64. The Hidden Threat: How Vendor Breaches Can Destroy Your Business - with Jolie Grace Wareham
Justin Shelley (00:00)
Welcome everybody to episode 64 of Unhacked. We're here to help business owners navigate the chaos of cybersecurity and come out hopefully stronger, smarter and potentially more secure. Right, Brian? ⁓ That's the hope. ⁓ I'm excited. Today we have a special guest, Jolie Grace Wareham, CEO of Protosec. And Jolie, go ahead and say hi. ⁓
Bryan Lachapelle (00:12)
Once in a while. Every day.
Justin Shelley (00:29)
but full full intros are coming later. So that's all you get to do is say hi right now. We're going to talk about, we're going to talk about vendor risks today, which, you know, cause it's not enough that we have to protect our own companies, our own clients, our own data. ⁓ We got to worry about the people that we are giving access to our systems. And we have to worry about, ⁓ I mean, really just if they're protecting themselves so that they don't come in and
Jolie Grace Wareham (protasec) (00:31)
Yeah. Well, hi. ⁓
Justin Shelley (00:54)
And full less. And that's the story we're going to tell today. But first, let's do some quick introductions. I am Justin Shelley, CEO of Phoenix IT Advisors. I help companies use technology to build their wealth, grow their business, and then protect that asset, which is usually our biggest asset. You know, from the likes of the Russian hackers, the government fines and penalties and those attorneys that like to sniff around if we do get breached. You know, there's there's never a lack of threats out there. So that's what we're here to protect people against. And I'm here, as always, with my good friend and
loyal faithful co-host Brian LaChapelle. Brian, tell everybody who you are, what you do and who you do it for.
Bryan Lachapelle (01:29)
Excellent.
That sounds like a dig at Mario if I've ever heard one. Just kidding. ⁓ My name is Brian Lashpell, CEO of B4 Networks. We're based out of the Niagara region in Ontario, Canada. And we help business owners remove the frustrations and headaches that come with dealing with technology. And we do it in a way that is essentially becoming a little bit better every day, improving every day and just being on the journey of either cybersecurity and or improving our businesses.
Justin Shelley (01:32)
Ha
Absolutely excellent. And I don't know. You said something about a guy named. What did you say? Mario Mario? I don't know. I don't know what you're talking about. ⁓ If that's important, clarify. But otherwise, we're just going to move on. And listen, I'm pissed at him. He's sitting on a beach. He's sending us pictures from this beach in Egypt. Like he's trying to be all sexy. You know, he's got his whatever. And I'm just like, you bastard, you bastard. ⁓ And by the way, I'm packing my bags because I'm heading to have him head into that beach.
Bryan Lachapelle (02:00)
Mario, some guy Mario.
Hahaha
We'll move on.
Yes
How dare you.
Justin Shelley (02:26)
I, Mario, Mario doesn't know this, but I actually got access to his credit card and I bought myself some plane tickets and stuff. So I'm, I'm, I'm heading over there to see him. Yeah. Well, you guys are, you guys are welcome to come along as well. Anyways, ⁓ let's go ahead and finish introduction. So, ⁓ Jolie grace, you have, you brought kind of an interesting story that ties into one of my biggest fears. One of my biggest frustrations.
Bryan Lachapelle (02:31)
Beautiful.
Jolie Grace Wareham (protasec) (02:32)
You'll be joining. All right.
Bryan Lachapelle (02:34)
Perfect.
Justin Shelley (02:52)
And so we're, we're going to dig into that today, but first let's talk about who you are. You are the, ⁓ the CEO of tell me a little bit about your company. because I just lost my place in my notes and I had this whole introduction prepared, but I sucked it up. So Julie, Julie, Grace, go ahead and introduce yourself.
Jolie Grace Wareham (protasec) (03:03)
Sure. You know, improv.
I think we're, I see your guitars. might both be musicians so we can improv here. Yeah, certainly. Yeah, yeah. So first off, thank you all so much for having me on. Excited about this conversation. I think it's really relevant to the minds of a lot of folks. But yes, I'm Jolie Grace Wareham. I serve as CEO of Protosec and we are a cybersecurity advisory firm. And so.
Justin Shelley (03:14)
⁓ we could talk about that, yes.
Jolie Grace Wareham (protasec) (03:33)
What that means is we do a lot of business coaching. We prefer that term over consulting for a few reasons. But we're really kind of business coaches with this niche in the cybersecurity information security, the digital world and ensuring that we are ⁓ confirming that everything that you're doing from the technical, but really also the human level ⁓ is something that can help ensure the longevity of your business, not lose your livelihood, your reputation.
get you some nice government fines, we wanna avoid that, all that good stuff. And so ⁓ we specialize in serving in those mid-size and smaller businesses because a lot of times we recognize that those smaller businesses are kind of priced out or they have very unique needs that some really big firms or really big, maybe tech solutions just think they need a little bit more of ⁓ a bespoke personal approach. And so ⁓ we really connect, like I said, that tech and that human.
You know your technology and your tech stacks only as good as do your humans know how to implement it and use it and do they know how to communicate with each other when something looks weird? And so so that's a little bit about what we do. We work in the commercial space and I have a background in government and politics as my business partner also comes from military. So we really approach everything that we do from a national security global security perspective and even the smallest entities in our communities play a big part in all of that. So again, thanks for having me.
Justin Shelley (04:59)
Yeah.
Oh, I completely agree with the smaller groups that not only do they kind of get overlooked sometimes, but I believe that they also get into a place where they feel like it's hopeless. Cause they look at the big companies and we talked about this on last week's episode where they're, they seem to have endless resources financially, you know, manpower, HR, all that. And yet they still get hacked. And it's like, well, if they can't figure it out, what hope do we have? um,
Bryan Lachapelle (05:04)
you
Jolie Grace Wareham (protasec) (05:08)
Yes, certainly.
Bryan Lachapelle (05:21)
you
Yeah.
Jolie Grace Wareham (protasec) (05:24)
Exactly,
However, sometimes it's the small businesses that can kind of, know, proof of concept, different cyber operations and the big companies can really learn a lot. But a lot of what we do comes from education and empowerment. We as business owners, I know you all talk a lot about, when you're a business owner, you wear all these hats and sometimes this one feels really daunting and you don't have to do it alone and you can truly feel empowered to be stewards of your own security and ultimately long jump into your business. So yeah.
