78. The Real Perimeter: Why Every Device in Your Business Is a Target
Justin Shelley (00:00)
to episode 78 of Unhacked. Today we continue our, what, a little mini-series, I guess we're going to call it, 10 to 12, roughly, episodes about baseline security. Because we say it all the time, you know, 97% of breaches could, what did I say? See, I haven't said it in a long time and now I forgot it. 97% of breaches were preventable with basic security measures, but what are those? So that's what we're...
Bryan Lachapelle (00:25)
Yeah.
Justin Shelley (00:28)
I am Justin Shelley, CEO of Phoenix IT Advisors. And I like to help companies build their wealth, build their business, make lots of money, and then protect it from the Russian hackers, the evil government who's going to come in and fine you and
Bryan Lachapelle (00:40)
You
Justin Shelley (00:42)
levy all kinds of penalties and all that other horse shit. And then the attorneys come in and they Hoover up whatever's left. That's what we try to protect you from. And I'm here as always with my faithful, my loyal co-hosts and my good friends, Mario and Bryan.
Guys, go ahead and tell everybody who you are, what you do and who you do it for. And Bryan, we are going to start with you today.
Bryan Lachapelle (01:03)
It's like roulette, you never know who you're gonna pick.
Justin Shelley (01:05)
You never know. I like to keep you guys...
Mario Zaki (01:05)
Okay. Okay.
Justin Shelley (01:06)
Listen, if I, if I let you guys get prepared, the conversation would go stale. I learned that a long time ago.
Bryan Lachapelle (01:11)
This is true, it's true. All right, I'm Bryan Lachapelle, President and CEO of B4 Networks. I'm located in beautiful Niagara Region, Ontario,
Canada, and we support the Niagara Region and Simcoe County. We help business owners remove the headaches and frustrations that come with dealing with technology.
Justin Shelley (01:28)
Enough, Mario, you're up.
Mario Zaki (01:30)
Mario Zaki, CEO of Mastec IT, located in snow-covered New Jersey. And we help small to medium-sized businesses stay secure, and we specialize in helping business owners sleep better at night,
knowing that their company will be there the next day. Within the last couple days, we got like, I think, like 17 inches of snow.
Justin Shelley (01:51)
which is always the Russian roulette that we play. Mario, you got snow up there. We just have like, how many, how many inches of snow do you have right now?
Gee, what's on that? What's on the ground right now? Still the same 17, because we're about one for one, except ours is mud. I've got about 17 inches of mud out here on my beautiful 40 acres. We just are swimming in mud. It's terrible. We have had almost no snow this year. It's been a very strange winter, but
Mario Zaki (02:09)
Yeah, yeah. Yeah, yeah.
You
Bryan Lachapelle (02:23)
boy.
Mario Zaki (02:28)
We
actually have had like record-breaking. The New York, New Jersey area, for some reason, they said like, and I didn't know this until they mentioned it, every 10 years on the sixes we keep getting blizzards. All right, we got a blizzard in 1996, 2006, 2016, and we got one in 2026.
Justin Shelley (02:43)
Really?
Okay. Not multiples of six, the actual digit six. Got it. Got it. Okay. That's kind of weird. I don't know. I have no theory on how any of that stuff works out. All right guys, so let's continue our series. We, up until now, have been, let's just say we've been mapping the battlefield, and today we're going to start building the fortress. Episode one in this series was
Mario Zaki (02:56)
Yeah. Very weird. Okay.
Justin Shelley (03:22)
frameworks, who owns the risk, how do we measure it? And really, it comes down to, if we aren't doing the same thing, if we don't have a plan, we can't do any of this right. You've got to start with a plan. I don't care if it's CIS, I don't care if it's NIST, I don't care if it's HIPAA, I don't care. Like if it's government mandated, I don't care, but get something and use that as your blueprint. Because if you don't know what you're trying to do, and how you're trying to do it, you're not getting anywhere. So we started with that.
Mario Zaki (03:33)
Okay. Okay.
Justin Shelley (03:52)
Then we talked about identity. Who has access to your stuff? You've got to figure out who your people are and what
Bryan Lachapelle (03:54)
Yep.
Justin Shelley (03:58)
you've opened up for them, right? Then you've got to figure out what stuff you actually have. What are these assets you're protecting? Know every device on your network. That's the good old days. Now we have to know every goddamn device, every piece of software, every cloud app, every whatever that every employee and contractor
Mario Zaki (04:03)
you
Bryan Lachapelle (04:19)
you
Justin Shelley (04:21)
that touches
your business has used ever. Fair? I mean, am I making it? Am I being too dramatic here? Maybe a little. Okay. Okay, okay. You said it, not me. So like these are huge lists. We're starting off by saying, go out and write the Harry Potter series. The whole thing, start to finish. That's about how many pages we're talking about going. It's crazy. It's insanity.
Mario Zaki (04:27)
Not enough.
Bryan Lachapelle (04:29)
No, absolutely not.
Not enough. Yeah.
Mario Zaki (04:34)
I'm
Justin Shelley (04:49)
But let's say you've already done your homework. You have Harry Potter up there on the shelf. You've got it all documented. Today we get into protecting it, right? How do we make things we already identified defensible in the real world? So let's get started. And I'm just going to throw this out there, Bryan, let's say that I get ahold of your laptop tomorrow and you forgot to lock it. You forgot to control-delete or auto timeout. And I'm logged into your laptop.
What's the plan? And what do I have access to?
Bryan Lachapelle (05:23)
Okay, well, if you were me, you probably wouldn't have access to a lot. I'm the one who has the least access to things in my company. That being
Justin Shelley (05:32)
Guys, write that down. Owners
out there, write that down. Bryan, say that again slower.
