean desk policy. So Justin, where would you start?

Justin:

I'm a big fan of BYOD policy. Okay. And so you've got with with bring your own device, most people, most employees, and it's it's similar, it kind of dances with shadow IT. But if people can figure out how to get their email on their phone, even if the company doesn't specifically encourage it or promote it, they still can do it. And now we have potential data leak problems.

Justin:

Right? So we have to figure out what we want people to what what devices that we want them to use and how they're gonna use them and how we're going to protect that data once it hits their phone. Because if I've got an employee, let's say I've got a part timer. They use their own phone because I'm too cheap to give them a laptop or or whatever else. They so they put it on their laptop, their phone, and then they quit or I fire them.

Justin:

Do I have the right to go in and erase their device or or at least my stuff off of their device? These these are just things that we need to talk about ahead of time. Right. And then along with that, I think it's important if you are going to be handing out company issued equipment, there really needs to be a clear process in place for how you're going to get that equipment back at the end of their employment, because you can run into legal issues there. And, you know, can you withhold pay if they don't return the device?

Justin:

Well, some people can, some people cannot. Right. You know, what what can you really do if somebody doesn't return a laptop? Well, you can sue them. Good luck.

Justin:

A lawsuit costs, you know, $20,000 if you're gonna hire a attorney. It's just not gonna happen. You're basically donating that equipment. So, and it does also play into security where we, you know, they're depending on which set of controls we're adhering to, we have to have a a good asset list. You know, what assets do we own?

Justin:

Where do they live? What data's on them and stuff like that? So those I I mean, I agree with you a 100%. Acceptable use, I think, is probably the number one place to start, and then I would bring devices into it shortly thereafter. There.

Justin:

And and then it just becomes a game of, you know, going through this list and picking the ones that are more important to, you know, that that tie into your company's, your culture, your goals, your your mindset, and and whatever else. So Yeah. Any other thoughts on policies and procedures?

Bryan:

Well, I do like the the the concept of a journey now I'll in this particular context because, when you're building out your policies, you can get all of these all at once. But the the key part comes in with the enforcement of the policies. And if you're not consistent in the enforcement of the policies, then nobody will listen to them and they and it and it falls on deaf ears. If you try to put out 50 policies all at once or 20 policies all at once, the odds of leadership actually being able to enforce those policies are are pretty next to nothing. So, ideally, what you would do is is, you know, work on the policies.

Bryan:

If you don't have any already, work on them 1 at a time and and deliver them as you develop them. And that way, you can train your leadership team on how to enforce each policy as they come out. And within a, couple of months, maybe 3, 4 months, you should be able to have the majority of the policies in place.

Justin:

And, we're we're going to I I actually wanna bring policies back in as we go through education and culture because one of the biggest problems I see with policies and procedures, and and let's throw employee handbook in there, which isn't even on this list because it doesn't, you know, not directly tied to, cybersecurity, but it kind of encompasses all of these. Right? And so you you hire a new person and you go put them in this, you put them in isolated confinement or whatever, solitary confinement. I mean, I mean, you put them in a break room by themselves.

Bryan:

Download them now.

Justin:

And you stack this great big book, you know, the stack of documents in front of them or you do it online or whatever. But you basically give them some number of hours to go through everything. Go through, read it, understand it, sign off that you understand it, sign off that you're going to comply with everything in here for the rest of your existence at our organization. And then we're gonna walk away, and we're gonna train you on how to do your job, and then we're never gonna talk about this again. That is how I see them used.

Bryan:

Yeah. And we we learn we remember very little of what we read. And so that's again where the journey comes in as you can then turn around and maybe once a week, once a once a once a day, have, like, download a new nugget of information to remind people, like, you know, here's a little bit of, of what, you know, our policies are here and there. And, like, I'll I'll give you an example. During our huddles in the morning, every every day of the week, we have a 10, 15 minute huddle.

Bryan:

And in there, we're we're delivering some some little training tidbits. Now they're not always associated with policies, but usually it's, you know, how can we be 1% better? How can we live our, you know, greatest of all time, getting becoming the greatest of all time for ourselves, journey, and, and and or, like, tips and tricks on how how to productivity hacks and things like that. If we were trying to do all that at once, nobody's gonna remember them.

Justin:

But Right.

Bryan:

Because we're doing delivering 1, 2 minutes a day every day, it's highly likely somebody will pick up on a couple things and then implement those.

