76. Courts Can Now Use Your ChatGPT History Against You (And Other Identity Nightmares)
Justin Shelley (00:00)
Welcome everybody to episode 76 of Unhacked. I almost said 58, guys. Maybe the time warp's kicking in. I don't know. But you know, we show up here week after week with the ultimate goal of protecting businesses from game-ending cyber attacks. You know, and I've said a while ago, technology for a while kind of got boring to me. I love technology because it constantly changes. And then it just stopped changing and plateaued for,
God, a decade? I don't know. And then AI hit and holy hell, that's over. Now we're back to, I don't know which way's up. So we're going to help discover which way's up and then teach all you guys. I am Justin Shelley, CEO of Phoenix IT Advisors. And you know, at Phoenix IT, we help businesses build wealth with technology and then protect that wealth from all the hackers, notably the Russians, government fines and penalties,
and class action lawsuits because there is not a shortage of individuals out there trying to take our money from us. So that's what I do. And I am here with my loyal, faithful co-hosts and good friends, Brian and Mario. Guys, tell everybody who you are, what you do, and who you do it for. Mario, you go first, and then Brian, it's all yours.
Mario Zaki (01:20)
Yeah, Mario Zaki, CEO of Mastic IT located in cold as shit New Jersey right now. Um, we've been in business for 20, almost 22 years now, um, helping small businesses and owners sleep better at night knowing that their businesses will be secure and safe and there the next day.
Justin Shelley (01:26)
Hahaha
Mario, are you a South Park fan by chance?
Mario Zaki (01:46)
Yeah, I haven't watched it in while, but I am. It is.
Justin Shelley (01:49)
It's a Jersey thing. Does that ring any bells? All right. That's all I got.
That's all I got. Brian.
Bryan Lachapelle (01:56)
Yeah, Bryan Lachapelle with B4 Networks. We're based in, as Justin said, beautiful Ontario, Canada. We help business owners remove the headaches and frustration that come with dealing with technology and cybersecurity.
Justin Shelley (02:10)
Beautiful. I mean, you can't leave that out because you say it every single time that you introduce yourself. So and then you start typing. I had to correct you, and you start typing it out and you leave out beautiful. I'm not the fucker. Did it turn ugly? I mean, is it just because it's winter? I don't know. All right. Enough of my horse. Let's start talking about security. Guys, as I was prepping for this, I just stumbled upon a headline. This was new to me. I don't have any personal reason to care, but it definitely caught my attention.
Bryan Lachapelle (02:14)
Beautiful Niagara.
I did, I did leave out beautiful.
Mario Zaki (02:20)
you
Justin Shelley (02:39)
The courts have recently ruled that all of your chat history in AI is now available for discovery in legal issues. So everything you say in chat, in ChatGPT and whatever platform you use, you can delete those chats. But the courts just ruled they can pull them out and they can hold them against you. So that's your friendly tip of the week. Be careful what you put into ChatGPT. If you're planning crimes, don't give that away when you're
using chat, so.
Mario Zaki (03:11)
They look at mine,
they're gonna say like, wow, look at this idiot. He can't even write a simple letter.
Justin Shelley (03:14)
Hahaha
you
Bryan Lachapelle (03:18)
I'm just gonna let everybody use my account and that way they can't figure out what was mine and what was somebody else's.
Justin Shelley (03:22)
I think they'll just blame all of it on you. I don't know that that's a great strategy.
Bryan Lachapelle (03:25)
We'll see.
Mario Zaki (03:28)
I actually, you wanna laugh. I use mine, my admin uses mine for creating like posts and stuff for like social media. And my wife uses it to help the kids with like their homework and tests and stuff like that. So you look at my chat history, it's all over the place.
Justin Shelley (03:37)
really?
nice. Okay. Well
now you're going to get sued for sharing an account where you're supposed to have a different account for everybody. I guess. I don't know. I have, this is way off track, but it's something weird about me. I swear like a sailor. And when I'm talking to ChatGPT, I won't say swear words in there. I don't know why it is. Like I want to keep that conversation professional and stupid because even with my clients, I'm not like that elsewhere. I don't know, but somehow.
Mario Zaki (04:09)
polite.
Bryan Lachapelle (04:16)
I always say please and thank you because one day when they take over, they remember I was the nice guy.
Justin Shelley (04:17)
Yeah, well, maybe that's it. Maybe that's it.
I have noticed that the Alexa version of, I have to be careful saying it because it's picking me up now. There's definitely a temperament involved. She gets a little sassy sometimes with us. I don't know, guys, I don't know. I wish I had a crystal ball. Maybe not. Maybe it would scare the shit out of me.
Bryan Lachapelle (04:39)
Interesting.
Justin Shelley (04:46)
I don't know what the future holds, but my God is technology an interesting game at the moment. So let's talk. No.
Mario Zaki (04:54)
Have you seen the
one in Teslas, the new Tesla ones where I think they call it Unleashed, and it will literally just curse at you like, hey dumbass, you just missed the exit, you know, pop the next freaking you. Yeah. It literally, actually, people have been complaining that it needs to have like an option, like when you're hopping in, like I have my kid in the car, you know, tame it down.
Justin Shelley (05:00)
No.
No way.
that's beautiful.
