55. From Breached to Bulletproof: How Smart Businesses Stay Ahead of Cyber Threats with Michael Ritsema

Justin Shelley (00:00)
Welcome everybody to episode 55 of Unhacked. We are cybersecurity made simple for small business owners. I'm your host Justin Shelley and I am joined as always by my good friends Bryan LaChapelle and Mario Zaki.

Mario Zaki (00:15)
What's up, everyone?

Justin Shelley (00:16)
Every week we cut through the noise, bust the myths and help you protect your empire. Guys, if you're not building an empire, you're doing it wrong. Today we have a special guest. We are joined by Mike Ritsema, founder and president of i3 Business Solutions. Mike, I guess you've got extensive experience, as so it says, guiding companies through cybersecurity breaches. Hopefully those are not active clients. Okay, because...

Mike Ritsema (00:40)
Absolutely not.

Our clients are perfectly protected.

Justin Shelley (00:45)
Cause we're here to tell people how to avoid this stuff. So, but you know what, that is, that's the reality is when it happens, we have to know what to do. So, I love that we're going to get to break down some practical steps on both how to prevent and then what happens when you find yourself at ground zero. So Mike, thank you so much for joining us. Tell us a little bit about yourself and your business.

Mike Ritsema (01:06)
Glad to be here. Thank you, Justin.

Yeah, I think, I think experience. Yes, I've been in technology for decades, started with IBM and ERP and DRP software side. And in the Great Recession in '07, we rotated hard to managed technology services and built essentially a cybersecurity practice, right? So today we're managing somewhere around 4500 endpoints over 125 clients and helping them improve productivity, AI, automation, the new thing, and then certainly risk management, cybersecurity on the technology side. And that's what we do here in Grand Rapids, Michigan, i3 Business Solutions.

Justin Shelley (01:45)
Good, good.

So you do in fact help them build their empire. I'm very glad to hear that. Very glad to hear that. All right, Mike, so this, you've got the inside scoop and this is what I absolutely love to be able to break down because we're going to talk about the very thing we try to avoid, to protect against. And I've never heard anybody say, Hey, we were breached, had a ransomware attack, and it was a good time. Tell me, tell me what your experience is here.

Mike Ritsema (02:19)
Yes.

Well, you know, imagine you're sitting at Qdoba on a Friday night and it was 6 p.m. with my wife and the phone rang and I looked at the name and I answered it and it was a major accounting firm and an acquaintance who said, do you guys do incident response? Do you handle breaches, hacks? And I'm like, absolutely, yes, we do.

And three hours later on a Friday night, I was sitting with a number of my techs and team in the conference room of a 300 employee company that had been 100% encrypted across all their servers and they were out of business. I will tell you that over the weekend when we helped them recover and we just all hands on deck, was very emotional for me, very emotional as a business owner responsible for so many families, so many lives to see the owner of this company who I know because ironically I worked at the company decades prior. And yeah, that's, you know, an irony to see that owner was older than me, uh, pacing the hallways wondering if his whole

Justin Shelley (03:32)
really?

Bryan Lachapelle (03:33)
wow.

Mike Ritsema (03:45)
business is collapsing around him. I'm getting emotional right now because ⁓ it's such a powerful situation to observe and be in. It's just, it's really tough.

Bryan Lachapelle (03:54)
Mm-hmm.

Out of curiosity, Mike, what was the long-term reputational damage that they experienced, if any, at all?

Mike Ritsema (04:06)
I think they've, they found their way through it. I mean, we helped them recover by Monday morning and they were back on the road delivering product. So they were, to my knowledge, and I didn't, I can't say that I did a full breakdown on loss of revenue or loss of clients. But they were back on the road by Monday morning. This happened on a Friday night, which is when the bad actors hit, right? Yeah.

Justin Shelley (04:31)
Wow.

Mike Ritsema (04:35)
So I'm not sure how bad the reputational damage was, Bryan.

Bryan Lachapelle (04:41)
Okay, fair enough.

Mario Zaki (04:41)
What did you have in place to help you recover so quickly?

Mike Ritsema (04:46)
Well, we have access to resources. So absolutely. We have consultants we work with and then also, you know, we have a tech team that's pretty substantial. So we brought in outside consultants and our own tech team and just got to work on it.