Justin Shelley (05:30)
Mm-hmm.
Yes.
Tell me a little bit about the company. How long have you been? Are you the founder? I know they're CEO. Did you found the company?
Jolie Grace Wareham (protasec) (05:59)
So, my business partner ⁓ actually brought me on.
I guess ethically, legally, I can be considered a co-founder. I was around when we had our first operating agreement, but I'm not gonna steal his thunder and call me founder. ⁓ But I actually got to know him through some work that I was doing in the electoral space. ⁓ I come from electoral politics. It's one of my future or my past lives. ⁓ And I had a small incident there that got me into thinking so much more about cybersecurity and the importance of...
Justin Shelley (06:06)
Okay.
Jolie Grace Wareham (protasec) (06:30)
you know, really thinking about this whole of society approach when it comes to cybersecurity and, but needed some more technical chops on me. And so that's how I got connected to my now business partner, a friend's mutual friend connected us, ⁓ pulled him onto that project. And ultimately he pulled me onto his company. So, he had found it. We really had this shared thinking about who's not being, you know, talked about who's in what we would call maybe a cyber coverage gap. And, ⁓ they have, they have important things that they're contributing to society. How do we help them?
And so he had gotten the concept and then brought me on pretty early stage and it's been a lot of fun. I've been part of the business, I guess, officially since about early 2022. And we've been growing really since then. It's been a fun journey.
Justin Shelley (07:14)
Nice. All right, Brian, any thoughts or questions before we move on?
Bryan Lachapelle (07:15)
Excellent.
I actually do have a question, because ⁓ I read through your profile, read through some of the information you have, and you talk a lot about making cybersecurity more human. And I'm curious, because a lot of the people that we deal with on a day-to-day basis are business owners, ⁓ and they don't often get what we do and how we do it. What does that mean in practice, and why do you think so many small businesses still see it as just an IT issue versus an everybody issue?
Jolie Grace Wareham (protasec) (07:29)
Yes.
Certainly.
That's such a good question. It's something we think and talk about so much. I often talk to folks to kind of help really, I guess, be on the same wavelength. And I say, you know, let's think about what comes to mind when you think of the word cybersecurity. A lot of times what comes to mind is like a guy in a black hoodie in someone's basement hasn't seen the light of day for maybe three years and is hacking away and it's all ones and zeros. And I always explain that's really not
at the end of the day, what cybersecurity is. ⁓ Oftentimes it's a bad guy decides to do a bad thing and a good person falls for it. Like that's oftentimes ⁓ what causes these attacks that we hear about or we don't even, you know, they go unnoticed, unfortunately. And so ⁓ really, we really try to help folks understand that it's human action and it's business operations and it's relationships between teams. It's cross-functional team building. It's all that nerdy organizational infrastructure
Justin Shelley (08:24)
Mm-hmm.
Jolie Grace Wareham (protasec) (08:45)
development, all those things that really help with that whole of organization approach.
when it comes to cyber strategy and that security posture. so, but still a lot of times folks hear that term cyber security. I think we still have that mentality of this is all ones and zeros. And it's really, just the, that's just the landscape of where an attack and where that intrusion is happening happens to be digital, which obviously is all that is really technical. And I think over time, hopefully people will start to understand that it's really humans are really the ones that cause.
and kind of enable the ability of attackers to do that attack. And so ⁓ I think it's interesting. I think one of the biggest misconceptions I hear is that cybersecurity equals IT. And... ⁓
It's, know, that Venn diagram, there's a Venn diagram, there's a lot of overlap, but it's, it's definitely not the same thing. I know I was talking to an orthodontist a few months ago and I was talking about her cybersecurity. has a small practice and she's like, well, we have IT and I'm like, wait, no, ⁓ that doesn't necessarily mean you have cybersecurity. And there are some great, you know, IT providers. mean, y'all work, you know, in this space, I work in this space, we know people that are doing great work, but sometimes those things are conflated as the same. And I often explain to people that.
⁓ It can't just be something in your IT team, your operations team, your HR team. They all need to be engaged. At the end of the day, it's a lot of policies, it's procedures, it's knowing how to read things. And so really helping folks understand that is really helpful, but to this day still that mindset of that hacker in a basement is still that cybersecurity, I guess, frame of mind. I mean, it doesn't help because,
social media and everything has that's what you see when you Google hackers or you're seeing things cool, it sounds fun, but at the end of the day, it's really a business operations thing. I don't know if that answers your question, but we're always teasing that.
Bryan Lachapelle (10:30)
Yeah.
It does. Yeah.
Justin Shelley (10:38)
Well,
Julie Grace, I'm going to interrupt right now and because I'm taking a lot of offense to what you're saying because of our current logo, which I did get AI to design. It's the way exactly what you're describing. Like Justin's logo is not what cybersecurity is all about. I'm just kidding. But you're, staring at that as you're talking. I'm like, she just described unhacked logo.
Jolie Grace Wareham (protasec) (10:48)
I love it though, it's cool. Yes, look.
No, no, I think it's missing.
Bryan Lachapelle (10:58)
Thank
Yes.
Jolie Grace Wareham (protasec) (11:03)
Well, I actually appreciate you bring that up because that is the thing that's catchy, right? It's interesting. It's exciting to look at. It's great for branding and
Justin Shelley (11:09)
Mm-hmm. Yeah.
Bryan Lachapelle (11:09)
Right.
Jolie Grace Wareham (protasec) (11:12)
But it has to be the tip of the iceberg. And I think that's where a lot of business owners stop. They think, oh, that's something. And it's also intangible that somebody doing, oftentimes they're doing it around across the world. And it just feels intangible. But I appreciate you bring that up because it's the thing. There's a reason for that because it's cool. It's exciting. It's what gets you thinking and looking. oh, I need to see the pictures. Oh, I'm excited.
Bryan Lachapelle (11:31)
Yeah.
Justin Shelley (11:33)
It's what I'm going to be for Halloween too, just so you know. I've got a custom ⁓ costume being designed as we speak. ⁓
Bryan Lachapelle (11:35)
Yeah.
Yeah, I love
that that you brought that in like the way that you described it because I often present in front of groups and one of the things I talk about and what I'm presenting in front of groups is cybersecurity. The first question I ask is who's responsible for cybersecurity and often I get the answer, you know, the IT person, this and that. By the end of my presentation, the entire presentation is geared towards everybody is responsible for cybersecurity, especially the leadership. It has to be top down approach and the people that are breaching us, the people that are attacking us,
Jolie Grace Wareham (protasec) (11:54)
us.