Bryan Lachapelle (05:37)
I have the least amount of access in my company. That being said, I have one phone call to place. I place a phone call to my senior tech here at the office and they lock out my 365 account. And that 365 account is effectively what holds all the keys to everything I have in my laptop. So if it's already logged in, if it's already logged in,
Justin Shelley (05:58)
What's?
Bryan Lachapelle (06:03)
they would have to be online, first of all, in order to try to access anything. And the moment they went online, they would get logged off. And the computer would lock itself, and the password would have been reset by my team, they would have logged out of all the sessions. So I only have one phone call to make, and my team, thankfully, has it configured in a way that it is unusable. And once the device is locked,
if they tried to access the data on a laptop, it's also encrypted.
Justin Shelley (06:33)
Is there a particular member of your team you have to talk to? Or can I just call the basic help desk, put on my Bryan AI clone and lock you out of everything?
Bryan Lachapelle (06:41)
I'm gonna keep that information to myself.
Justin Shelley (06:43)
Just curious, just curious. We have fun here. Anyways. Okay.
Mario Zaki (06:47)
You
Justin Shelley (06:52)
Well, good. So you got a plan. And while it really isn't the primary topic for today, I'm going to point that out, that that's huge, is that you have a plan and that you've
Bryan Lachapelle (06:54)
We do, yeah, absolutely, yeah.
Correct.
I am not an admin of anything on my computer. I'm not an admin of our global administrative accounts for 365. I am not an admin in any of our tool sets. There may be some files on my desktop, but they're far and few between. Everything is cloud-based. So really, they would have to be online in order to use anything on my laptop. And then the moment they go online, as long as I knew that I lost my laptop, my team would have locked them out almost instantly just by
resetting all the sessions and sending a signal to lock my computer the moment it gets connected to the internet.
Justin Shelley (07:38)
Nice. All right. You pass, Bryan. You pass test number one. Now let's talk about endpoints. You know, and this is not the first time I've said this, we talk about it quite a bit: back in the day, securing a company was pretty simple. It was geographical, you know, you had these perimeters. What's the perimeter now? It's not a building. Okay. Yeah. Kind of.
Bryan Lachapelle (08:03)
World?
Justin Shelley (08:07)
But not the whole world, because I can't be responsible for locking down the whole world. So for me, Bryan, you're my IT consultant. What is my perimeter? What is it that I am trying to protect?
Bryan Lachapelle (08:22)
I mean, I don't know, because I don't know your company, and I'd have to have an assessment done. But effectively, it's every device that has access to important data, every login and password on all of your cloud applications that have access to important information and data, and any of the vendors that you're using that also have access to that same data. So it really...
Justin Shelley (08:44)
I wish I could share my
screen right now for our listening audience and show the headline of point number one on the outline I just gave you. Endpoints are the real perimeter now, Bryan.
Bryan Lachapelle (08:55)
Well, yeah, well, I mean, I'm looking
at the document, but it's not just endpoints. It's, yeah.
Justin Shelley (09:03)
Well,
okay. So that's a great, I'm glad you brought that up actually. So I'm actually going to punt this to Mario because he's sitting over there way too comfortable and way too quiet. Define an endpoint, because I think, Bryan, you're hearing me say computer.
Mario Zaki (09:11)
I'm just watching it.
Bryan Lachapelle (09:22)
Yes.
Justin Shelley (09:22)
All right, Mario, what's an endpoint?
Mario Zaki (09:24)
It's a computer that you use. I guess it can also be a phone that you use as well, that accesses your 365 or any of your tool sets.
Justin Shelley (09:38)
A smart fridge.
Bryan Lachapelle (09:41)
Yeah, access point, smart plug.
Justin Shelley (09:41)
A website, an Azure database. I mean, this is why we have to start by doing all the inventory first, right? And figuring out what we have and where it lives. Because the endpoint is not, this isn't a simple answer, even though we kind of tried to frame it that way. And I got Bryan to take the bait. So,
Mario Zaki (09:44)
Yeah.
Bryan Lachapelle (09:45)
Thermometer in a fish tank.
Justin Shelley (10:09)
We've got all these identified. Let's get into the weeds a little bit and let's talk about how endpoints are abused. Real world examples if you've got them. We'll get a little bit technical. That's okay. And then we're going to bring this back to CEO executive boardroom conversation and talk about what it is that we need to do to protect these. So open discussion guys. Go for it.
Bryan Lachapelle (10:32)
Okay.
I'm gonna use a very odd endpoint because it's not an endpoint that most of us would think of in a traditional sense, but VPN connections. VPN connections that are available and open for people to connect to could be used on any endpoint, but in and of itself can be used on any device, even if it's not registered with the company in most cases. And so it becomes an endpoint on its own. And there was an incident that we had
Justin Shelley (10:42)
Mm-hmm.
Bryan Lachapelle (11:01)
a while back ⁓ that there was a user who had
Mario Zaki (11:06)
you
Bryan Lachapelle (11:07)
not selected a very good login and password. And that particular account was involved in a, what do they call those, not a dictionary attack, but a brute force attack, where it just kept trying to use the login and password to connect to the VPN and, lo and behold, they were able to get in. And so they had access to the internal network at that point based on whatever credentials that person had, whatever access they had.
Justin Shelley (11:19)
Mm-hmm.
Bryan Lachapelle (11:31)
So that would be one way that attackers could abuse an endpoint, is by trying to log into that endpoint, whether it's physical or virtual like a VPN.
Mario Zaki (11:40)
I'm going
Justin Shelley (11:44)
Well, I love that you brought that up because you
know, firewalls, this is, I believe, one of the technologies that is the least monitored and has the biggest attack surface. These things just sit in a closet somewhere. People forget they have them. They don't update their licenses, and that thing's building a log that is millions of lines long. Nobody's looking at it. And most of those entries are some sort of an attack coming in that people aren't paying attention to.
