47. Architects of Defense with Lori Crooks
Welcome everybody to episode 47 of Unhacked. I did it right this time. This is take two, guys, because I really screwed that up. Somehow we reverted to episode 17. I don't know.
Justin Shelley: Time machine engaged. Guys, we, as always, have a special guest here today. We're gonna do some quick intros. Unhacked is a podcast where we sit down week after week, and we talk about how we could keep business owners like you from, A, being breached by the Russian hackers. And as Mario pointed out last week, it's more than just the Russians, but I do like to pick on them.
Justin Shelley: B, keep the government out of our bank accounts and businesses. I mean, they're there, but we wanna keep them happy anyways. And C, if all that fails, we want to make sure that the attorneys don't come sniffing around and taking the rest of our money. So a lot at stake here, and we are here to prevent all of it because here's the reality of it. 97% of these breaches that we read about were preventable.
Justin Shelley: Basic security measures. We're going to talk about frameworks. We're going to talk about how to put these measures into place. But if you don't do that, and if you get hacked, you're done. It's game over a lot of times.
Justin Shelley: You really cannot get unhacked. So it's a little bit of a misnomer. We are not talking about how to fix it after the fact. We're talking about how to make it never happen in the first place. I am Justin Shelley, CEO of Phoenix IT Advisors.
Justin Shelley: I work with businesses in Texas, Utah and Idaho. And I'm here as always with my faithful, loyal co-host Mario. Mario, tell everybody who you are, what you do, and who you do it for.
Mario Zaki: I'm Mario Zaki, CEO of Mastic IT. We specialize in working with small to medium sized businesses in the New York, New Jersey area. We've been in business... oh my god. I might have to take my own dick.
Justin Shelley: It's all of us today. I don't know. Lori, you're next. You better screw something up.
Lori Crooks: Oh, boy. Trish is at it.
Mario Zaki: Twenty one years now and, you know, we specialize in, you know, everything Justin just said, keeping businesses safe from all those hackers around the world. And we specialize in helping business owners sleep better at night.
Justin Shelley: See, Mario's afraid of the Russians. That's why he won't call them out by name. Chew them up and spit them out for fun. Not true. Okay.
Justin Shelley: So Mario, as always, thanks for being here. And now I'm gonna go ahead and introduce our guest. Lori Crooks is the founder and CEO of CADRA Inc. Is that how... did I say that right, Lori?
Lori Crooks: Yes, you did.
Justin Shelley: Your organization focuses on security assessments and security management projects. So there's some similarities to what we do. A career focused in information security assessments, developing policies and procedures, everybody's favorite topic, and advising clients regarding their information security requirements. Lori, you bring an understanding of information security controls to all of your clients. Say hi and tell us a little bit about yourself.
Lori Crooks: Sure. Hello. Thank you for having me on the podcast today. So as Justin mentioned, I am the CEO of Cadra. I live in Atlanta with my husband and my dog.
Lori Crooks: I've been doing audits and assessments for about twenty years now, so I've been around and seen a lot of changes, and I'm excited to talk about it today.
Justin Shelley: Nice. Awesome. Assessments for twenty years. Everybody's like, yes.
Lori Crooks: Yes. Dream come true. This is what I grew up wanting to be when I was a child. Alright.
Justin Shelley: Alright. Mario, just a quick
Lori Crooks: I
Justin Shelley: gonna
Lori Crooks: ask you... I was gonna ask
Mario Zaki: you one question, but now I wanna ask you two questions. A, what's the dog's name? And B, when you do this, do you work with companies like us, like managed service providers, or do you work directly with the company themselves?
Lori Crooks: Sure. Well, we'll cover the most important thing first, my dog. She is my pride and joy, and her name is Georgia. I know, we're living in Atlanta, but she was born in Brandon, Georgia. So her name is Georgia, and she's a wicked spaniel if anyone's familiar with that.
Lori Crooks: She's the sweetest. So back to the not-so-boring,
Justin Shelley: but still boring
Lori Crooks: side. We work with all types of clients, to be honest. We work directly with customers, helping them prepare for their audits, prepare for their assessments, document the policies and procedures. But we do have some partners who are MSPs, and we help them with their clients, again, preparing for any audits, spot checks, gap assessments, that type of thing. So we're happy to work with anyone who needs assistance.
Justin Shelley: Awesome. Now Lori, you said something, and I've been poking fun at the policies and procedures. It's mostly because when I go out and try to talk to somebody about this, they just don't get excited with me. I actually do love this kind of thing, but you said it's exactly what I wanted to be when I grew up and I thought you were being serious, and then, dot dot dot, I lie. Sounds like there's a story there.
Justin Shelley: Tell me how you got into this if it's not what you dreamed of doing as a little girl.
Lori Crooks: Yeah. You know, you go to college, you have these big dreams of becoming a medical doctor or physical therapist or something like that. But once I started getting into those classes, I was like, this is not for me. So I kind of wandered a little bit. I went down the teaching degree for a little bit.