Justin:

Yep. Yep. I absolutely love love the way you're doing that. So, excuse me. Let's let's go ahead and we're gonna skip to education.

Bryan:

Okay.

Justin:

And and we're gonna talk about because it for me, it ties into policies and procedures. Now generally speaking, when we talk about education in a cybersecurity setting, what are we talking about?

Bryan:

The dreaded annual training on cybersecurity.

Justin:

We'd love that. What are you talking about? The courteous videos, the stupidest test. Yeah. Spot the phishing email.

Justin:

Oh, you messed up. You didn't check this. Fuck. Anyways, okay. So you've got the annual training.

Justin:

Is that enough? Let's say we do that. Let's say that you're in the top 1% of companies and you actually have annual training, because I don't know. I I I don't know about the 1%. Have it?

Justin:

I know.

Bryan:

Annual training.

Justin:

I know. But when you pick up a new client, how often do you find that they have a very effective annual cybersecurity awareness training program in place?

Bryan:

No. No.

Justin:

Never. Almost never. Right. No. So that's your baseline.

Justin:

That's the minimum. Usually by, by, standard, I'm I'm blanking, anyways, regulation compliance. That's what I was looking for. Annual training will be in there. Right.

Justin:

And that's usually where that stops. What's the next step? What's the because if you only do it once a year, are we really even getting any benefit about I would argue minimal minimal benefit.

Bryan:

From my point of view, you you do your annual training, and the week after you hire somebody, you've already done your annual training. Now that person's gonna be the whole year with you without having any additional training. So the next part is micro training, and that's again part of the continuous learning little little nuggets. So typically micro training is, like, 1 to 2, 3 minute video, small little quiz, once a week, and it's just a reminder and keeps people on their toes because if they're constantly hearing about it and constantly learning about the little things they can do, then they're more likely to implement those things and it's always top of mind.

Justin:

Right. One of the things and so I'm kind of jumping around here because this, this applies to culture as much as anything else. But with these micro training, depending on what platform you use, a lot of them have, a point system. Like as you go through and you do them, yeah, you get the right answers or or even you just show up, you just go through and watch the little video, your score increases.

Bryan:

Right.

Justin:

And so I I really do think that, and again, this is more of a culture than, just education, but they tie together. We we have to bring this to the front. We can't just shoot it into somebody's inbox and say we've done it.

Bryan:

Right.

Justin:

We we need a good accountability around it. And and, again, we'll we'll we'll come back to culture. So now let's move on. We've got annual training. We've got the regular micro trainings just to keep it top of mind.

Justin:

And then what else do we need to do?

Bryan:

Well, I can tell you what we do. We we I like having phishing simulation. And just for those of you who are not familiar with what phishing is essentially, you know, cyber criminals will try to, like, send an email out, try to trick you into clicking something, entering information in, visiting a site, whatever the case may. That's called phishing. And what we do is we send out our own version of that to test, and we let people know.

Bryan:

They know what's gonna happen. And and in fact, they're on the lookout for it because we let them know, hey, every month we're gonna be sending you 1, 2, or 3 phishing simulations. And because they're on the lookout for hours, they're looking out for everybody else's as well. Right? They're always on the lookout, so it keeps it top of mind.

Bryan:

So phishing simulations, and if they if they fail, if they click a link, if they accidentally give information they're not supposed to, we can then either go to the ownership of the organization or the leadership and let them know, and then perhaps offer remedial training. Or if it's a repeat offender, we'll talk about that in culture. Right. Right. Right.

Justin:

So phishing simulation is, like, really important. When when we started off, we were like, okay, what are the top two ways that attacks happen? And second one was passwords. And then the number 1, we kind of said, you know, the human element or whatever people.

Bryan:

Right.

Justin:

But this in particular is how it happens. It is some

Bryan:

So yeah. How often do you test somebody? Right? If you if you're teaching somebody how to do something on a on a little machine, and you say, like, here's how you build our widget, and then you go, okay. Now show me how you build the widget, and they they repeat it, and they show you what to do.

Bryan:

How do you do that effectively with cybersecurity training? You can. Right? Like, the only way to do it is by simulating an unknown event. Here's you know, we're sending out something that is unexpected.

Bryan:

I mean, they kinda know it's coming, but they don't know when and how and where and what capacity. And so that's the way we test. That's the way we verify that they actually have retained the information that they've been taught. Exactly.

