80. Your Employees Are the Vulnerability: The Truth About Email Scams, Phishing, and the Human Risk You're Ignoring
Justin Shelley (00:00)
Welcome everybody to episode 80 of Unhacked, guys. I feel like, episode 80, this is a, this is a, not really a cardinal number milestone, but kind of a preview of things to come. Just wait for episode 100. I'm really going to fuck with you. But today I was told very directly by my editing partner and by my stepkids that our introduction needs an upgrade. They said it's really, and I quote,
Mario Zaki (00:08)
Milestone.
Bryan Lachapelle (00:29)
Hmm.
Justin Shelley (00:29)
Super boring when we introduce ourselves. So today guys, the surprise is we're doing a fit check
Mario Zaki (00:38)
Okay.
Bryan Lachapelle (00:38)
A
what?
Justin Shelley (00:41)
Do we not know what a fit check is? Well, guess what? Neither did I until this morning. I had to look it up. No, this is, oh my God, Mario, you dated yourself so bad. How old are you? And obviously you're 46 years, a baby. You should know this better than I do. Uh, Bryan, um, age check first, I guess you're younger than me too, right? Okay. All right.
Mario Zaki (00:44)
Does it look like I know anything about being fit?
Bryan Lachapelle (01:04)
I am, but I'm older than Mario. We'll just
leave it at that.
Justin Shelley (01:06)
We'll leave it at that. That's
fine guys. I just turned 52. I'll go ahead and brag about it. I think I have to check the math. Yes, I turned 52. Okay. So us old folks don't know anything about the younger generations. New language, all the slang. "Fit" has to do with your outfit, Mario, not your fitness level. So today we're doing a fit check, which is basically what are you wearing? How confident are you? Why'd you pick the style? Um, and people make these little videos. There's some controversy about it. I don't know.
Bryan Lachapelle (01:25)
Bet.
Mario Zaki (01:25)
Justin Shelley (01:36)
Where it comes from, I guess, is a little sketch. That's another youth word. The youth use "sketch." So that's an older one. OK, enough of this. Work. Cap, cap. You guys are cooked. You guys are cooked. That's actually my favorite one. OK, guys, tell us about your wardrobe. I will, I will start. This shirt that I'm wearing, you can't really see much. And if you listen to the audio, you really can't see it. This is one of my older shirts. I've had this for, God, probably 10 years.
Bryan Lachapelle (01:45)
That's cap. That's cap. They don't use that. That's cap.
Mario Zaki (01:48)
Six seven.
Justin Shelley (02:06)
Um, but it's one of my favorite ones. So you'll see it from time to time. Go back and look at the YouTube. You'll see this shirt popping up from time to time. And I don't want to brag, guys, but when I record, well, most of the time I have a home office now. Um, if I'm on camera, I dress it up top. I might have a bracelet on, you know, I look all sharp, which is what started this. I came out of the bedroom today and it was like, what the hell are you dressed up for? Cause you know, anyways, um, usually I'm in pajama bottoms.
Whatever, today I'm wearing jeans. That's my fit check. Justin Shelley, just checking in. Bryan, you're next.
Bryan Lachapelle (02:40)
You caught me at the one time where I'm not completely dressed up, you know, in a shirt and dress pants. I'm just really cash today. Yeah.
Justin Shelley (02:42)
Hahaha!
Wait, I should have done this one.
We're bringing out the sound effects.
Bryan Lachapelle (02:53)
So this is just a standard
shirt, nothing too fancy, jeans and a shirt. Normally I wear dress pants and a dress shirt, but today I felt like it was a casual day today. I thought for whatever reason it was Friday when I woke up. Yep. Very wishful thinking, yes.
Justin Shelley (03:02)
Fitcheck day, you, you cashed it in.
Hey.
Mario Zaki (03:10)
Ha
Justin Shelley (03:11)
Wishful thinking. It's only Thursday, people. Mario, what do you got
for your fit today?
Mario Zaki (03:18)
So, one of many from the Mastek collection. I'm wearing my black button-down with my beautiful Mastek logo.
Justin Shelley (03:27)
Branded. Yeah. Has anybody ever thought about getting a tattoo of their company logo?
Bryan Lachapelle (03:32)
Not happening.
Mario Zaki (03:34)
I, um, my
wife has like five, six tattoos. For me, I have a very, very low pain tolerance. I do not want any tattoos. Unnecessary for any pain.
Bryan Lachapelle (03:48)
That being said, Justin, we had a contest once upon a time where my service manager agreed that if something XYZ occurred, he would put a tattoo of B4 Networks on his forehead. A removable tattoo, it wasn't permanent, and they won and he had to put a peel-and-stick tattoo on his head and it was there for a couple of days.