Mario Zaki (11:56)
Yeah.
Justin Shelley (12:13)
So yeah, that's a very good point. That VPN goes somewhere; who's monitoring that piece?
Mario Zaki (12:18)
Yeah, and
with those, a lot of them have to be updated manually, and you don't want to update it in the middle of the day because most likely you're gonna lose internet access. So you have to find a time where you can update it manually after hours, and nobody wants, you know, five o'clock, everybody wants to go home.
Justin Shelley (12:22)
Yeah.
Bryan Lachapelle (12:23)
Thank
Justin Shelley (12:37)
Yeah. You guys tell me if you see something different out there, but for me, that is the piece of technology. Well, I wouldn't call it hardware, but that's the piece of technology that has the biggest risk with the least amount of oversight.
Mario Zaki (12:51)
Yes, I agree.
Bryan Lachapelle (12:52)
I would say that, yes, combined with insecure wireless access points. What I mean by that is you've got a lot of people who have wireless access points all over the place in their business and at home, and they're using subpar passwords, passwords that could easily be breached. And because it's just floating around in the air, they can try that login and password all day long and you'd never know it.
Justin Shelley (12:59)
Okay, yeah, yeah.
Bryan Lachapelle (13:18)
And the other danger with access points is that when people leave the office, that's the last thing people think of. It's like, I got to change all these other passwords, but they forget to change the login and password their entire staff use to log into the Wi-Fi. And if they still have access to that, it's no different than them having a long network cable directly plugged into your network, plugged into whatever laptop or device that they have. Yeah, you might have other things secured inside it, but they still have a direct tunnel into your network
Justin Shelley (13:38)
Right.
Bryan Lachapelle (13:47)
that they're utilizing or can utilize to just continuously try to break into something else.
Mario Zaki (13:53)
Well, to add on to that, you'll be surprised, or I'm surprised how many guest networks are configured improperly. You know, people think that they can just create another SSID.
Justin Shelley (14:06)
It's called guest
Mario. Clearly they can't get into the main network. It's called guest.
Mario Zaki (14:11)
clearly,
clearly. You know, I sat with a prospect a few weeks ago and I was on their guest Wi-Fi, you know, because I needed to pull up the document that was emailed to me. And during our conversation, something made me want to do an IP scan for them. And I'm on the guest network.
I was able to see every computer, every phone, every access point, every, they had Ring doorbells I was able to access, you know, the firewall, the server, every, it was like 200 devices that I was able to see. I tilted over my laptop and I'm like, this is what you guys are doing now. You know,
Bryan Lachapelle (14:46)
So.
Justin Shelley (14:51)
Wow.
Bryan Lachapelle (14:52)
Wow.
Instant
Justin Shelley (14:59)
Shit.
Bryan Lachapelle (14:59)
sale and you got the instant sale, right? You were able to sell them like that.
Mario Zaki (15:02)
The signature is pending, but I feel good about it. Yeah. But yeah, to add on to that, people think that they can just create a new name and that it's done. That's not even, you know, half of it. You know, there's VLANs and stuff like that that have to be configured in the back end that nobody ever does. Or I don't want to say nobody, unless you know what you're doing. Yeah, we do too.
Bryan Lachapelle (15:07)
Good, good.
We do.
Justin Shelley (15:29)
Listen,
Mario, you just touched a nerve and now I'm going to go on a tangent and I'm just going to rant for a second because I've got a former, what are they, call them unconverted leads, I guess, you know, in our group. So this company came to me almost a year ago and they have a very small network. They use a Windows workstation as their primary file server. All of their company files are on this one computer.
Mario Zaki (15:36)
Okay. you
Bryan Lachapelle (15:43)
Mm-hmm.
Love it.
Justin Shelley (15:58)
And they called me up and it wouldn't power on. I'm like, holy shit. Like this is bad. I was like, I'm not promising you anything, but let me look. I was able to pull the drive out, put it in a little, we call it a toaster, you know, like a docking station for the drive itself. And I was able to get them all their data back, sell them a new computer. And then I came in. This is where I went wrong. 'Cause I fixed the problem first, you know, and then go in and try to, hey, here's how we make sure this never happens again.
Mario Zaki (16:10)
in you
Bryan Lachapelle (16:11)
Mm-hmm.
Justin Shelley (16:25)
This is what we prevent. You'll never have to worry about this again. And here's how we do it. And, you know, here's, you know, is this something you're interested in? Yeah, definitely. Let's do it. And I said, do I need to talk
to the owner? And I'm working, this is a law firm, and I'm talking to the admin, you know, and she's like, no, they are not technical. They want me to do everything. I make all the decisions. I have all the say, just give me the paperwork. We'll get it done. All right. Here you go. Crickets, you know. You guys are way ahead of me. I know this.
Mario Zaki (16:36)
Okay.
Justin Shelley (16:54)
And, you know, I follow up a few times and like, yeah, well, we just want to be able to call you when something breaks. I'm like, yeah, it doesn't work that way.
Bryan Lachapelle (17:01)
Yeah, the best thing I heard was, I think it was something to the effect of, success breeds complacency, complacency breeds failure. Success in this case is that you were able to successfully retrieve their information. And so now they think, we don't have to do anything. We can always retrieve our information. So they were successful in the sense that they were able to get their data back. The reality is that's the fluke. Like you probably
Justin Shelley (17:13)
Yeah.
Correct.
Yeah,
shouldn't have happened.
Bryan Lachapelle (17:29)
in most cases would not be able to get that data back. And so
Mario Zaki (17:31)
Yeah, yeah.
Justin Shelley (17:32)
Shouldn't have happened.