Lori Crooks: I did psychology for a little bit. Like, I couldn't find anything that fit. And then I finally ended up with financial accounting of all things, and the numbers just made sense, literally, for me. And so I ended up doing financial auditing for a while. Did that as a career for about a year and a half before I got bored crunching numbers. I was working for the state of Georgia, and somebody literally upstairs was hiring for cybersecurity auditing and they asked me to apply.
Lori Crooks: And I said, sure. And I applied and never looked back. So long story short, that's how I ended up in cybersecurity. Not what I wanted to do, but that's where I'm at, and I actually enjoy it a
Justin Shelley: lot now.
Mario Zaki: I think we all have that same answer.
Lori Crooks: Yeah. Oh,
Justin Shelley: not what I wanted to do. I mean, listen, I've told this before many times, but I got into this business because I like pulling circuit boards out of my Apple IIe and plugging in something different, you know, adding memory back when it was like 12 bytes, or, I mean, obviously not true, but it just started blowing my mind as things developed and constant change and technology kept getting better and better and cheaper and cheaper. And it was just a rush. I loved it from the time I was a little kid. Then one day a client got hacked.
Justin Shelley: I'm like, oh shit, I'm not in the business of putting in sound cards. I'm in the business of fighting Russian hackers. And they actually were from Russia. So that's why I say that. Then it's evolved even more because it's like, we're not just fighting the hackers, now we're fighting the government, we're fighting attorneys.
Justin Shelley: It's turned into a lot of legal stuff. I'm not an attorney, but now I have to act and think like one. I'm not an auditor, but I have to prevent against those. So, interesting developments, right?
Lori Crooks: Yes. We have
Mario Zaki: to fight employees now too, because these employees are just clicking and opening and deleting and all this stuff. It's like, come on, you know, like, why would you just do any of this stuff?
Lori Crooks: But... Yeah.
Justin Shelley: No, it's a typical day. I might have to add that one into my rant. We're protecting against our employees. And that's the well-meaning ones, because we don't really talk much about the malicious ones that, on their way out, set kill switches and stuff like that. That was a recent headline I read.
Justin Shelley: Good stuff. All right. So on this note, I've been intentionally playful about this. Why do I care? And that's what I want to talk about.
Justin Shelley: So I'm going to put my business owner hat on because it is what I am. And realistically, I don't have any anticipation that I'm gonna get audited. Probably. Not a lot of regulations apply, and this is kind of a scary fact, but in the IT world, we are not directly regulated. Indirectly, we kind of are, through our clients, but directly we don't have frameworks that we have to follow.
Justin Shelley: I have good security in place. Why, Lori, does compliance matter to me?
Lori Crooks: Because it should. That's an easy answer. But no. Because you have data to protect, you have your clients to protect. It's like you at home. You wanna protect your house.
Lori Crooks: You wanna protect everything in it. That's basic compliance. You're trying to protect your business. You're trying to protect the data that you have inside of it. You don't wanna become hacked, like you said at the beginning of this.
Lori Crooks: So what are some ways to prevent that from happening? Well, it's basic cybersecurity compliance. And compliance is great because there are frameworks out there that can tell you what controls should be in place to help prevent anybody from trying to steal that data that you need to run your business. And if you lose that data, you could lose your company, you could be sued, you could end up paying millions of dollars of fines for various things. It's scary if you don't have compliance and security in place.
Justin Shelley: So I will agree a hundred percent. It's prevention, right? I mean, for being honest, it's insurance. We have to buy life insurance, for example. But here's the truth, I don't plan on dying.
Justin Shelley: So do I really need life insurance? I mean, I do, but it can be a hard sell from our perspective, and as a client who's getting ready to write this big check, because compliance is not cheap, it's a significant investment. So while prevention is a huge part of it, a hundred percent agree, let's see if we can maybe brainstorm some actual benefits besides just that. Because here's the best case scenario when we're selling compliance and cybersecurity in general, protective measures: best case scenario, nothing happens. The ROI is nothing.
Justin Shelley: You get nothing for your investment. Right? That's it. One example though, that I can point to, for example, CMMC. Right? Here's one: if you are doing manufacturing and you're working for government contracts, specifically Department of Defense, you have to be compliant.
Justin Shelley: You have to go through their process. Now the benefit there, though, is you can actually get a lot of contracts that your competitors aren't. You can gain a competitive advantage with compliance. What about that? What else is there besides that, where this investment can actually turn into something, an ROI of sorts, instead of just a check that we write with the best case outcome of zero?
Justin Shelley: Mario, thoughts? Lori, anybody?
Mario Zaki: Yeah. No. It's absolutely true. So like, you know, using your example, like in the managed services world, we know, you know, somebody in our weekly group that is compliant with CMMC and only works with companies that, you know, require to be certified in CMMC or compliant in CMMC. You know, he's able to charge top dollar, you know, for his services because it's a select group of people that can help him become compliant and stay compliant with that certification.
Mario Zaki: So, you know, you become a specialty, you know, when you're compliant with some of the stuff.
