79. Your Backup Strategy Is Probably Broken (And It Will Cost You)

Justin Shelley (00:00)
Welcome everybody to episode 79 of Unhacked. We are, I don't know if we're midstream, but we're well into our mini series on cybersecurity basics. I don't think that's what I've called it before, but it's something like that. Like we're just talking about, you know, because we always say breaches are preventable if you just do the basics. Well, what are the basics? Here we go. Listen to the 12 episode mini series. It's only, you know, 12 hours out of your life. You'll get through it.

God, that was a terrible introduction, wasn't it? Right, as I said, we're gonna try to keep the introductions short. So let's roll. I'm Justin Shelley, CEO of Phoenix IT Advisors. You know, my company would help businesses make more money, build their wealth, and then protect that money from the Russian hackers, the evil government, the fines and penalties, and the class action lawsuits from them greedy attorneys that come sniffing around after something goes wrong. That's what we do. Mario, tell everybody who you are, what you're doing, who you do it for.

Bryan Lachapelle (00:31)
Hahaha

Mario Zaki (01:00)
Yeah, Mario Zaki, CEO of MassTech IT located in New Jersey, rainy New Jersey today. We are a managed service provider helping small to medium sized businesses stay safe and specialize in giving the ability for the CEO to sleep better at night knowing that their company will be there the next day from those Russians and other hackers.

Justin Shelley (01:26)
See fine print. Bryan, you're up next. Tell everybody who you are and what you do.

Bryan Lachapelle (01:30)
Yeah, I'll keep it super simple. My name is Bryan Lachapelle, based out of beautiful Niagara, Canada. We help business owners remove the headaches and frustrations that come with dealing with technology.

Justin Shelley (01:43)
And I'm here to attest that those are many. There's a lot of headaches. I mean, I know what the hell I'm doing and I still get headaches and frustration. Whatever. All right, guys, today we are going to talk about something that I know excites both of you, especially you, Bryan, data backup. And as I introduced the title, you had a rather negative reaction. Bryan, tell me how you really feel about data backup.

Mario Zaki (01:47)
Mm-hmm

Bryan Lachapelle (01:47)
Many,

Well, I think my reaction was like this again, like, oh my gosh, I'm just, I guess I'm just like exhausted talking about backups. It's, to me, it's almost like it's a no brainer. It's obvious like, hey, you know, you have to, you have to back things up. And it's like, we're a broken record player and it's exhausting having to repeat the same thing over and over again.

But it seems like it's just such an important piece of the cybersecurity stack. It is literally the last line of defense, right? If you have lost everything else and you've gotten a breach and you've lost it all, the only recourse you have is to go to your backups. And it's still shocking to me how many people still have archaic backups or no backups at all. So I guess I'm just exhausting.

Justin Shelley (03:00)
I feel like you just summarized the entire podcast Unhacked. Also, my life, your life, Mario's life, it's exhausting telling people, these are the stupid things you've got to do all the time. And then you go out and you bring in a new prospect and you start poking around and you start asking them what kind of data backup they have and what do they say, Mario?

Bryan Lachapelle (03:05)
All we're done.

Yeah.

Yeah.

Mario Zaki (03:25)
We don't have one. Or we don't know.

Bryan Lachapelle (03:25)
Well, my IT guy's got

Justin Shelley (03:26)
No,

Bryan Lachapelle (03:27)
that covered.

Justin Shelley (03:28)
no, no, no. Go back to what you told us before I started recording.

Mario Zaki (03:33)
Me? Sorry. We have a...

Justin Shelley (03:36)
Guys, I lob you softballs and you miss them every time! Jesus Christ!

Bryan Lachapelle (03:41)
Hehehe

Mario Zaki (03:43)
They say that, we have tape backups that we're rotating every day.

Bryan Lachapelle (03:48)
My reaction was like, are we in 2026 and people are still using tape backups? Like, what?

Justin Shelley (03:55)
I didn't know you could even buy, can you even buy tape media anymore?

Bryan Lachapelle (03:58)
I just...

Mario Zaki (03:59)
No, but they're probably using

Bryan Lachapelle (03:59)
I have no words.

Mario Zaki (04:00)
the same ones that they got in like 2006 and probably the last time they tested it was in 2006.

Justin Shelley (04:03)
Now.

So I was gonna ask, did you test? Like, do you know that there's actually data on these backups?

Mario Zaki (04:12)
I don't know. This is a prospect. It wasn't a customer. You know, he was saying it was there. They have like one server backing up to another server and then they have files thinking, you know, literally he's got a, uh, he's using Robocopy to transfer from one server to the other. And then he backs up the whole thing with tape backups. It was like, oh my God. I'm like, yeah, this is a disaster waiting to happen. You know,

Justin Shelley (04:14)
You haven't seen them yet. Okay.