Mario Zaki (05:05)
So they had like backups and stuff like that that you were able to restore from.

Justin Shelley (05:05)
Yeah.

Mike Ritsema (05:08)
Pretty ironic, we've helped three companies in the last five years recover and backup is always interesting. And in this case, get this guys, they were backing up to tape and carrying it across the street. They had literal tape. This was five years ago.

Justin Shelley (05:24)
How long ago is this? This is like 30 years ago?

Bryan Lachapelle (05:24)
No.

Justin Shelley (05:28)
What?

Bryan Lachapelle (05:29)
no.

Justin Shelley (05:30)
What? Oh my God.

Mike Ritsema (05:32)
I'm telling you, was it air gapped? Yes, it was. Could the bad guys from China or Russia get to it? No, they couldn't.

Justin Shelley (05:34)
Sure, yeah, yeah.

Did the tapes work? I exactly pray to, pray to God, whatever you, like, you believe in, that those tapes were actually working.

Bryan Lachapelle (05:42)
surprised I'm surprised I'm surprised they could get to it

Mario Zaki (05:46)
He he he.

Mike Ritsema (05:53)
Tapes worked. Here was the biggest challenge. I mean, if you've got a business of any substance that has integration and complexity from multiple systems, and they did, on premise, right? Everything from shop floor, warehouse, EDI, et cetera. And they had a lot of customization over the years. So some of it, well, they, they had various types of backup, but when you restored, you had to knit it all together and they had code and passwords and logins that they couldn't find. They just couldn't find, they didn't have it documented. So making things work together was as big a part of the challenge as anything.

Bryan Lachapelle (06:38)
So out of curiosity, what was the financial impact? Like how much did it cost them to recover from this incident? Just the initial phase, maybe your portion of it or the initial portion.

Mike Ritsema (06:51)
Well, the first thing you do is call your attorney. The second thing you do is call your insurance company. The third thing you do is call the FBI or the police. And so I don't know what the legal costs were. And I don't remember if they had cybersecurity insurance. But our bill was somewhere around a quarter million to a half a million dollars. So it's, yeah, it's nice.

Bryan Lachapelle (07:15)
Yikes.

Mario Zaki (07:16)
It's a nice weekend for you.

Justin Shelley (07:18)
Yeah.

At first I felt bad that you lost your weekend. Now I'm like, I'll do that.

Bryan Lachapelle (07:23)
You

Mike Ritsema (07:23)
Yeah. Now,

Mario Zaki (07:23)
Hahaha

Mike Ritsema (07:25)
Ironically, so, you know, my big message in cybersecurity is number one, back up your stuff. I mean, just make sure you have an air gap, the offline backup that nobody can get to. And recently we helped the company recover and they had a great backup system in place, Veeam, backing up all their servers and going to the cloud, going to Wasabi in the cloud. But somehow the bad actors found, I don't know how they found the login, but they found the login to Wasabi. They changed the email address to like an AOL or some crazy email address, deleted the email and the backup and they couldn't get to it. They couldn't get into it.

This one, similarly talking to the owners is just, I mean, the amount of responsibility I feel to help. And the owner said, can you call Wasabi and see if they can get it back? So I did, you know, track down Wasabi, got to the tech and the rep and said, you know, we know that on a cell phone, the FBI can get your cell phone, reverse the digits and find the data, right? You think it's deleted. No, we can reverse the bits and bytes. We can get it back.

But not when you put it in Azure or Google or Wasabi, Amazon Cloud. If I'm Wasabi and you have HIPAA data, you have PII, PCI information and you delete it, you don't say, well, we deleted it, but we can get it back for you. No, it is gone forever. And that was the answer. It is gone forever. Your backup is gone. And theirs was 100 % gone. Every backup gone.

Justin Shelley (09:08)
Yeah, has to be.

How did they recover from this one?

Mike Ritsema (09:21)
This is so ironic that it was a day or three into the recovery that the IT manager said, I think I've got a backup in the closet on a terabyte drive. And he did. He had a two year old backup for parts of the business. Cause there were six divisions and multiple locations. So in that respect, he had one, a software vendor that did an upgrade to their software.