Justin Shelley: Okay. Lori, any thoughts there?
Lori Crooks: No. I agree. I think it definitely is an advantage. You'll see a lot of times contracts now have security as a baseline, that you'd need to have some basic cybersecurity in place to protect the customer's data. And if you already have that in place, it does give you that competitive advantage over somebody else who might not.
Justin Shelley: K. Here's another thought. Let's say that I don't fall under any regulatory frameworks. I don't need CMMC. My clients don't require it.
Justin Shelley: I mean, I actually have to comply with HIPAA because I have clients in healthcare, but let's say I don't. None of these things directly apply to me. Is there a benefit there? I mean again, we've got the obvious of we want to protect everything that we have. Even related to that, what other benefits are there where compliance isn't required, but might still be an advantage to a business?
Justin Shelley: Any thoughts?
Mario Zaki: Well, I think it also depends on the type of compliance you're, you know, everybody has some sort of compliance that they have to go through. So for example, and we actually just renewed ours yesterday, our PCI compliance.
Justin Shelley: So if
Mario Zaki: you take credit cards at all, if you accept credit cards in any manner, if it's, you know, a physical machine, on your website, verbal or something, if you take any type of credit cards, you have to be compliant. If you, which we definitely recommend and we've mentioned it in all 46 other episodes that we've done, if you have cybersecurity insurance, you have to be compliant with what they're requiring. Some of the things that they're asking is, do you have two factor authentication? Do you have backup?
Mario Zaki: Do you have this? If you're saying yes to any of it, then you have to be compliant with that. So everybody, 90% of the businesses out there, you know, fall into certain of these categories, like PCI, you know, cybersecurity insurance, even some states like New York State require you to be compliant with certain things just if you are doing business in that state. You have to be compliant in that state. Right?
Mario Zaki: Lori, go ahead, you know, I'm sure you know about it more than I do.
Lori Crooks: Yeah. No. Definitely. I agree. There's a lot of different standards out there that you have to be compliant with.
Lori Crooks: Like you said, credit cards, health care information, you have to be HIPAA compliant. It's kind of going back to Justin's comment too. Like, if you don't have credit card data or you don't have health care data, there are standards out there that you can still apply if you have to have some sort of compliance for industry or for insurance purposes or state purposes. For example, like the NIST Cybersecurity Framework, CSF, that's a great starting point. And that really is for small businesses.
Lori Crooks: They've just kind of redone it where they make it more accessible to small organizations to actually have some sort of framework that they could use for cybersecurity. Or you could look at, like, ISO 27001, which is more of an industry, international standard. And so that's really talking about management systems and being compliant for a management system from the top down. And so a lot of organizations who, again, might not have to comply with stuff and actually choose to put all this in, there are options out there for them as well.
Justin Shelley: So here's two things that come to my mind. Number one, and I'm putting just my CEO hat back on, I'm not a cyber security expert right now and let's just say I don't really know anything at all about cyber security, but I'm writing a check every month to the company who is telling me that I am properly protected. How do I know? And this is something I run into all the time too when I'm talking to prospects. I'm like, hey, we can do a third party assessment for you or whatever. Listen, I get it.
Justin Shelley: They don't know who I am yet. They don't trust me yet. But I always hear this phrase, we're covered. My IT company has us covered. My IT guy has me covered.
Justin Shelley: And I don't push, but what I'd love to say is, prove it. How do you know? How do you know? Because you're writing a check? That's all you need to know to know that you're safe?
Justin Shelley: Well, what? When you get breached, you know who they're coming after? It's not your IT guy. I mean, it might be indirectly, but Mr. CEO, Mrs.
Justin Shelley: CEO, they're coming after you. That's who they're going after; they don't care about anything else. It's still your fault that these protections weren't in place. So if you're writing that check and you're happy and you're sleeping well at night and you don't have any way to really hold your IT company accountable, I'd be worried, I'd be nervous. And then this is one that really never gets talked about, is in marketing.
Justin Shelley: So if we just kind of flip the roles now, whatever my industry is, and I'm trying to sell something to a client or a patient or a customer, whatever you call who you're serving, and I'm in this transaction, they're giving me personal information. I'm gonna lead with that, like, we can do NIST, we can do CIS, whatever we can prove now. And last week we talked about SOC 2, which is another great one. But when we can say here is the framework that we're following, here's our audit, our assessment, even if it's internal, we really would like that to be a third party assessment. But now we know that people do business with those that they know, like and trust.
Justin Shelley: How do we get that trust piece? So I think it's a missed opportunity where we can use compliance as a way to really promote our businesses. So my soapbox is over. Guys, any final thoughts on why we should care as business owners about compliance?
Lori Crooks: Yeah, I'll speak to that just a little bit. Talking about depending on your IT provider, just an example that I had recently who, again, a small business, had an IT provider that they knew and trusted. And we came in because they had to go through a kind of internal assessment. We came in. We started looking to see what this IT provider was doing, and not everything that IT provider said was being done was being done.