Bryan Lachapelle (04:41)
Yeah, and let me guess those tape backups are stored in a fireproof vault on site.

Mario Zaki (04:46)
I didn't even ask him about that because I-

Justin Shelley (04:48)
Don't worry, the manager is also rotating them out every week and taking a copy home. Therefore air gapped and offsite and, you know, cloud based.

Bryan Lachapelle (04:56)
Yeah.

Mario Zaki (04:57)
Yeah, yeah,

Bryan Lachapelle (04:57)
Yeah.

Mario Zaki (04:58)
it's secure in the owner's basement every week and whenever he remembers he brings the other copy in and, you know, one day they'll test it.

Bryan Lachapelle (05:06)
Yeah.

Justin Shelley (05:09)
I mean, listen guys, this is, and Bryan, you're right, because we've talked about this so many times, but I am gonna say it again. This used to be normal. And that's why it's so important that we talk about it now, because we are not living in the same world we were when backups were simple. We're talking about this today. We have a full episode on it because backups are not simple. I'm gonna give you three examples, all right? Three little war stories. And then if you guys got some more, Mario, you already...

Bryan Lachapelle (05:19)
Yeah.

You're not.

Justin Shelley (05:37)
You're off the hook because you just gave that one. But if you got any frontline stories down in the trenches, I want to hear them. But here's mine. This was, God, probably 20 years ago, right? So we're going way back. A local library called from a community college. They call up and they say, our server is dead. And turns out they rebooted it for some reason and it didn't come back online. So I bring in the shop. We start working on it.

Mario Zaki (05:39)
the

Justin Shelley (06:05)
I'm sure as shit like it's not coming back. The hard drives are cooked. We're done and I'm like, you know, I see this nice little tape backup device on your server. Please tell me you have some tapes. Like, yeah, no problem. So they bring me this cardboard box, I shit you not, filled with tapes. I start, you know, going through one at a time. There is not a damn thing. There is not a damn thing on these tapes. They've never run. OK, point number one.

Bryan Lachapelle (06:26)
cataloging them.

Justin Shelley (06:34)
Make sure your backups are actually running. Right. Number two, I had a client and I'll admit that this was a client and this was a process that was broken on my end. I don't have a problem admitting this because I learn every day because everything every time somebody surprises me. And they come back and they're like, hey, I need you to restore our QuickBooks file. I'm like, all right. We go into our backups and like, there's no QuickBooks file. Like, well, where's your QuickBooks stored at? It's on my OneDrive or some... I don't know if they had moved it. They were putting it somewhere else and it wasn't being backed up by our system.

So what I learned is we have, this was a long time ago by the way, but we have to go in and constantly have these conversations with our clients about what kind of data do you have and where are you storing it so that we can properly back it up? Right? Because if we don't know about it, you made a change. We're all cooked. Number three, and I talk about this one all the time. Ransomware, right? We had a client that got ransomware.

We had backups that were rock solid. And unfortunately it was backing up infected files. So when we had tried to do a restore, it was just restoring the bad guys. The Russians, this is why I always talk about the Russians, because it was Russian hackers who had planted stuff in probably at least months back and maybe even as much as a year back, they had gone undetected living on that network for a very long time and had very deep roots. So we had to rebuild from scratch. So the point of that is,

Backups are not a one size fits all, end all be all. You have to have more lines of defense than just a good backup. So with that guys, let's dive in and let's start talking about how do we untangle this mess that used to be very simple. Tape backups were fine. Now what? What do we do? I'm punting to you guys.

Mario Zaki (08:24)
I would say if you're not gonna consult with a professional that does this day in and day out, and I usually have dedicated people doing it, at the very minimum, you have to pick a good solution and test it over and over again. Maybe like a...

Bryan Lachapelle (08:24)
Well, I'll go ahead, Mario.

Mario Zaki (08:50)
You know, in the beginning, do a weekly test and maybe you can go to a monthly test and stuff like that. I wouldn't wait too long. I wouldn't wait longer than what you can afford to lose. You know, if you can afford to lose stuff over a week, then test it weekly.

Justin Shelley (09:10)
Yeah, Bryan, thoughts?

Bryan Lachapelle (09:13)
Yeah, I will add in that the backup landscape has changed a lot in the last 10 years. We're no longer just talking about backing up your desktop or your server. We've got dozens, if not more, cloud applications and the data is dispersed throughout all these different cloud applications and Office 365, Gmail, QuickBooks Online. There's lots of places where the data could potentially live now. It's no longer just in one nice little storage area.