Mario Zaki (05:23)
because it like watch some videos it's literally it's it's at another level of like profanity like it makes you look like a little schoolgirl just
Justin Shelley (05:34)
Well,
listen, I for a long time, I've been saying that I wish that my GPS had a wife mode so I could turn it on so that it could say shit like, hey, you just passed the exit there. I'm just curious. How the fuck do you drive when I'm not in the car with you? I don't know how you get anywhere without me telling you which way to go. That's like why isn't it more realistic instead of do turn here? Do recalculating. That's not how it works. Anyways. All right.
Mario Zaki (05:41)
You
with the
Bryan Lachapelle (05:55)
Uhhh...
Mario Zaki (05:56)
It's like that.
Justin Shelley (06:03)
Now you got me all fired up, Mario. I want, I'll go, I don't like Tesla, but I'll go buy one just for that mode. Just so that the passenger can talk to me the way I'm used to, you know. PS, I'm talking about my ex, not my current girl. So she listens to these. I have to clarify. Anyways, guys, let's talk about something super exciting because we're doing this as a multi-part series on just the baseline security. We talk about it all the time. We're going to be breaking it down for the next 10 to 12 weeks.
Mario Zaki (06:08)
Yeah, it.
Bryan Lachapelle (06:12)
You
Justin Shelley (06:32)
Today we're gonna talk about identity and access control. I've specifically not named it passwords because remember our episode on passwords that nobody listened to. But I'm gonna introduce this this way. It used to be, if we all rewind, all of us in this recording are old enough to remember the days when security meant a good firewall and strong passwords on the server, period, right? And backups, you know. But that was pretty much it. That's all we needed.
What's it look like today, guys? Where are we at with that? Is that enough? Do you even have firewalls anymore? There's a debate.
Bryan Lachapelle (07:06)
Well, my favorite thing.
Yeah, my favorite
thing now is like security is like an onion. You need all these layers, right? And so the layers just keep getting more and more and more.
Justin Shelley (07:18)
All these layers in all these different places. It's not even just like one onion anymore. It's like a goddamn bag of onions, a truckload of onions.
Mario Zaki (07:26)
Yeah.
Bryan Lachapelle (07:27)
It used to be that you only had the network to protect, right? I'm in my office, I have to protect my network. Well, now people work from home, they work from airports, they work from all over the place and some companies don't even have an office. So the network has now been expanded to everybody else's network.
Justin Shelley (07:29)
Right.
Right.
The world? Yeah.
Mario Zaki (07:43)
Microsoft.
Yeah, no, I mean, we're not only rotating passwords, we're putting, just to get onto the server, we're putting an MFA on there, we're doing several things. And, you know, we've always said, if security's convenient, you're doing it wrong. You know, sometimes just to hop on a server to, like, change a simple password, it can take like 10 minutes to get through all the layers.
Justin Shelley (07:47)
So.
Yeah. You know, yeah, cause back in the day you could break into a firewall and then you were screwed. Like if somebody got through your firewall, you were screwed. You could sit on your firewall and look at your logs and you could see all those, you know, pings that were coming through, somebody trying to brute force. I'm not saying that's gone away, but I don't know that that's the thing that scares me the most anymore. So now instead of breaking into a firewall, what the bad guys are doing
Mario Zaki (08:25)
you
Justin Shelley (08:42)
is they're getting a hold of login credentials, right? Username and password. So that becomes the very first thing that we have to look at when we're talking about baseline security: identity protection, access control. Let's lock down somebody being able to impersonate us. Do you guys remember, if we go way back to our episode on the MGM Grand, like that was the first episode we did together, right? Do you remember how the bad guys got in?
Bryan Lachapelle (09:09)
thermometer in the fish tank.
Justin Shelley (09:11)
They, well, but they impersonated somebody, didn't they? Or did they come up with new information? I don't know because that was right after it happened. I actually went back and listened to that episode the other day. On accident. YouTube just auto-played it for me. I was like, God, I remember this. Yeah, somebody
Bryan Lachapelle (09:14)
I can't remember now.
Yeah. Now,
yeah, now the gold standard is like if they can get into your Office 365 account, they've got everything. They've got your files, they got your email, they can impersonate you by sending messages to people. I mean, it's the holy grail if they can get into your 365 account, especially if it's somebody higher up in the food chain at the company that they breached into. They can start impersonating them, either the president or the CFO or whatever the case may be.
Justin Shelley (09:32)
Correct.
Right.
Mario Zaki (09:53)
And all they need is just a simple click, you know, a simple click that could really go far.
Justin Shelley (10:00)
So let's take this, we're gonna go two routes with this. I try really hard to stay out of the weeds and not get too technical. So I wanna start with, we're talking to a business owner, CEO, like what do I need to know running my business to protect myself and my clients and my employees from a breach? Let's just talk about Microsoft 365. This is the one layer of one onion that we're gonna talk about. Give me some things that I should know as a business owner, non-technical.
What do you guys think?
Bryan Lachapelle (10:32)
Oh, I can give you three and then I'm sure you guys can add more. The password you're using for 365, if you're using a password still, because some people are using passkeys, if you're using a password, it should be a passphrase, something that's long. It doesn't have to be complex; the whole use symbols, numbers, uppercase, lowercase, all that stuff has gone the way of the dodo bird. Now they're just talking about a nice long phrase, maybe five words put together.
If you have that and multi-factor authentication, then you're in a good place. But the third thing, so those are the first two. The third thing would be to put in place conditional access, which would be, if you don't normally travel outside of your country, maybe lock it down so that you can only log into your 365 account from within the borders of your country. That way, if an attacker is coming in from the outside,
another country, they're trying to log in to your 365 account, it'll automatically deny and log it and notify you. So those would be the three main ones I would put in place right away.