Bye bye.
Yes, Right. Yep.
Bryan Lachapelle (12:09)
They aren't people sitting in a basement. In most cases, they're large organizations, 100 % geared and set up to take advantage of other businesses. They run their operations like a business. And the faster people can get that message across that it's not just somebody sitting in a basement doing it for kicks and that it's, you know, they're out there trying to get dollars and cents from all of us and it's a numbers game. Yeah.
Jolie Grace Wareham (protasec) (12:17)
Right.
Right, right.
Right.
Exactly. A lucrative business.
I oftentimes know some people also when you start talking about cybersecurity, people are like, I'm not smart enough, or I can't understand that. And sometimes I often bring it back to, know, it's not always high tech, you know, with AI happening, you can use AI to create a phishing email, you know, just by saying, hey, find what you can about me on the internet. Some AI, gender divide is ethically not allowing you to do that anymore. But some is still allowing you to do that.
I mean, you know, threat actors and their groups are having their own versions of gen AI, right? But I also talk about often, know, there's mother nature is a cyber threat actor in a lot of ways. ⁓ I live in Tennessee and we have so many tornadoes that go through each year now. And ⁓ if you don't have...
you know, your servers, ⁓ you know, your servers are in the path of a tornado and you don't have backups for that, that's a cybersecurity issue. Or, you know, you only have physical documents and unfortunately, you know, a storm came through and you don't have those anymore. That's a cybersecurity issue. So I often try to explain to people that ⁓ sometimes it's nature that might cause something. then the only thing that you can account for is that human piece a lot of times. ⁓ and ⁓ I also appreciate the story you brought up one time we were doing a
tabletop
exercise with a company, you're testing out an incident response plan. And one of the biggest takeaways was that the IT team needed to collaborate more with the HR team and have pre-written and pre-approved corporate-wide ⁓ emails, ready-to-go templates to send to employees in the event of a cyber incident. If you have a phishing attack, IT gets notified of it. Think about how much time goes in to communicate with HR.
build the draft of the email, send it up the chain, get it approved, get it edited, and then finally get sent out to employees. How many more employees have clicked on that email? And so one of the biggest takeaways was we need to become better friends and collaborate more ahead of time, HR and IT. And so that's just an example of, know, it really is everybody's responsibility. You just have to know what your specific role in that is.
Justin Shelley (14:39)
Yeah, I think HR needs to be involved a lot in cybersecurity, probably as much as, more than any other department in an organization. It is an HR function at least as much as it's an IT function. Of course, now it's climbed clear to the top. It's a C level function, but you know, it's like all of this stuff has to, has to be, ⁓ living together and getting along.
Bryan Lachapelle (14:39)
Beautiful.
Jolie Grace Wareham (protasec) (14:41)
Certainly.
Yes. Yep. Yep. I totally agree. Sure.
Certainly,
certainly.
Bryan Lachapelle (14:59)
Especially
from a cybersecurity awareness training component, a lot of people don't want to do cybersecurity awareness training because they think it's not important. And they're the ones who are the most likely to get breached. And so from when I talk to my clients anyway, I always talk to them, you should treat cybersecurity training like you would health and safety training. If they don't want to do it and they refuse to do it, it might be time to walk them out the door because they're going to be a bigger threat to your company than not.
Jolie Grace Wareham (protasec) (15:02)
Yes.
.
Right.
Yes. Right.
Right.
That's an existential threat to your business at that point. And I think also when you show that even the C-suite is doing those trainings, ⁓ that's a really great thing for the rest of the business. know I used to work at Vanderbilt University and they did a really great job of having, ⁓ you know, really keeping track of who's done this, who has it and really putting that pressure on ⁓ everybody. But they also really did a great job of showing, hey, our executives are doing this too. We take it seriously. And so that was really cool to see from my perspective as an employee.
someone in this world.
Justin Shelley (15:59)
All right. So listen, guys, I'm going to, I'm going to take this thing and twist it around a little bit because we talk week after week about what we need to do to protect our companies from direct threats. And today we're going to talk about an indirect threat and, Jolie grace, you have a very specific incident that you brought to my attention. And I want you to just paint that picture for us right now. What happened and what did you do to, because, and I'm going to start with this though.
Jolie Grace Wareham (protasec) (16:18)
Certainly.
Justin Shelley (16:25)
What I don't want to do is scare the shit out. Well, I do. want to scare people because that's the only way we take action. So I want to scare everybody to death. And then I want to bring it back to what are the things that we can do to protect against this. So with that, take it away.
Jolie Grace Wareham (protasec) (16:29)
Let me take action.
Right,
Certainly, yes. Now this is a really interesting story. ⁓ Earlier this year, our business ⁓ received an email from, we received communication from a business and ⁓ we are under, like I know Justin, talked about we're under an NDA with this client as well as we are with many clients. So if I'm stumbling around any words, I'm just trying to be careful here. But. ⁓
Yeah, so this was a client and they reached out to us and they had been navigating an issue that actually was caused by one of their vendors. So we actually were, they reached out to us and ultimately they were telling us that some money went to the wrong place and it seemed to be as a result of an attack on one of their vendors. But this vendor was trying to turn it around and tell them that it was them who had been compromised.
So ultimately they wanted us to go in and do a little bit of an incident response. ⁓
⁓ activity there, but ultimately they wanted us to kind of go in and say, yeah, we're not seeing any, you know, any sign that this was y'all's fault. And so we worked with them. And what ultimately ended up, you know, we ended up realizing what happened was they are a business and they're about, they're less than 5 million annual revenue. And ⁓ to speak really generally here, they're in an industry that has a lot of vendors and relies on a lot of vendors.
being built and there's a lot of different players and so this is an interesting
Justin Shelley (18:07)
So Julie Grace, let me pause you real quick
and let's because NDA and just general best practices, we're not going to give names, but because there's two organizations in here, let me get you to just call them company A and company B and company A is the one that was ⁓ the one that called you correct. And company B is the one that had the, the BEC attack. Right. Okay. So let's, let's use that because my poor brain can't keep these stories straight.
Jolie Grace Wareham (protasec) (18:18)
Yep. That's perfect. That's perfect.