And these days you also want to consider backing up multiple times per day, depending on how much the data is changing and removing the human element from the mix, right? The days where somebody is rotating a tape or rotating a drive or is responsible for switching something to make the backups happen, that has got to go. It needs to be automated. And the only place where a human should be involved is in testing that the backups are working. And not just looking at log files for the love of God. Let's please actually restore files and verify that the data is actually on the backup. The right data, yep.

Justin Shelley (10:25)
The right data, no less. We've had backups running and you go to restore and like it was giving successful, you know, you're successfully restoring the C drive. Great. Until you run the application and the data stored on the D drive. And somehow that one wasn't being backed up. That's why you got to audit this stuff.

Bryan Lachapelle (10:37)
Right.

Right. Yeah.

Mario Zaki (10:42)
Yeah.

Bryan Lachapelle (10:44)
Right. So like our restore process involves typically restoring the entire environment and testing it offsite to verify that it all works. And then that's the last piece, an offsite version of that data. It can't remain on site. It's not something, you could have an on-site component to the backup for rapid restore, but you need to have somewhere where it's physically separated from your network, air gapped in a way that an attacker who has gained access to your network isn't able to go into wherever you have it stored and delete that backup. So that would be the second part to my rant.

Justin Shelley (11:25)
And there's, I don't know if I want to give a pop quiz or just give the answer. We call this immutable storage, right? You guys, you know this term. Anybody want to take a stab at what immutable storage means?

Mario Zaki (11:39)
Go ahead, Bryan.

Justin Shelley (11:40)
Back. Alright, I'll do it. I'll do it. I posed the question. I do give you guys the, you know, the... what do they call it when they do test prep in school? It's like, you know, here's what you need to study. But you guys don't. Anyways, immutable, it's on the outline is what I'm trying to say. Immutable backup is where it's, once written, it cannot be modified, overwritten or deleted.

Bryan Lachapelle (11:40)
No, I'm gonna punt it back to you there, Mario. Because now I'm afraid of getting it wrong.

Mario Zaki (11:42)
Hahaha

You

Cliff notes.

Bryan Lachapelle (12:04)
I see it.

Yeah, OK. And that's what I suspected. Yeah.

Justin Shelley (12:10)
So because it's kind of what you said,

Mario Zaki (12:12)
I was just about to say that,

Justin Shelley (12:14)
Bryan, which is why I brought it up. Whether you use the right term or not, that's the concept is because one thing that will happen is the bad guys get on like, they'll sit there and watch for a period of time, as I said previously, and they learn what's going on. They learn where your backup data lives, what system you're using. And if they're really good, they'll get the credentials.

And then they can go in and completely undo your backup and delete it, right? So if you have an immutable backup, it can't be deleted. You know, you prevent that risk as well.

Bryan Lachapelle (12:48)
Yeah, I was going to say that the type of backup we use is immutable. I don't even believe our own team can delete the data. We can say we don't need this anymore. And 30 days later, the client's gone or whatever the case may be. But I don't believe even our own team has access to delete that. Definitely not the credentials used to store the backup or upload the data. That account definitely doesn't have access.

Mario Zaki (13:10)
Yeah, and one more thing I want to have the listeners understand: you know, you're backing it up for multiple reasons. You know, there could be a hardware failure. It can be a hacker or it can be an accident. You know, I deleted something or I even modified something and I need to go back to it. You know, I've had people, we've seen people like, oh, I updated a template, you know, that we usually leave blank and I saved it and we overwrote it, you know, and it's not on 365. So you can't just reverse it.

So there's different reasons you're backing up. You know, all of them can happen at any given time. And thank God, knock on wood, the majority of the time that we do have to restore something from a backup is because something was accidentally either deleted, moved, like they dragged it into somewhere and they don't know the name of it or, you know, they overwrote something that they shouldn't have done.

But hardware failure happens all the time, which is always good to have a backup and disaster recovery where depending on the company, if you can't afford to have a server down for more than say an hour, you want to have a standby server waiting to just turn back on and resume where you left off. Or obviously, hopefully never happens.

Bryan Lachapelle (14:30)
Yeah.

Mario Zaki (14:36)
you know, hackers.

Bryan Lachapelle (14:38)
Something you mentioned, Mario, made me think about another component to backups that a lot of people I think miss, and that is it could be that the system you're backing up could be a specialized system that while you have the backup somewhere else and the data somewhere else. Let's say I'll give you an example like a payroll computer. So maybe you have payroll local for whatever reason, is an application on Joe's desk and...