Justin Shelley (11:39)
Mario, do you have anything to add to that?
Mario Zaki (11:41)
Yeah, well, a couple of things to add. Like Justin was, I'm sorry, like Bryan was just saying, like with, you know, you can have multiple words. You know, most people don't realize they can actually put spaces in their passwords. So you can actually have something that you'll remember, like, you know, "the green sky is falling," you know, something like that, and it'll be something you could remember. And
by adding spaces and stuff like that, you're just adding an extra, like, special character, which makes it even more difficult to crack. So that's one thing. And then what I would do is, you know, like what we do for all our customers is we add an extra layer of security with like a SOC team, you know, where they will inject more than just the conditional access, but it's based on the conditional access. So for example,
Justin Shelley (12:31)
Mm-hmm.
Mario Zaki (12:40)
denying them or alerting if an email mailbox forwarding rule was created, because that's one of the things that hackers will do is they'll set up a mailbox forwarding to, like, themselves. So we will get alerted if somebody, you know, enables that. Even if they log in, I forgot what they call it. I mean, it is part of conditional access, but even if they're logging in at somewhere else in the country, like from New Jersey, and then all of a sudden they're logging in in Las Vegas.
Justin Shelley (12:47)
Yeah.
Bryan Lachapelle (13:09)
two places that are far enough apart that, yeah.
Mario Zaki (13:12)
you can't travel in that period of time, it blocks. And I tell our customers, I'd rather apologize to you because something happened and we blocked you from accessing your email than apologize to you because your email was coming.
Justin Shelley (13:25)
Geofencing, I think is what that's called, right?
Mario Zaki (13:27)
Yeah, yeah, somewhere, yeah.
Justin Shelley (13:29)
Yeah. And I'm going to add to all this. So those are solid. Especially talking to CEOs, business owners, we carry an ego with us. Don't be an admin. Like just knock that off.
Mario Zaki (13:43)
Mm.
Bryan Lachapelle (13:45)
I have to have that conversation with people all the time. It's like, yeah, but I'm the boss. I should have access to everything. It's like, I'm the boss and I don't have access to everything. I don't want access to everything. If I need it, I can ask for it. Right. Right. That's what I have. I actually have a separate account as well.
Justin Shelley (13:46)
Jesus Christ!
I also have access. It's a separate account. Don't ever fucking use it.
Mario Zaki (13:56)
Yeah.
Justin Shelley (14:04)
Yeah,
same. I can't make changes in Microsoft with my account. And I have to go look up the, I go to, I don't even know the password for the admin account, you know, like, and I have my own admin account and my techs have their own admin, like, I don't know, I just, I get so angry at clients that want to be admins and log in as admins and have their email, you know, it's just like, really bad.
Mario Zaki (14:05)
Yeah, same here.
Plus,
you know, most people don't realize that you still need to back up your entire 365. You know, they think that, you know, because it's on Microsoft or the cloud, that it's safe or that if, you know, something happens, you know, we can just click a button and go back. You know, Microsoft does not back up your shit. You know, they say we don't back up your shit. You know, you need a third-party, you know, company to back up your stuff.
Justin Shelley (14:46)
Right.
Brian's got the phrase for that. Brian, do you remember this phrase you always share? Shared, what do you call it? Shared ownership, shared responsibility, shared. You don't say that anymore? God. Brian, I got to help you remember all of your catchphrases. Yeah, when we're talking about security.
Bryan Lachapelle (15:06)
Shared response, oh, right,
Mario Zaki (15:06)
Ha ha ha!
Bryan Lachapelle (15:09)
right, right. Yes, with 365, it's a shared model. I can't remember the terminology used, but we're both responsible. They're responsible. Yeah.
Justin Shelley (15:19)
Yeah, Microsoft's like we're doing some stuff, but
ultimately if it breaks, we're not going to claim it. We're not owning it, so you better do your part.
Bryan Lachapelle (15:26)
They're responsible for the
infrastructure and how it's set up and the configuration, everything, and you're responsible for the data, right? Like you've got to make sure your data is backed up elsewhere. Because if their infrastructure fails, they'll restore it to potentially a backup, but it might not be the most recent. It might be just whatever they have available. They back up their systems for themselves, not for you.
Justin Shelley (15:30)
Yeah.
Mario Zaki (15:32)
Yeah.
Justin Shelley (15:32)
Yeah.
Mario Zaki (15:46)
Yeah, and good luck trying to get in touch with Microsoft to do this.
Justin Shelley (15:50)
What, you don't have them on speed dial?
Mario Zaki (15:52)
I do, they have me blocked or something.
Justin Shelley (15:57)
Hey, we had one of them on the podcast. They're not that inaccessible. All right guys. So we've got Microsoft. I said I wanted to start with, we're talking to business owners. What, let's say you're talking to your technicians or a peer, and what is it that, and I talked to me, Brian, Mario, I'm a new guy in the IT world and I work for you and I'm going down to lock down our clients'
Bryan Lachapelle (15:57)
There you have a phone number.
That's true, yeah.
Justin Shelley (16:25)
accounts. What is it that I need to do?
Bryan Lachapelle (16:28)
Okay, well, one thing I would tell you if you were working for me, the very first thing would be if a client calls you and asks you to set up a shared account amongst five different staff members, the answer is absolutely not. It is very, very complex to manage one account that is shared between multiple staff members. Very rarely will the client ever call you to let you know one of those people have left or have quit the organization because, oh, you know, everybody else knows the password, so business as usual.