Justin:

And and it's so critical because this is how the criminals actually they get us, right? So it I I talk a lot in my seminar series about psychology, the the psychology that the predators play on, the the criminals play on. Right? So number 1, as humans, we are wired to wanna avoid conflict. Yeah.

Justin:

And number 2, we are wired to wanna help other humans. Right? These are these are just built into us. It's in our DNA. We cannot help it.

Justin:

I mean, there are exceptions to everything. Don't wanna talk about that. But as a rule, humans do this. So phish phishing simulations, most attacks in general that are launched at humans play on those two things. Right.

Justin:

So it's like, oh, please help me help me help me whatever or it's, if you don't do this, I'm gonna you know, you're gonna get fired. You're gonna I'm I'll I'll go to your boss or whatever. And so they but they they tap into like, they hack our brain, Brian.

Bryan:

Right.

Justin:

Where they can't hack technology. They hack our goddamn brain.

Bryan:

Yeah. Have you ever seen some videos on people, like, doing social engineering which is basically where they they they call in or they they try to circumvent securities by by exploiting people? Right? You know, hey, I've I've got a baby crying in the background. You know, I I have a recording of a baby crying in the background, and I'm trying to, you know, get access to my account and, you know, oh, I'm distracted.

Bryan:

Now the baby's crying even louder, and it's, like, can you please help me? I'm really stressed out. And, you know, the person at the end of the phone is empathetic, and they're trying to help. And they're like, okay. We'll we'll forego the security, you know, questions I normally would have to ask to verify.

Bryan:

And, and we'll just we'll get you your help you need next thing you know that there was actually a cybercriminal playing, you know Yep. Acting the whole time.

Justin:

Yeah. And it it's crazy how effective it is. And so that's why I'm like annual training. That's our baseline, but that is not enough. That will not cut it.

Justin:

We are not only trying to fight cyber criminals. We're trying to fight our own damn brain wiring. Yeah. It it's almost impossible. And so we have to be super vigilant.

Justin:

The the phishing simulation in conjunction with annual training and micro training, those three pieces together, this is this is crucial. We aren't we are not gonna win the battle without that. Okay. Now, where education is concerned, I I insist on including policies and procedures and coming back to that because like I said, you you bring a new guy in and or gal, sorry, and you you slap a bunch of documents in front of them and and force them under duress to sign them because, like, what are they gonna do? Say no, and now they've gotta go back out on the job market.

Justin:

They're not doing that. So they're gonna sign it and they don't care. They just want their 1st paycheck. So if these policies are really important to us, then we have to figure out a way to build them into our culture. So do you have any thoughts on that, Brian?

Justin:

How do we take the most boring topic in the world, legal documents, and work them into our company culture?

Bryan:

Well, you can in the micro trainings, a lot of the things that could fall under your policies and procedures can fall into micro training. And if they don't fall into the provided micro training by whoever is is is supplying you that, you can loop it into, you know, some sort of, sessions where, you know, like, maybe a a a huddle in the morning, or, you know, a a like a one second, you know, sort of presentation, at the beginning of of every every meeting where you just remind people, like, one little piece of a policy just so it's constantly reinforcing and and learning. And then you just rotate between the different policies as you go through. So maybe today, I'm talking about the acceptable use policy, and it could be just a a 10 second talk. Like, don't forget, you're not allowed to use solutions and software that aren't aren't sanctioned by the company, because of this.

Bryan:

And then you just end it and then move on, you know, to the regular meeting. And the next time you have a meeting, you maybe bring out another one. Like, hey, by the way, don't, you know, hold the door open for anybody. They have to scan with their own ID badge because you don't know if the person behind you is somebody who works for the company, and so on and so forth. Whatever, you know, depending on what kind of organization you are.

Bryan:

Right? You just pick different policies throughout and just remind people as they go.

Justin:

Agreed. 100%. I think that, you know, we pat ourselves on the back, and rightly so, if we have the policy at all. Right. If we have our employees read it and sign off on it at all, like, those are good first steps.

Justin:

But now we take the initial duress of a new job, and we weave it in with exactly like you're saying. We take little short, you know, make your own video clips, or just have, maybe you create a second document that has key points. Like, here's 10 pages of acceptable use. And by the way, here are the 15 key points we want you to understand. That then could be used in, let's say, quarterly employee performance review meetings, or if you have weekly or monthly meetings within your organization, or maybe you have a social media, internal social media platform or something.

