45. How to Protect Your Business When Using 3rd Party Integrations
Justin:Welcome everybody to episode 45 of Unhacked. Mario, we're a little bit lean today. There's there's just two of us. It's it's kinda weird. Used to be when I did podcasts, it was always two people, and now I've gotten really comfortable having a few more voices.
Justin:So you might have to help carry the the episode, Mario.
Mario:My pleasure. Was it were we both me and you by we were by ourselves last week too.
Justin:It's it's a couple weeks in a row, and it's like, yeah. I'm I'm my nerves are are tingling. So anyways I'm sorry about that. Okay. Good.
Justin:Let's let's go ahead and get started. We're gonna talk about third party integrations today, and I know that that's got everybody on the edge of their seats. But first, let's go ahead and introduce the, the podcast, Unhacked. You know, said all the time, it's a deliberate misnomer because, really, you can't get unhacked. The good news is ninety seven percent of breaches are preventable with the basics.
Justin:And that's what we talk about every week is what are these basics and how do we prevent the preventable. But if you don't do that and you get hit, getting unhacked really isn't a thing. So here we are helping business owners outsmart Russian hackers week after week, you know, and now we're bad at the list, the government, we have to outsmart them because they want to come in and audit things and cause problems. And that's not bad enough. The attorneys are sniffing around trying to sue us for stuff, you know, problems.
Justin:So anyways, I am Justin Shelley, CEO of Phoenix IT Advisors, and I work with businesses in Texas, Nevada and Utah. And like I said, keeping the hackers, the government and the attorneys out of their bank accounts. And today, it's just you and me, Mario. Tell everybody who you are, what you do, and who you do it for.
Mario:Yeah. Mario Zacke, CEO of Mastech IT. We are located in New Jersey. We're at outside of Manhattan. And we work with small to medium sized businesses protecting their IT network and providing the business owners better sleep at night so that they know the businesses will be there the next day.
Justin:I mean, that's always a bonus when you wake up and your business hasn't just been annihilated overnight. God, it is Well, mean, it really you say that and I mean, it it really is a thing. I lose sleep over this. It's crazy. A crazy world and I don't want like to instill fear in people and yet kind of I do because it's a it's a real threat.
Justin:It's a real problem.
Mario:Yeah. It's funny because I tell people all the time like, yeah, we help business owners sleep better at night. But for me, you know, I don't sleep, but that's because I'm always thinking and I know you're the same way. We're always thinking, hey, can we can we add this? Can we do this?
Mario:Should I look more into this? You know, like, we're constantly looking to improve security. We're always trying to be, you know, a couple steps ahead of business owners keeping, you know, what we call in like an industry, our security stack, you know, strong. And we're always adding layers, you know, the Yeah. We're trying to, you know, if they get past this, can they, you know, should we do this?
Mario:Should we do this? Should we do this? And this is the stuff that keeps up at, like he just keeps us up at night, know, so
Justin:Well, I mean, it's a cat and mouse game. Right? We can Yeah. We can put everything in place and then tomorrow it changes. Mhmm.
Justin:And yeah, it's a it's a fun game. And, you know, I've said before, I I did not get into the world of cyber security and crime prevention on purpose. I was kind of kicked into that world. You know, I got into this because I like computers. I like pulling circuit boards apart, you know, and plugging in modems and sound cards back in the day.
Justin:And and that one, one fateful Friday afternoon, I had a client get breached and I realized I was no longer in the computer repair business, but I was in the crime prevention business and the, you know, extortion prevention business. Jesus. Yeah. Yeah. Okay.
Justin:So Mario, today we're going to talk about integrations because I had a company reach out to me and they were considering an integration and they wanted me to help, you know, talk with this third party vendor to get it set up. And so leading up to it, I reached out to this third party and I'm like, hey, we've got a meeting next Tuesday. Before that, I would like to have because this was in the healthcare industry, I'm like, please send me a copy of your BAA agreement, business associate agreement, so that I can review that. And I'd also like to know what kind of data you're gonna have access to, what you're gonna do with it, and you know, I just and I wanna be prepared for our meeting when we're when we're setting this up. And what would you imagine I heard back from the third party?