Lori Crooks: For example, VPNs weren't being encrypted. So all the information that they were sending back and forth was out in clear text. It could be intercepted at any point in time, and it was sensitive data. Antivirus wasn't turned on for all computers. Simple things like that.
Lori Crooks: So it goes back to my motto, trust but verify. Like, there should be some sort of check on that IT provider, whether, like you said, it's an internal assessment or an external assessment. And it really goes to continuous monitoring these days as well. You should always be checking and just double checking to make sure that things are in place, because you never know what might get turned off accidentally, or it just never got put in place in the first place.
Justin Shelley: Let me ask you a question on this transaction, this relationship. What was the confidence level of the one writing the check in their IT provider previous to the assessment?
Lori Crooks: It was good. It was full trust, you know. Unfortunately, it's a small business, they don't know anything about security or IT. Right. You know, they're focused on their part of the business, and they had outsourced it to somebody and thought it was being done and didn't know to check, and it could have been bad at the end of the day.
Mario Zaki: So, Lori, you need to tell me you have to turn on the antivirus on every single computer?
Lori Crooks: At least centralized. Sure. I need that, the right track management system. Yes. Yeah.
Lori Crooks: Please, every computer should be encrypted, have antivirus.
Justin Shelley: Well listen, we're laughing, but Mario, do you ever have your clients, well, prospects, I don't really get this much from clients, but where they say, you know, because we're in the negotiating-the-price phase and they're like, we don't really use this computer that much. Let's leave it unprotected. Do you ever get
Lori Crooks: that one?
Mario Zaki: Absolutely. Absolutely.
Justin Shelley: I get that all the time. All the time. Probably almost a hundred percent of the time.
Mario Zaki: And I tell them, I'm like, listen, we don't make you run through a lot of hoops. You know, a lot of white glove, you know, support and stuff like that. You know, we only have one rule, and that one rule is everything has to be covered, you know. And I tell them, you're only gonna be as strong as your weakest link. If you have that computer that only the intern uses during the summer, then that computer needs to be disconnected, you know, all year except for when they're coming in.
Mario Zaki: And then that's when we reconnect it, and that's when we put the security on. But if it's not being used for nine months out of the year, that needs to be disconnected, put in a closet somewhere. It cannot be active.
Justin Shelley: Right. Alright, guys. Let's go ahead and move on to the next section. Mario, I'm gonna go ahead and punt this one over to you.
Mario Zaki: Yeah. So Lori, I wanted to kind of paint a little picture here. So let's say I'm a CEO of a company, say 50 employees, specializing in, I don't know, the construction industry or something like that. And I'm the CEO and I wear a million hats, and something like this slips through the cracks. And I realize, oh, you know what, it's time, I have to do this, or somebody's, you know, requiring this.
Mario Zaki: Kinda run through with me, what does it look like? You know, how do you get started? You know, how does that picture look?
Lori Crooks: Yeah. Sure. So it starts off with a phone call most of the time. And then I talk to them about what kind of data they have, where is this requirement coming from, and just trying to figure out what, if it is a regulatory standard, what they have to comply with, so we could kind of go from there. Typically, we do a gap assessment as well.
Lori Crooks: So once we sign the contract, then we kind of get in there. We take that standard and we do an assessment against it, just kind of an internal assessment to see what is in place, what isn't in place, and then work with them through the remediation process for anything that's not in place. Typically, they also don't have policies and procedures. Again, you're a CEO of a construction company, you have a billion things going on, you're not gonna have time to document stuff. So we help document any of those policies and procedures that are necessary for your organization and for the compliance standard that you have to meet.
Lori Crooks: So it's a lot of back and forth. It's a lot of us kind of helping you throughout the process, getting an understanding of your environment, and helping you fix what might be broken.
Justin Shelley: I've got a question on that though. Because again, I've kind of been talking about the pain of the process. I wanna know if there's some value in it on the other side. But can I ask you what the price tag is on this? And again, we'll use your great example, Mario.
Justin Shelley: Fifty employee construction firm. I'm not sure which framework we're gonna talk about there, but let's say they're building something for DOD. Let's call it CMMC. What timeframes and cost? What are we looking at?
Lori Crooks: Gosh, that's a good question, because it can reach...
Justin Shelley: Give me the range. I know that. So, without putting you on the spot, let's just do a high and low, a best case and worst case scenario. Yeah.
Lori Crooks: For full implementation, I would probably say, and this is with, like, tooling and stuff, probably mid five figures, like, maybe starting at 50,000, maybe a little bit more. 3 to 6 months is probably the short end of it. Again, that's just really small in the tooling. So it could be a little less depending on the tools that you get, because there are tools out there for CMMC that you just put your environment in their environment and then you're covered, but those typically come at a little bit higher cost because they're managing and taking most of the risk. Right.
Lori Crooks: And the higher end could be, you know, 6 figures, 12 plus months.
Justin Shelley: Oh, 6 figures. I mean, this is exactly the problem. Right? This is where I'm asking, what if these don't apply? Should we still do it?