Justin Shelley (03:59)
Damn it.
I can tell there are so many stories. We got to, we got to rein it in a little bit, but, I mean, tattoos are wonderful, guys. I, you know, I know that this is a thing where you can hire people to, they'll be walking billboards for you. You can put your brand stuff on them, tattoo. I don't know. I heard about it. It's, it's gotta be true, cause I heard about it one time. So guys, let's go ahead. No, this is now Mario. God damn it. How old are you? TikTok, TikTok. We don't do Facebook. Facebook is for the uncs.
Mario Zaki (04:26)
Thank
Bryan Lachapelle (04:29)
I'm gonna pass on.
Mario Zaki (04:33)
on Facebook.
Hahaha
The who? Are the uncles? That I, that I haven't heard.
Justin Shelley (04:44)
Oh my God, you guys are so far removed.
Bryan Lachapelle (04:50)
What's TikTok?
Justin Shelley (04:51)
Unc means you're old. TikTok, if you don't know what TikTok is, it means you're unc. And on TikTok, you would learn what unc means. All right, guys, we have just lost all of our audience with this really ridiculous introduction. And I'm going to go back to my producer and just say, is that what you wanted? How about, I think you let us stick with our normal introduction from now on, huh? No more wise ideas. Anyways.
Bryan Lachapelle (04:57)
Ugh!
I agree.
Justin Shelley (05:13)
Today,
we are going to talk about, I mean, we're continuing our series. I think we are, this is the sixth in our like 12 part series on security basics. So what have we talked about so far? We talked, you know, we kind of opened it up with the, who owns security. This is a leadership problem and you need to have a measurable, you know, something that you're measuring against. Use published frameworks. You can have internal standards, whatever, but it's gotta be the same.
You know, with regular updates, but you just have to consistently measure against something to know where you're at. Right. Then we talked about identity and access, passwords, MFA, privilege, all that kind of stuff. Today's going to be a little bit of overlap on that kind of, but we're going to try to keep it as separate as possible. Then we talked about inventorying our assets, you know, what kind of computers do you have, networking equipment, making sure they're all up to date. We talked about endpoint security. We talked about backups and recovery last week. And today,
we get into email, phishing and human risks. So like I said, a little bit of overlap, but we're going to try to keep it unique, fresh, you know, not, we don't want to keep saying the same thing over and over. So guys, story time. And this is how I'm going to introduce today's topic. Years ago, I had a client who emailed me, and maybe they called, I don't know, but basically the, the CEO was out on a business trip. Normal, normal stuff, right?
Um, the CFO gets an email from him and it says, Hey, I'm making a purchase of $50,000 to, you know, these are the instructions, uh, get that money wired ASAP. I mean, you guys are going to get ahead of me. You got to know where this is going. Right. Um, it wasn't the CEO who sent the email and, and later when we go back and review it, it was spoofed. It did not come from a compromised account, which is another way of doing this. Um, but $50,000 was gone. Money wired.
Past the deadline when the bank can get it back, which is pretty short, somewhere between 12 and 48 hours depending, irrecoverable. So that's, that's my story. That's why we talk about this and, you know, it is, it continues to be one of the main ways that people get breached and lose money. Bryan, then Mario, tell me a little bit about your thoughts on email compromises and, and, and if you want, bring in how much you love Microsoft, because that was a subject that was getting thrown around before I hit record, Bryan.
Bryan Lachapelle (07:38)
Yeah, okay, so what I've seen, and actually it happens very often, and unfortunately we can't protect very much against it, that is when one of our customers' suppliers has gotten compromised, their email compromised, which means that it's a valid email account that is sending out messages to our clients, but in a nefarious way, obviously. So one of our clients recently received a message from
one of their vendors just indicating, hey, here's our new payment information and here's how you pay us, et cetera, et cetera. And of course they followed through and sent some wire transfers to the wrong address or wrong location. And there's no getting it back, like you said, Justin, by the time people realize what happened. And this is not a compromise on my client, it is not a compromise on anything that we could have protected against other than making the recommendation
to everybody, which I think we've done even on this podcast multiple times, is never change payment information, especially wire transfer information, via email or any kind of electronic means. Just confirm it with a good old-fashioned telephone call to the number you have on file and confirm the digits. If it is something that they indicated, yes, they want to change the information, confirm it verbally with the person on the other end. And that way you have double verification, both an email and...
That's my story. Email compromises happen still fairly frequently today. So I'm still quite shocked at that.
Justin Shelley (09:16)
Mario, what are your thoughts on this?