Justin:

You know, I know you guys are great at this, by the way. You've got your little video shorts. You've got TikTok videos, right, where you kind of put your company culture out there. Great. I mean, there's a lot of ways of bringing this into your culture, but it does have to be brought into your culture.

Bryan:

It does. We

Justin:

take policies and procedures, the worst topic on the planet, and now just start truly educating, gamifying, and maybe even, God forbid, entertaining people with these topics.

Bryan:

I like the idea of gamifying because that ultimately helps people remember. So you can, yeah, you can definitely gamify it, have little quizzes. The one that has the highest score on the quiz gets entered, or if they get it all right, they get entered into a draw. And then you draw, like, you know, something for, like, a free lunch or free dinner on the company or something like that.

Justin:

Yeah. I used to keep, I don't anymore, I gotta get back to this, I used to keep a stack of, like, $5, and this dates me because that meant something back then, $5 Starbucks gift cards.

Justin:

Right? And now that Right.

Bryan:

Now you can buy some coffee.

Justin:

Yeah. So you'd have to up your game, employers. Yeah. We're gonna have to pony up a few more dollars. Maybe it's a $10 card.

Justin:

Oh my god. Yes. Gift card. But, PS, $10 is really cheap when we're trying to prevent a game-ending disaster, which these cyber attacks can be. So, you know, it could be the one with the highest score gets a $100 gift card, and anybody who, you know, does the micro training gets $5, or, you know, just stuff like that.

Justin:

However you wanna do it, but reward, reward, reward. Gamify, make it part of your culture. But I have to add this too, even though I don't like talking about this. If you can't, through gamifying, through rewarding, through culture, if you cannot get somebody to enact these best practices within your organization, you have to get rid of them. You cannot let somebody leave your front door open day after day after day without taking action.

Justin:

Do you agree to that?

Bryan:

Absolutely. And I was gonna try to play devil's advocate, but I don't even think I can because I believe in it so strongly. It would be like having an employee in your organization who treats safety like it's nothing. Right? If you work in a factory and they say, you know, you have to honk the horn when you're passing by in the lift truck or the forklift, or, you know, you have to walk in a certain walkway or you have to do a certain thing, and they completely, blatantly ignore those things and they get hit, or, you know, the person hits somebody with their lift truck.

Bryan:

You would fire that person. You would say, like, you didn't follow company policy. You are putting people in jeopardy. We have got no choice. You know, first strike, fine.

Bryan:

Second strike, you're out. Or third strike, you're out. We have to start treating people who ignore cybersecurity, like, blatantly ignore it and just outright not follow it, and this includes from the top level all the way down, we have to treat them just like we would if it was something that was safety related, because it's, in fact, I wouldn't say more deficit, because human life is important, obviously.

Bryan:

But if something happens to the organization from a cybersecurity point of view, it could take out the entire company. And now every single employee who works at that place is now looking for a new job, because most organizations who end up with a breach of some sort or another, and I know we're not supposed to use the word breach, some sort of security event, cybersecurity event, oftentimes they will go out of business within a year.

Justin:

Yeah. Yeah. It's just not something we can mess around with. And you talked about top down. I don't know about you, but in my experience, getting the CEO of an organization to go through any of the cybersecurity training that we send them is almost impossible.

Bryan:

And they are often the ones that are breached first.

Justin:

Well, they are the ones with the biggest target on their back, right? They're the ones who can do the most damage in an organization if somebody comes after them. But on top of that, they are also the, that's where the culture starts.

Bryan:

Right.

Justin:

So if I, as the CEO of my business, am constantly out yelling at my people to, you gotta do that training, and then I'm out fucking off and, like, causing breaches, who's gonna take me seriously? Right. So

Bryan:

alright. So that's a good transition into culture because there's a lot involved with that. Right? Actually, we already talked about most of these now. Gamifying, policies and procedures, top down, video.

Bryan:

Yeah.

Justin:

Well, I mean, yeah, these are married together and I

Bryan:

Yeah.

Justin:

It's kind of hard to keep them separate because we have to educate, and to educate, we have to have the culture to back it up. But I do, like I said, I'm pretty happy with how I apply my company culture, but I also love watching what you've done because I feel like you've taken it to a next level. You've got your avatar. You've got your little characters. I mean, I don't know that you have somebody in a suit running around dressed up like a goat yet, do you?

Bryan:

No. We need to go that far.

Justin:

Is that coming? Please tell me that you're gonna have an actual mascot running around your office soon.