Mario:What did he say?
Justin:Crickets. Nothing. No response. So I emailed him again, you know, two or three times and and never really heard anything back. And so as soon as we the meeting came, know, I jump on the call and I'm like, hey, guys, been emailing you.
Justin:Do we have a business associates agreement in place? Because I can't in good conscience, give you access to patient records. Again, this is all protected by HIPAA without having that agreement. And the guy's like, no problem here. You know, I'm we're both remoted into this computer and he's like, here, here's the BAA right here, sign it.
Justin:Like, I'm not gonna sign it. I'm the IT guy. I'm a third party IT guy. I can't sign on behalf of this healthcare clinic. It was just, it was crazy.
Justin:And so I just, I just put the brakes on it and like, know, because the client wasn't even on this call and I reached back out to them. I'm like, listen, I'm not super comfortable. I put the brakes on this and we need to get some things handled first. And I thought she was getting mad at me and, you know, to my relief, she just kind of sighed is like, thank you. She had kind of been had a little pressure to go in and do this integration from her higher ups.
Justin:She was a little bit uneasy about it. So it was it was validation for her that I I also had some reservations. And so that's kind of what introduced this today is like, we have a lot of they call this a supply chain attack, right? If we and and Mario in our industry, like how many different vendors do we do business with and and have some sort of a tie in to what we do?
Mario:A lot. You can't even
Justin:count it. It's a it's a ton and that's the direct integrations, the direct vendors that we do business with, but then they have theirs, right? This just goes, that's why they call it a supply chain. This chain goes back to the, you know, Adam and Eve, don't know, to the beginning of time. So many pieces to this puzzle that we have to be watching for.
Justin:So that's my story. As I was telling you what happened, you said that you had a little bit more personal story or you were the vendor, right? Yeah. Yes. Tell me.
Mario:So now this is a couple years back. Right? So we, you know, with our IT company right now, we do one of the services that we offer is voice over IP. So we Okay. Have the ability to, you know, obviously set up office phone systems and we have, you know, ways to do integrations and stuff like that.
Mario:So a colleague of mine, you know, from another company asked me one time, he's like they specialize in medical software. He asked me if we have like an integration to do like appointment reminders, you know, through our phone system. So I'm like, no. But you know, that is actually pretty interesting. You know, let's talk more.
Mario:I ended up hiring some people, you know, overseas, but it wasn't like somebody, you know, just sitting in their basement in their underwear doing programming, but it was, you know, an overseas company. And I had them built me a platform that would integrate with my phone system and doctor's office, the appointment reminder. I'm sorry, the office hours programs. So it took you know, it was a good amount of money. It took a good chunk of money and we built this integration.
Mario:It's you know, we we tested it. We went through everything and went live and installed it on a bunch of different doctor's offices. And thank God we didn't have any breaches or anything like but later on, I realized that it was a money pit and we weren't scaling enough, you know, to a point where I would start seeing like an ROI on it for for a while. So I decided to, you know, sunset the whole thing. You know, I you know, we we sunk a lot of money into it, but, you know, we, you know, didn't break even was and, you know, a shot that I took in didn't work.
Mario:But more I think about it, the more I went back and again, this was a couple years back now that we are so laser focused on security, I realized like, holy shit. You know, if this thing would have stayed live, you know, for a long period of time, you know, we had access even though we were only taking, you know, the patient's first name, Their appointment time. And their phone number we're only taking those three things because that's all we need so. It wasn't necessarily a HIPAA violation because we're only taking the first name. We're taking their appointment time.
Mario:And their phone number. Okay? A lot of it is public records or two of the three's public records.
Justin:Right.
Mario:What ended up Nothing happened, but if something would have happened, our integration was only pulling those three information that information, but we had access to the entire database for the entire medical facility. Right. You know? So, you know and just like we've talked about it in the past, unfortunately, when you do some of the stuff you're so eager to go live and start testing and, you know, start making some money, then after the fact you realize like, you know what? Maybe we should start putting in some security.