Mario Zaki (09:18)
Yeah, I mean, very similar story to what Bryan just mentioned. Like, we work with a lot of construction companies, so construction will work with a lot of subcontractors, you know, like electricians, you know, some plumbers, and there isn't, you know, when it comes to like plumbers and electricians, they tend to not be a huge company. They're usually like a two, three user, you know, electrical company, you know, they're doing the work, they don't have
the budget for full managed services or email protection. So if they get compromised, then their emails will get compromised and then the hacker will send on their behalf. So they will send an email to the contractor, you know, and say, Hey, you know, we didn't get paid, you know, on this, you know, or we changed our information, you know, can you go ahead and verify it now?
All this stuff will come through, you know, through regular spam filters because it's a person that they are regularly communicating with. You know, it's just who is on the other end of that email address. You know, we can't see, we can't do anything about, we can't verify. We just know that this is a valid email address and, and they will email on their behalf. And, and a lot of times what ends up happening, and we saw this recently,
is when a hacker gets in now, especially using AI, what they're doing is they're downloading their entire mailbox, the email that got compromised, they're downloading everything. And what they're doing is when they do get discovered, they're creating a new domain with a very small change. Instead of like an I, they'll change it to an L so you can't really notice it.
they'll copy, you know, signatures and stuff like that. And then they will make it look like you're continuing the conversation. You know, they'll paste the rest of that conversation in there and then just send you an email saying, Hey, you know, I never heard back from you, or whatever. They'll sometimes make it look like they're replying to an email that they had like weeks ago. And nobody's the wiser because it's mud. It's very hard
to really identify it. You have to really go letter by letter and see what's correct and what's wrong.
Justin Shelley (11:49)
So I want to, we're kind of, I'm going to go in reverse order because we, we've been discussing it and I want to break, like summarize what we're really talking about here. These are called BEC, business email compromises. And they come in two primary forms. One, we have what you just mentioned, Mario, which is, um, a lookalike domain. There is little to nothing we can do about those, but I'm going to come back to that. And then the other one is an actual compromised email account, which is separate. They don't have to go buy a new domain. They don't have to have it look a little bit, you know, close to it.
Mario Zaki (12:14)
Mm-hmm.
Justin Shelley (12:19)
It's literally the inbox of the person being, you know, impersonated. This isn't them. Somebody broke into the email and they're sending out these emails from the actual user. They create custom rules that when the email comes back in, it diverts it somewhere else so that the user never knows. Right. That's the, these are both super scary.
Mario Zaki (12:36)
And sometimes it
starts with one and then when they're discovered, it goes to the other.
Justin Shelley (12:42)
There you go. Yep.
Yeah. Yeah. But similar idea, where somebody is pretending to be somebody else requesting a money transfer of some sort, a payment of some sort, and giving instructions that, Bryan, to your point, might vary from the, the previously agreed upon payment methods. And this gets you every time. And that, that's a great answer to this problem, right? Bryan, have these procedures laid out. The case that I mentioned before,
if you're going out of town and you might make a purchase, let your CFO know that upfront. Let them know exactly how you're going to request money if there is a purchase to be made. Again, and this is just kind of playing on what you already said, Bryan. So, business email compromises, we're, we're going to move into some other things, but before we do, guys, do you have anything else you want to add as far as this particular type of an email attack?
Bryan Lachapelle (13:37)
It might just be that a lot of people think business email compromise, like their own email got compromised, but in a lot of cases, it's somebody else's. It could be yours. You could certainly have gotten compromised, hopefully not if you have all the systems and protections in place, but it could be. Also, it could be somebody else. Just being vigilant that it could be either end that is compromised.
Justin Shelley (14:02)
Right,
right. Either way, right, they could either be compromised by somebody getting into the inbox or by somebody spoofing or, you know, getting these lookalike domains. Policies and procedures, this is going to come down to that. And we'll get into training here in a second. Mario, any final thoughts on BECs before we move on?
Mario Zaki (14:22)
No, no, that's good.
Bryan Lachapelle (14:24)
I do have one about lookalike domains though. Are we discussing protections yet or just that? Okay, so one of the things we've done, at least in Office 365, is that any newly registered domain emailing into any of our customers will flag it as soon as a person opens up the email. It'll say at the top, you know, this domain has been recently registered. Be cautious of any emails going in and out of this account. Essentially saying that, you know, hey, be wary that this domain has recently
Justin Shelley (14:26)
Okay.
Yeah, let's, yeah, go for it.
Bryan Lachapelle (14:54)
been registered by somebody else, meaning that it might not be the domain that you're used to talking to. And so it's bright yellow. You can't miss it. And so if you're actively communicating with someone and all of a sudden you get that, it's likely fraudulent. And so it just adds one layer of protection to make sure people are paying attention, like, hey, this domain is new. Is it the one I've been talking with before? And it just brings people to that scrutiny.