No, that person months and months later can come back and still log in and you would never know that they've accessed it because it's a shared account. So yeah, that would be one of the very first things: do not allow a client to create a shared account. And if they do, then we have to send them a decline-of-service letter to let them know that they're basically breaking every rule of the book. And if they get breached, it's on them and their policies might not cover them.
Justin Shelley (17:18)
Let
me get you to clarify. Are you talking about the Microsoft shared inbox account type?
Bryan Lachapelle (17:26)
I'm not,
yeah, I'm not talking about a shared mailbox. I'm talking about one account shared by multiple staff, one licensed user account, versus a shared mailbox, which is totally okay if it's shared amongst five licensed users that each have their own independent login and password. Yeah, but we have clients all the time, dentists are the worst for this. They all want their login and password to be like smiles and teeth. So if your password is...
Justin Shelley (17:29)
Okay.
Right. Okay. Just wanted to clarify that.
Yeah. God.
Wait, that's not unique.
I thought my dentist was, yeah, I thought my client was the only one that did that. Anyways.
Bryan Lachapelle (17:57)
Nah,
nah. I mean, you walk in almost all the dentists I know around here, they all use teeth as their password or something. It's very clever like that. Yeah, but we don't have very many dentists as clients anymore. But the ones we do are really great.
Mario Zaki (18:02)
Yeah.
Justin Shelley (18:02)
Mm-hmm.
Mm-hmm.
All right, Mario, you got anything to add to that on the technical level? Let's go ahead and get a little bit, our hands dirty and talk about, you know, what does a technician need to do to protect a client?
Mario Zaki (18:21)
Well, first of all, they need to document everything, you know, so that way, you know, somebody else can look at it and understand the way it was configured. But with security in mind, they have to understand that, you know, when you're spinning up like a new tenant or something, a lot of that security is actually not enabled by default. You know, it's.
Justin Shelley (18:47)
I know it's crazy.
Mario Zaki (18:49)
You know, which, what I like about Google is a lot of that stuff is enabled by default. But with Microsoft, it's not enabled by default. You have to manually do it or get certain licenses that give you the ability to enable even more security. You know, not every license is equal.
Justin Shelley (19:09)
Yeah. I think you kind of started to go there. I'm just going to say the word checklists. You know, where you're setting up anything that has to do with security, anything that's important, let's learn from the aviation industry. Checklists, make sure that they are done. You know, we're going through some training. I don't know if you guys are going through it or not. It's available to all of us on operations.
Mario Zaki (19:16)
Checklist, that's.
Justin Shelley (19:36)
And that was one of the things in the training that they brought up is how much they've, you know, the aviation industry and I'm a pilot. I haven't flown in a while, but, so I can speak firsthand of this, checklists are a big deal and lives have been saved. So many lives have been saved, accidents prevented, because they implemented checklists. Now doctors use it a lot, you know, in healthcare it's used and I wish it was more prominent in the world of IT. I think it's kind of getting a little bit of a foothold, but
we've got a ways to go there. We just have to do the same thing every time. And then, you know, make improvements to that. But yeah, you can't leave it up to each individual to decide what it is that they're supposed to do to secure a client.
Mario Zaki (20:21)
Exactly.
Justin Shelley (20:22)
All right,
so let's move on. One of you, I don't remember who, kind of touched on, but we already talked passwords. We touched on onboarding, offboarding employees, but let's talk. Well, I think it was you, Brian. You're talking about these shared mailboxes. They're never going to call you up and tell you that one of the employees left. What are some best practices there? And again, we're talking to business owners
or the management, the people that are making policies for their employees, for their company. What do you need to worry about?
Bryan Lachapelle (20:58)
Well, from my perspective, there's a couple of things. In an organization, often where it comes from, why they want to have a shared account, is because they want one group of people, for example the finance team, to have all access to a mailbox. Very rarely do we get it where it's because the owner, and I'm gonna use the word, they're just too damn cheap and they don't wanna pay for extra licenses. Very rare is that the issue. And if that's the issue, then we have a whole different
problem, because the amount of dollars it costs for an account is negligible compared to everything else, or the potential downfall, the potential risks. But there are ways of creating multiple different user accounts all having access to one shared mailbox. And so I would say best practices is, if I'm talking to another business owner who's not in IT, I would say, explain what you want as the end result,
not how to get there. We get that a lot where somebody will call in and say, I want you to do this, this, and this. And they're basically describing something that goes against all practices because the ultimate result they want is, you know, why, right? But they're saying, I need you to give me, you know, create an account with a login and password, and I'm gonna share it amongst all my staff. And the answer is like, well, what are you trying to do? Well, I want everybody to access the mailbox. Okay, well, we can do that. We can create a mailbox and we can give access to all of your staff to that mailbox through their own individual accounts.
Mario Zaki (21:55)
Yeah.
Bryan Lachapelle (22:22)
So tell me what you want as the end result. I'll tell you how to get there using industry best practices. It's like going into a doctor and saying, you know, doctor, I want you to cut me open over here to operate on my heart. No, the doctor's just gonna do what his training tells him to do. You just say, I need heart surgery, and you know.
Justin Shelley (22:25)
Right.
I thought you were gonna say I want you to cut me over here to operate on my knee. That would have been a better.