Justin Shelley: Here's where the pushback is. Because this is not simple, and definitely not cheap.
Mario Zaki: Yeah. I mean, most of the time, if it doesn't apply, they're gonna avoid it, you know. Yeah. You know, especially when we're talking about, even on the low end, like say $50,000, you know, even if it's $10,000, you know, it's something that nobody's gonna wanna just voluntarily do. But they have to understand that, you know, if they need it, if they're in an industry that requires it, they have to do it.
Mario Zaki: But it also pertains to a lot of the stuff that we've been talking about for months, which is, in the event a hack happens or a breach happens, all right? What's gonna end up happening is those lawyers are gonna come around and lawsuits are gonna come around. And if you say, hey, we've taken the proper precautions to protect ourselves. You know, nobody's gonna guarantee a hundred percent, you know, protection, but hey, we're compliant. You know, here's our latest compliance report.
Mario Zaki: You know, we've been proactive in upgrading this and this and this. You know what? There's no case. You know? The hackers ended up just winning that day, but, you know, you did everything you were supposed to do.
Mario Zaki: And, you know, chances are there won't be a valid lawsuit, at least.
Justin Shelley: I'm gonna throw an example out there, and I'm gonna give a little shout out to HATZ AI, H-A-T-Z, HATZ AI. Mario, are you familiar with... oh god. I can't talk. Are you familiar with them?
Mario Zaki: Yeah. Briefly. Yeah.
Justin Shelley: Okay. So one of the problems with AI is that the data that it ingests, when we feed it information, it uses that to train future models, and that becomes part of the IP of the AI engine. Right? So they now own your data. This can be a major security problem.
Justin Shelley: So HATZ AI, what they do is they've got their own secured environment where I can put my stuff into that and I know it stays there. Now back to my point of using this as a marketing advantage: they're not required by any regulatory agencies to be secure, but they've gone out and got their SOC 2. I think they have Type 1 and they're getting ready for Type 2. So they've been assessed by a third party, they're following frameworks. That's their proof that they're keeping my data secure. So I am much more likely to pay them, and I'm actually getting ready to cut out some other services that I've been using, because I don't have that same level of assurance from them.
Justin Shelley: So now all of a sudden this investment, which is large, we can use as a major competitive advantage and possibly even squeeze out some of the competition. I do think that there is definitely a financial benefit to becoming compliant, even though nobody wants to have it forced down their throat by the government, which is where this usually comes into play. Alright. Any other thoughts on this one, guys? Either one of you.
Lori Crooks: Just to your point too, Justin, a lot of my clients come to me because they have contractual obligations; they have to go through a SOC 2. Right. So it's something that their customers are requiring. They're like, okay, if I want to sign this, you know, I need this type of audit.
Lori Crooks: So it is happening a lot.
Justin Shelley: I mean, really we can look at it as developing skills, investing into our, you know, anything, anything, Jesus, it's one of those days. All the stuff, the time and the money that we put into bettering ourselves and bettering our business. This really is a place where we can do that. And if done properly with the right mindset, we can leverage this to really springboard our organization. So Lori, one thing you said which kind of caught my attention when Mario asked what the process looks like, you said what you find on your initial assessment is that they usually don't have policies and procedures in place. Tell me a little bit about that.
Justin Shelley: What do you find? Do they have anything?
Lori Crooks: Honestly, they'll usually have some technical controls in place. They usually have a firewall. They might have some basic AV. So they'll have some technical controls in place, but when it comes to some of the management and operational policies and procedures, those are usually lacking. There's not usually a risk assessment.
Lori Crooks: There's not usually vendor assessments, you know, those types of things. So they're trying with the technical piece, which is great. But for cybersecurity compliance, you kinda need a little bit of everything.
Justin Shelley: Do you find the basics? I mean, let's talk about BYOD policies or acceptable use policies. Do you usually find those in place or no?
Lori Crooks: Sometimes. I'll sometimes see acceptable use policies, rules of behavior policies. Those are the most likely that I see, because usually from a technical standpoint they might have to have users sign it as part of the onboarding agreement.
Justin Shelley: So let's take that example, one that you do find in place, and you just said the attorneys made them do it. This wasn't really something they wanted to do. What happens, generally speaking, in your experience? They've created the policy, make people sign it when they onboard, which by the way is making somebody sign something under duress if you think about it. And fun fact, my attorney once told me that you cannot retro, like, I can't bring in a new policy and make my employees sign it. I can entice them to sign it, but I can't make them sign it.
Justin Shelley: You can do it when you bring them in. But once they're hired, you can be like, oh, new policy here, sign this. So there's some fun ins and outs there.
Lori Crooks: But
Justin Shelley: well, I had to bribe them basically, according to my attorney, and I don't know, this has been a while, but he's like, you have to pay them, like, offer them a hundred bucks to sign the policy, you know, in consideration. I don't remember all the legal terms, but there's a lot of fine print in this stuff. But what is generally the attitude? Let's just go with this one that they have in place. Is there any kind of ongoing discussion or culture around it? Or is it just, sign this, with the stack, by the way, of 100 pages that you just had to read and sign off on?