Bryan Lachapelle (17:34)
the next time it happens, it will fail, and they will not be able to get their data back. And then they'll shake their head going, what happened? We were able to get it back last time.
Justin Shelley (17:34)
Yeah.
Well, and here we go again, right? A year later, I get a call. Hey, it's not, it doesn't end badly for them yet. It will. Hey, the attorney, the main, you know, HMFIC here is not able to access our "server." I put "server" in quotes because it's just a Windows workstation that's completely unprotected. And so I'm like, hey, good to hear from you. Remember that
Bryan Lachapelle (17:46)
no.
Mario Zaki (18:06)
Okay.
Justin Shelley (18:12)
service agreement we talked about? Is that something you're interested in now? Yes. Send me the paperwork. Like, all right, here's the paperwork, and by the way, got you connected. And the attorney comes back and says, we're disputing all of this. We never agreed to any of it.
Fuck you. We only want to pay you for the one, you know, what, I'm like, not a problem. You guys don't owe me a penny. I'm closing your account. I'm removing all my stuff. Good luck. Good luck. Um, that
Bryan Lachapelle (18:30)
you
Justin Shelley (18:40)
computer I sold them when I, when they brought it in, it had 500 gigs worth of data. It now is maxed out. The drive I sold them was a
terabyte. It's maxed out at 95% or something. That computer's not even going to run for much longer. Holy shit. I'm just ranting because it just happened yesterday. And you talk about like having all your eggs in one basket. They literally have everything. Their entire firm is on this one computer that is about to shit the bed.
And I'm charging them a few hundred bucks a month. I'm like, I shouldn't even be doing this for them. It's a charity that I'm even doing this for a few hundred dollars a month. I have too much money. We don't want that. Fuck you. Don't fuck you. What's your name? Do you guys know that one? Never mind. I, I,
Mario Zaki (19:18)
Yeah.
Bryan Lachapelle (19:19)
No.
Justin Shelley (19:23)
I won't go there. But anyways, so I just have to rant and I'm just like, I don't know, like seriously, and maybe you guys can help me. I don't know how to get this through to people. When we sit here and we talk about this and we're going to go on for a,
you know, a quarter, three months. We're going to talk about what needs to be done and why it needs to be done and how important it is. And God damn it, they don't listen. They don't care. It's like, but then they want to call and their building's burning down. They're like, Hey, come with your fire hose, put out the fire, but make sure when you walk away, the building's exactly how it was before the fire started.
Mario Zaki (19:45)
Never, yeah.
Bryan Lachapelle (19:58)
Justin, I'm really confused here. How do you really feel about all of this?
Justin Shelley (19:59)
I'm done. I'm done. I'm out of here. It's over.
I quit. Holy shit. Okay.
Mario Zaki (20:08)
If he didn't have the microphones dropped at his desk right now, it would be a mic drop.
Bryan Lachapelle (20:14)
Listen, I learned a long time ago that what we do and what we have to offer is not for everybody. And there will always be somebody who is just completely 100 % unwilling to do anything. And that's OK, because they're not my client. They are not the people who I'm looking for. I'm looking for people who understand that technology is the root of their business. If it isn't, then they're probably not my client either. And they're willing to make some significant investments in technology because
Justin Shelley (20:15)
God.
Bryan Lachapelle (20:44)
they value it and they understand that it is a striving force for their business. And if they don't understand that, I'm okay.
Justin Shelley (20:50)
I'm with you to a point, but here's, I'll get a little bit personal here. When I was young, my parents bought a motel and they ran it into the ground. I don't know what happened. I was 12. But they lost everything. They went out of business. Now it wasn't a cyber attack. It wasn't technology related, but I watched that struggle of a family putting everything into their business and then having it just get annihilated. And the problem is I do actually care.
If I could protect that law firm for free, if they would just say, hey, you know what? We've only got this much. Can you work with us? I would do something. I would do anything to help them, but they won't. And it's like, I'm going to watch you guys. This is a small town. I'm going to watch you go up in smoke and probably you're going to be mad at me for it. And so, you know, what I do is I host a podcast with my friends.
Mario Zaki (21:29)
Yeah.
Justin Shelley (21:43)
And we sit here and we talk week after week and we tell people how to fucking do it for free if you want. Or you got ChatGPT, just go do it. I don't care, but fucking do it. You guys can tell I'm a little emotional, but it's like, God damn it. Everything you have is on the line. And okay. I'm going to...
Mario Zaki (22:00)
I mean here
And I completely agree, you know, IT, just like a lot of other industries, plumbers, electricians, stuff like that. It's not, you know, rocket science. Most people can do it, you know, but just like, you know, with a plumber, sometimes you don't want to sit there and
Bryan Lachapelle (22:18)
Thanks.
Mario Zaki (22:23)
finagle and go on YouTube videos and try to figure out how to fix your clogged pipes. Sometimes you want to just bring in a professional, have it done in an efficient manner, be done correctly, and then you move on with your day. You know, IT, you know, all the time, you know. Plumbers and electricians, they're not cheap. We're not cheap, you know, but everybody has their place, people. You know, we're not gonna sit there and run
Bryan Lachapelle (22:37)
Sometimes? Like, all the time.
Justin Shelley (22:37)
Yeah.
Mario Zaki (22:52)
you know, pipes and electricity for you, because that's not what we do, but what we do, we do it well. And, you know, we're not going to charge you an arm and a leg for it, but there's a price, and it's not a, you know, an ROI type of price for your company, but it's the price, you know, just like electricity, just like, you know, internet and stuff like that. You need it to run your company. IT is the same way. Security is the same way. You need it
to run your company or at least have your company continue running so you can sleep better at night.