Yep, let's do that.
Yes. Let's go. Perfect. No, thank you. That's a great
way to I appreciate it. Yeah. So company A, so we go meet with company A and we're investigating what happened. And ultimately it looks like company B, which is one of their vendors that they needed to pay, ⁓ had had a business email compromise or BEC attack. And ⁓ ultimately ⁓ as a result that
Bryan Lachapelle (18:39)
you
Jolie Grace Wareham (protasec) (18:54)
Company B, the one who had the attack, had sent the payment link to company A with payment wiring instructions. And they said, hey, we have a new bank and this is the new wiring instructions. ultimately the money was sent to the wrong place. was actually two different companies reached out to me about very similar things in the same week. It's like, this is happening all the time, right? Yeah.
Justin Shelley (19:07)
Classic scam, right?
wow. Yeah.
Jolie Grace Wareham (protasec) (19:21)
Ultimately, when we looked into it closer, and it was interesting because company B was trying to blame company A for the attack, right? But when we looked closer, company B, their vendor, ⁓ had actually had a cyber attack, like a phishing attack recently, like a few months before. And when we looked, ⁓ the email with the wiring instructions was caused, it was brought by... ⁓
Bryan Lachapelle (19:40)
Thank
Jolie Grace Wareham (protasec) (19:48)
a spoofed email account, right? And so this is what we see all the time. It was really, really close to the same email that they usually email with, but they added an extra letter or it was Ben, but then it was Benjamin kind of thing. And so our client company, didn't realize this. But after we looked closer, this kind of spoofed account had been sending emails for a while to them, had been in the...
Justin Shelley (19:49)
Mm-hmm.
Yeah.
Jolie Grace Wareham (protasec) (20:15)
that compromised companies ⁓ email for a while so they knew how to pretend to be them. They knew.
Justin Shelley (20:21)
So let me clarify real quick. don't want to interrupt you, but, ⁓
so this, this wasn't a case where they registered a look-alike URL. This is a case where they had actually gotten inside of company B's email account. Is that correct? Those are all because those are almost impossible to protect against, right? Those are tough.
Jolie Grace Wareham (protasec) (20:35)
Yes, that's what it looks
Yup.
Yes, that was, and, and ultimately after talking to our client company, a, they said, well, company B had told us a while ago, they'd had a phishing attack. And so we knew that there had been a threat actor in companies, B's company B's email domain ⁓ for a while. And so that person was then able to create a fake email and have access to, know, the PDFs, the work orders, whatever, and send an email that looked really, really obvious, really, really clear and believable to company.
Bryan Lachapelle (21:03)
you
Jolie Grace Wareham (protasec) (21:12)
And then ultimately company a did set did wire the money and it went to the wrong place But then it became it was not their fault because for that reason Ultimately, then the bank it actually then became a question This was out of our kind of domain with with review of this situation, but eventually it kind of also became the banks ⁓ They didn't do their due diligence. It looked like so ⁓ yes, you know So
Justin Shelley (21:19)
Yeah, yeah.
bank didn't really and did the bank take any ownership of that because they don't usually
Jolie Grace Wareham (protasec) (21:39)
Yeah,
so it was when we had been engaged, I need to reach back out because it was kind of a, TBD. And I actually need to go reach back out and see how that ended up. But it was a situation where the bank was trying to be careful and not take that responsibility. ⁓ But yeah, that was the kind of situation. And so what was the unique thing here was company A, our client, was aware that company B had had a phishing attack recently.
Bryan Lachapelle (21:39)
you
you
Jolie Grace Wareham (protasec) (22:05)
So all signs pointed to, you know, it was their fault, but company B was still trying to blame them. And, and so really that's kind of why we were brought in was to kind of clear their name in a way. Exactly. Exactly. So, but anyway, did I, I know that's, that sounds really probably abstract and opaque at the have to make a situation correctly between company A and B there. Yeah.
Justin Shelley (22:09)
Right.
You're like, mom, mom, he did it first. No, they did it first. You had to, you had to play that game.
No, not at all. That's perfect.
Yeah, the problem
is I didn't introduce company R, which was the Russian hackers. I should have because that's who got the money. That's who was the bad actor. That's who was really the problem here. ⁓ everybody else is a victim.
Jolie Grace Wareham (protasec) (22:34)
Yeah, exactly.
Yep.
Right, right. mean, it truly is. mean, and these, this is a company that's less than five million annual revenue. They had three full-time employees or they have three full-time employees. And, you know, they're, trying to.
do their operations, they're a lean team, they're trying to get everything done. Everyone's wearing multiple hats and doing multiple roles. That vendor is probably in a similar situation. And so this just really slowed them down operationally. They had to spend hours with us figuring this out just to kind of clear their name to this vendor too. ⁓ And so it definitely...
Justin Shelley (23:05)
Right.
What was the dollar amount?
Did you already say that? And I might've missed it. Or can you not say that?
Jolie Grace Wareham (protasec) (23:17)
No, I, have to go
back. Yeah, I have to go back and I don't actually have that document on me. ⁓ but it was for completion of a project. So it was pretty significant. ⁓ it was, yeah, it was a pretty significant amount.
Justin Shelley (23:31)
We're
talking at least five figures and maybe six, right? I mean, it, it's up there. These, these kinds of things. Okay. Okay. Lots of money, especially for a small lean lean team.
Jolie Grace Wareham (protasec) (23:34)
Yeah, probably more than five. Yeah. Yeah. I'm thinking so. Yeah, lots of money.
Exactly. Exactly. Yeah. Yeah. So that was an interesting situation. ⁓ it was, it was, was, they're a great team. There, you we was really entertaining because, you know,
just hearing about the little bit of the drama of, our vendors trying to blame us when they clearly had a phishing attack three months ago, someone's been in their systems. Like, it was so obvious to us, but I think it shows just how much, you know, when you're in that fog of war, as we call it, when you're in the middle of an incident, you you want to blame, you know, anybody except yourself. And there's, you know, ego, there's embarrassment, there's fear, there's anger, you know, all of that.
Justin Shelley (24:11)
Yeah.
Bryan Lachapelle (24:12)
you
Yeah.
So wrapping that back around to the conversation we had earlier about everybody being responsible for cybersecurity, ⁓ what could have been done by both companies to prevent this type of, or what can a company do to prevent this type of attack in the future on both ends?