Justin Shelley: What does it look like after the fact?
Lori Crooks: Yeah. Like you said, it's usually signed off and then it sits there until the next person gets onboarded and they have to sign it. Especially for, like, acceptable use policies, those have to go through a legal review again. It usually just sits there and they just sign the same thing every...
Justin Shelley: How often do you find them being reviewed on average?
Lori Crooks: Not very often, to be honest. If they don't have to comply with anything, it's usually once and done. I'll go in and find policies that are five, six, seven years old. They wrote it. They haven't looked at it.
Lori Crooks: They're just making people sign it.
Justin Shelley: It's like, don't use Myspace on company time.
Lori Crooks: Yeah. Now what... Exactly.
Mario Zaki: Once, you know, you mentioned, you know, the onboarding, the setup, three to six months, could be a year. What happens after that one year? Do they retain you for like a, you know, monthly, you know, call, six months, something like that? You know, what happens after the initial, and then after, like, alright, here's our, you know, SOC 2 compliance certificate, you know, plaque, whatever they give you. I don't know.
Mario Zaki:Trophy.
Lori Crooks:It'd be nice. I think they used to. Very early days, I think, from SOC twos, they would get sent out, like, little plaques. Some companies did. So it's kinda funny.
Lori Crooks:But but yeah. So they they can retain me for a little bit just to on a monthly basis. There's usually a small retainer fee, so I'm available for phone calls if they have questions. But during let's take a step back. Most standards have an annual audit.
Lori Crooks:So once you become SOC two compliant, it doesn't mean you're done for; you actually have to go through an audit the following year as well. So what I like to do from that in between period from one year to the next is to make sure, again, controls are still in place. Continuous monitoring, we call it, is being done. The policies are being reviewed throughout that year, making sure, you know, HR is doing their job by bringing people on, security training is being done, etcetera. So so, yeah, we help them on a monthly basis based on the type of framework that they have and the controls that they need reviewed throughout that year.
Lori Crooks:And we just kind of spot check throughout the year to make sure everything works properly, and then we help them make sure and prepare by pulling the evidence, gathering it, working with the auditors that they need our help like that.
Justin Shelley:Got it. Lori, I I wanna say that you have confirmed my initial hypothesis that people don't like policies and procedures. This is not something people talk about over a beer after work. What but they're important, right? Can we agree on that? Like, at least in this room, we can agree on that.
Justin Shelley:You have any tips or tricks for a business owner to maybe build a culture or do something to make these things more than just a document that gets signed under duress and then put in a file and never looked at again.
Lori Crooks:Yeah. It really comes from the top. If you wanna build a culture around cybersecurity, it becomes with awareness of training, making it fun. A lot of the training programs now are more interactive. They were more gamified.
Lori Crooks:And so it kinda takes those policies and breaks them down into things that people can actually understand and relate to on a regular basis and makes it fun. I'm using the air quotes as much as you can make policies fun, but they try to make it fun through the through the games, you know, the kind of examples, like quizzes and stuff like that. So I I think that's the best way to do it. It's just a reminder too. It's, like, reminding people monthly every other week, like, hey.
Lori Crooks:Don't forget this tip that's from your information security policy or this tip to don't leave your laptop in the car, so somebody can steal it. You know, those types of things are good as well.
Justin Shelley:Do you have any examples of the gamification?
Lori Crooks:I'm trying to think now now that I say that. I haven't used one personally, but I had there are a lot of more, like, fun videos where you could, like, click on emails to open or you click on like poster boards to try to find something kind of unusual within the room and stuff like that. It's been a while, but I remember kind of going through a while ago. It was interesting.
Justin Shelley:I had a and I this has been a while, but when we in our company, when we we switched to a new vendor for security awareness training Mhmm. And one of the things that they had was a leaderboard. At this time anyways, my techs were very competitive. And so they would run around bragging about their score, their risk score, and like I'm better than you. I loved it.
Justin Shelley:And what what has frustrated me ever since is the same company that has this leaderboard. They when each employee signs themselves up or, you know, goes in and configures their their account, it randomizes their username so that nobody else knows who it is. I'm like, why in the world
Lori Crooks:That's the purpose.
Justin Shelley:I know it. And I keep asking them, I'm never gonna quit until they actually develop this. I want a kiosk display with real names where we can publicly reward and also publicly shame and humiliate based on their score of are they clicking on the stupid phishing emails? Are they reading and accepting the policies and procedures? Because that's part of it.
Justin Shelley:Are they taking the annual training? Are they taking the weekly micro trainings? But I do think that until we find a way to really make this part of our culture, we're never going to have anything other than dusty policies.
Lori Crooks:Yeah, agreed.