Justin Shelley (23:26)
Yeah. Right. Right. And as you said, to make sure it's there in the morning, because, Mario, this law firm is going to wake up one morning and their company's not going to be there. And I don't mean they won't be able to work for a little while. I mean, they will be done. All of their information is on one hard drive, unprotected from viruses and any other kind of attack, unprotected from hardware failure, no backup whatsoever, because I have to turn it off. Even though I've been giving it to them for free. Like, I dunno, I dunno. So
Mario Zaki (23:30)
Yeah.
Bryan Lachapelle (23:33)
you
Mario Zaki (23:43)
Okay.
Bryan Lachapelle (23:56)
Okay, yeah.
Justin Shelley (23:57)
we're gonna, we're gonna like take a little Valium. I don't really have Valium.
That's my small print. I'm not really doing drugs that are not prescribed to me. Let's talk a little bit more about, like, what have you guys seen? So I'm setting up a scenario that isn't really what we're talking about, because it's not directly tied to security, but yet all of this stuff plays in together. We are talking about data loss. We are talking about preventing the unauthorized access or the unintentional deletion
Mario Zaki (24:03)
Okay.
Justin Shelley (24:26)
of data, that's what we're protecting against.
What have you guys seen, other than small law firms who won't protect their stuff, that either puts people at risk or where you've seen it actually cause problems like loss?
Bryan Lachapelle (24:40)
Okay, so a couple things here. One, there's things that you can put in place to protect against a lot of things, but there's also the concept of detect, right? You can protect all you want, but if somebody gets through, you need to be able to detect that they're in the system as well, because as many precautions as you can put in place to stop it from happening, it will likely happen at some point where somebody finally makes it through, and having detection
is important too. So it could be things like canary files, which is, for those of you not sure what that is, it's just files and/or systems that are not accessed by users. And they're just sitting there idle. And the moment somebody or something tries to access them, it automatically knows that there's an intruder in the network or in the system and then locks everything down. Anyway, there's just different ways that you can detect somebody in your systems. But once you detect,
then of course, like, kind of like Star Trek shields-up style, right? We had an incident that occurred, and I won't get into the specifics of it because it's an incident that's ongoing, or not 100% ongoing, but an attacker made their way through every single defense we had in place. But the system within three minutes detected that they were in the system and locked the entire organization down. Three minutes.
and we were able to keep the client safe and secure because we had the detection protocols in place. So protect yes, detect would be the second piece to that from, right?
Mario Zaki (26:22)
Yeah,
a perfect example of that is your 365. I mean, you can put in, you know, a really good password. You can enable, you know, two-factor authentication, but it doesn't stop hackers from necessarily getting in. I mean, if they get into the computer, they can steal tokens, but
you know, a lot of times, and what you see all the time, is a user will click on an email or click on a link, thinking that, you know, it's legitimate. And, you know, once they click on it, they think it's a Microsoft site. They put it in and they've logged the user right into their 365. So you had the protection, but now you've let them in. And if you don't have the proper detection for that, you will never know that they're in there until,
you know, one of your customers or your vendors calls you and says, hey, we all just got an email from you. Did you mean to send this? And by then it's like, my God, what the hell happened? You know, but if you have the proper detection, it will recognize that, you know, you logged in from New Jersey and then all of a sudden, you know, in Justin's Russia or, you know, Mario's China, or even like Seattle, Washington.
And it says, you know what, this doesn't look right. We're going to block out the account. You know, and I tell customers all the time, I'd rather apologize to you because your account was locked out and you lost access to your email for, you know, 20 minutes or so, than apologize to you that we didn't know that this happened.
Bryan Lachapelle (27:55)
Right. Yep.
Justin Shelley (27:59)
All right. So let's talk about, put on our CEO hats, and like, we aren't going to do all of this stuff ourselves. I hope. I mean, honestly, if you got time to kill, go for it, get ChatGPT out or your AI friend of choice and plug in, how do I protect my company from all cyber security threats, and get to work. But at least that's something, you know, go do that. God bless. But let's assume that most CEOs don't have that kind of time.
Bryan Lachapelle (28:19)
you
Yeah.
Justin Shelley (28:29)
What do we tell them on how to make sure this is being handled within their organization? Because this is what we hear all the time, right? My IT guy's got it covered. Well, do they? How do you know? 'Cause you write them a check?
Mario Zaki (28:37)
Well.
Yeah.
Bryan Lachapelle (28:47)
I mean, yeah, you guys have heard me rant
on this a couple of times, but there's a couple of things. One is have a second opinion. Always have a second opinion. Always have somebody else watching over. If anything, just from a point of view of making sure that the person you have doing it is doing it. It could be a third party, or it could be a monitoring system or software, or it could just be you who has a checklist of things that should be in place and you spot check them, right? Are the backups working?
Mario Zaki (29:01)
you
Bryan Lachapelle (29:16)
I don't know, let me create a file today, and two days from now I'm gonna ask them to restore that file after I've deleted it, see if they can restore it. That's an easy test anybody can do right now
today to see if their IT company is currently backing them up properly. Because if they are backing them up properly, they're backing up multiple times a day.
Justin Shelley (29:33)
I'm gonna pause you right there. Please, people, don't go out and delete your entire file server to test your IT company. Or a file, you better move it to somewhere where you know where it is. Okay, okay, okay, okay.
Mario Zaki (29:35)
Yeah, don't delete, don't delete.
Bryan Lachapelle (29:38)
No, no, no, no, no, no. What I was saying, I said a file, a fake file. Create a file today,
Mario Zaki (29:43)
That's
Yeah
Bryan Lachapelle (29:49)
and two days from now, delete that file, then ask them to restore that file. Yep.
Mario Zaki (29:51)
Yes, me and Justin both
Justin Shelley (29:52)
Well, I'm still clarifying
Mario Zaki (29:55)
cringed. We both cringed.