Yeah, while you could reinstall the data or the software and you can get it all back up and running, maybe it takes like three, four days to reconfigure from scratch. You can't wait three, four days in the event of that system being down and it's the day of payroll. So analyzing different aspects of your business and saying, this is a critical component, this is a critical piece. This particular PLC or this particular computer runs the entire factory floor or this particular factory line, or it's a payroll system or it's a time clocking system.

Having backups of those, even if it's not a data backup, having an actual backup unit for those units, those are all things that should be considered when we're talking about backups. It's not just data backups, it's also operational backups. What can we do to get back up and running in the event something critical or catastrophic happens across the environment? What are the pieces that we need to consider and what order should they come back in the event of a complete loss of the entire network, right? Maybe getting the server up and running isn't the most important thing. Maybe it's a specific user or specific desktop that needs to come up first because they're more critical than anything else. So just analyzing that piece as well.

Mario Zaki (16:20)
Yeah.

Justin Shelley (16:21)
Yeah, yeah, because I mean, ideally, you've got this all documented, right? Where it's not just. So here's I'm going to what I started doing. And this is like I said, I had that client come up and say, hey, restore this. I'm like, well, it's not where it used to be. So I run through this exercise with my clients now. And what I do is I because it's if I just say, where's your data, they're going to point to the one or maybe two if they're getting the gold star places that they know data exists.

Bryan Lachapelle (16:25)
Hahaha

Justin Shelley (16:51)
And so I don't ask them that. I start with, you know, data retention period. Like how long do you need? If you mess up and delete a file today, what's the worst case scenario where you might need it back? Is it a month? Is it a year? You know, or do you have regulatory requirements for this? So we start with that. How long do you need to have something, be able to restore? And then I go through their processes, their business process. So we're going to start with biz dev, everything that is involved in bringing clients or customers or patients into your organization. What application do you use? What process is it? Where does that data live? And what's your plan to back it up? You know, what is currently being done? And then maybe, you know, a check mark of or a date of when it was last tested.

Then we go through operations. What is every piece of software? And I don't even want to talk about software first. I want to talk about the process. Tell me what it looks like when you deliver your widget. From start to finish, what does that process look like? And let's talk about every piece of software that touches it. Every place that information might be stored and we write it down. What's the application name? Is it on-prem or is it a cloud-based server? Whichever. Where does that application store the data? And you know, prove it. Because it's one thing to say, it's on the server. Well, until it isn't, like the QuickBooks file that went missing.

You know, and then HR, finance, admin. We just go through every single process and ask them what does that process look like? What software is used and where does the data live? And then, you know, we lock in that plan. So is that enough? Is that it? What else do we need to back up? Because it's not, right? Bryan, what do you got?

Bryan Lachapelle (18:29)
Well, this is not about backups. So once you've identified everything you need to backup and where you need to back it up and how often you need to back it up and how long you need to have the backups for, there's another critical piece that we have to consider is if it's going to take a significant period of time to get back up, what is your, how do we survive being down, right? What is your manual processes that you're going to use? So I love going back to the,

Justin Shelley (18:32)
Okay.

Yes.

Bryan Lachapelle (18:57)
to that one time where we went to a conference and the hotel we were in had literally just had a breach. We arrived and they were in, yeah, they were in the middle of it. And honestly, I was shocked at how smooth the entire process was. They had a person sitting at every floor of this massive hotel.

Justin Shelley (19:00)
Mm-hmm.

They were like two days out from ground zero, yeah.

Mario Zaki (19:11)
In the middle of it,

Bryan Lachapelle (19:25)
that would let people in their rooms, because the key system was down. They had backup payment methods to accept payments from clients, from people like me. So they would send me a text message and I would pay it online because their payment systems were down. They had manual processes for everything. And it was absolutely fascinating to see a company and an organization as big as this organization show, and we were all IT people there, which is ironic, show us.

Justin Shelley (19:42)
Yeah.

I know.

Bryan Lachapelle (19:54)
Like this is what happens when we got breached and we're still able to function as a business. And it was actually pretty eye-opening to me. So I guess I go back to the original question is, after you've analyzed everything you could back up and you have a system in place for that, how are you going to survive being between the failure and the restoration? What is your plan to survive that period of time? And how can you put in manual processes to be able to survive it?

Justin Shelley (20:10)
In the meantime, yeah.

Yeah. Good call. Mario thoughts.

Mario Zaki (20:23)
Yeah,

and you know, to add on to Bryan, this was literally a couple months after the MGM, you know, Las Vegas breach. And none of us, I don't think any of us were there for in Vegas when it happened, but we all saw on the news how much it was not only a disaster for just one hotel, but it was like several hotels. You know, they had zero things in place as a backup plan, you know.