Bryan Lachapelle (22:42)
Yeah,
sure. I'm not a doctor. I don't know, but
Mario Zaki (22:44)
But you know, it is, it's, the problem is, it's a language barrier. And I don't know about your guys, but my guys tend to kind of just, like, have tunnel vision. They're trying to do what the ticket says or what the person's saying on the phone. So, you know, a great example to build on to what Brian is saying is like info at Mastac dot com, you know, they want like an info at, and
you know, they think that if they create an info at, they want these people to be able to access it and stuff. So create me this mailbox and this, so the technicians kind of just want to do what the person wants. You know, technicians are, you know, they tend to sometimes lack that communication gift of, you know, conversing with somebody, like, well, there's better ways to do this. You know, we can do
a distribution list, we could do a shared mailbox, we can do whatever without having to compromise security. You know, so sometimes, what I see is like, you know, they just have that tunnel vision, just get the ticket done, and they're following directions.
Justin Shelley (24:03)
Um, all right. So we've kind of overlapped this with shared passwords, shared accounts. We're mostly talking in the framework of Office 365 though. And so I'm just going to clarify that this is also incredibly important on everything that you touch, everything that your users touch. So whether that is, you know, if you've got cloud-based services outside of Office 365, we're talking about dentists, they all have
some sort of practice management software. It's either going to live on a server or it's going to live in the cloud. It doesn't matter. Users need their own accounts. If you've got a workstation that you're logging into, whether it's a local user account or you have active directory, you know, a server sitting on this, or you're using Microsoft ID for this, every user needs to have their own account. That said, I don't think that has ever been an easy fight to, you know, it's a war every time I try to get a client to do this.
When you pick up a new client, I mean, damn near 100% of the time there's shared accounts somewhere. And it's easy. It's what they're used to doing, and getting that to change is tough. So talk to me a little bit about it. Let's just say my workstation, we all have one account that we all use and it's user one, password ABC, whatever it is. Maybe it's even a complex password, but then when we get to our other platforms, we all have our own accounts. Is that good?
Bryan Lachapelle (25:33)
No. No. Okay. I use a bank. I use a... Yeah.
Justin Shelley (25:36)
Why? Because now I've got to go and make a new account and then they're
going to change the desktop, and then this person logs in and the programs aren't there.
Bryan Lachapelle (25:45)
I use the bank analogy. I mean, would you imagine having 20 people in your office all having access to the same bank card, right? Where, you know, how would you even be able to manage that? Like who's spending the money? Who's doing what? There's no way to find out who charged what account with what. Like you're all using the exact same bank card. Everybody knows the PIN number to it. Somebody just grabs it off the shelf, goes and buys something, comes back, drops off the bank card, puts it back. Like it would be chaos, right? Like that's just not the way you would want to run a business.
It's the same thing with a desktop. Anybody who's logged into that desktop has access to everything that every user has access to, and where there's no differentiators to who's done what, when, how, where. And so it's incredibly important from that perspective to secure it with individual logins and passwords.
Mario Zaki (26:26)
No, I-I-I-I-
I'm
going to play devil's advocate here, right? You know, because even though I want to a hundred percent agree with both of you, there are situations where it's not feasible for everybody to have a different login. And that's like in a warehouse, like in manufacturing, if they're on a warehouse machine and they're trying to pull like inventory, whatever, and those computers are dedicated to just pulling inventory, you know, they stay logged in, and
a user will just come up, look up the SKU number, where it is, go get it. You know, there are some circumstances where it really is a pain in the ass to switch, you know.
Bryan Lachapelle (27:14)
I'll
actually go against you on that one. There are proximity-based detectors that will, as you walk up to a device, automatically unlock it based on the fact that you have your phone with you, near-field communication, or an access card. As soon as you walk up, it automatically detects you're within two feet of the station and logs you in, and you have access right away. There are solutions. They're not easy. The easy out is, ah, everybody gets the same login and password, and it just stays open.
Mario Zaki (27:37)
There are solutions.
Yeah, yeah, I mean,
Justin Shelley (27:42)
What we had?
Mario Zaki (27:43)
even
fingerprint readers, we had a guest, yeah.
Justin Shelley (27:45)
We had a
guy on here that solved that very problem, but it is a problem. To be fair, it is a problem. And you know, when we're talking to, we're trying to educate business owners and guys, we're all business owners. We know how goddamn complicated it is to just show up every day and keep things going, keep production the way it needs to be, and keep clients coming in and keep clients happy. I mean, it's like,
Mario Zaki (27:49)
Yeah.
Justin Shelley (28:14)
There is no lack of things to do. So am I really worried about a shared account somewhere? No, as a business owner, I'm probably not. However, Brian, I do like your analogy of the bank card because now we're talking a language that a business owner might understand. Yeah, I want to track where that money's going. And while they don't necessarily live in the world that you guys, you know, that we live in, it is important to know who's doing what if we're going to solve problems.
Bryan Lachapelle (28:43)
Well, and the scary part is this, if it's a cloud-based service and you're sharing logins and passwords, now it's like having a bank card that anybody can access anywhere in the world. And so if somebody gets fired and you forget to change that password, they could still log into that cloud-based service from anywhere in the world, right? And so now you don't even know they logged in, you don't know who did it, right? And we've had it happen where somebody is like, well somebody logged into the cloud account and it's like, yeah, well, if you share a password, that's...
Justin Shelley (28:52)
Yeah.
Absolutely. Yeah. Yeah.
Bryan Lachapelle (29:12)
There's literally nothing you can do to stop that.
Justin Shelley (29:12)
Yeah.
Yeah.
Mario Zaki (29:14)
Now
what about, and again I'm playing devil's advocate, not because I'm, you know, disagreeing with you, but what about password management that lets you share the password with people, you know, but using their own password manager, they can use that password. What do you think about that?