Justin Shelley (15:10)
Okay, yeah.
Yeah.
An old company with a newly registered domain, probably not the way it's going to be. Here's, here's another thing you can do though, is you can report these. So this takes a little bit of work. I actually had to go through this exercise with a client recently because they are on a list somewhere or somehow where somebody knows who they are, what they do, how they do it. And they will go register these domains and send out emails to their clients. Right? So it's not even anybody I'm directly
involved with. A bad guy goes in, registers a lookalike domain for my client, sends out emails to their clients. I'm completely out of the picture. That's a tough one. So what they have to do, which, you know, this, this really sucks, but every time that happens, somebody has to report it to them so they even know about it. Then they've got to go into like a WHOIS lookup. I had to explain to them what that was. And find out who the domain registrar is, had to explain what that meant. And then once you know that, you can go to the registrar and you can find out where,
you know, how to report abuse with them. And you can, you can just send that and say, Hey, this domain looks very similar to mine. It's being used for malicious behaviors. And the registrar will then take that domain down. You can also report it there. The FBI. Yeah. I mean, you have to prove it. And sometimes then you, there's a place, the FBI has an agency, I forget what it's called, but like a subsidiary or whatever, where you can report all this. You can Google, right. Or use ChatGPT to figure it out.
Mario Zaki (16:35)
Sometimes.
Justin Shelley (16:51)
I think the FTC has something as well. So you're, you are left to reporting this to authorities and hoping that they'll do something to help you. Very annoying, very frustrating, but unfortunately there's just not a lot we can do to prevent that one. Mario.
Mario Zaki (17:06)
You know, something
else a little, you know, little related, but not exactly. One thing that we've seen a lot is when new employees add themselves to LinkedIn, you know, saying they got a new job at XYZ company and they're so happy and stuff like that, they become a target because now they realize that this is a new employee.
most likely they want to impress their boss or the owner. So they become a target. then they automatically start getting like these emails, like pretty much similar to what you were saying. From the owner, I'm on a business trip, I need you to do me a favor, go to Walgreens and get me some gift cards and keep this between us.
And they'll make it like, welcome to the company. Here's your first major assignment. You know, I need this. So all of a, this new, yeah. You know, all of a sudden this new employee is like, my God, the owner of the company is actually emailing me directly. He needs a top secret favor and, you know, and stuff like that. And then, you know, they, they become a victim, but it was just because, you know, they, they posted on LinkedIn and/or Facebook or TikTok, whatever the hell these
Bryan Lachapelle (18:06)
Use your own money.
Mario Zaki (18:29)
kids are doing now, and then, and they just get, they become a target.
Justin Shelley (18:37)
Yeah. And so we're, we're now, well, I guess that's, that's still impersonation. I'm trying to keep our buckets, you know, aligned here. It comes down to training, right? So, so if we're to talk about it, we've got to figure out how do we prevent this, and really step one is, as terrible as it is for new employees, is they have to understand how we do business. And that's, you know, hopefully it's something better than
Mario Zaki (18:47)
Yeah.
Justin Shelley (19:03)
throwing them in a dark room with a book that's 150 pages long and say, read this, don't worry, there's a test afterwards. No pressure. You start tomorrow morning, you know, get all your paperwork done today. Tomorrow we go to work. Hopefully you've got a better system than that, but however you do it, you've got to make sure your employees know what your normal procedures are. Right? I mean, guys, what else you got on this one?
Mario Zaki (19:28)
Just make sure you have those procedures in place.
Bryan Lachapelle (19:31)
Yeah, I think having the procedures in place first and then definitely making sure new people are aware of it. Like our team goes through at least a three, four week training process that goes through all of the different tools we use as well as our critical policies and procedures. And it sounds like overkill, but honestly, by the time they get on the phones to help our clients, they are very well aware of almost everything that we do and how we do it.
Justin Shelley (19:55)
Yeah. I'm going to throw this in. We're definitely out of order because I want to come back to security awareness training. But I will say if your plan to train people is to, you know, open up the fire hose and just douse them with it on day one or even weeks three through four, and then it's over. And I know you don't do this, Bryan. So I'm well aware that you have a better procedure than this, but a lot of companies don't. You know, you just
annihilate them in the beginning with everything. And then you expect them to remember that for the rest of their employment. I mean, come on, you've got to have this be a part of your culture. It can't just be, you know, annual training is the minimum. That's what most of the frameworks call for. But even monthly training or weekly micro training or some of these other tools that are used, it's better. But this has to become a culture within your company of constantly educating and making people aware of these risks. Any thoughts on that?