Jolie Grace Wareham (protasec) (24:27)
Right.
store.
Certainly.
Yeah, that's a great question. So I mean, we can start with company B, the one who had the business email compromise, our client's vendor. ⁓
You know, when there were probably things that they could have had in place that would have prevented that initial phishing attack, right? ⁓ And the ways that, you know, we talk about this as you all do all the time is the best ways to identify, you know, prevent phishing attacks are, ⁓ you know, a lot of times it's employee education and awareness and knowing what to look for.
Obviously with AI, these phishing emails are getting even more advanced and believable, but still having that human eye knowing what to look for is really important. ⁓ Also, obviously really good credential management as well is really important in case someone does get in your system, how far can they get? ⁓ Having good tech stack, know, when it comes to security so that you're keeping an eye on anything weird looking, but also that company be that vendor. ⁓ When they knew that they had a phishing email,
⁓
situation and they were compromised. There were definitely steps that they did not take ⁓ considering somebody was in their system and reading and getting access to documents and ⁓ knowing ⁓ which of their own clients be emailing for money. ⁓ And so there definitely were some steps that that business could have taken, especially, you know,
calling in someone to take a look at their system as a whole and figure out where else are we compromised? How do we make sure if it's shutting down emails and reopening them, is it communicating to your client saying, please confirm the email address of anything that you receive from us? Cybersecurity and cyber attacks are so prevalent today that simply emailing your own customers and letting them know that something happened to you, it's a really good direction to go versus have something like this end up
happening. And so ⁓ I think there were a lot of things from the tech, from the operational, from just the communication standpoint that that
the company that had that compromise didn't do. ⁓ And then from our point, ⁓ from our client's point of view, there were a couple things that looking back, ⁓ definitely they could have done. We talked about how company B who had that one of their email addresses had been spoofed and how they had ⁓ created like a fake email saying, know, Ben versus Benjamin or added another letter to the name or something. ⁓
We know that when you send an email or you receive an email from somebody that you email regularly with, you get a friendly name, right? ⁓ And so when you get an email, it just says the person's name versus the email address in whole. ⁓ When our client went back and looked at those emails, they realized that it wasn't the whole email had been written out versus that friendly name. so... ⁓
I'm not sure if y'all's listeners are familiar with that concept, but you know, like when you get an email from your mom, it says your mom's name versus her full email address. And the same thing goes with people that you email a lot. so keeping an eye on that is actually a really big tell. ⁓ You say, I think I'm getting this email from Ben Jones, but it's saying Benjamin.Jones.whatever. And that's unique, you so keeping an eye out for those things. But also, you know, if there is ever you get an email that
says, hey, we changed how we wire ⁓ information or wire finances. Just pick up the phone and call your contact at that company and just make sure. ⁓ In this day and age, no one's going to think you're silly for doing that. They're actually going to appreciate you and maybe want to do more business with you. so just those things. anything, stay diligent. Keep your eyes open. If anything just looks a little off, ⁓ just pick up the phone and call that person and say, hey, was this actually from you?
Bryan Lachapelle (28:22)
Yeah, that's
a perfect example of a cybersecurity solution that has nothing to do with technology. It's completely 100 % process driven. And in fact, that's the recommendation we make to our clients is you should never change payment information without verifying it by telephone with the number that you have on file so that there's no accidental, like, you know, they're putting a different number there in the email or anything.
Jolie Grace Wareham (protasec) (28:32)
Right, exactly.
No. Of course, yes.
Right. Exactly.
certainly. I I appreciate you brought up that different phone number too, because yeah, call the number that you have for that person, not whatever they put in that email, because ⁓ I don't know what the current statistic is. A couple months ago when I was checking, think it's... ⁓
You only need three seconds of someone's voice to clone and do deepfakes with 87 % accuracy and that's only gonna get better. So that's just wild. And so yeah, really make sure you have personal phone numbers, work phone numbers, whatever you need for the people that you communicate with a lot.
Justin Shelley (29:08)
Yeah.
Bryan Lachapelle (29:14)
Yeah.
Justin Shelley (29:20)
Well, fun fact, I'm not really here today.
Jolie Grace Wareham (protasec) (29:22)
You have a whole thing there. I love it. Yeah, yeah.
Bryan Lachapelle (29:23)
You're never there, Justin, never.
Justin Shelley (29:31)
⁓
yeah. I mean, this is a crazy world we live in. ⁓ one thing that did come to my mind though, that did you mention, I think you said that company B actually had, ⁓ the company R got into company B's email tenant and created a new mailbox. Is that right?
Jolie Grace Wareham (protasec) (29:47)
Yep.
So I'm trying to remember exactly that this was several months ago. So I don't wanna miss quote this story here, but ⁓ it was either that or they either created a whole new mailbox or they created one that was almost in the exact domain. ⁓ I would need to go back. We had very limited ⁓ access to company B's information.
Justin Shelley (29:53)
Okay.
Okay.
⁓ cause they were not your client directly. So I had
a, I had a case like this. and actually company B in my case did hire us to go in and investigate. So we had full access to both sides, which was great. And, and we did find that the, the threat actor company are AKA the Russian hackers and bastards. They, they got in, they didn't create a new mailbox, but they created rules. So this happens a lot, right? So they're, they're sending emails out, which will.
Jolie Grace Wareham (protasec) (30:28)
Okay. ⁓
you
Okay.
Justin Shelley (30:46)
that email will always live in, you know, if I were to get breach, would somebody send it on my behalf. I can go into my sent email folder and it'll show up. And then when somebody responds to me, it shows up in my inbox. So the bad guys will go in there and create rules to delete those or, or, you know, push them somewhere else. So that's what has happened in this case. ⁓ And whether they did something like that, or they ⁓ created an inbox or, but if they were living inside of company B's
Jolie Grace Wareham (protasec) (30:49)
Right.
Yes.
Right.
Justin Shelley (31:14)
you know, assuming Microsoft 365 tenant or whatever email service they use, you can set up alerts so that anytime something changes like that, it will alert. It should alert your IT team. It should alert ⁓ management. know, hopefully multiple people should be alerted anytime something suspicious like that happens.
Jolie Grace Wareham (protasec) (31:24)
Yup. Yup. Yup.
Yes.