Justin Shelley (29:55)
because the casual listener just heard, yeah, I'm gonna go delete shit and see if they can get it back.
Bryan Lachapelle (29:59)
No!
Mario Zaki (29:59)
Yeah
Bryan Lachapelle (30:01)
Yeah, don't do that.
Mario Zaki (30:02)
Yeah, because if they fail,
they fail. A, you have your answer, and B, you still have your file.
Justin Shelley (30:05)
Right. Yeah, you don't want that answer.
Bryan Lachapelle (30:10)
No, no. But yeah, just have a checklist of things that should be happening and get confirmation that they're happening. If you're paying for a set of things and it's on your invoice, make sure it's itemized to the point that you know what it is you're paying for. There's a lot of times I've done assessments and audits for organizations where they say, yeah, everything's covered. And what they're paying for is their 365 subscription, right? That's what they're paying monthly for. They're not paying for anything else. They're not paying for backups. They're not paying for antivirus. They're not paying for EDR. They're not paying for
Justin Shelley (30:35)
Mm-hmm.
Bryan Lachapelle (30:40)
maintenance, not paying for, and if you're not paying a monthly fee for your services, you are not getting services. And there's so many people I've seen around like, my IT guys have that covered. Okay, let me see the invoice. Oh, they don't send me a monthly invoice. It's just whenever we call them. They'll take care of stuff. And there's nothing, there's no proactive services. There's no updates, there's no systems in place to be able to protect you. That doesn't exist. There's no such thing as a...
Mario Zaki (30:46)
Thank you.
Bryan Lachapelle (31:09)
Set it once upon a time and then I'll just call you whenever I need you.
Justin Shelley (31:12)
Okay, let's go ahead Mario and yep.
Mario Zaki (31:12)
Now, well, one more thing I'm going to add,
and stop me if you guys have heard this before, because I've heard it a couple of times. Just because your data is on the cloud does not fucking mean you're protected. Okay. It just means your leverage is different. Okay. It's not okay. A server that's in the back,
Justin Shelley (31:19)
Okay.
Bryan Lachapelle (31:26)
Mm.
Justin Shelley (31:30)
Sure it does.
Mario Zaki (31:38)
you know, that you have to watch. It's something else that you have to watch. And do you even know what cloud it is? There's a lot of fucking clouds out there, you know, and I hate it when people say, oh, we're okay, it's on the cloud. You're like, okay, what cloud is it? What do you, I don't know, my IT guy knows. Like
Justin Shelley (32:00)
Brian, you're such a smart ass. He's
looking up at the sky. There are no clouds here. Blue sky is where I'm at, Mario.
Bryan Lachapelle (32:04)
You
Yeah, I don't know where you keep your clouds, but I keep mine up there.
Justin Shelley (32:11)
Okay
Mario Zaki (32:11)
In New Jersey, it hasn't been sunny in a while. There's a lot of freaking clouds.
Justin Shelley (32:15)
Let me add to what you're saying, Mario, because the problem with what you just said is that there's enough evidence to the contrary to put people into a false sense of security. Dropbox is a good example. I had a client a while back that put everything on Dropbox, and I told them, you know, at the time we didn't have a system to back up Dropbox. They didn't care. They didn't want it, whatever, you know, like I've dealt with some shit clients. But then one day they call me up and like, all my files are gone. And I get up there and,
Mario Zaki (32:38)
Mm.
Justin Shelley (32:45)
Thank God Dropbox has this rewind feature or whatever they call it, and I was able to get it to restore the files that were deleted. Now nobody knows how they got deleted, whole different story, but that is a false sense of security because some of these cloud, a lot of these cloud storage places, they give you the illusion that they're protecting you. They give you just enough information, marketing information, to lead you to believe that you're safe. It's not like people are just stupid and they throw it in the cloud and they think they're protected.
They're being led to believe that. So I want to make that point, like, just be careful and don't trust it. It doesn't matter, because what are you going to do? Stop paying your $15 a month if they lose your data? Oh no, that's going to hurt them. You're still out all your files.
Mario Zaki (33:27)
Yeah.
Bryan Lachapelle (33:28)
Mm-hmm. Yeah
Yeah, it's the same analogy as, you know, like I have the right of way when I walk across the street. The cars have to stop for me. Well, if it misses, what's the, if they don't stop, who pays the price? You do, right? It's the same thing with your data. If they were supposed to back me up, they were supposed to take care of my stuff, but they didn't, who's responsible?
Justin Shelley (33:35)
Right. That big semi, oops.
Yeah. You're still dead.
Mario Zaki (33:49)
And let me tell you, the
big guys, Google, Microsoft, they say right on their website they're not backing up your data. It's your responsibility to back it up. If.
Justin Shelley (34:05)
But you know where they don't
say that? Where you put in your credit card number. That's not the place where they warn you that you have to back up your own stuff. That's where they make all the promises about how easy it is.
Mario Zaki (34:13)
And the thing is,
sometimes it's not just a matter of protecting just from the hackers. It's, you know, errors and omissions. You know, like sometimes you may have an employee that, you know, unfortunately, it's very easy. Sometimes instead of clicking on something, they drag a folder, they drag it into another folder, and, you know, all of a sudden you can't find it, or you forgot what it, you know, because, you know, you can search for it, but if you forgot what the name of it is.
Justin Shelley (34:23)
Correct, yeah.
Mm-hmm. Mm-hmm.
Mario Zaki (34:41)
You know, like it's not easy. So sometimes you want to kind of just go back to what it was, what it looked like, you know, yesterday, and then you can easily find it. You know, having tools like that in place will make your life a lot easier.