Justin Shelley (09:32)
What? No way.

Mike Ritsema (09:49)
actually had a backup that they had done in the cloud before they did a revision. So they got bits and pieces of it back. But other than that, just start pounding in names and starting.

Justin Shelley (10:03)
Wow. They survived, I take it, because not everybody does.

Mike Ritsema (10:07)
They did survive. They found their way back. Ironically, in this situation, a manufacturer type situation, shop floor production went on. They just lost all order information, financial information, and so on. So they were able to find their way through it.

Justin Shelley (10:29)
Crazy stuff. So listen, we, I like being able to talk about these, but mostly I want to know how to never get here. Right. We want to never ever, ever be here. And one of the things that just drives me batshit crazy is when I'm talking to a prospect or just a business owner, maybe they're not even a prospect yet. And I'm like, Hey, can we do an assessment? Can we help you out? Put another set of eyes on your security setup. And the most common answer is

Mike Ritsema (10:38)
Yeah.

Justin Shelley (10:58)
Pop quiz guys, what's the most common answer? We're covered. All right, you guys got that handled. And I love to follow that up with how do you know? And I've never had anybody give me a good answer to that. And so Mike, I'm going to ask you, how do you know?

Bryan Lachapelle (11:00)
We're

Mario Zaki (11:00)
We're good.

Mike Ritsema (11:14)
How do you know that your cybersecurity is up to date? You do an assessment. I run a pretty substantial technology company and we bring in other firms to assess our own technology and find a hole. Please find something and we'll patch it up. I mean, we implement the, I say we use the NIST framework

Bryan Lachapelle (11:28)
Mm-hmm.

Mike Ritsema (11:41)
implemented through CIS version 8. These frameworks actually have 18 controls, 18 areas that we want to manage to.

Justin Shelley (11:51)
I was going to say a control is like a subject, like a chapter, not like a bullet point, right?

Mario Zaki (11:55)
Yeah

Mike Ritsema (11:58)
Exactly. Areas, you know, the human firewall being one, educate your team. Inventory, if you don't know what you have, how can you even protect it? So 18 areas we look at, 153 safeguards. So Mr. or Mrs. business owner, have you hit all 153 or do you even know what the top 10 are?

Justin Shelley (12:14)
go.

Mike Ritsema (12:23)
Does your IT manager or the person that handles it, do they know what all 153 are or where to start? That's why we do assessments.

Justin Shelley (12:35)
And yeah, you have to have some sort of a framework to work from. There was a, Bryan and Mario, you guys remember this story, the guy I found on Reddit who had been in business for, I don't remember, 25, 30 years. And a prospect asked him like, you know, what are these industry best practices you guys speak of? So he gets on Reddit and he's like, it made me think, what is it that we believe in? So I went to my, I went to my RMM to find out.

Bryan Lachapelle (12:58)
Ha

Justin Shelley (13:02)
Now guys, the average business owner doesn't know what an RMM is, but tell me this. Is that where you go to find out what your cybersecurity controls are?

Bryan Lachapelle (13:12)
Nah.

Mario Zaki (13:12)
No

Justin Shelley (13:13)
Okay.

So when, when a business owner, tell me, you look me square in the eye and you say, guy's got it covered. You better be checking up on him. So let's.

Bryan Lachapelle (13:23)
Yeah.

Mike Ritsema (13:23)
Exactly, yes.

Mario Zaki (13:24)
Yeah, I mean, you ask them, like, okay, where's the last backup report that he sent you? How do you know your shit is backed up? And they're like, no, he's never sent us that. And then you see them writing it down, like, ask for a backup report. That's exactly what we're talking about. How do you know?

Mike Ritsema (13:43)
Well, that, I mean, Mario, that's, I mean, we've helped three companies of substance, 300 employees, 150 employees, 500 employees, recover, all with an IT manager. And I think the value of our firms is that we have moved from people excellence to, I call it checklist process excellence, process excellence in every situation. And I think some of our best techs, right?

Justin Shelley (13:43)
Yeah.

Mario Zaki (13:48)
Cough

Bryan Lachapelle (14:05)
100%.