Justin Shelley (20:32)
Right. Yep.

Bryan Lachapelle (20:32)
Yeah.

Right.

Mario Zaki (20:52)
Forget about the gambling, but people couldn't get into the room. They couldn't check in. They couldn't do anything. the law, yeah.

Justin Shelley (20:56)
The elevators weren't working, I think, I don't know, it's been a while, but it was a mess. Yeah. So, so one example of having a good plan in place and one example of maybe, maybe not.

Bryan Lachapelle (21:13)
I mean, honestly, it was a wake up call for me because as much as we've put a lot of systems in place to protect our customers, the one piece that I hadn't really dived in too much is what does it look like once you're down? What are the critical pieces of the business that we can continue to operate or that you can put manual systems in place? And now I have that conversation on a fairly regular basis when I'm meeting with clients is, you know, what does...

Justin Shelley (21:15)
Same.

Bryan Lachapelle (21:38)
it look like when you have access to none of your systems? What are we going to do to continue making sure that your clients and your business continues operating as if nothing happened, just like that hotel that we were talking about?

Justin Shelley (21:41)
Right.

Good times, good times.

Bryan Lachapelle (21:55)
Hahaha

Justin Shelley (21:57)
So let's talk about, you know, I mean, we've kind of already done this, but I do want to just like zero in on you. You own the business. Like we're talking to somebody who is not technical, who owns his business and who has the infamous mentality of my IT guy handles that. How do we take this business owner and equip them with the tools to know that writing a check translates to protected? What are your thoughts there?

Bryan Lachapelle (22:29)
Go ahead Mario and I'll jump in after.

Mario Zaki (22:31)

I was actually going to say for some reason you froze on my screen but could you repeat what you said?

Justin Shelley (22:37)
Yeah, so you're talking to a business owner. I'll play the business owner, right? I'm non technical. I'm writing a check, a healthy check every month to my IT company and they tell me that I'm covered and I believe it right? And I say this because I hear it so many times when I ask somebody, you know, can we talk about cybersecurity for me? They're like, my IT guys got me covered. Now I rarely see when I go in and do an assessment on a prospective client.

Bryan Lachapelle (22:47)
you

Mario Zaki (22:54)
Mm-hmm.

Mm.

Justin Shelley (23:07)
I rarely see covered in a way that I would call, you know, healthy. And so I want to equip business owners with a way, because if I, if I say I'm challenging them, right, I'm challenging their intelligence for who they hired. I'm challenging the fact that they're getting ripped off. They don't want to believe that they are. There's just a lot of mental gymnastics that prevent them from having that conversation with me. So I want to equip them now, no pressure. Dear Mr. or Mrs. Business Owner, these are your tools. This is what you need to do to make sure that that check you're writing translates to you truly are covered.

Mario Zaki (23:43)
Yeah. I mean, Bryan mentioned this last week is go ahead and test it, you know, create, you know, a new file, you know, save it there for a few days or make a copy of an existing file, you know, save it in a local safe area and then go ahead and delete that, that file, right. And test it, see how, you know, tell them I deleted this, you know, I need you guys to restore from the backup and see if they're able to.

You know, that's a very simple, cheap way to test it. You know, you don't want to, you know, either them or you be caught with your pants down when something does happen. You know, so this is why we do fire drills, you know, and it's just, you know, growing up as a kid, you know, they embedded it in your head. If, you know, if they're in case of a fire, this is what you do. That's it's the same theory here, you know,

Bryan Lachapelle (24:38)
Yep.

Justin Shelley (24:42)
Yeah.

Mario Zaki (24:43)
In case of a fire, this is what you do because you've practiced it so many times. You know, if you go up to an elementary school and say, what is your procedures in case of a fire? And they just tell you, oh, we got that covered. Okay. How do you have that covered? You know, are you practicing this on a weekly, bi-weekly, monthly basis in case something really does happen? Because God forbid, you know, knock on wood, you don't want to have to, to, you know, have a real fire and then say, okay, guys, this is what we're going to do. You know, and you think you're going to be able to manage, you know, an entire chaos of company or, you know, whatever, in case something does happen. So you want to have everything practiced and documented saying in case of a fire, this is what ABCD looks like.