Yes,
yes. Yeah, it's often a like skip the send box like configuration. Yes, that's and that's something that even the smallest of businesses can have toggled on. It's just a matter of do you know how to toggle that on to get that alert and do you know that alert exists? But yeah, that's that's huge. That's that sounds like an interesting situation. You were able to see kind of both sides of it and check. Yeah.
Justin Shelley (31:38)
Yeah, yeah.
It
was, and it was not a good outcome. The company B in my case, they, they were out of business. They hired us. did the investigation. We knew what had happened. We mitigated it, but they did not recover that that company didn't. So within, think it was like six months, they terminated our agreement because they couldn't afford it. And I mean, we're talking a few hundred bucks a month. This wasn't even, it was more like a charity account for us. and, they couldn't pay that. And then, ⁓ next time I checked up on them, the, their doors were.
Jolie Grace Wareham (protasec) (32:00)
Mm-hmm.
that's too fast.
Thank you.
Sure, yeah.
Justin Shelley (32:26)
So this stuff is devastating. you know, you're talking about, these are small, lean companies. They don't have the kind of money to throw around five figures, you know, in, the grand scheme of things where cybersecurity is concerned, that's a small number, you know, 10,000, 50,000, 80,000. These are the small numbers. And most of us can't afford that. Right. So, you know, we, had an episode of a while back where somebody actually came with a formula for the ROI on cybersecurity.
Jolie Grace Wareham (protasec) (32:27)
And it's.
No.
Yep. Right.
Justin Shelley (32:54)
And I love that because we don't talk about that. We talk about it as a sunk cost. The best case scenario is you get nothing for the money you spend on cybersecurity. Well, except that what you do get is hopefully you're, you're at least mitigating and hopefully preventing those devastating losses and the end of the company in a lot of cases.
Jolie Grace Wareham (protasec) (32:54)
Mm-hmm. Yep. Yep.
Bryan Lachapelle (33:01)
Right.
Jolie Grace Wareham (protasec) (33:01)
Let's get, yup.
certainly. No, it's.
yeah, I think that I think the stat is what 60 % of businesses that have a cyber attack or out of business within six months for small businesses. I mean, that's just that I was I was sharing that.
Justin Shelley (33:24)
Listen, jelly
grace, 87 % of all statistics are made up on the spot, including this one. know it is. I know it is. I just have to tell that that's stupid joke.
Jolie Grace Wareham (protasec) (33:30)
Yeah, it's so sad though. No, I love that though. appreciate it.
Yeah, it's a, but, I actually think it's interesting that ROI, it is so hard to formulate because there's so many intangibles that come from improving your security posture. Like, yes, we can take a look at,
Justin Shelley (33:48)
True.
Bryan Lachapelle (33:50)
Thanks
Jolie Grace Wareham (protasec) (33:51)
Okay, what's the percent chance that you're gonna have a cyber incident? What's the cost of that? Okay, now we can have a risk, know, support all of that. But in addition, you know, when it comes to cybersecurity, like we were talking about earlier, it's such a whole of organization ⁓ approach if it's done well, and it's something that forces your business to work together cross-functionally. You're in a way, if you are doing cybersecurity correctly,
who knows, but that's that I don't I don't want to say that term because it's changing today, right? But if you're doing it in a strategic way, we're doing it strategically. Yeah, you're you're actually ⁓ practicing your business's chops when it comes to working cross functionally or
Justin Shelley (34:22)
Right. Yep.
I love that term. Yeah.
Jolie Grace Wareham (protasec) (34:36)
knowing how to communicate with each other or ⁓ you're actually empowering different members of teams to speak up when they see something wrong. the next time that something maybe ethically is looking bad, it's not a technical thing, maybe they're gonna speak up and you're gonna save your business from a scandal. Like who knows? ⁓ Yeah, exactly.
Justin Shelley (34:53)
across the board, your business will come out better for it. There's a return
on that and you should be able to use this to position yourself in marketing as well. I think if you're doing good cybersecurity and not holding that out there to your clients, you're failing yourself.
Jolie Grace Wareham (protasec) (35:04)
Yes.
Right.
⁓ I could not agree more. know we're always talking about, Hey, we're not just coaching you on, you know, your, your cybersecurity. Let's coach you on how you're going to use this as your marketing tool. Right. Yeah. Yeah. Especially new ventures with seeking funding too. Yeah.
Justin Shelley (35:17)
Absolutely. Yeah.
Bryan Lachapelle (35:19)
Mark. ⁓
Justin Shelley (35:22)
Yeah.
Brian, you've got to have some thoughts. You've been quiet for way too long.
Jolie Grace Wareham (protasec) (35:26)
Yeah.
Bryan Lachapelle (35:27)
Yeah.
It's funny because when this topic was brought up, my mind went in a different direction as we talk about what vendors being a threat to our businesses. ⁓ I see a lot of ⁓ clients in our industries that we're dealing with that they have access to our client systems or they want access to our client systems to maintain their line of business application, to maintain ⁓ maybe a specialized unit.
or specialized system, especially in manufacturing. Maybe there's a PLC or there's some manufacturing line that ⁓ the vendor wants to continue to have access to. And ⁓ we're seeing a lot of companies give unfettered access to that system, to that third party, which means now that third party is effectively embedded into their internal network. Where do you see and how do you, what would you recommend to a client who is providing external access to their internal
Jolie Grace Wareham (protasec) (36:16)
Yes.
Bryan Lachapelle (36:24)
systems to a third party, what are some of the things that they should consider and or put in place to mitigate that risk?
Jolie Grace Wareham (protasec) (36:32)
That's a great
question. ⁓ Did you, are you posing that to me or Justin or both of us? Yeah. Well, I want to make sure you know before I, got a story. Okay. Well, I'll say a few bullet points here. ⁓ Yeah. I think, ⁓ no, I think that's a great thing that you're talking about, especially with, there's just so many different plugins. I mean, for instance, you know, with our business, just our business, you know, we have a CRM and I wanted to connect with the other, you know, other
Justin Shelley (36:37)
You're up first and then I'm gonna tell a story, so.
Bryan Lachapelle (36:37)
You're the guest. ⁓
Ha.
Jolie Grace Wareham (protasec) (37:00)
things that other tech that we're using. And just from my own perspective as a business owner, I'm always like, do I want these things to talk to each other? Do I want this to be in my email? Do I want this? And I think that's the biggest thing that I encourage business owners to have is that have that ⁓ questioning mentality always. Like you should always be questioning things. ⁓ In addition, always question when things are free, right? I know we talked about things are never really free. Like your data is valuable, right? ⁓
Justin Shelley (37:24)
yeah.