Mario:Yeah. You know?
Justin:And Yeah.
Mario:That was that, you know, that this was, you know, speaking from personal experience, that is something that we ended up doing. We I
Justin:mean, we
Mario:we we pushed back security to later on.
Justin:Yeah. And we talk about that a lot that that's kind of the I mean, it's just the way it works. It shouldn't be, but it is the way it works and hopefully we, you know, in our industry we change that. But when we're developing software or hardware, our first priority is to solve the problem. Right?
Justin:That's that's where the money is gonna be made and then it's kind of this, oh, we also ought to make sure that the Russians don't get in here and then we don't get sued on top of it. So, you know, and and you're mentioning not only first of all, you had access to everything so that that if somebody were able to breach your software, they could go in and pull much more than you were pulling out. Exactly. But not to minimize even the amount of information you had, a first name and a phone number. And there's actually a technical definition of what qualifies as PII and it has to be a couple of pieces of information that tie together so that you could actually identify somebody.
Justin:And I I'm I might be speaking out of turn here, but with a phone number and a first name, you probably could identify somebody or you can make get reasonably close. There's only so many phone numbers with the same first name tied to it. So even that little bit of information is significant.
Mario:So Yeah. And we we weren't pulling like the last name. We weren't pulling, you know, social security. We weren't pulling any medical records. You know, We were just pulling those three pieces, but again, we built a bridge that we literally were sitting on the server.
Justin:Yeah.
Mario:And every five minutes it was it was pulling and pushing to our our database. Now, we did have like some things in place. You know, we had like SSLs, you know, the connections to secure and stuff like that. But a couple things that we didn't do is like 2FA, you know, on the platform. We didn't do some verification checks and stuff like that.
Mario:We we you know, I don't wanna make it seem like we were completely neglecting security, but it wasn't, you know, thinking back about it now as I realized like, you know what? We could've there there could've been things that could've been breached. And if that would've been breached, you know, could they have, you know, turned a one way bridge? Actually, sorry. We had a two way bridge because, you know, in, like, version two, we would Push the confirmation back.
Mario:We would push the confirmation and say, okay. Yes. They either replied with, you know, canceled or did not reply at all. So there was a two way confirmation, a two way bridge. But, you know, thank God, you know, it it we pulled it before anything happened.
Mario:It was it could have been, you know, it could have been serious.
Justin:Yeah.
Mario:You know? And it brings back to, you know, what you were mentioning earlier. We didn't have any of that, you know, things in place, you know, like, you know, we weren't compliant, you know, for for, you know, HIPAA or SOC two or any of that stuff, you know, and that was one of the reasons that I I decided to to pull the trigger.
Justin:Right. Well, and here's the thing. So you didn't have direct control over who wrote the code. Right? Because that was outsourced.
Justin:You don't know what libraries they're using. So when when writing code and I mean, this is dating me right now because AI writes all this stuff these days, but you would you would either buy or you would use publicly available DLLs, as they're called, which is just a a chunk of code that you would use to simplify your own writing of code. The problem comes if that DLL that you get becomes in in some way that gets breached, that code gets altered, you know, you run an update or it automatically updates or whatever and now your code is infected and you have no idea because you don't really know what's going on behind the scenes. And and I mean this is a great example because it's exactly what was on my mind as I'm being asked to give some unknown third party vendor complete access to a clinic's patient records. Like I don't know what they're doing with it, don't know what the integration looks like, I don't know what data they're pulling And regardless of what they're pulling, what do they have the ability to pull?
Justin:Should they get breached or should they just be malicious? You know, maybe maybe they're just bad guys all the way around. I don't know. And one of the things that really stopped me in my tracks as I was doing this, I told you they presented me with a BAA, right? Well, problem is the name on that BAA was their third party software that they were using.