Justin Shelley (25:41)
I, this takes me to a story that, um, one of the most terrifying events of my life. Um, I've got, uh, I don't remember how many kids I had home at the time, at least three, potentially four, and two o'clock in the morning, our fire alarms go off throughout the entire house. I mean, 'cause they're all hooked together, right? Problem with that is I have no idea where the fire is. So I jump up, I've got my whole family home and I'm frantic. I mean, I'm just like, running full speed, checking, you know, where is this fire? I mean, it's a two story house, right? And we all sleep upstairs. None of the bedrooms are downstairs. So I'm going from bedroom to bedroom. I'm making sure everybody's okay. I'm looking for the fire. I can't find anything. So I'm like, shit, it's probably downstairs. I go tearing downstairs. Turns out it's a false alarm, right? That's why this story I can, I can kind of laugh about it, kind of.

But the absolute horror that struck me is if that fire had been in the stairwell, there's one way out of this house. And we're all upstairs. If the fire had been downstairs and that stairwell, we're done. I mean, short of jumping out the windows down to, you know, 12 feet below, which mostly is concrete. Out front, those windows are concrete. Out back, it's grass. I mean, I guess take your chances there. I tell you what, the next day I had little rope ladders in every bedroom so that we could at least get out that way.

But I mean, it's just stuff like this that you don't think of until you've actually run through the drill. We say it all the time, you know, you got to test your backups, but we don't put any real emotion behind that. Shut your shit off and run your business, right? Like turn it off, whatever your system is, unsubscribe from your, your web services or whatever, you know, go cancel your accounts. How long can you function?

Bryan Lachapelle (27:34)
Well, careful with the canceling account bit.

Justin Shelley (27:35)
I know I'm trying to make a point because God damn it.

Mario Zaki (27:36)
Hahaha!

Justin Shelley (27:40)
How do you make this point to people? Because we all have to live and I go back to this all the like our human brains are wired to believe we're okay, even though we're surrounded by danger all the time. Because if we actually focused on every piece of danger that was around us, we'd lose our minds. I mean, every day we're facing death. And so, but we have to somehow break out of that mode of nothing bad ever happens to me.

Bryan Lachapelle (27:42)
Yeah.

Justin Shelley (28:05)
and look at what the real risks are and weigh them against the solution and get a plan in place. Right.

Bryan Lachapelle (28:14)
Yep, and I love the analogy you gave, Mario, about the fire drill. And it reminds me of something that I do at cadets often, as a lot of you may know, I'm an officer with the Army Cadets and I'm a range safety officer. And during, we're teaching 12 to 18 year olds, right? So they're very inexperienced and we might be having a marksmanship practice and...

One of the things that they all have to know is if a command is given, they have to know what to do during that command. They have to know how to handle that situation. And there's one command that's rarely ever used and that's ceasefire, ceasefire, ceasefire, meaning like they're supposed to follow a very specific set of procedures to lay down their rifles and make sure nobody's touching anything. And if I scream that out or give the command and they've never done it before, it's chaos, right? Like, especially when they're new kids, they've been taught.

Mario Zaki (29:07)
Yeah.

Bryan Lachapelle (29:09)
But just because they've been taught doesn't mean they practiced it. And so I regularly do that now, where I'll just throw the command out there, just so they have the ability to know what to do in the event of a real alarm or real case where we have to cease fire. And when I first started doing it, chaos. Now when I do it, they all know what to do. They all instantly know exactly what to do. Every single person does it.

by instinct and they don't have to remember how to do it because they've practiced it so many times. That's where I would love for our clients to be able to get to is when something happens, they're just like, yeah, we just got to go to this manual process and here's the incident response process and they just know how to do it and how to handle it because they've done it in the past. It becomes second nature to them.

Justin Shelley (29:58)
Yeah.

And I would suggest or theorize that the first time you run one of these fire drills on your data, it's going to be a mess. It's going to be eye opening at a minimum.

Bryan Lachapelle (30:10)
Chaos.

Justin Shelley (30:15)
So, but it is.

Mario Zaki (30:15)
Yeah, yeah, but that's the whole point. You know, it's,

do it so many times that by whatever X amount, you know, five times, 10 times, it's not chaos anymore. You know, your employees have gotten used to it. You know, everybody's used to it and say, okay. And also at the same time too, that's how you perfect the process. You know, you may put something in place on paper and then when you actually do it,

Bryan Lachapelle (30:40)
It sounds great.

Mario Zaki (30:42)
We're like, ⁓ shit, you know what? We didn't think of this, you know? And then, and then you end up doing it over, you know, again, and with the modifications and stuff like that until you've not only perfected it, but can do it, you know, with your eyes closed.

Justin Shelley (31:01)
Alright guys, ⁓ Brian, as you mentioned earlier, we have beat this horse quite significantly. ⁓ I think we've kind of covered it, but if there's anything we've missed, this would be the time to step up. Otherwise we're going to go ahead and call this a wild success of an episode. And we're going to go ahead and wrap up. So ⁓ guys, any any final thoughts or key takeaways? ⁓ This is the time or forever hold your peace or however.