Mike Ritsema (14:12)
can just figure stuff out and they love it, right? Give me a challenge, I'll figure it out. We'll fix the problem. That's what we do. And that's what great techs in one and two man tech companies do is they can figure stuff out, make it work. But in every situation, I mean, the firewall was virtually wide open, no control set whatsoever, backup mistakes,

Justin Shelley (14:38)
Really?

Mike Ritsema (14:41)
across the board. And I tell business owners, your tech person, your one man band, your on staff or yeah, we got a guy, is great at fixing stuff, but they're usually not good at that checklist. You know, whether it's 15 items every day or every week or 153, it's just not their thing. It is our thing.

Bryan Lachapelle (14:58)
Right.

Justin Shelley (15:07)
So let's do this because I mean, I'm putting on my business owner hat and I've got everything under the sun that I'm responsible for. And Mike, you just told me that there's 175 million things that I've got to look at where cybersecurity is concerned. And I'll tell you what I do in that case. I go on overload and I say, fuck it. I'm not doing anything. So let's, let's, let's go. And I know we do this a lot. So there's some repeat, but if, if I'm a business owner and you guys are consulting me, give me your number one thing that I need to go do.

Bryan Lachapelle (15:07)
Yep.

Good.

Justin Shelley (15:37)
right now today. And I'm just going to kind of go around the room. Mario will start with you. I'm sorry, Bryan, I want to start with you and then Mario and then Mike, tell me yours. So Bryan, go ahead.

Bryan Lachapelle (15:47)
So there's quite a lot of them, but my favorite one is just cybersecurity awareness training. Getting started by teaching the people what to look out for and what not to. I've said it once and I'll say it again, I could put locks on the doors, bars on the windows, security guards at every entrance. But if somebody goes and props open the back door or with a brick and the criminals can come right in. So what people don't know can hurt you.

And so we just got to keep it top of mind all the time. And I prefer to do it in small little nuggets because that way it's always something that they're thinking about. And more importantly, testing them on it, right? To make sure that they are paying attention. You let them know, hey, we're going to be attempting to fool you, whether it's by calling in and trying to trick you into giving me information you shouldn't, or by sending you an email and trying to trick you into clicking in or providing information you shouldn't. And if you fall for it, I won't yell at you, but I'm gonna make you take the training again.

And by them knowing I'm looking to trick them, they're gonna be even more hyper aware and be on the lookout for my, you know, my attempt to fool them. And if while they're looking out and trying to pay attention to my thing, they're also catching everybody else's. So that's my favorite, cybersecurity awareness training, but more importantly, just get started.

Justin Shelley (17:08)
Yeah. For audio only listeners, we're all sitting here nodding our head like, yes, yes. Start there, Mario. What's your number one? Or if Bryan stole yours, what's your number two?

Bryan Lachapelle (17:13)
Yeah.

Mario Zaki (17:13)
Hahaha

Well, prior to us recording, we kind of drew like straws and Bryan stole mine, then Mike stole mine. I'm like, shit, you know, I got to make up something here. So my third, which is, Mike is going to mention the second one. My third is, you know, just putting in some, like 2FA, some sort of security in place, you know, for all important stuff, banking, you know, email, you know,

Justin Shelley (17:24)
I know.

Mario Zaki (17:49)
If you're, whatever program you're using, if you set up 2FA you've moved up a notch, you know, because that is simple, because usually hackers just, they need three things: email address, password and, you know, like the domain, you know, and the domain is easy to find, you know. Your email address is easy to find. The password, it could be figured out, you know, dark web. It can be brute force. There's so many different ways that they can get in there.

Justin Shelley (17:57)
Yes.

Mario Zaki (18:19)
By having two-factor in place, it just makes it a lot harder. It's not bulletproof, but it makes it a lot harder to get past that. Obviously, awareness is very important. What I also would add is having two-factor authentication, because that is also something you don't necessarily need an IT professional to do for you. Everybody has the ability to set up 2FA, as much as it's annoying, and we talk to people all the time, like, I don't want to keep having to enter a code every time I go into this website or log into my computer or do whatever, you know, but just like Mike mentioned earlier, like being attacked is a lot more inconvenient than entering a six digit number once or twice a day.