Jolie Grace Wareham (protasec) (37:28)
But I think really understand the ins and outs of the security features of anything that you're getting into your data. you know what? Sometimes that takes a lot of time. It takes a lot of expertise. There are people like us who can, obviously, who can help kind of tease through those weeds. But don't just give...
give access to your information or your data or your, you your networks just because it's convenient and because it sounds like a great tool that's going to speed you up because guess what? If you have a cyber attack, it's going to slow you even more down. So really, I think the biggest thing is ask those questions, dig into, you know,
Bryan Lachapelle (37:59)
Yeah.
Jolie Grace Wareham (protasec) (38:07)
Is this company reputable? Ask some cyber folks or IT folks that you know, hey, I'm thinking about using this. But also a lot of times the default with a lot of these things or it's either give all my access or you have to actually choose which pieces of your access you want. Give if you are deciding to, you know.
work with a third party and you've done all your due diligence of thinking through what's their security, what are their security practices? Have they had any incidents recently themselves? What are the folks in my network saying about them? Give it the minimal amount of access that you can, right? I mean, that's the same as, you know, in your business. Do I give everybody in my company, all employees, access to our financial statements? No, you don't, right? And so it's the same thing with a vendor. ⁓ Give, if you do decide after you've done all your due diligence to, you know, give some
access to vendor, then you do as little as possible. And ⁓ also think through as from a business perspective, who's getting to call those shots about how much access being given, not every employee should have access. That should really be something that your security folks are keeping an eye on and not allowing certain third parties to come into your environment there as well. certainly. ⁓
Bryan Lachapelle (39:18)
soon.
Justin Shelley (39:19)
Okay. So now my blood's boiling. I'm my, uh,
this is an ongoing, potentially never ending saga with a vendor. I had a client reach out. They wanted this integration done. I'm like, all right. You know, put me in touch with them and we had a scheduled time. I get on the call and they're like, you got to remote me into the server. Uh, what are we doing? We're installing software. So I get them onto the server and first thing that pops up is, um, this big, this is a medical.
Jolie Grace Wareham (protasec) (39:27)
Mm-hmm.
Justin Shelley (39:48)
situation. So it's a BAA agreement. They want me as the third party, IT guy to sign. Like I can't do that guys. Come on. Um, so I, I, I shut that down. I called the client back. I'm like, listen, we've got to some due diligence here. They agreed. Uh, and so I, I, I initiated a full vendor assessment. And first thing we do is we go through and like, Hey, I need to know who to talk to. First of all, because we're going to need these documents. We need to know your policies, your procedures, your, know, where the data lives, who has access to it, what you do with it.
And they're like, we'll get back to you next. hear from the client. What's going on? I'm like, I don't know. They're getting back to me. So I call them back up and like, Hey, where is this? ⁓ we, just need you to sign an NDA before we can give you any of that information. And by the way, this is the short version of the story. So I'm like, sure. Send your NDA. We'll sign it. A couple of weeks go by client. Hey, what's going on? I'm like, I don't know. Waiting for an NDA. Get back ahold of them. we're, we're, we're running out the chain, the flagpole. We're trying to get the NDA figured out. What? What?
Bryan Lachapelle (40:21)
you
Justin Shelley (40:48)
Okay. So then, weeks later, I finally get this NDA and they're like, all right, let's schedule a time to, ⁓ install on your server. Like you still haven't gotten me any of the information I asked for. ⁓ I mean, but by this time the client's getting pissed. So they're putting heat on, we got to get this thing going. They've already paid for it, this integration. ⁓ and, finally, it's just like, okay, I guess we're going to skip security on this and you guys have to understand the risks. ⁓
You know, I'm not the one making decisions for you. I'm advising. So we're like, all right, we're going to push through. We're going to go with the integration. I schedule it and they're like, well, we don't have that integration anymore. We have to custom build one. And to do that, you need to give us unrestricted access via team viewer that stays on all the time for four weeks. Like the fuck we are. So that's where it's at right now. And I'm just like,
Jolie Grace Wareham (protasec) (41:42)
Yeah.
Justin Shelley (41:45)
Every time it's a different thing, they won't give me anything about their security posture. They're not socked to, they're not like, they don't have anything at all that they can give me to, and they want me to just light up team viewer and walk away and close my eyes for a month on a production server in a production environment. mean, this is just insanity. ⁓ but you know, I know.
Bryan Lachapelle (42:05)
I don't even do that with my own technicians.
Justin Shelley (42:08)
I it's crazy. So I don't know that I mean, I might piss these guys off my client enough that I lose the client over it. I don't know, but I like, I can't put my name on that. I am not lighting up team viewer for four weeks. And they're like, well, we're going to use a complex password. Like, ⁓ no bad guy ever thought of that. Jesus Christ. So, ⁓ vendors are dangerous. And the problem is they're making some really big promises that the client wants. The outcome is.
Bryan Lachapelle (42:24)
Thank goodness. ⁓
Jolie Grace Wareham (protasec) (42:27)
my goodness.
Justin Shelley (42:37)
worth the risk in their view, but that's because they don't understand the risk that that is my current situation with vendors.
Jolie Grace Wareham (protasec) (42:37)
great.
Yes.
So I mean, we help clients build out kind of their cybersecurity policies and procedures in a lot of ways. And one of the top ones, make sure you have, it's the vendor risk management policy. Everyone in the organization needs to understand how do you assess risk? What's your risk tolerance? Who gets to call these shots? And what are we not going to stand for? Like TeamViewer for two weeks, no. So wow, well, I'm curious to hear how that continues for you.
Justin Shelley (43:12)
I'm not giving them
team view or I'll walk away from the client before I do that. Like I just, won't do it. I won't do it.
Bryan Lachapelle (43:16)
Yeah.
Jolie Grace Wareham (protasec) (43:17)
Yeah,
I don't blame you.
Bryan Lachapelle (43:18)
I remember once, and I'll make the story very short, I remember once we were called in to an organization and they couldn't figure out why the parking software wasn't working for paper parking. The thermostats were going all up and down, like the temperature was changing. Turned out that the vendor who installed the HVAC system wanted to be able to remotely access the system. It was a medical facility.