Justin:So we're now, you know, it's not even the company that I was initially working with, I'm now working with some completely unknown name and it's not even in English like I don't I don't I can't pronounce the name of this third party that has their name on the BAA. So yeah, I just shut it down like we clearly have more work to do here and so let's go ahead and pivot there. What do we do? Because it's and I think when we were talking about, you know, prepping for the session, you said something about, we don't really have any choice. If we're gonna do an integration, we don't have a lot of say in what they do.
Justin:Or or I think you said maybe it was like the only option is to not do it. Right? Do you do you remember that? Okay.
Mario:Yeah.
Justin:Yeah. So I wanna talk about a, first of all, if if you can't be secure in the integration, then it probably is the better option to not do it. Right. May maybe you'll lose some functionality, but maybe we just go find a different vendor at that point. But let's talk about how do we evaluate third parties.
Justin:How do we evaluate them? How do we know? Like even even have a hope that they're taking care because I and by the way, I still have to do this with these two now two third party vendors, have to go out and assess them and find out, know, make a recommendation back to the client to see if this is a a safe option. So Mario talk about that. What What do we do?
Justin:How coach me through it as if I'm an idiot. How do I make sure before I give this company's company, the third party's third party complete access to my client's data?
Mario:Well, I mean, first you need to find out from them what information they actually are going to be pulling from your client.
Justin:Right?
Mario:You you know, if it's, know, like we said, it's a doctor's office. What what information do you need access to? Right. Okay? And when you pull this information, like, let's just say, you know, for example, you know, there's similar situation.
Mario:They're pulling the patient's first name, you know, phone number, and appointment time. Alright. Well, first of all, are you pulling it and putting it onto your server? And is this being encrypted, you know, in transit? Like, as the data is being pulled, is it encrypted?
Mario:And is it sitting on your server encrypted? And how long are you storing that information for? So for example, in in my situation, we were pulling two weeks' worth of appointments and only holding it onto our server for four days. At any given time, we only had, you know, no you know, a little less than three weeks' worth of patient information. Okay.
Mario:And then after four days, we would just, know, delete it.
Justin:So you had a, I guess some automation that just went in and purged the older data from your software, from your database. Yes. Okay. Yeah.
Mario:You know, And so the so we stored it for no more than three weeks. But now, you know, again, systems offline help, so I could easily say it. But at first, we were storing it on Wasabi, Wasabi is a data storage company with very pretty good prices. We later moved it on to AWS, but, you know, at first, just to kind of get rolling, we were putting it on Wasabi. And I, you know, I don't quote me on this.
Mario:I don't think Wasabi's security is really as good as like what you would say AWS is or,
Justin:you know,
Mario:and Microsoft and stuff like that. But we didn't have like 2FA or anything. We did have, you know, the at least the guys overseas told me that the data was encrypted, you know, in transit and sitting on our server encrypted. But you're also relying, you know, that's one of the questions that you you would need to ask is like, who's working on this, you know, and where are they? And are they your employees or are they subcontractors?
Mario:Because that makes a difference because you could only sign paperwork and go through certain things that you're responsible for. But how do you know the other company is compliant? How they how do you know what they're doing with the data? How do you know what you know, if they're SOC two compliant, you know?
Justin:Well, okay. So that's I'm I'm glad you mentioned SOC two because that's that's where I was gonna go next. First of all, I wanna back up a little bit. Do you remember it was back in episode 41, I think with Jonathan Steele, he was an attorney, divorce attorney, and that was a point that he made that I really liked is don't store data that you don't need. You can't lose what you don't have.
Justin:I love that you at least had that safeguard in place where you were purging that data after a few weeks. But now let's let's talk about SOC two and why the the thing that I love most about this because I mean, said it yourself, your your developers who you hired, who were overseas told you it was encrypted, but you couldn't personally confirm that. Right?
Mario:Correct.
Justin:And even so you could say, you know, whatever you want to a client. SOC two is kind of a a third party assessment or or validation of, you know, how you are protecting your client's data. So it's somebody else going in another, you know, it's a framework, it's a set of, know, standards that you have to prove to somebody else, to a third party that you're doing it, that you're keeping your, you know, the information safe. So I love that. If if I just had, you know, the best way, if you just wanna tell somebody the best way, do you know if if a third party is is solid, if it's a safe bet, at least it's a reasonably safe bet, get their SOC two certification.