Justin Shelley (34:56)
All right, so I'm going to bring this back to endpoint hardening. I'm a CEO. I don't know jack shit about any of this stuff because I don't want to and it's not my job. Give me just enough information that I can hold them accountable. What's the checklist? Cause Brian, you mentioned a checklist, and we've kind of thrown some things out there, but let's come up with five things. And I'm going to say, first of all, guys, that's why we started off with frameworks, because that's where the answer to this pop quiz lives.
Bryan Lachapelle (35:12)
Mm-hmm.
Justin Shelley (35:24)
But short of that, since nobody's going to go out and pull a framework and read it, nobody's going to get on ChatGPT like I keep telling them to do. Give us five things.
And actually let's go with two each. We'll just go with four. Brian, you go last because you keep talking too. Mario keeps trying to sit there quiet. Mario, your top two things that a CEO should check to know that his endpoints are properly protected.
Mario Zaki (35:40)
The first thing is make sure that it's up to date. You know, just click on your search button and click on update and click on check for updates. Is it actually being updated? Okay. The next thing is going to be
Justin Shelley (35:53)
Okay.
Windows updates, okay?
Mario Zaki (36:05)
a good security tool, not just an antivirus like a Norton, Symantec or McAfee that comes with your computer that doesn't do anything. I'm talking about a real security detection that will not only prevent but detect if something's in there.
Bryan Lachapelle (36:25)
Okay, mine are probably a little easier to check. One would be encryption. Are all the device drives encrypted? If you're talking about a mobile phone, is it encrypted? And there is a check for that. And if it's on a Windows desktop or Mac desktop or laptop, is it encrypted? Is the drive encrypted? The next thing would be
Justin Shelley (36:26)
OK, Brian, next two.
Bryan Lachapelle (36:52)
And there's no reason for anybody to have local administrative access to their local machine. So just verifying that the user,
the logged in user, is not an administrative account. That would be the two checks and balances. Now, it doesn't mean that you can't create a local admin account that the person could use to install software, but they should have to log out of that account, log into another account that's local, install their stuff, whatever they want to do. Of course, the password should be long and complicated.
Mario Zaki (37:06)
Okay.
Bryan Lachapelle (37:21)
and then log out and log back in as themselves. That would be the ideal situation. But for the most part, people don't need a local administrative account in most cases. IT can take care of it.
Justin Shelley (37:31)
And God forbid
you're logging into your workstation with a network admin account, right? Like, have you ever seen that? Because I swear I've seen that plenty. What's the network or the administrator password for your server? And it's, I shit you not, on a sticker on their monitor at the front desk, and on the server, by the way, and on the server. I'm talking about a very real, very specific case, different from the one I was bitching about a minute ago.
Bryan Lachapelle (37:38)
Don't say that.
Justin Shelley (38:01)
right there on the server, and everybody in the company used the same credentials, the domain admin account. God damn it, guys. I need to, well, I'm really actually disappointed in both of you that what didn't come up at all was the, we call them quarterly reviews or whatever, but I would just say if you're not having a heart to heart with the one you're writing a check to, to protect you from all of these threats, if you're not having a
Mario Zaki (38:03)
On the firewall. I've seen it on the firewall.
Bryan Lachapelle (38:10)
Boy. What are you, two, Justin?
Justin Shelley (38:30)
face to face, eyeball to eyeball, heart to heart conversation with them on a regular basis, you're not protected. You're just not. I'm sorry. Like, if you're not holding them accountable for what you're paying them for, you can assume it's not being done. I can't tell you how many times I've talked to a client, to a prospect, not a client, a prospect, and they think they're good. And then I go start sniffing around. Yeah. I mean, I see the invoice. I see that they're paying for it. It's not there.
Bryan Lachapelle (38:59)
Yeah. Why do you... Go ahead, Mario.
Mario Zaki (38:59)
Yeah, let
me, I always ask this to prospects, and I shit you not, probably out of like 300 people we've sat with, I think only one person has said yes, I get it.
Every time I ask them, where's your weekly backup report? Okay. It's very easy. Any backup system that you use, that MSPs use, you can easily put in the person's email address and it sends them a daily or weekly or even monthly report that says this server or your computer has been backed up. Nobody, nobody has it.
Justin Shelley (39:39)
You know what I,
you know what I caught my techs doing a while back. I'm going to tell on myself, at least my company. This was probably seven or eight years ago. For all of our clients, they would create email accounts to send all of our alerts to, because the client didn't want all the information. So you could go and say, Hey, where is this information? I don't know. It goes to some, you know, we couldn't cut it off. We can't just turn it off. So they just make an account that nobody had to look at.
Justin Shelley (40:08)
for the alerts. I'm like, brilliant. Fucking brilliant.
Bryan Lachapelle (40:11)
We have clients who
don't want to have the backup reports. So we just bring them to the quarterly reviews either way. But a lot of them are like, I just don't want to receive this in my inbox every day.
Justin Shelley (40:15)
Yeah.
Mario Zaki (40:21)
And
I do too, I do too, but the thing is, you know, we wait for them to tell us we don't want it anymore. You know, all the other people that I sat there with were like, no, I don't think we've ever, you know, saw that. No, I don't think they offer that. Well, I'm like, well, how do you know they're backing you up? You know
Justin Shelley (40:39)
It is why we're transitioning to dashboards, though, instead of emails, cause let's be honest, I mean, inboxes are just full and they're full of noise. The ticketing system, I say that I kind of, taking a dig at my guys, I don't like that they did that. And I especially don't like that they did it without letting me know that they were doing it. But these ticketing systems are noisy. They're noisy for us and, you know, even for the clients, they're noisy. So,
Mario Zaki (40:52)
Yeah.