Bryan Lachapelle (20:50)
Agreed.
I do subscribe to the culture of learning and a culture of making sure that we're highly aware of what's going on cybersecurity-wise. Like every time there's a major breach or any kind of notification, we're passing the information throughout our entire office and sometimes we'll even post it publicly for our clients to see if it's something that we feel might impact a lot of our clients. Like as an example, the authenticator
critical update that went out for all applications or like for your mobile phones. I don't know when it came out, but it was announced recently that it's something that everybody should be updating. Justin's like, crap, I got to update now. Anyway, yeah. So we'll often pass those around the office, like as in a Teams chat, and then determine whether we want to share it with clients. And so our team is very well aware of all the types of security events that are going on.
Justin Shelley (21:33)
What the fuck you talking about? I was asleep for that one. Yeah.
Bryan Lachapelle (21:48)
But I'm also a big believer in lifelong learning, as you all know. And so we have constant training, constant, you know, we do weekly micro training for cybersecurity, but we also do repeated training over and over again for policies, procedures, and SOPs and things like that on an ongoing, we call it like the 12 month journey. So everybody goes through different training on a regular basis.
Justin Shelley (22:12)
So since we're already here, we're talking about culture, we're talking about awareness training. It's more than just knowing this stuff. It's more than just being educated on it. And the culture is probably the second most important thing, but I would argue that the first most important thing is to add a layer of communication. We have to not just like throw this stuff down their throats, ram it down their throats and make them ingest it and be aware of it. But when they see it, they've got to call it out. And you have to have a system that,
God, at a minimum, accepts these reports, you know, this information back in the other direction. But ideally the culture plays in here too, where you reward, you train on it. And then you reward employees bringing this stuff back to you, because they're running the front line. We aren't, right. We don't even know what's going on half the time. Other than our little dashboards and reports and stuff that we're looking at, we're not out there interfacing. We're not dealing with it. So tell me a little bit about that. And Mario, you've been too quiet for a while. So I'm
Mario Zaki (23:12)
Mm-hmm
Justin Shelley (23:12)
punting over to you. How do we get our employees, first of all, our own companies, but then also our clients and their employees, to bring this information back to leadership?
Mario Zaki (23:25)
I mean, the one thing I will say, and I don't know if I'm really answering the question with this, but just like what we do with a lot of security is you have to have a zero trust approach. You have to, if something comes in that kind of makes your spider sense, Spidey sense, kind of tingle a little bit, you have to assume it's, you know, some sort of fake
email hack or whatever and go with a zero trust approach. Always assume it's not correct, you know, because if it's asking for some sort of information that is not normal, most likely there's something behind it. You know, no, no, that's it.
Justin Shelley (24:11)
Bryan, do you have any thoughts on this? Sorry, Bryan, are you still going? Okay.
Bryan Lachapelle (24:16)
I don't disagree. I don't know if I've put systems in place to reward people specifically for bringing forth any kind of breach or cybersecurity concern. What I will say though is that I've seen companies penalize somebody for accidentally clicking on a link and then reporting it and saying like, I clicked on this link or I did this thing.
And then they penalize them for it when it should be the other way around. It's like, OK, well, you self-identified that you screwed up. You, you congratulate. Thank you for letting us know, because not letting us know is worse than letting us know. You penalize people, you punish them, what will happen is you've just trained them not to report it next time, right? You've just, you've negatively reinforced, like, hey, yeah, you probably shouldn't be letting us know that you clicked on the link because you're going to get in trouble. And so,
Justin Shelley (24:56)
Right.
Bryan Lachapelle (25:10)
Positive reinforcement, yes, but don't negatively reinforce it by punishing people when they accidentally do things, because we're all human and we all make mistakes. Now, if they're repeatedly making the same mistake over and over and over again, now they're a security concern. And as far as I'm concerned, it's no different than if they were not treating, for example, climbing up a ladder or safety seriously, and they were putting other people at risk. When people are constantly putting people at risk from a cybersecurity perspective, they're,
the whole company is at risk. And so don't punish people, but at the same time, don't let them get away with it over and over and over again if they're a problem.
Justin Shelley (25:47)
Well, and I want to clarify, when you say don't penalize, punish people, whatever, we have to be pretty careful with how we define that too, right? Because even remedial training can be seen as a form of punishment, which is one of the most common courses of action to take. If somebody clicks that link, the systems, most of the security awareness training systems, you click a link, you know, a bad link, a fake bad link, and it's like, you screwed up. Now you're, you're punished by having to sit and take this course. You have to, you know,
run through a video, you've got to take a test. You've got to, you know, and then it goes in and it, it dings your score, if you have a score system. So, I mean, you're absolutely right. And it's, this is like, can be a double-edged sword. We have to be super careful how we handle this because what we see as remedial training or a way to improve or, to further protect, can psychologically, emotionally, to our employees look like punishment. Any thoughts on that?