Justin Shelley (19:11)
I mean, I don't want to call you out too much, but I can't tell you how many end users I've had to help set up 2FA because I couldn't figure it out. So I would replace that with you should be able to. And then for my techs who complain about, or, you know, clients who should be able to do it on them on their own. I'll just say, this is why you've got a job. So listen, I, and I only point this out because most things in security are not a do it yourself feature. Start there, do what you can. But if you are the least bit confused, get some help. Don't rely on a Google search to figure this out. All right, Mike, what do you got for us?

Mike Ritsema (19:52)
I'm, number one, I'm saying amen to the human firewall. One of the biggest vulnerabilities, Bryan, the human firewall, you, me. And then secondly, two factor authentication is going to two person authentication. There are now systems, Wasabi can now require, if you want to delete your backups, you need two different email addresses, two different people to log in.

Justin Shelley (20:08)
Mmm.

Nice.

Mike Ritsema (20:21)
In order to delete. So, and more and more in business, certainly, I imagine your business, if you're gonna change a routing number in finance and you get an email from somebody, hey, change my banking and routing number, we require two-person authentication at i3. So two-factor authentication, two-person authentication. Yeah, yeah. Yeah. Okay. Mine is backup. Look, I don't know, I think you guys remember, I'm holding a cell phone up here, and I don't know, three to

Bryan Lachapelle (20:30)
Yes.

Mike Ritsema (20:50)
six years ago, you'd have a friend say, oh crap, I lost my cell phone and three years of pictures are gone. I'm like, those days, I think they're gone because everybody's backing up to the Apple cloud or the Google cloud. So I think it's almost impossible to do that nowadays, but Criminy, back up your stuff. I've been using Quicken personally for 20 plus years.

Justin Shelley (20:56)
Everything's gone, yeah.

Yeah.

Mike Ritsema (21:17)
And I'm holding up a USB drive now. This is my backup and it's sitting in the drawer right next to me here. And I back it up once a week. It is offline and air gapped. So I'm saying if somebody, if I lost my laptop, it's like crap, 20 years of Quicken gone. And the answer is no, I've got this. I got the backup right in my drawer. So I'm imploring every business owner, back up. You know, what are your top three to five business systems, and usually email's on that list. And how is it backed up? Confirm that it's backed up. And I think like Mario said, find the backup report. Somebody give me a report proving that it's backed up. And then.

Bryan Lachapelle (22:02)
Mm-hmm.

Justin Shelley (22:03)
I, Mike, I'm going to stop you right there. And I'm just going to tell, like, I don't want to brag, but all my shit's in the cloud. I don't need to back it up.

Bryan Lachapelle (22:10)
you

Mike Ritsema (22:10)
Well, let's make sure, like I said earlier, let's make sure it's air gapped. That is, the login to that backup best be a different login and password and fully protected so that nobody can get to it. We know the threat actors, the first thing they do is delete the backup. If they can get to the backup, they'll delete it. By the way, we had a client that, a title company, not a client, I was called in, and 200 title companies across the United States in the cloud. The threat actors got in, wiped out the whole backup, sent the ransomware. They didn't pay it. This title company had closings in process, documents in the cloud, names, information, all gone. They had to start over from scratch. I mean, an air gapped secure backup. I'm sorry, I'm sorry, tapes across the street or a terabyte drive in a closet counts. It counts. Let's just.

Justin Shelley (23:17)
Oh, it absolutely does.

If it works, if it's tested, right? If there's a system around it. But you still dodged my point. I don't, if my stuff's on OneDrive or O365 or SharePoint, it's in the cloud and it's being backed up. So I don't really need to worry about that. And I don't really have anything I need to back up, honestly.

Mike Ritsema (23:20)
Yeah, if it's tested.

Well, I think the title company is the example of the bad guys can get to stuff. And by the way, if they can log into your email, they can start wiping stuff out. So you best be backing up cloud. You know, whole businesses are in the cloud now. So let's start talking seriously about backing up my stuff that exists in the cloud. By the way, the. Yeah. What we're doing is reverse backups.

Justin Shelley (23:53)
Yeah.

Mario Zaki (23:58)
Onto a tape, right? Like, and put it across the street?

Justin Shelley (24:00)
You

Mike Ritsema (24:05)
My business system's in the cloud. I'm going to back it up to my on-premise system.