Bryan:

No. We do have a goat logo, a goat mascot, but somebody dressed as one? For those of you who don't know what Justin's talking about, GOAT is our internal "why", and that is to help ourselves, our clients, and our peers become 1% better every day and to be our own greatest of all time. Not to be the greatest of all time, because that would be very pompous of us to think that, but to be our own greatest of all time. So to me, I'll be better than I was yesterday.

Bryan:

Right.

Justin:

Okay. So I wanna, unless there's anything else to talk about with culture, I think we pretty much nailed that one. Yeah. And maybe the last piece of culture is providing our employees with the proper tools, and we've touched on it, but I want to just highlight this for a second.

Bryan:

Why do you think it's important to give people the right tools, Justin?

Justin:

Well, number one, I think that our people, and I don't like saying our greatest asset, but I mean, this is where a company's made, is just the relationships that we have. So my number one core value is we take care of our own. And we'll talk about that for a second. What that means to me is that as an employer, I will always have my employees' best interest at heart

Bryan:

Right.

Justin:

With fine print. It goes both ways.

Bryan:

That's right.

Justin:

I expect my employees to care about me too. And I mean in a professional sense, right? We want to make sure that we're doing the best good for the people around us. If I've got employees who are slandering anybody in the company, including myself, they're gone. We're not gonna have that kind of a culture.

Justin:

But in return, I'm not gonna be mistreating and yelling at and degrading my employees. I will never do that. I get disgusted at, you know, some of the stories I hear about how employers treat their employees. I'm horrified

Bryan:

by it. Like a certain chef we all know and see on TV. Exactly.

Justin:

And so we extend this to our clients. Our clients, you know, we take care of our own. They are our own. And so we treat them the way we wanna be treated, and it has to go both ways. I will fire a client if they treat my employees badly because I don't want that environment here.

Justin:

Alright. So if that's my number one core value, then I'm walking around my office and I see an employee sitting on a chair that's falling apart, which, by the way, I see all the time.

Bryan:

Oh, it's horrible. We sit

Justin:

and most of our clients sit at a desk all day long, and they're sitting in these chairs that were bought from Walmart 20 years ago, you know, and held together with duct tape. It's like, divide that by the hour, you're talking about pennies per hour to give somebody a chair that makes them comfortable. So take that as an illustration. We've got to give our employees the right tools to do their job as well. And how often do people cheap out on computers themselves?

Justin:

We use computers until they're 5 or 6 or 7 years old, but hey, we can make it work, right? Because we have unlimited support. We're just gonna call you guys and we're good. So you gotta have good computers that are functional. We've got to have the right tools.

Justin:

I mean, you talked about it. We're gonna standardize on OneDrive. Great. Is that the right tool? We need to make sure it is.

Justin:

So I mean, I like to go down this list, and I've got a new employee starting right now, and it's a new position. It's a new job function that we haven't done before. And so I tell her, I want you to be successful. I want you to make a lot of money, and I need to know from your perspective what you need to do that job right. Right.

Justin:

So I want that feedback. I want you to tell me every day, every week. What is it that's causing you to not be able to do your job? So this is part of my culture. And I think that if we extend that to IT and we get our employees involved on what tools do you need to do your job properly, then, we can kind of hit this shadow IT thing head on.

Justin:

Thoughts?

Bryan:

Right. I was gonna get to that. Like, what happens if you don't give somebody the right tools? What is the danger of not? And when I talk about tools, I'm talking about digital tools. Right?

Bryan:

Like software, cloud services. If you're not giving them the tools that they need to do the job, what's the danger? What can they do that's dangerous?

Justin:

You ask, oh, you're posing a question to me. I get them now. Yeah. I thought you were gonna leave it up with the answer. I mean, they're gonna go out and they're gonna get their own tools.

Justin:

Usually, they're going to be free. And as I like to say, if your software is free, you are the product. So they're gonna be mining that data and selling it, or they're going to be looking at behavior patterns and selling it, or or your data, you just don't know where it is and you can't properly protect it.

Bryan:

Right. And that to me, that I mean, both the other parts you mentioned were were obvious, or not obvious, but valid, very true.

Justin:

But what

Bryan:

if they just they're buying a tool? They buy it with their own money. They're like, you know, my boss isn't giving me a way to share these big giant files with the client. Client needs to have this big giant file. I can't send it via email.