Mario Zaki (26:41)
Mm-hmm.
Bryan Lachapelle (26:44)
Suck it up, buttercup, watch the video. Sorry. I don't know. I'm not sure how to add to that because I do believe in remedial training.
Justin Shelley (26:48)
All right, all right.
Mario Zaki (26:50)
And
Justin Shelley (26:53)
But
no, and I, I, to be clear, I'm not saying you, shouldn't. I'm not. I am saying that, um, if we're not careful, these measures can be seen. And this is where I believe it comes down to culture. It's like, Hey, letting people know, you know, set the expectations upfront. Listen, we have these simulated phishing emails that you're going to get, and we're supposed to talk more about phishing. Um, maybe it'll just kind of organically happen here. Um, but you're going to get these emails. And if you click on them, just know that
Mario Zaki (26:54)
Yeah.
Bryan Lachapelle (26:57)
Yeah.
Justin Shelley (27:21)
it is designed to call you out and to, you know, you'll have to do some training, and this isn't punishment. You're not going to get fired for this. This is to make sure that we're all on the same page, you know, to protect this company, because without this company, none of us have a job. Right. I mean, it comes down to how you frame this and what your culture is around it. Yes.
Mario Zaki (27:39)
Yeah, but people.
Bryan Lachapelle (27:40)
Yeah, and that you
can definitely incentivize.
Justin Shelley (27:42)
Yeah, absolutely. Click as many bad links as you can, take as much training as you can and you get a cookie. I'm not.
Mario Zaki (27:43)
People just need to stop things.
Bryan Lachapelle (27:48)
No, no, no. But if
you report the phishing attempts, because we did that for a long time, actually for a couple of years we did that, where all of our clients would be receiving phishing attempts. And if they reported it, and it was one of ours, which means if they're looking for ours, they're also looking for all the other ones that don't look like ours. If they reported ours, there was a little button that they would click on their Outlook that they would say, like, I think this is a phishing email. And it would automatically right away say, congratulations, you found one of our phishing attempts.
And they would be entered into a draw to win a hundred dollar gift card across all of our clients. I don't know why we stopped that. I think just the person who was responsible for it left. And then, you know, like everything else in corporate culture, you know, that, you know.
Mario Zaki (28:26)
Ha ha ha ha.
Justin Shelley (28:28)
Get on it, Brian. Get on it.
Bryan Lachapelle (28:30)
Yeah, but
definitely something I want to reintroduce now that you bring up rewarding people for good things.
Mario Zaki (28:36)
The thing is, at the end of the day, people need to stop being so sensitive. You know, yeah, you know, we're testing you and it's designed to trick you, and if you don't get tricked, good job. If you get tricked, you know, stop, don't do it again. You know, like at the end of the day, that's how we grew up. You know, people now are like, you know, like, yeah, you know, people are too sensitive now.
Justin Shelley (28:57)
We got our asses beat. Is that what you're saying?
the paddle out.
Bryan Lachapelle (29:05)
Climb up
the tree fort, you fall down, you remember next time, you know, use the ladder correctly or, I don't know, don't fall down. Oh gosh.
Justin Shelley (29:12)
In school, did your principal's office have the paddle up on the wall, and you're like, you go
Mario Zaki (29:16)
Thanks.
Justin Shelley (29:16)
in there every time afraid he's gonna pull that thing down and whack your ass with it. Mine did. Hey, I am, I already said I'm the oldest one in the group. I'm not hiding that. Okay. It used to be. Okay, so here's, and we, I'm not, I don't know that we've all arrived at a place where we're in agreement here, but
Bryan Lachapelle (29:19)
No
Mario Zaki (29:20)
Once again, you're showing your age.
Bryan Lachapelle (29:27)
Corporal punishment is not a thing in our schools. Come on.