Bryan Lachapelle (24:05)
reverse backups.

Justin Shelley (24:08)
Yeah. Yeah.

Bryan Lachapelle (24:10)
100 percent.

Justin Shelley (24:11)
Well, what I tell clients or prospects is if you can get to your data, so can the bad guys. So don't tell me that it, because it's in the cloud or because it's on 365 or whatever they want to use as the excuse to not worry about this. Yeah. Microsoft's got you covered. All right. Good luck. Good luck calling them up and saying, Hey, where's all my data? You're going to get, you're, you know, Bill Gates going to come out of retirement. He's going to help you out personally. I promise.

Mario Zaki (24:37)
I mean, the thing is we talk about hackers doing stuff like this all the time, but sometimes it's employees. Sometimes it's us or employees. We see a lot of times we have to go back to a backup, not because they were ransomed, but because somebody deleted a folder or moved the folder somewhere and they don't know where they moved it to. But it's the employees and yourself that are sometimes...

Mike Ritsema (24:38)
Wrong.

Justin Shelley (24:44)
Sometimes it's us. Yeah.

Bryan Lachapelle (24:59)
Exactly.

Mario Zaki (25:06)
You a problem, know, like, you know, you're relying on QuickBooks online to have your data on there. But what if you accidentally just deleted something? You know, you can't just easily call QuickBooks and say, hey, could you go back to yesterday? You know, you need to rely on your own back.

Justin Shelley (25:24)
Well, there's accidental, there's also malicious. Employees sometimes will do this on the way out. It's criminal and you can prosecute them, but that doesn't get your data back.

Bryan Lachapelle (25:24)
you

Justin Shelley (25:33)
Bryan, did you have something? Okay.

Bryan Lachapelle (25:33)
All right, so Justin, well, I was gonna say you heard Mike and mine and Mario's top one thing, what's yours?

Justin Shelley (25:39)
You're not going to let me off the hook, huh?

Mario Zaki (25:41)
I'm

Justin Shelley (25:42)
No, no problem. Well, I'm going to, I'm going to add to yours for us. So I absolutely a hundred percent believe in the end user awareness training, but I, I add culture and gamification to that. If you don't have a culture around it, that starts at the very top, the CEO, the executives, if they are not involved in the training, then you're not going to get anywhere with it. And then if you really want buy in in the trenches, you better find a way to make it fun and rewarding. Otherwise, like I've said several times, you're just sending out an email to take this test, click this link, and you're basically just spamming your employees. So don't do that.

But to answer your question. So mine, I absolutely believe in a POA&M and you guys talked, I think it was before we started recording, but where we had the insurance agent on here and you know, that daddy's getting the new boat email versus the daddy's not getting a new boat email from the attorney. If you have a plan of action and milestones, you're not getting sued, or at least you're going to drastically mitigate the damages. But if you don't, if you show up in court and you say, no worries, my IT guy has me covered. Guess what? You're fucked. So I highly recommend documentation. And Mike, you brought it up earlier, documentation and how to do the restore, how to, you know, where are all the pieces, what has to be done and in what order.

Bryan Lachapelle (26:52)
That's an understatement.

Justin Shelley (27:06)
And then you better have risk assessments and gap management. If you, if you can't identify where your weaknesses are and what your plan is to fill those gaps, you're screwed. Um, and by the way, if you think you don't have gaps, bad guys love you. Um, keep doing that. Keep, keep trying that strategy, uh, because everybody does. There's, there's, um, like I said before, 175,000, uh, what was the number again, Mike? 153 in,

Mario Zaki (27:23)
.

Mike Ritsema (27:34)
153.

Justin Shelley (27:35)
in CIS version eight, but like, there's different frameworks. There's so many different controls out there. You better know which controls apply to you, to your business, to your goals, to your industry. And then you better know where your weaknesses are and what your plan is to fill those gaps. That's my very short winded answer to your question, Bryan.

Mike Ritsema (27:56)
Yeah. And by the way, I just read an article and shared it with my team that the biggest threat, basically saying the biggest threat in cybersecurity right now is apathy. And I think that's what you're just saying is, you know, we get to a place of complacency. It's like, man, we're pretty good. We're pretty good. And that's when the trouble starts, the human error occurs, et cetera, apathy or complacency.