Justin Shelley:They're just because the government or the attorneys made us do it, or more more realistically, they're just not there at all. Now that we've fully developed this fun topic of policies, let's get into tell me and I know there's a lot of frameworks, but if we just could pick a couple, let's say one, two, maybe three policies that are the most bang for the buck, what would you say those are?
Lori Crooks:We talked about the acceptable use policy. I think that one's important. Again, rules of behavior, how people should be using their computer, how they should be using their computer, how they should be using the data and stuff. So definitely acceptable use policy, I'd say, is one of the top ones. Typically, I see an information security policy too.
Lori Crooks:This is more geared towards cybersecurity as a whole, more towards some of the IT people as well, but it's good for general users to read through as well. And then I'd say incident response would probably round out the top three. As we all know, unfortunately, we're probably gonna have an incident, knock on wood, at some point in time. So there should be a policy for your IT department on how they need to detect that, how they need to investigate that, how they need to respond to that, and how they need to notify people that there is a potential incident.
Mario Zaki:Okay. Have you been seeing a lot of AI policies coming up?
Lori Crooks:I have some. And AI, I think, is getting a little bit better, but kind of what Justin was saying earlier, I hesitate telling people to put stuff in it because you don't know what what where it's being stored on the back end, what's gonna happen. But I think AI could be good to enter into their policies, but you still have to kind of fine tune it for your organization and kind of the people that you have and the tools that you have within the organization.
Mario Zaki:Yeah.
Justin Shelley:So, Lori, you you quickly kinda mentioned what should be included in an incident response plan. Let's talk about the the acceptable use and the information security policy. What are just, like, some some key components, headlines that need to be in those policies? How about I write one?
Lori Crooks:Yeah. Sure. Acceptable use is really, as it says, it's what you can use your computer for, what you could use company information for, and this is usually the one that the lawyers like to sign and review because it's telling people what you can and can't do with the company information. So don't post company information on websites. Don't go out x now and, you know, save all the company data or share all the company data.
Lori Crooks:Don't use public Wi Fi when you're transferring sets of information. Like, those types of things should be included in your acceptable use policy for users to understand this is good things to do with the company information. This is bad things to do with company information. And so then you have your information security policy, which really could take a lot of different topics. And kind of roll up into one.
Lori Crooks:So it could include access control. So it could talk about your username and password policy where your passwords are minimum of eight characters and special numbers and special letters and numbers and all that combination. It could include some remote access, so telling users they need to use a VPN as part of logging in remotely from from their home into the work into the work area. So words are hard today too for me, Justin, so you're not the only one struggling.
Mario Zaki:You know, with that last part said, and I I don't know about you, Justin, but I get this every once in a while. You know, almost every new customer we set up for and, you know, tighten up security. We have at least one customer or sorry, one employee for this customer that says, I don't want to use 2FA or I don't wanna use my personal phone for two factor authentication. You know, what we usually tell them is like, this is the same person that's probably sitting there texting all day while they're supposed to be working. But what do you usually, you know, how do you usually attack something like that?
Lori Crooks:That's a good question. You know what? It kinda goes to the company at that point of time. It's like, are they willing to buy them a second phone to have that authentication? Otherwise, you have to use some sort of hard token, which, again, I don't most people are gonna wanna deal with anymore either to plug into their laptop and return their login.
Lori Crooks:So I don't think there's a way around it. I think to authenticate that it's here to stay. Again, it's gonna be either they either buy them a separate phone to use it if the company's good with that, or, you know, they just get a push notification to their phone.
Justin Shelley:So Yeah.
Mario Zaki:I usually give them those two options, or I usually give them a third option is tell them to get the hell out of the office.
Justin Shelley:Yeah. Well, there's I I think that and again, on the subject of just creating a a positive culture, we want to make people some skin in the game interested in it. If they're pushing back, first of all, I would wanna find out why. What's what's the real problem with using your phone? Is it that you just don't wanna use it?
Justin Shelley:Then fine. Here's a second phone. Is it that you feel like you shouldn't be financially supporting the company? Then fine. Here's $30 a month or $20 a month or whatever to to offset your cost for your cell phone or to show you that we care, you know.
Justin Shelley:But Mario, you're right. Ultimately, if we can't in some way get them into this security minded culture, they can't be there. They've gotta go. Like, 100%, if you've got somebody that's a security risk, fire them. Right?
Justin Shelley:Yeah. Just ask Donald Trump: You're fired.
Mario Zaki:And that's exactly what I've had conversations with. I'm like, you know, if you're asking me to not enable it just for this employee, the answer is no. It's not gonna happen. You know, unless you wanna sign off on a bunch of stuff saying, you know what? Don't call us when something happens, you know, which nobody ever agrees to, you know?
Mario Zaki:But, you know, we tell them like this this is those are the people that, you know, will end up clicking on something and, you know, causing a problem and, you know, like you have to be firm and you know, like this is the, you know, price of doing business or being an employee of this company. You have to use two factor authentication and you get one of those people like every once in a while. It's like, I don't wanna use my personal phone.