Justin Shelley (29:41)
I do want to deflect to really what drives this point home to me, which is the worst example of the opposite that I've ever seen. And fine print disclaimer, whatever, I just read this in the newspaper, and dating myself again, it was online, it wasn't a physical paper. But, city of Fort Worth, I guess I can say it, 'cause again, I'm just quoting the newspaper. They were breached, but what happened was, the IT manager, and I'm not claiming any of this is exactly accurate because I read this thing like five years ago, but two different people in the IT department identified problems. And they were quoted as having said something to the effect of, we are not even 10% compliant with industry standards. Okay, they were badly underprepared for this. They brought it to their superiors and said, hey, these are the problems we've identified, proposed solution here, what are we going to do? And their superiors, who included finance people, said, sit down and shut up, because if you say anything, we all look bad. Then we're going to have to go to budgeting meetings. We're not to say, hey, we need money for this and that and the other thing. And they're going to say, well, why aren't you already doing it? Anyways, it got political. So they didn't do anything. And the breach happened and it got worse. They lost $500,000. They, like, huge deal that ended up in a lawsuit, and like people fired, just a mess. So details aside, I am saying that, be careful about your culture.
And yeah, get the paddle out if you need to. But whatever you do, make sure that if somebody brings a valid concern to you, reward them. I'm going to go farther than just don't punish them. Reward them. Have a system in place to say, thank you for caring. Because we have to be a united front. We are fighting a goddamn war. Right? These are, this is organized crime. These are people that are very funded. And if security is just an afterthought at best,
Bryan Lachapelle (31:23)
Mm-hmm.
Justin Shelley (31:37)
And God forbid something we punish in our cultures, like what in the hell are we doing and how do we ever expect to win this battle?
Mario Zaki (31:45)
Very true. Very true.
Justin Shelley (31:46)
Help me guys, help me out here!
Bryan Lachapelle (31:49)
No, I agree with you 100%. Yeah.
Justin Shelley (31:50)
All right.
OK, rant over. ⁓
Bryan Lachapelle (31:55)
I remember that story though, I remember it. As soon as you started telling the story I was like, ah, I remember this. Yeah.
Justin Shelley (31:57)
I tell it all the time. It's just like, I can't believe, to this day, I'll go back and read it again thinking, clearly I read this wrong, right? Maybe they came out and clarified. It's like, no, no, this is really what happened. Jesus Christ.
Bryan Lachapelle (32:04)
Nope, Mono, you read it right.
Yep.
And it happens more often than you might think.
Justin Shelley (32:13)
That's my point.
So, you know, anyways, so. But I think guys, we've talked about most of what I think we need to talk about today, but before we wrap, I'm just going to kind of, like, let's free, just free form, whatever, open mic, talk about, specifically email, but this kind of problem in a business. What do our listeners need to know? What do business owners need to know to properly protect themselves?
Hopefully something we haven't already, you know, a horse we haven't already beat to death.
Mario Zaki (32:47)
I mean, as far as what they need to do is they need to follow the outline that we've been putting together. You know, you need to have not only security on your firewall and your workstations, but also your emails, you know, at the very minimum 2FA. You know, there's dozens of companies out there that protect your 365 in the event they detect something, like a mailbox forwarding rule is created, it triggers something. You know, they will automatically lock out the account and, you know, stuff like that. Because like what I tell my customers is, even if it is false, you know, somebody created a mailbox rule and it triggered and it locked up their account, I'd rather, we'd rather apologize to them that it got locked out. Okay, you're out without your email for a half hour, an hour, a day, than the worst case scenario where, you know, there was something created, nobody knew about it, they've been in your system for weeks or months and it went undetected because the guidelines were not in place to detect it. You know, so, and this stuff is not expensive. I mean, we're talking a few dollars per mailbox. Yes, it builds up, but so does $40,000 going to a wrong ACH account, you know.
Justin Shelley (34:13)
Right. Yeah. Well, and you mentioned downtime, because I can hear that one in my brain. An executive's off doing, you know, trying to conduct business, his email account gets locked because it's suspicious. It really isn't suspicious. He's just, you know, not behavior that the system's trained on. Maybe he goes to Florida instead of New York, you know, for business one time. And it can be a real cost. And so I want to make this point. Security does come with a very real cost in both dollars and in convenience.
Mario Zaki (34:29)
Mm-hmm.
Justin Shelley (34:42)
Always it's inconvenient and it is expensive. I'm not going to lie, but that, you know, maybe you miss a business deal. Maybe, you know, you can't send something off, can't send off a proposal. You can't close a deal. That's huge. It's better than going broke. It's better than losing your business. So, you know, I, yeah, like you said, you guys earlier said, let's take off the little feather gloves and, like, guys, this is real shit.
And it's annoying and it's expensive, but you better do it or you're going to be out of business.
All right. Guys, I think we're going to wrap up and roll forward to key takeaways. So this is it. This is your last chance to say anything on this topic, and then we're never going to say it again. We're never bringing this back up again. We will never repeat anything about email security as long as this podcast lives. Mario, what are your final thoughts?
Bryan Lachapelle (35:30)
You're right.