Bryan Lachapelle (31:09)
Yeah.

You

Justin Shelley (31:31)
⁓ And Mario, I'm gonna go ahead and pick on you first and then Brian go ahead and give us your final thoughts and we're gonna go ahead and wrap.

Mario Zaki (31:40)
I mean, I love that we did this and we obviously have these conversations with prospects a million times. ⁓ You know, I had it today with a prospect and from now on, I'm going to say, you know, listen to episode 79 and you'll have the answer to what you should, it should not be doing.

Justin Shelley (31:59)
I mean, that's, that's so you're, I like that. I like that message. It, it resonates with my rant at the end of last week's episodes. Brian, final thoughts.

Bryan Lachapelle (32:11)
⁓ It's kind of funny because this entire series that we've been doing over the last three, four weeks ⁓ starts with identify what you have, protect what you have. I can't remember all the other aspects because brain fuzzy. ⁓

Justin Shelley (32:19)
Yep. Yep.

Well, it's first is basically

people we're going to our identity. So it's who you have. Go ahead. You got it.

Bryan Lachapelle (32:28)
Right. Yeah. Well,

essentially what I'm saying is that when the data backups and data, just analyzing your data, making sure it's all backed up is almost the entire gamut of all of it. First, you have to identify what you have. Then you got to figure out how you're going to back it up and how often you're going to back it up and how long you're going to keep it for. Then you got to test it. And then you got to go through fire drills to make sure that when you're going through the recovery process, ⁓ you know what to do in the meantime. So it's kind of funny that just this one component

goes through all of the different phases as well. So yeah.

Justin Shelley (33:00)
Yeah, yeah.

And admittedly, there's a lot of repeat here, but I'm not going to apologize for that. ⁓ Because, a, not everybody listens to every episode. I mean, I know our fans are raving fans and they listen to most of it, but they're going to miss something here and there. ⁓ Also, you have to hear it more than once for it really to stick in your brain. And I mean, guys, we live in this world and we have to hear it all the time, right? I mean, I do. I'll tell myself ⁓ it is.

The single most important reason why I started this podcast was to keep myself in the world of security because otherwise it's so easy to get distracted by every other goddamn thing we have to do every single day. It's so easy to get distracted and to focus on other things. More pressing matters. I love my air quotes lately. I don't know why I'm on that kick. You audio guys can't tell that I'm air quoting most of what I say. ⁓

Mario Zaki (33:48)
Mm-hmm.

Actually, I want to add one more thing. And one of you just reminded me of this. And we talked about this months ago. ⁓ Another part of this component to know not only knowing what you have, but you need to know what you don't need anymore. So anything, you know, like, you know, you have to find out what your retention is, what you need things for, you know, like in, you know, in the States, like, medical stuff is like seven years. So I forgot what episode it is.

Justin Shelley (33:56)
Okay.

Yes.

Bryan Lachapelle (34:10)
Cool.

Yeah.

Mario Zaki (34:23)
So it pretty much says like, if you need something for seven years, beyond that, you have to archive it. You have to get rid of it so that you're no longer responsible for keeping that data. If you have something there for 15 years, guess what? You're responsible for that data that, you know, from 15 years ago. If it was a client from 15 years ago and you get breached, guess what? You now have to protect them because their information was breached.

Justin Shelley (34:41)
Yes.

That is a solid point, very solid point that we don't talk about enough. We had a guest on here that brought that up a while back. And maybe that's what, what you're even referring to, but it was, I don't want to say it's the first time I've ever thought of it, but it really had kind of put that drive that point home because here again, um, I'll throw myself under the bus. I've got a lot of data from a long time ago and some of it's sentimental because I started this company in 1997. We're coming up on 30 years.

Bryan Lachapelle (34:52)
Good point.

Mario Zaki (35:00)
Yeah.

Justin Shelley (35:20)
I've got some shit from 30 years ago that I don't want to get rid of. Like the very first logo that I built myself on whatever, I don't even remember what stupid graphic program I was using back in the day. And it's, it's hideous, but I can't, I'm not going to throw it away. You know, also I'm lazy and I have met other lazy people who don't want to go through mountains and mountains and mountains of data and find out, you know, what they need to keep and what they don't. And then you've got the, the,

Bryan Lachapelle (35:33)
Yep.

Justin Shelley (35:50)
last whammy is what if you delete it and you did need it and nobody wants to be responsible for that so you know data just accumulates so yeah that's a good point Mario and it's one that we have to fight pretty hard for because it's not easy to go through and get rid of stuff to just be that you know

Mario Zaki (35:54)
Mm.