And so they installed a rocket hub, which is basically like a wireless modem, ⁓ installed it and connected it to the network to give themselves access to the HVAC system. Well, the criminals, the hackers were able to get in through there, through the HVAC system, because they had exposed it completely to the internet without a firewall. ⁓ And they were changing the temperature. And from there, they were able to bounce into the rest of the network because the unit was on the network.
just goes to show you an example of a vendor who had all the greatest intentions of the world not understanding how technology works, doing something that will benefit them but not looking at the bigger, wider picture and not involving IT and giving themselves remote access to something that they never should have had access to in the first place. Now this happens all the time, right? Somebody says, I need this and they just plug it into the network as if there's no rhyme or reason why they need to consult anybody else.
So yeah.
Jolie Grace Wareham (protasec) (44:46)
Wow, wow. ⁓
fortunate, geez. There's so many of these stories out there, right?
Justin Shelley (44:49)
crazy world. know,
I know it's like we're at the end of the time here, but we could go on for days. Um, on that note though, let's go ahead and kind of wind things down. Uh, I'm just going to go around the room and, Jolie Grace, I'll give you first shot at it then Brian and just, you know, this is where we're going to talk about what's the one thing you want people to know if they remember nothing else. And then a little bit about, know, if you have any resources to offer, if you have a, uh, you know, your company, you want to pitch, how would they contact you?
Bryan Lachapelle (44:52)
Yeah.
Justin Shelley (45:17)
And what can you do for them if they choose to do so?
Jolie Grace Wareham (protasec) (45:20)
Certainly, Yeah, I want to bring up one piece of this story that we were kind of been talking about that about our client is ⁓ something really great that they did was reach out to us, right? And to make sure that there was nothing weird and in their system. And it turned into us actually ended up doing a cyber risk assessment for them and then spending a month or so doing some coaching. And now we have a relationship with them. And so they're just a really great example of what to do, ⁓ but really
Justin Shelley (45:32)
Yeah.
Jolie Grace Wareham (protasec) (45:50)
something to always remember is just to stay vigilant, keeping your eyes open for anything that looks weird. And ⁓ at the end of the day, unfortunately, it's not if it's when something is probably going to happen, you know, when we're talking about cyber attacks. so knowing who to call, what to do in the case of an of an incident, ⁓ we do a lot of work in incident response planning and no business is too small to be thinking really strategically and intentionally about what does that incident response plan look like? What do you do at minute zero minute
Justin Shelley (46:02)
Yes.
Jolie Grace Wareham (protasec) (46:20)
to day zero, day two, when you're dealing with an incident. It's the thing that truly saves a business ⁓ when you have a cyber attack. It saves you money, saves you reputation, compliance issues. So it's just really important. ⁓ can find us, so our business again, it's Protosec, P-R-O-T-A-S-E-C. ⁓
You can find us online or our website is just protosec, p-r-o-t-a, I'm going to spell this wrong, p-r-o-t-a-s-e-c dot com. feel like I don't spell out my own company that often. ⁓ And you can also find us on LinkedIn, Instagram, things like that. Again, I'm Jolie Grace Wareham. You can find me on LinkedIn. Always happy to chat. ⁓
you know, let's just, what we're trying to do is at end of the day, building, we're trying to build resilient communities. ⁓ And it takes all of us and it takes all of us inside of each of our organizations to do that. So thanks for having me for this conversation.
Justin Shelley (47:14)
You're welcome. And whether you spelled that name right or wrong, the good news is if anybody listening, you just go to the show notes of this episode right there on Spotify or Apple podcast or wherever ⁓ that link will be there, you can just tap on it and go to the website. So I do that for everybody that joins us on the show, including you, Brian, Brian, what's your final sign off? What's your, what do you have to tell people?
Jolie Grace Wareham (protasec) (47:17)
you
Appreciate that.
Thank
Bryan Lachapelle (47:36)
Sure.
My biggest takeaway today is cybersecurity isn't always a technology ⁓ problem. So the story that was provided by Jolie Grace is that it would have been 100 % preventable had company A had policies and procedures in place to verify manually any changes in payment information. And that should be the standard. That should be the norm.
That should be the policies and procedures you put in place across your organization. Take a few moments and think about what and how will people try to fool you and create policies and procedures to prevent that from happening in the first place. So cybersecurity is not just an IT problem. It is an everyone problem. And that's the takeaway for me. And you can start resolving cybersecurity issues by starting today with small incremental steps.
on your journey to cybersecurity 1 % better every day.
Justin Shelley (48:36)
Excellent. love, I love it. The, the usual Brian, ⁓ listen, so I'm, I'm gonna, I'm gonna kind of wrap this up for me with we've, we've actually started like a weekly webinar series and the next webinar we're doing is on the importance of cutting waste because this all comes down to, we can't afford to do everything that needs to be done in the world of cybersecurity. It's not cheap. That said, a lot of times we, we buy tools, ⁓
Bryan Lachapelle (48:40)
Hahaha!
Justin Shelley (49:04)
and then we put them on a shelf, we throw them in a drawer, I call it the technology junk drawer, and we're paying for them on a monthly basis. And it's just time for everybody to go through and audit all of your spending and make sure that your money's going to the right place. Because if you're spending it on stuff that you're not using and therefore can't afford to spend on the stuff that's really going to protect your business, potentially a game ending disaster, ⁓ that's not right. So we're going to ⁓ do a webinar on just going through your technology spend.
making sure you're spinning it, you know, not wasting licensing fees. Like for example, on Microsoft, so much waste goes there. I think personally, I went and audited my own and we cut like 40 % or something stupid. And that's me. I mean, like I'm telling on myself, but this waste is out there. So join us on our webinar on Tuesday. That link will be in the show notes as well, ⁓ as well as Julie Grace's and Brian's. Guys, Brian, Julie Grace, thank you so much both of you for being here. Really appreciate your time.
Jolie Grace Wareham (protasec) (49:59)
Thank you.
Love it. Thank you so much. Thanks for having
Bryan Lachapelle (50:04)
Thank you very much.
Justin Shelley (50:04)
All right.
All right, guys. We'll see you next week. Take care.
Bryan Lachapelle (50:05)
Bye, everybody.
Jolie Grace Wareham (protasec) (50:08)
Okay.
Creators and Guests