Mario Zaki (35:31)
you
Final thoughts is pretty much like everything we said, you have to have the proper guidelines in place. Make sure, you know, once you've put it in place, you test it, you know, have your employees follow it and, you know, go with the trust nobody, you know, because, you know, the people that trust nobody are the ones that end up, you know, being safer than the ones that are trusting everybody.
Justin Shelley (36:10)
Okay, Brian, final thoughts.
Bryan Lachapelle (36:12)
Okay, my final
thought is this. Like all cybersecurity, email security is a shared responsibility, right? Yes, your IT provider will likely have, if you have one, systems and processes in place and tools in place to protect you. However, you also have a responsibility of making sure that you understand what are the likely ways that an intruder will get into your email and/or trick you through phishing and/or somebody else's compromised email, and have written policies, which IT like us as MSPs could recommend, but you have to implement them because we can't, it's your business. Written policies that go, okay, if somebody is changing a payment method, here's the process to follow, right? Which would include a verbal component to verification. If somebody is asking you to do something out of the norm, here's a procedure that you would follow. If you suspect that your email is compromised, here's the procedure you follow. In most cases, just send an email to your IT provider or your boss, whatever the case may be. But just have policies and procedures in place for the what-ifs. It's a shared responsibility. IT can't do it on their own.
Justin Shelley (37:31)
I'll add this as my final thought. I used to quote it. I wish, I've been looking around to see if I have this book sitting here and I don't. It's called Future Crimes, by Marc Goodman, I believe, is the author. And I would send this book to people and I would have a bookmark on page 435, whatever it was, I don't remember what page it was. And I would highlight the line that said something to this effect. I won't quote it word for word 'cause I can't find the book.
Bryan Lachapelle (37:43)
Very good book, good book.
Yeah.
Mario Zaki (37:57)
You
Justin Shelley (37:57)
But I, if you think technology is the problem, then you don't understand the problem. And it would go on to say that we, right here, us people, humans, we are the problem in security. We are where we need to spend most of our time and attention. And, you know, we've talked, we have beat this horse to death, when we talk about policies and procedures and training and rewards and punishments and culture. But I will just say it again, people are the problem. So get a good IT company to handle your technology, that has to be there. But you as the CEO of the organization are solely responsible for how this thing really plays out in your company. You have to build a culture that supports the cybersecurity efforts and that brings your team together to fight this battle, because this battle is very real and we're fighting very real enemies. And these are not, you know, people in their basement in their underwear, hobbyists, right? That are, that's kind of the vision we had for a long time on hackers. This is organized crime, guys. These are state sponsored in a lot of cases. Regardless, the best brains in the business are out there doing this kind of stuff. We have to fight hard and we have to fight strong. So that's my key takeaway, guys. And I think that's going to be it for this week. Never again to revisit the subject of email security and bullshit. We'll be back.
Bryan Lachapelle (39:02)
State sponsored in most cases.
Justin Shelley (39:24)
Anyways, go to unhackmybusiness.com for additional episodes, for resources, for downloads, for all that kind of stuff. All right, guys, let's go ahead and say our goodbyes. Brian, as always, thank you for being here. Mario, same, appreciate you guys every single week. Let's sign off and then we'll wrap. Brian, what do you got?
Bryan Lachapelle (39:44)
If any of you out there are looking for somebody to help you out and be your guide with cybersecurity, we're here to help you get 1% better and welcome you on that journey.
Justin Shelley (39:56)
Don't botch your sayonara. I mean, like, what do people remember? They remember the first thing and the last thing you say. There we go. All right. Don't worry. We'll cut it out. We'll bring one in from a previous episode where you got it right. I'm bullshitting. Mario, what's your side?
Bryan Lachapelle (39:58)
I know, I know.
Yeah, and I just botched it. So call Justin. Don't call me.
Mario Zaki (40:02)
You
Tell your employees to stop being so sensitive, to do their shit. Because they're keeping you up at night and they're the cause, they could be the cause. Now I'm botching this shit up. They're the ones causing you to stay up at night, so if you want us to help you sleep better, give us a call.
Justin Shelley (40:18)
the
Bryan Lachapelle (40:30)
That's it, we're all botching it.
Justin Shelley (40:39)
And I'm going to stammer mine just so you guys feel better about yourselves, guys. I am Justin. Remember, listen in, take action and keep your businesses unhacked. My God, you missed the cue. All right guys, we'll see you next week.
Bryan Lachapelle (40:42)
Okay, thank you.
Mario Zaki (40:47)
Unhacked.
Bryan Lachapelle (40:48)
Unhacked.
Mario Zaki (40:51)
You
Bryan Lachapelle (40:54)
you