Bryan Lachapelle (29:35)
To me, it comes down to what it is being used for. If you're sharing, for example, a tool that allows you to log in and create a graphic, like maybe Adobe Cloud, whatever, and I'm not suggesting you share passwords because it's probably against your terms and policies, but big deal. If I just use it to go and license images off the web, damage is relatively minimal.
But if it is my practice management solution that has all of my customers' X-rays and all of their medical health information, like now you're probably breaking the law, right, by sharing a password. Come on. Right? Like, I guess at that point, to answer your question, Mario, it becomes what is the risk involved, and is the risk too great to have a shared password compared to the cost of just having a second account or a third account or a fourth account?
Mario Zaki (30:11)
Yeah.
My point
is, like, there are some platforms that kind of just have, like, one login, you know, like you're logging in and you could only, you know, use what, you can't do multiple users for one account. My point is, if you're going to do it, do it in a way where, kind of coming back to a couple of minutes ago, Brian, when that employee leaves, you want to be able to kind of eliminate them from knowing that password. So if
10 people or five people or even two people know that password, at least do it in a smart way where you're using a password manager, where you can easily prevent the person from, A, seeing the password, and B, if they leave, you eliminate that password manager.
Bryan Lachapelle (31:11)
Just change it. Yeah,
in our office, when we let somebody go or somebody leaves the organization, doesn't matter whether they willingly leave or whether we let somebody go, there's a collective sigh that happens across the entire office the moment they walk out the door, because everybody's Wi-Fi password changes, right, the entire office, and there's a collective sigh across the office like, again, right, because it's automatic. Now my staff knows the moment somebody walks out the door,
Justin Shelley (31:29)
You
Mario Zaki (31:35)
Yeah.
Bryan Lachapelle (31:39)
the password's changed, because we share a Wi-Fi password. We don't have individual, like some places have, you know, RADIUS or anything. We just haven't bothered, because it's just so much easier to just change a password. But yeah, so I guess in a situation like that, as long as you have a process to change the password the moment that person walks out the door, but you have to understand and know that there is no tracking. You will not know who did what, when, where, how if they share an account. And so,
Mario Zaki (31:55)
Yes, exactly.
Thanks a lot.
Bryan Lachapelle (32:08)
depending on the situation, you might legally be required to have a unique login and password for some applications and some services.
Mario Zaki (32:16)
Yeah, and again, I was not disagreeing with what you were saying. I 100% agree. But, you know, I want to let people know, like, if you're going to do it, at least don't do it, you know, don't fuck up the whole thing. Do it in a controlled environment kind of situation, you know.
Justin Shelley (32:34)
I mean, it really comes out of just knowing your risk. That's, we've said, I think we all agree with this. Everything comes at a cost. There is a trade-off for every security measure. Nobody is going to do all of them. Nobody should do all of them. What matters is knowing what they are and weighing the cost and the benefit and accepting, you know, deciding what is your level of risk that you're going to accept.
That's really what all this comes down to. There's a baseline standard. That's what we're talking about in the next few episodes. But even then, as a business owner, I will always say that, like, if you're talking about a specific control, and let's just say, you know, that you're not a local admin, you're not an admin, your Office 365 account is not an admin account. Right. And if I'm asked that question by a security professional, I can either answer yes, that's good. I can answer no. Wait, yes,
I'm an admin. That's bad. I can answer, no, I'm not an admin. That's good. Or I can answer, I don't know. And that's the absolute worst answer you can come up with, is not knowing what your risk is. I would much rather have somebody know their risk and decide against it than to just have no goddamn idea what's going on and think they're safe. You know, like, that in my mind is the absolute worst. Tying all of this back in,
you know, it really comes down to, this is closely tied to the HR team and the HR process. You have to know what your people do. When you hire somebody, know what software they're touching, know what tools they need, and have a process to bring them on properly and have a process to walk them out the door properly. Maybe including changing the Wi-Fi password for everybody in the company and pissing everybody off. Maybe. Maybe, I don't know that I agree with you, Brian, but maybe.
Bryan Lachapelle (34:23)
We do it.
Justin Shelley (34:26)
All right guys, what have we missed, where we're talking about access control and identity? Is this, I would argue it is, and also tell me if you think I'm wrong, is this the number one thing people should worry about today?
Bryan Lachapelle (34:43)
It's one of the things that you should worry about today. I don't think there is a single one thing that people should look out for anymore, right? Just like in a business, you have, you know, finance, you have marketing, you have sales, you have operations, and you have to work on all of them at the same time equally. I think it's the same in cybersecurity. Now we've kind of gotten to a point now where, you know, there's a little bit of everything, and we just got to be, you know, doing a little bit all over the place. And I like to use the word journey, because we can't all do it at the same time. So, you know, find
something to change and fix every single week or month or quarter and tackle it step by step. Obviously there's the critical things, get them done as quickly as possible, but everything else, work on it over time.
Justin Shelley (35:25)
Yeah. Well, let me ask another question. Is this uniquely and solely an IT function, what we've talked about today?
Mario Zaki (35:35)
No, no, it's a culture thing.
Bryan Lachapelle (35:36)
No, it can't be.