Justin:You know, make sure that they were actually certified SOC two. Beyond that, you know, like you said, where is the data stored? How is it stored? And can you prove it? Because saying it is one thing, but can you prove it?
Justin:That that and that becomes pretty tricky.
Mario:Yeah. And we we have a a like a client of ours that is, you know, always has to be compliant with SOC two. You know, they they work with credit restoration. So they have, you know, their SOC two is not just something that has to be done, you know, once a year. Okay.
Mario:Provide this, this, and this. It's not like, kind of like tax time and you're here's all the information you need and then I alright. I'll hear I I'll see you guys next year. SOC two is year round. Right?
Mario:And one of the things that they have is there's I forgot how many different hundreds of different things that you have to provide. But it's not just saying, are you using MFA? You know, and it's a yes or no. It's yes. Okay.
Mario:Upload, you know, provide, you know, evidence. Right. You know, are is that encrypted? Yes. Okay.
Mario:Provide evidence. You know, everything is providing evidence. And it could be, a screenshot, it could be configuration log that you're uploading or something like that. But it's never gonna take somebody for the on their work. It requires proof along the way, you know, every step of the way.
Justin:Right. And and there is so there's SOC two type one and SOC two type two. It's a mouthful.
Mario:I think there's type three too now too.
Justin:But the the key difference is just that you have to continue to prove it over time and and prove the effectiveness of it. So these are these are great. Know, nothing's absolute, but it's in in the world where we are evaluating risk. That's what this all comes down to. What is a reasonable amount of precaution to take?
Justin:This is probably the best bang for your buck that you've got. Go out and and, you and do business with people that at least have taken that that extra step and become SOC two certified.
Mario:Yeah. And if I could add one more thing too, is SOC two is not something that you're gonna get the certification for in like a week or two or a month. It's It's a lot of work. Takes a while. So when somebody is SOC two compliant, that means they've been around for a while.
Mario:They've invested the amount of, you know, a lot of resources, a lot of manpower to get to that point. You know, these types of companies that are SOC two compliant is has been around and is ready to to to really do business. And, they've taken the measures to have your data secure. In a place like that, it's beyond, in my opinion, it's beyond HIPAA. It's beyond NIST.
Mario:Know, it's beyond PCI. You know, it's one of those bigger ones like PC, you know, SOC two, CMMC, those ones are like the bigger ones.
Justin:Right. Well, a lot of the you know, the a lot of these frameworks are self, you can self assess, you can self certify, you don't you don't have to have somebody else come in and do the assessment for you. So that that is a key difference.
Mario:Yeah.
Justin:Alright, so make sure that you know who you're doing business with. Right? That's that's number one. And then number two is, well, we got to know what software we're even using to start with. Right?
Justin:So the the second thing I would tell people is audit your inventory your software inventory on a regular basis. You know, we have tools to do that. Most of most IT companies have some sort of an inventory system, we call it an RMM, remote management and maintenance. But it it will easily inventory that. Now the problem, the challenge here is that how long is that list usually, Mario?
Mario:On one computer, it's a lot of times, it's like goes up to like four or five pages at least.
Justin:Right. For one computer and now you gotta do this across a department or a, you know, an organization. It definitely gets messy. But we're talking about, like you said, waking up the next morning and finding out that you still have a business or don't. So somewhere we've gotta we've gotta build this process into the the way we work.
Mario:Yeah. It's and like, you know, as far as like software inventory, like a big one that we are always keeping an eye out and we set alerts in case we see this as like TeamViewer. Now TeamViewer is a legitimate remote access program, but out of the box, it's very unsecure, you know? So we always get, you know, whenever we see that, we always like, hey, this needs to go, you know? Right.
Mario:This can't stay on your computer because it's it can be and has been used previously, for malicious activity.