Justin Shelley (28:08)
Mm. Yes.

There's your mic drop moment. Mic drop moment, Mike, because you said before we started recording when we have those mic drop moments, that was it, apathy. I marked it. I'm chopping it up. I'm throwing it out on social media because that is absolutely, I think, our biggest pitfall. All right, Bryan, did I cut you off? I think you were trying to say something.

Bryan Lachapelle (28:22)
Criminals never sleep. Yeah. Yeah.

I was going to basically just say, if you go to sleep at the wheel, the criminals don't stop. They're going to wait for you to fall asleep at the wheel, and they're going to come after you then. So they never stop. They're always innovating. We have to always innovate. Because if we don't,

Mike Ritsema (28:56)
Yeah. And how does that happen? I mean, my, my phrase I love to use is technology marches on and we're all in this business. We're learning new things, implementing new things every six months to a year. Well, AI, the new thing, the, we know this in social media, right? Social engineering is, and my sales rep will go to Copilot and search out a person. We're no longer going to LinkedIn and Facebook and the website. It's like just go to Copilot. Tell me about this person. Guess what? The bad guys are doing that too. And I always say picture an office building like downtown in your city. 100 to 150 people in there in their full time job is go after the money. Where's the money? It's in America. Where's the easiest place to get it?

Justin Shelley (29:32)
yeah.

Mike Ritsema (29:51)
in a small business that's poorly protected. If I run into Mario, that company that has two factor on everything, it's like, this is a nightmare. I'm going to go find somebody else. So, office building, 100 to 150 people. And when they ring one up, they ring the bell literally and celebrate, they are in a business and they're making lots of money.

Justin Shelley (30:15)
Yeah, absolutely. All right, guys, I, I know I've got enough to chew on. So we're gonna, we're gonna wind this thing down. And we already, already went around the room and we mentioned our top control, our top area of focus for cybersecurity and we'll go one more time. And if you've said what you need to say, great. If there's anything else that you feel that, you know, and talk to me, I'm a business owner. I'm sitting here, I'm overwhelmed, I'm stressed. And I, I don't know that I like your word apathy, Mike, but I think paralysis by analysis falls into this too. I'm so overwhelmed with what I do all day, every day. I just don't have time to do this. So put yourself in those shoes and give your absolute best advice. And then we're going to go ahead and wrap up for the week. Bryan, you go first.

Bryan Lachapelle (31:08)
Okay, well my biggest takeaway actually isn't get started, surprisingly, because normally that is it. My biggest takeaway is have someone that you can call. So Mike mentioned that he was able to recover a business of 150 plus people because he had people he can call on and bring them into the fold when shit hit the fan. So I would say if you're a small business, partner up with somebody who will be there in your corner when shit hits the fan.

Justin Shelley (31:12)
Okay, okay.

Yeah.

Bryan Lachapelle (31:37)
And if you're another MSP, partner up with other MSPs and other organizations who will be there when shit hits the fan, right? Be part of the community, be part of the people who you have a circle that you can surround yourself with and just, yeah, that would be it. Just have somebody in your corner.

Justin Shelley (31:41)
Yes.

I love it. Mario.

Mario Zaki (31:58)
Part of me wants to say get 1% better every day, the fact that he didn't do it today. Yeah. Honestly, I, I agree with Bryan but my, my key takeaway is that you have to have that checklist no matter if it's for a full, you know, this compliance 153 settings or at least have something in place because coming from

Bryan Lachapelle (32:04)
You

Mario Zaki (32:28)
A long time ago, you know, me as a one man shop, kind of just doing everything myself, that checklist was in my head. And you know what? There's days where I didn't get enough sleep or I was tired or whatever, fought with my wife and I don't remember everything. But having it on paper or, you know, on an Excel sheet or something and going through it and making sure that everybody is taking care of what they're supposed to do makes your job a lot easier.

Especially when shit hits the fan. You know, so have everything documented, go through that checklist, you know, check it twice, check it three times and make sure everybody else is following your lead and lead by example.