It can't be IT only, because we're not the ones who create logins and passwords in some applications and some tools. For example, I don't manage the electronic processing system for dentists. They manage that themselves. They have an admin who logs into their system, creates user accounts, things like that. We manage the desktop and the servers and things like that. There's applications that...
our clients are responsible for, right? CRA logins, or I don't know what you guys call it, but the IRS logins, right? There are certain portals that we don't manage. So it's not an IT function. It's a policy that needs to be created across your company. And everybody needs to be aware and adhere to those policies.
It's a shared responsibility, Justin.
Justin Shelley (36:26)
It's shared responsibility, Brian.
Mario Zaki (36:28)
And
the one thing, too, I'm going to add on to that is you have to, you know, even if the IT company's not managing something, keep them in the loop. You know, I'll give you an example. We had a customer, and it was probably about a little less than a year ago. They contacted us and said that they were having an issue with their Dropbox account, and, you know, information was either removed or something like that.
And we all looked at each other like, what Dropbox account? Like, why are you guys using Dropbox? You know, you have Microsoft, you know, everybody has OneDrive, everybody has SharePoint, why are you guys using Dropbox, and how long have you been using it, and why were we not aware of it? So we weren't able to help them, you know,
with much of it. You know, we tried to help with what we can, but we couldn't do whatever they were asking for because we had no clue. You know, the only way we found out was after the fact, after the whole thing happened. You know, if we would have known, we probably would have advised, you know, in some way or another, you know, if you're insisting on Dropbox, make sure you're using a business account, make sure, you know, if you don't need it, we can migrate your stuff to, like, SharePoint.
From what I remember, I think they actually were using, like, a personal account, and then they had, like, nine people with that password, you know, and I think that was just the nine that were actively employed at that time. But prior to that, they had given it to, like, a bunch of other people that were no longer there. So my point is, keep your IT people in the loop, even if it's a program that they're not expected to manage.
You know, they need to kind of have an understanding of everything that's going on.
Justin Shelley (38:29)
Yeah, absolutely.
Bryan Lachapelle (38:30)
I'm
gonna play on what you just said, Mario, because that to me is terrifying, right? Where multiple people had access to a Dropbox account, not from the point of view of, like, hey, you know, they can do damage. What if they went to work for the competition and they never said a word that they still had access to all of your files and all of your confidential information? Every time you get a new client, they know about it. Or every time you get a new request for a bid on some projects,
Justin Shelley (38:43)
you
Bryan Lachapelle (38:58)
they know about it, and then they find out exactly how you're bidding, and then they just use that information to underbid you every single time. Corporate espionage. That to me would be the most terrifying thing, more than them hacking in and deleting your files. That's the danger, is the hidden person who's just using it for nefarious reasons. If you don't think it happens, it happens.
Mario Zaki (39:06)
Yeah.
And I a hundred percent agree. And I think the reason stuff like this happens is, like, when one person kind of starts up a company, you know, he obviously has a budget in mind or finances in mind. So he signs up with, like, a free account or a personal account. Then as he's doing well, you know, he'll hire somebody, and then he's like, okay, let me give you access to this. You're going to eventually need it.
You know, he doesn't want to sit there and upgrade from a personal to a business. Then the problem starts snowballing, you know, right? So instead of going from a one-man shop to, like, a two to a five to a 10, they just are like, okay, well, that's something later I have to work on, you know, and then they never really work on it. You know, so they have to keep security in mind, no matter if they're one man
or a hundred users, they have to kind of still understand the process no matter what.
Justin Shelley (40:25)
Yeah, it's like we could have storytime now and talk about all the horrific things we've seen. You know, I've been self-employed since 1997. But I did have a hiatus where I worked for other people for a few years. And that's a long story I won't tell, but at one of these companies, when I left, and I mean, I quit, it was fine, but I had a lot of IT responsibilities at that organization. And when I left, there wasn't really anybody there to
go in and turn it off. And it was quite a while that I had full access to their server, you know, and it was very uncomfortable. Like, and it goes back to the HR, you've got to know who you're giving access to. And you really need a log, a change log, you know, of this person got access to that, make sure that it gets turned off when they leave. I don't know, I think this is just a, it's a messy subject. And there
just needs to be some very tight policies around it, and it needs to be very managed and very monitored. And maybe, go ahead.
Bryan Lachapelle (41:28)
You'd be,
as I was gonna say, you'd be surprised at how many times that a client, and it doesn't happen often that we lose a client, but it happens, where we lose a client and the incumbent MSP, months and months later, still haven't removed or delegated access to their Office 365, and we have to remove ourselves. Like, we basically just unregister ourselves as delegated admins because they just didn't do it, right? And that's scary.
Justin Shelley (41:36)
Mm-hmm.
Yeah.
Mario Zaki (41:56)
Yeah, I see that all the time.
Justin Shelley (41:57)
I had a.
We were on somebody's GoDaddy account for years, and I kept telling them, okay, I have full access to your domain. Like, I could turn off your website. I could turn off your email. I could reroute it. I could become you. I fucking own you and your new IT company. I've told you this, and I've told them this over and over and over, and I still have full access to it. Like, brilliant, brilliant.
Bryan Lachapelle (42:21)
Yeah.
Mario Zaki (42:27)
We were getting, I guess it is story time, just a few, like a few weeks ago, I had to pretty much, every time one of our clients' systems goes down, we were getting alerted. And I would forward it to the owner. I'm like, hey, you know, just to let you know, we got this alert, you know, please have your IT people remove us and add them so they know when your system goes down. Okay. No problem.
Justin Shelley (42:31)
Ha ha ha.