Bryan:

So I'm gonna buy my own Dropbox. I'll upload it to Dropbox. No big deal. Right? What happens?

Bryan:

What's the danger of that?

Justin:

I mean, you've lost control of your data. Number one.

Bryan:

Right. Yeah. Because you don't have a right to that data if that employee leaves. You can't call up Dropbox and be like, hey, this person had an account. There's a personal account, a private account.

Bryan:

Can you delete the data off of that Dropbox? Can't do it. It's it's no longer yours. It's gone. It's it's it's theirs.

Bryan:

Right.

Justin:

Yeah. Yeah.

Bryan:

And that's just one tool. I've seen entire departments where the, you know, the manager of the department, you know, subscribed to a tool other than the one that's sanctioned by the company, and the company didn't even know it existed, and all of a sudden they lose the data because some breach or something happens, and they're like, oh, well, we'll just go back to backup, and the people who are doing IT are like, we don't have it because we didn't even know it existed. So that's the other part that's dangerous too, right? Right.

Justin:

I mean, that's a lot to talk about, Shadow IT, which really is kind of the biggest point here. There are other tools where security is concerned that help us protect our employees and ourselves. And we talk about them a lot, so I figure we can kind of gloss over this to some extent, but multifactor authentication, 2FA, MFA, whatever you wanna call it, super important.

Bryan:

My favorite. Everybody loves doing that. Yeah.

Justin:

It's a pain in the ass. And, another thing I'm following up with

Bryan:

is business one day.

Justin:

If security isn't a

Bryan:

giant business every day.

Justin:

I mean, it probably does. Brian, if security isn't a giant pain in the ass, you're doing it wrong. Agree or disagree?

Bryan:

To an extent because then, you know, somebody will find a way around it if you make it so difficult. So it's kind of a it's a it's a fine balance.

Justin:

It is absolutely. It's absolutely a balance. Okay. So we got 2FA. How else can we protect our people where cybersecurity is concerned?

Bryan:

I'm a big fan of password managers because, to be honest, I can't remember 50, 60, 100, 200 passwords. I can remember two, maybe three? And long and complex. Right. And of course, as experts in IT, we always tell people don't reuse your passwords, because if you were on my website and used a password, I run the website, I have access to both your login name and your password.

Bryan:

If my website gets breached, now the criminals have access to your login name and your password. And your login name is typically an email address, and everybody knows that, and so they could just use that login name and try the password and see if it works. And a lot of times it does on various different websites.

Justin:

Right.

Bryan:

So having a different password everywhere is important, but I can't remember those. So password managers are where I would go.

Justin:

Yeah. And on the subject of password managers, like you're talking about, they get breached. Where do they go? They go to the dark web. So probably we should have some sort of dark web scanning or monitoring service in place.

Bryan:

Yeah. And for those who are not familiar, the dark web is just a dark place on the Internet that, you know, criminals hang out on, and, you know, I won't get into the specifics, but if, you know, let's say company XYZ gets breached and all of their data is compromised, which includes logins and passwords, that stuff gets posted there and people buy it, and then they use that information to try to log in to your OneDrive, your 365, your different tools that they might believe that you're using, and in often cases, they get in. So dark web monitoring essentially looks for those things and notifies you in advance, lets you know, hey, customer XYZ, your email address was found on the dark web along with this password, and it shows it to you and says, like, if this is your password, go and change it because it's out there. Yeah. Yeah.

Justin:

I mean, back, many, many moons ago, before the days of password managers, really. Yeah. I did. I had a password that I used everywhere, and Oh, me too.

Bryan:

And it You're open.

Justin:

It creeps in sometimes if I'm, you know, like, on my phone and I'm signing up for something and it insists I put a password in, and there are cases where I can't get my password manager to generate a password and put it in, and I'll still type some version of this old password. But I am super careful about it because it's out there. I've seen it. It's for sale right now, with an old email address and stuff. But, yep.

Justin:

You just have to be so careful with reusing passwords. All of the ones

Bryan:

I used to use in the past are all on the dark web.

Justin:

They're all for sale.

Bryan:

Yeah. Every single one of my, I rotated mine often, but it was the same password I would use everywhere. This is before Right. That was less of a concern. Every one of those passwords is on the dark web now.

Bryan:

Every time I download a report, I see all of those passwords up there.

Justin:

Yeah. Yeah. It's good times. Good times. What else can we do?