Justin Shelley (33:13)
I think I heard you wrong, but I'm pretty sure you said you fought with your wife. Wow. I've never heard of that before. I don't think that happens. You better, you better check into that. Mike, what do you got for us?

Mario Zaki (33:16)
You know, though...

Bryan Lachapelle (33:18)
never happens.

Mike Ritsema (33:22)
So I, you know, I'm going to say as a small business owner and we each are small business owners. And if you're a small business owner or a business owner listening to this, maybe a CFO, COO, I mean, finance responsible who owns the risk? Because I think the number one thing a business owner does is manages risk, financial, physical, technological, and you own the risk. We know this. We lose sleep at night over risk.

and the technological risk. Let's be clear, you as the business owner, you own the risk. Your tech company, your IT person is a steward of the risk. So it's up to you and I get it because my insurance company wants to always sell me more insurance. Seriously, I need to manage risk with more money and that prerogative is on you as a business owner.

And I would implore you to yes, get an assessment of some sort to understand your technology risk and then accept that level of risk where you're at. said before, technology marches on. What you were doing a year or two ago, the bad guys are getting smarter. So take a look at your risk and make sure you understand it because you own it.

Bryan Lachapelle (34:50)
Love it. Love it.

Justin Shelley (34:50)
Yeah.

I mean, it is the truth. We, whatever our goal is as a business owner, that is the baggage that comes with it is, is the risk piece that we are constantly trying to manage. So I'll wrap up with mine and I'm just going to keep saying the same thing. Have, know your blind spots, get a, get a third party assessment. If you're doing it in house, please, for the love of all things holy, get somebody else to put their eyes on it. And Mike, you said it earlier.

hope they show you something you don't know. Right. This we can't fix things we don't know about. So understand your risk, know your risk, have a plan in place to mitigate that. So, guys, final reminder, visit unhacked.live for today's show notes and all the show notes and transcripts and links and guest profiles. Mike, you'll have a profile up on our website there. Subscribe so you can listen every week and,

Like share this till if you've got some other business owners associations, you belong to let them know because this we've talked about culture. We've talked about awareness. We have to be this. This has to be what we do. Just throw it in while you're driving to work or while you're out on a job on the treadmill, whatever, make sure this is always what's on your mind. That's it for this week, guys. This week's episode of Unhacked. It's a wrap. Let's say our goodbyes. Bryan.

Bryan Lachapelle (36:12)
Get 1 % better, start your journey.

Justin Shelley (36:14)
There we go, there it is, Mario.

Mario Zaki (36:17)
Guys, we can't unhack you. Lock down your shit.

Justin Shelley (36:21)
Michael.

Mike Ritsema (36:23)
Be paranoid, be vigilant.

Justin Shelley (36:26)
Be paranoid, be vigilant. And I am Justin. Remember, listen in, take action, and keep your businesses unhacked. See you next week.

Creators and Guests

Bryan Lachapelle
Host
Hi, I’m Bryan, and I’m the President of B4 Networks. I started working with technology since early childhood, and routinely took apart computers as early as age 13. I received my education in Computer Engineering Technology from Niagara College. Starting B4 Networks was always a dream for me, and this dream became true in 2004. I originally started B4 Networks to service the residential market but found that my true passion was in the commercial and industrial sectors where I could truly utilize my experience as a Network Administrator for a large Toronto based Marine Shipping company. My passion today is to ensure that each and every client receives top of the line services. My first love is for my wonderful family. I also enjoy the outdoors, camping, and helping others. I’m an active Canadian Forces Officer working with the 613 Fonthill Army Cadets as a member of their training staff.
Mario Zaki
Host
During my career, I have advised clients on effective – and cost-effective – approaches to developing infrastructure that fosters productivity and profitability. My work has provided me with a broad-based knowledge of business from the inside, with an expertise in areas that go beyond IT alone, ranging from strategic planning to cloud computing to workflow automation solutions.
Michael Ritsema
Guest
Mike Ritsema is the CEO and Principal of i3 Business Solutions, a Grand Rapids-based MSP with decades of hands-on cybersecurity experience. He’s helped businesses survive major breaches, led through recessions, and brings a rare mix of business grit and cyber expertise to the table. His insights are grounded in real-world wins, losses, and recoveries.