Mario Zaki (42:56)
It happened again, like, a couple days later, happened again a couple days later, happened again a couple days later. It got to a point where I was so sick of seeing it and forwarding it to them that I actually created a mailbox rule that anytime this comes in, forward it to this person, because I was sick and tired of, you know, deleting it or letting them know. And I'm like, it's been, like, two years since we've been off your system.
Justin Shelley (43:18)
Yeah.
Bryan Lachapelle (43:23)
The irony, the irony Mario is that it'll probably be there for another two years. You probably should have just created a rule to throw it in the trash.
Mario Zaki (43:24)
How were they, you know, how?
Well, I said forward it and then delete it. Forward it, and I don't even want to see it. But, you know, like...
Bryan Lachapelle (43:37)
I wouldn't even want to forward
it anymore, because eventually it's going to fail, and they'll be like, why aren't we getting that message anymore? And then it'd be like, it's being pointed to Mario. Why didn't you tell us?
Mario Zaki (43:46)
Yeah, actually,
I should just check to see when was the last time it triggered.
Bryan Lachapelle (43:52)
Oh, gosh.
Justin Shelley (43:54)
Crazy stuff, guys. All right, listen, unless anybody has final thoughts, we'll go ahead and, well, let me rephrase that, unless there's something you feel we've missed, let's go ahead and wrap up. We'll do our key takeaways, and we'll call it a week. And I'm just gonna say, guys, this one, whether it's the first thing you do or not, it's hugely important and requires some serious attention. So you cannot afford to overlook this. So with that, guys,
go ahead and, key takeaways. If there's just one thing you want our listeners to know this week and to take action on, what would that be? Brian, I'll start with you, and then we'll go with Mario.
Bryan Lachapelle (44:33)
My key takeaway would be probably just to care about it. Just add it to your list of things that you eventually have to get to, because I know it's not a priority for everybody, but access and identity controls are extremely important. And try to reduce your footprint as to shared accounts, and making sure that
your passwords and things are set up in a way that you're not as vulnerable as you are now.
Justin Shelley (45:07)
Okay, Mario.
Mario Zaki (45:09)
Create a checklist. You know, you gotta create a checklist, make sure that for every person, and we do it, and I had to ingrain this into my technicians' heads. I don't wanna see an onboarding or an offboarding, you know, go out or get completed without the checklist, you know, no matter what, you know, whatever simple setup you think it could possibly be, create a checklist, because there's
Bryan Lachapelle (45:30)
Checklist
Mario Zaki (45:38)
always going to be something that could be forgotten. So create a checklist. And the second thing is, I'm going to, you know, a little throwback to our earlier episodes, you know, take advantage of one of us or somebody, you know, get another set of eyes to come in, check out what you're doing, you know, and at the very minimum, you know, you may get a green, you know, bill of health saying, you know, everything looks good.
Otherwise, maybe you'll learn something and be able to adjust, you know, along the way.
Justin Shelley (46:12)
Well, it's not ready yet, but I am building an interactive self-assessment to go along with this series. So you'll be able to go through and check off some key points, and it will have that "I don't know" section, which will be beyond a fail. That's like worse than failing. Yeah, we'll have a way for everybody to just kind of go through and do a self-assessment, but don't stop there. Definitely bring somebody in, a professional, to put a second set of eyes on it. All right. So my key takeaway here is,
like, you have to know who has access to what. And in its simplest form, get out a piece of paper, and every time somebody is given access to something, write it down. And every time that relationship is severed, cross it off when that access has been removed. Find a better way to do it, sure. But if nothing else, pencil and paper, I don't care. Make sure you know who has access to what and that that access is removed when the relationship ends. That, you know, in its simplest form, is what we have to do.
All right guys, that is it for this week's episode of Unhacked. Next week, we are going to continue the fun and games, and we're going to talk about asset inventory, device visibility. Today it's know who has access to what, and next week it's like, what do you have? What computers do you have? What software do you have? Maybe a little shadow IT. Maybe we'll get into that. You mentioned the Dropbox that popped up and, you know, nobody's... That's the next thing we've got to tackle, so we're going to get into that next week.
Bryan Lachapelle (47:20)
Fun.
Thank you.
I'm looking forward to that one.
Justin Shelley (47:42)
So guys,
I was gonna say, Brian, Mario, do your homework. Start researching now. Anyways, guys, go to unhackmybusiness.com for more information, for more episodes, for show notes, and for the future release of our self-assessment guide. Guys, let's say our goodbyes, and then we're gonna wrap for this week. Brian, go ahead and sign off.
Bryan Lachapelle (48:05)
All right, well, my name is Bryan Lachapelle, B4 Networks. Please reach out to us and help us be your guide in your journey to both technology and cybersecurity.
Justin Shelley (48:16)
Mario.
Mario Zaki (48:18)
Are you staying up at night wondering if your company is going to be there the next day? If so, call this number on the bottom of your screen. Just kidding. No, but, you know, guys, we're here. We'll help you sleep better at night, you know, keeping you secure and keeping your company there in the morning. Thank you.
Justin Shelley (48:27)
I'm calling you tonight, Mario, when I can't sleep. I'm calling your ass and waking you up.
The next
time you say that, Mario, I want you to wear that onesie outfit with the question marks all over it. Do you remember that guy? All right. I expect that next week. All right guys. Brian, Mario, as always, thank you for being here. Appreciate your insights, your intelligence, and your friendship. I am Justin Shelley. Remember: listen in, take action, and keep those businesses unhacked, guys. We'll see you next week. Take care.
Mario Zaki (48:48)
Yes, yes.
Bye guys.