Justin Shelley (41:06)
whatever it is, have some visibility as the CEO. You better know something about what's being done to protect your endpoints. Cause if you don't know, if you can't answer some questions, I mean, that's worse. That's the worst case scenario, is to not know.
All right, guys, I've got to get to my blood pressure medication. So I think we're going to go ahead and wind this one up a little, wind it down. I've already wound it up. Let's go ahead and wrap up with just, you know, final thoughts, key takeaways. If we condense this 45 minute bitch fest down to 60 seconds each, what would your piece be, Mario?
Mario Zaki (41:30)
Okay.
Bryan Lachapelle (41:35)
Hahaha!
Mario Zaki (41:52)
For me, I would say, you know, what's that expression? You know, I forgot what it is. Like, you know, when you assume, you make an ass of yourself and me or somebody. Yeah. Yeah. Don't assume that because you're paying them or not paying them that you're covered. You know, find out, get more information, you know, just like, you know,
Justin Shelley (42:03)
When you assume, you're making an ass out of you and me. A-S-S-U-M-E.
Mario Zaki (42:18)
You, you, you, nobody likes to hear the words, like when a client says, what do we pay you for? But no, you need to know what you're paying for. You know, you need to know that your check every month that, you know, is being cashed is worth its while, or worth your while. You know, you don't even necessarily need to hold them accountable. Double check their work. Have them
show you, and if they're not, like Justin says, if they're not doing a review with you every couple of months, then ask them, you know, okay, well, how's our backup? How's our, you know, show me our security. How many alerts have we got? You know, how many of my people have clicked on bullshit links, you know, stuff like that. You know, they may not have every answer for you right then and there, but they should be able to produce something.
Justin Shelley (43:16)
And let them know you're watching them. Like, if you really want to know you're getting what you pay for, let them know you're watching.
Bryan Lachapelle (43:23)
What gets measured improves.
Justin Shelley (43:25)
Yep.
Mario Zaki (43:26)
Yeah.
Justin Shelley (43:27)
All right, Brian, what's yours?
Bryan Lachapelle (43:29)
My takeaway would be this. If you are a business owner, do a tabletop exercise. Pretend your laptop got stolen, pretend your operations manager's laptop got stolen, and find out what would happen. Figure out what would the person who has your laptop have access to? What would be the procedure that you would have
Bryan Lachapelle (43:51)
to take in order to lock that down? Or do a tabletop exercise on testing your backups.
Create a file, delete it a couple days later, and then find out if whoever's doing your backups can restore it. Even if it's internally done, you can still do these types of tests. If I were a business owner not in IT, I would have a series of small things that I can do maybe once a month that I can test to verify that the IT company that I'm working with
Mario Zaki (44:05)
So, I'm going to
Bryan Lachapelle (44:22)
is doing what they say they're doing.
And it could be as simple as once in a while I check to see if there are any updates available on my own computer. Now, granted, there might be some
Bryan Lachapelle (44:31)
recent ones, but nothing beyond 15, 20 days. Is my file restorable? Come up with various tests and test them. That's my takeaway.
Justin Shelley (44:47)
All
right. And I'm going to give the best piece of advice I can give anybody. And I obviously believe this because, guys, I put a lot of fucking time into this podcast. I don't get paid for it. I don't get a single penny for this. And I'm going to tell you business owners, this might not be sexy, fun or exciting, but God damn it, listen to this podcast, because just being aware, just being in the conversation anywhere is going to put you miles ahead of your competitors and miles ahead of
where they are in relation to the acts of devastation, whether they're acts of God or acts of Russian hackers or whatever. Somebody's coming for you. So I'm sorry that you don't like technology or you don't like cybersecurity, but you know what? I don't like finances. If I'm going to run a business, I better know something about them. When I get on the treadmill, I'm learning something about my business that I don't currently know, whether it's exciting, fun or not, because I want my business to grow and I want to be able to keep it. So
Mario Zaki (45:25)
Okay.
Justin Shelley (45:46)
That's my takeaway. It's a shameless self plug for what we do
here, week in and week out. And saying it again, guys, you guys don't get paid either. I know I'm not cutting your check. I don't know if anybody else is. But with that, I will say, as always, thank you very much for being here and joining me. I don't say I couldn't do this without you guys, but I don't think I would, because I just get tired of hearing my own voice. Who am I kidding? No, I don't. Anyways, God, I'm on one today.
Go to unhackmybusiness.com, guys, for show notes, for other episodes, for our self assessments, for all the free resources we have. But I will tell you, you get what you pay for. And while we do all offer some sort of a free assessment, you probably want to put a few dollars behind it and make sure it's done right. I'm going to say that because our free assessment, you know, personally at Phoenix IT, is not the same as the one that we do for money. It is high level. It'll be an eye opener, but it is not a deep dive and it is not a framework
Mario Zaki (46:18)
Mm.
Justin Shelley (46:45)
alignment process, which is what I really do recommend. So that's what I've got, guys. Final goodbyes, Brian, then Mario, and then we're getting the hell out of here.
Bryan Lachapelle (46:55)
All right, my name is Bryan Lachapelle, President and CEO of B4 Networks. If you're looking for somebody to help you with your business and be your guide, give us a call.
Justin Shelley (47:04)
Mario.
Mario Zaki (47:04)
Mario Zaki with Mastec. I just want to say thank you, everybody. If you guys have any questions, you don't have to be a customer of ours. Definitely reach out to us.
Email us any questions. We're always here to help. No matter if you're our customer or not, we want to just educate everybody and make sure everybody is safe and secure and will sleep better at night.
Justin Shelley (47:33)
Perfect, guys. Seriously. Thank you so much. Appreciate it. And I am Justin. Remember to listen in, take action and keep your businesses unhacked. We will see you next week. Take care, guys.
Mario Zaki (47:41)
On that.