Bryan Lachapelle (35:56)
No.

Nope.

Mario Zaki (36:06)
Yeah.

And not to mention, you know, we mentioned everything, you know, before about restoring and stuff like that. Say in the event of a hack or, you know, hardware failure, if you have, let's say five terabytes worth of data, but you only needed about one. Well, guess what? That's now five times the amount of time to restore that stuff that you really needed.

Justin Shelley (36:24)
Mm-hmm.

Bryan Lachapelle (36:30)
Good point.

Justin Shelley (36:31)
And it's not quick. I mean,

Bryan Lachapelle (36:31)
Yeah.

Mario Zaki (36:33)
No, no.

Justin Shelley (36:33)
you know, when you do your tests, you're not talking about five minutes versus 25 minutes. We might be talking about a day versus five days or two days versus 10 days. I mean, it's, it's a lot, depending on what system you're using for backup and how you're restoring and, you know, off-site's great until you need to get it back. And it's a lot. I mean, sometimes they've got to put it on a drive and ship it to you because it takes so long to restore over the internet. So

Mario Zaki (36:39)
Yeah.

Bryan Lachapelle (36:42)
Mm-hmm.

Mario Zaki (36:55)
Yeah.

Justin Shelley (36:58)
Good point. Very, very good point to kind of wrap up ⁓ on. I don't know that I really have anything to add to that other than, I'm going to make available the form that I use when I walk my clients through this. It's just a link I'll throw in the notes, but it's simple in nature, but at least I believe it gets everybody thinking through what we've all talked about.

Because if we just say, backup your data, it's really easy to say, yes, I've got this backup in place. We're good. But what about all the other places that our data lives? We have to know where it lives and have a process in place that's verified that it's being checked. So all right, guys, that's what I've got.

Bryan Lachapelle (37:34)
Yep.

Justin Shelley (37:50)
Brian was so excited about this. We're going to try to cut, I say, short. God, time flies. We are not. We're not short at all. We're almost 40 minutes into this. Well, I must love this topic more than you do, Brian. I know, I'm just, I'm just harassing you. I know I wish we didn't have to be, but then we wouldn't have jobs. So whatever.

Bryan Lachapelle (38:02)
I love the topic. Just, I'm like, are we here again?

Mario Zaki (38:13)
Yeah.

Justin Shelley (38:14)
Alright guys, that's it for this week's episode of Unhacked. For more, go to UnhackMyBusiness.com. I will make the link on there available so that you can go run yourself through this exercise. ⁓ If you fill out the form, I will admit it's going to create a ticket in our system and we're going to follow up and try to sell you some shit. So submit the form if you want or don't, I don't care. Copy the thing down on paper. Do what you want with it. But I do want to make that resource available just as an exercise that we can all use to kind of...

check our own math. And by the way, I go through this myself. That's what I've got. ⁓ Guys, final goodbyes. Brian, then Mario, then we're wrapping it up. Brian, go ahead and say goodbye.

Bryan Lachapelle (38:52)
All right, everybody, ⁓ my name is Bryan Lachapelle with B4 Networks. If you want a guide to help you through ⁓ implementing data backup and recovery, reach out to us and we're happy to be your guide.

Mario Zaki (39:05)
Yeah, Mario Zaki with MassTech, you know, sleep better at night knowing your data is safe with us and that your business will be there the next day. So reach out to us and we'll help you sleep better.

Justin Shelley (39:19)
All right, sounds like a plan, guys. I'm Justin. Remember: listen in, take action, and keep your businesses unhacked. See you next week.

Creators and Guests

Bryan Lachapelle, Host
Hi, I’m Bryan, and I’m the President of B4 Networks. I started working with technology since early childhood, and routinely took apart computers as early as age 13. I received my education in Computer Engineering Technology from Niagara College. Starting B4 Networks was always a dream for me, and this dream became true in 2004. I originally started B4 Networks to service the residential market but found that my true passion was in the commercial and industrial sectors where I could truly utilize my experience as a Network Administrator for a large Toronto based Marine Shipping company. My passion today is to ensure that each and every client receives top of the line services. My first love is for my wonderful family. I also enjoy the outdoors, camping, and helping others. I’m an active Canadian Forces Officer working with the 613 Fonthill Army Cadets as a member of their training staff.
Mario Zaki, Host
During my career, I have advised clients on effective – and cost-effective – approaches to developing infrastructure that fosters productivity and profitability. My work has provided me with a broad-based knowledge of business from the inside, with an expertise in areas that go beyond IT alone, ranging from strategic planning to cloud computing to workflow automation solutions.