Justin:

What other tools do we need to give our employees? Do you have any other thoughts there? And again, we're talking specifically about protecting our people from malicious activity, from cyber attacks.

Bryan:

I can't think of any off the top of my head right now, but I'm sure there's always one.

Justin:

Listen, it's an evolving list. I think we've done a pretty good job of hitting things. Like I think I said in previous episodes, it's also on our website. So if you go to unhack.live and you go up at the top, there's a tab called the formula where I'm just making note of all the things we talk about so that people don't really have to listen to an hour of us droning on in our boring technology voices. But I do have a disclaimer at the bottom of it that just says, hey, cybersecurity is a moving target.

Justin:

We'll do our best to get this page updated, but please schedule a free assessment to ensure your organization has all the basics in place. So that's kind of where we're gonna wrap this up. Everything's on the website. I love to point out this is not a do-it-yourself strategy. Do not trust yourself to protect your business from cybercrime.

Justin:

Make sure you get somebody qualified and somebody who knows how to be held accountable. Right? Right? And us, ourselves, we need to be held accountable. We can do that by third-party audits.

Justin:

We can do that by adhering to frameworks. There's various ways of doing that, but we need to be able to demonstrate to you, the client, that we're doing what you pay us to do. And then we need some sort of, I would say, third-party accountability around that. Great. Brian, I think I'm about out of things to say.

Justin:

So we're gonna go ahead and Put up. And move to close this thing out. Why don't you go ahead and share any key takeaways, final thoughts, and your sign off, and then we're gonna close out. And we'll see you guys next week.

Bryan:

Okay. So final thoughts are, it's a journey. Work through everything that

Justin:

you

Bryan:

can slowly and methodically implement new things each week, each month, that can help you. So if you've heard something today about protecting your people that you want to have implemented, you know, pick one, two, or three things and just start working through them. And every time you hear something new, you add it to the list, and when you get to it, you get to it. Right? So as long as you're constantly making progress, that's all we're looking for.

Bryan:

And with that, I will, pass the mic back to Justin.

Justin:

Pass the torch. Okay. So guys, I have said before that, okay, so we've got the formula. And I like the formula.

Justin:

It's kind of a visual. It allows our brain to put things into buckets. So we are going to make our best efforts, use published standards, to protect our technology, protect our data, know where it is, have a plan for it, and protect our people. None of this is fun. None of this is exciting.

Justin:

None of it's sexy, but it will protect our business. This is literally survival as far as our business is concerned. As for me, my organization, we are moving to a compliance-first mindset. So this is how I want to hold. And guys, I'm not gonna lie.

Justin:

I wanna pass the buck a little bit here. I don't want to be on the hook if I've missed something. And so there are a lot of brains out there that are smarter than me and even more, you've got that synergy effect when we're all working together. That's what these published standards accomplish in my mind. So, we will run a very basic assessment for free as far as these frameworks go.

Justin:

And then when you move up the stack with us, you can get into higher levels of compliance. But even without a regulatory compliance, we have our internal standards that we hold ourselves and our clients accountable to. So that's kinda my sign off. This is the third of our four-part series. Next week is gonna be, god, I'm so excited for that, where we've taken all the tools, all the, you know, this is how you do it, guys.

Justin:

This is the formula under the hood. What happens to that 3% that still get through? Because we have to be ready for that. We have to have a plan for that, and we're gonna talk to somebody who has been there at ground zero. Attacked, just horrific.

Justin:

I'm not gonna give any more spoilers there, but really, if you listen to nothing else, tune into that episode. Good stuff coming up next week. Alright. Brian, as always, thank you for being here. Prender, Mario Where were you?

Justin:

Where the hell are you? That's all I've got, guys. We'll see you next week. Take care.

Creators and Guests

Bryan Lachapelle, Host
Hi, I’m Bryan, and I’m the President of B4 Networks. I started working with technology since early childhood, and routinely took apart computers as early as age 13. I received my education in Computer Engineering Technology from Niagara College. Starting B4 Networks was always a dream for me, and this dream became true in 2004. I originally started B4 Networks to service the residential market but found that my true passion was in the commercial and industrial sectors where I could truly utilize my experience as a Network Administrator for a large Toronto based Marine Shipping company. My passion today is to ensure that each and every client receives top of the line services. My first love is for my wonderful family. I also enjoy the outdoors, camping, and helping others. I’m an active Canadian Forces Officer working with the 613 Fonthill Army Cadets as a member of their training staff.