Justin:Well just to clarify for the audience, Shadow IT isn't necessarily sketchy programs, It's just software that's been installed and is being used or not being used, but it it's in it lives in your system and your IT company or department doesn't know about it. So they're not managing it, they're not maintaining it, they're not making sure it's secure. TeamViewer is a great example of that. It is a legitimate problem product, but either misconfigured or even if it's configured right, somebody gains those credentials and and now they're in. And once they're in they're in they can you know, that's like the drop bridge is down.
Justin:You're you're inside the castle and you can you've got all kinds of access that you just shouldn't have. So
Mario:Yeah. And and TeamViewer, it's out of the box, it's the only program that or one of the only programs is that you all you need is an ID, which never changes. It's linked to your computer and a password that they generate.
Justin:Right.
Mario:Okay. You don't need to unlike Splashtop or LogMeIn or ScreenConnect, you don't need to authenticate to a website with a username, password, 2FA to get to a computer screen, you know, to just to get to even see which computer has access. All you need is those two numbers and the number and the password, and you're in. You can do it from sitting in a Starbucks in Albany, you know, with a burner phone, you know, like you just download the app you're in. You're, you know, you don't need any authentication, you know, as a username or password or anything like that elsewhere.
Justin:Right. Oh, good times. Right? Good times. All right, Mario, listen, that's
Mario:we'll talk for a minute.
Justin:Yeah, we're gonna go ahead and wrap this one up. It was just one of those things that caught my attention. I'm glad it happened just because it brought something that I know, to the front of mind to put a spotlight on it and something I felt we needed to talk about. It's so convenient to do all these integrations and it's happening more and more and more. IT used to be a pretty security anyways, used to be pretty simple.
Justin:But now, I still remember, don't hear it as much anymore, but people would say, we're fine, we moved to the cloud. Like, Oh shit, now we've got problems, because everybody's in the cloud and everything's got to integrate and talk to each other and anywhere along this supply chain, something can happen that just screws everybody else up. So important topic and, know, let's let's just move to key takeaways. Mario, if if somebody just came to this part, what's the one thing you would want them to know and understand?
Mario:When you're working with a third party system, you need to find out are they how long they've been around? How long are they new to the block? Is what's attracting you? Is it just their price? Because that price is probably because they're trying to just get started with with their company.
Mario:You know, the ones that are SOC two compliant are probably a little more expensive. So, find out how long this company has been around and find out what certifications they have to prove to you that they're legit.
Justin:Right, perfect. And for me, I'm gonna say that part of I've I talk a fair amount about compliance, that's something that we're just really focusing on in in our business, and part of the compliance package is vendor risk assessments, and they are thorough. It's not something that you're gonna do in a few minutes, but there is an actual framework for going and assessing vendors and I would highly recommend when you do these integrations to hire somebody and run through that. Spend a few bucks up front to save yourself the nightmare or the waking up into a nightmare where it's game over. Right?
Justin:That's and and SOC two. I mean, we've already talked about it but find a find a way to actually validate that what they tell you is true.
Mario:Yeah. Unfortunately, some people technically all they ask is how much and how long do I have to sign up for? That's all they're asking. Mhmm. You know?
Justin:Yep. That's exactly right. And you know what what what does it deliver? You know what problem is it solving? As long as it's gonna solve a problem, you know the price.
Justin:That's where it's where the evaluation stops. Actually, that's really where this process should begin before you sign up. Go and do that vendor assessment. If you'd like that done for you, to unhack.live, right? You can get either Mario or my information there or, you know, hire your own firm, but just make sure that this is a process that you follow on a regular basis.
Justin:And guys, you know, every go to the website and you can find our social media links. We always give out a free assessment. We've been talking about that for ages. Haven't mentioned it recently, so I wanted to bring that back up. But there's actually a tab on unhacked.live for the free assessment.
Justin:You can go in and pick one of us, sign up, and and we'll help you out. Take care of you. Mario, that's a wrap. We're gonna go ahead and, close out for this week. But as always, thank you for being here.
Justin:Say goodbye, and and we'll see you guys all next week. Take care, guys.