Justin Shelley:And then it comes down to again, I would wanna find out why. Is there a valid reason for it? Fine. I'll accommodate. Is it just because you wanna be an ass?
Justin Shelley:Well, you don't fit our culture and you gotta go. Right? I mean, because if if you've only got a handful of people that are being we can call this defiant again, unless there's a real reason for it, then we don't want them there anyways. If they're not going to follow this policy, what else are they not going to do? I mean, it just seems like there's this person probably needs a therapist more than a second phone.
Justin Shelley:Just my thoughts. Alright guys, listen, we I think we've kind of covered everything that I had in mind for the day. Is there anything else? Have we missed anything, Lori, that you would like to talk about before we wrap up?
Lori Crooks:Not off the top of my head. Okay. This is a great conversation.
Justin Shelley:Perfect. So then let's go ahead and do this. I kinda like to wrap up with key takeaways. Let's assume that nobody listened to anything but this part of the podcast. What do you want them to know about everything we discussed today?
Justin Shelley:And, Lori, I'm not gonna put you on the spot. I'll give you a minute. I'm gonna have Mario go first. So you've got as long as it takes him to answer this question to think up your own answer. And then I'll and then I'll have you give yours, and then I'm I'll I'll tell people how to get ahold of you, and we'll go ahead and wrap up for the week.
Justin Shelley:So, Mario, key takeaway for this week. What do you got?
Mario Zaki:You know, for me, the a key takeaway for this is that it's every business out there is gonna fall under some sort of bucket, you know, some sort of compliance, you know, like we mentioned earlier or I mentioned earlier, you know, it could be something small like PCI, you know, or it could be something huge or like CMMC. But if at the very minimum, if you have some of these policies in place, you'll you'll be ahead of the game, you know, probably stand out from, you know, competitors and and, you know, have a better workplace, better culture, you know, for your employees and for your customers.
Justin Shelley:Okay. Alright, Lori. Your turn.
Lori Crooks:Oh, pressure's on. No. I think it goes back to kind of I think Justin said it best too. It's kind of the the culture of compliance and cybersecurity. I think it's important for cybersecurity to start at the top and go down through the organization.
Lori Crooks:And that's really the only way everyone is going to get on board, is if you have that appropriate culture. And I think that should be for every organization, whether there's a regulatory standard out there for you or not. I think it's important and it gives you that competitive advantage.
Justin Shelley:I mean, I I couldn't agree more with the whole start at the top. And it's I say this out of experience because getting the top, getting the leadership to go through the cybersecurity awareness training, they don't feel like they have time for that, largely speaking. I'm not saying it's 100%, but that is that is a constant problem. And I'm sorry, but if you aren't doing that, if if you're not personally taking it serious, you cannot expect those that work for you to do any better. You just can't. So 100% agree with that.
Justin Shelley:I would say my key takeaway today is that everything that we are dealt in life can be I'm gonna put some asterisks on there. There are exceptions to this rule. Generally speaking, we can look at things as a problem or we can look at them as an advantage. And so where we are forced into a world where we do have to prove that we are taking security measures seriously, whether that's through mandated compliance or voluntary compliance. I really believe that this can be an advantage to us personally, because while I was sleeping ignorantly by writing a check thinking my IT company had me covered, now I at least have some confidence in them.
Justin Shelley:If I know that they're following the frameworks and and maybe even pushing pushing them on me. But then the other side of that when I'm trying to sell my services to somebody else, when I can show that I'm doing this, that I'm taking their privacy seriously and I've got it backed up. I could document it. I really do believe that to be a a competitive advantage where we can probably reclaim a significant amount of the investment to get there in the first place. So that's, that's my take on it.
Justin Shelley:Lori, thank you so much for being here. I'm gonna go ahead and plug your services. Cadra.com, C-A-D-R-A dot com. And we always have links to our guests. You can go on unhacked.live and get more information about Lori, who she is.
Justin Shelley:But Lori, if you want to say anything, any elevator pitch or any final words about your business, what you do, who you do it for, you're welcome to do that now.
Lori Crooks:Sure. So we focus on small to medium sized businesses who might not understand cybersecurity compliance and what the need is, and we try to take complex environments and legal language and kind of tone it down so the normal person can understand, and we help implement and walk you through that process. We hold your hand through the entire process from beginning to end and help you get through the assessment for whatever compliance standard that you need.
Justin Shelley:And I think I heard you say earlier that you do on occasion work with MSPs like us if they want some help from an outside firm. So we we do get some of our peers listen to our show, so we'll put that plug out there for you as well.
Lori Crooks:Thank you.
Justin Shelley:Alright. Mario, always a pleasure. Thank you for being here.
Mario Zaki:Thank you, Justin.
Justin Shelley:Guys, like I said, if you have any, want to check us out on unhacked.live, we've got all of our links up there to our guests, to our social media.
Justin Shelley:We have free assessments that we offer. Go ahead and hit up unhacked.live. And until then, thank you guys both for being here, and we will see you guys next week. Take care.
Lori Crooks:Thank you. Bye.