82. Your IT Company Is Probably Not Patching Your Systems — Here's How to Catch Them

Justin Shelley (00:00)
Welcome everybody to episode 82 of Unhacked. I am Justin Shelley, CEO of Phoenix IT Advisors. And here at Phoenix IT, we help businesses build their wealth using technology, of course, and then protect that wealth from the Russian hackers, the government fines and penalties and class action lawsuits. And I am here joined as always by my faithful co-hosts. Shit. I'm on my own today, guys. This is, I've been doing podcasts for six years.

This is the first time in my six-year podcasting career I have dared show up alone. I like to rely on other people while they're talking. I can strategize. I can think of what I'm going to say next. I can read my notes. Today I can do none of that because I'm here on my own and I'm not super happy about it, but the show must go on, as they say. So today is the eighth in our series of the cybersecurity basics. Now it's kind of funny as we

dive into these so-called basics and it's going to take us 12 weeks to do it. There's some overlap, but it's a lot. The basics aren't so basic. I've kind of known that, but it gets worse. The more I, the more, what is it they say? The more you know, the more you know you don't know. So anyways, quick recap of what we've talked about so far. We started off just by understanding frameworks, governance,

basically who's responsible for this and, shocker, if you're the business owner, it's you. Doesn't matter who you're writing a check to or who you put a title in front of. It's all going to come down to you. So that's where we started. We got into personal identity access, who has access to what, software passwords, MFA, all that kind of stuff. Then we started going over assets, visibility, inventory, all that. Now, you know, what, what do you have? If you can't see it,

you can't secure it. Endpoint security. Now we're talking about laptops, workstations. These are the primary attack surface, but I mean, this just continues to grow. That problem does. Backups and recovery, we got into that. And honestly, this is almost, it's become, you know, backups used to be it. And now it's just like, have to, it's an afterthought. There's so much we have to do before we

worry about relying on a backup. I don't know. That's, go listen to that episode. We'll dig into it. Email, phishing and human risk. We talked about that last week. We talked about network and perimeter security, and I know this is all garbled. Go listen to the episodes. It's a lot. If you want a shortcut, hire somebody and we're going to teach you how to make sure that they're doing their job. That's really the point of all this today. We're going to talk about the ultimate. You can't do it yourself. Patching and vulnerability management.

And here's the thing, as I'm prepping for this, I'm realizing that what I'm about to tell you as a business owner is that, let me back up a little bit and I'm just going to talk personally. I know that I, I get up every day with enough problems. I never wake up in the morning and just think, gee, I've got nothing to do. Nobody's throwing shit my way. I don't have any grenades being launched at me today. I wonder what I'll do with my time. But the truth is we're going to talk today about

stuff that's being thrown at us that we really don't even know about. And that sucks. Let's talk about some definitions first, guys. This is where I would throw it to a cohost and have them throw something in here. I got nothing. Mario, what do you think? Yeah. Can't do that today. Brian, where are you? I'm pissed at both of them, but actually fun fact, they are supposed, I'm supposed to be with them. That's the real problem. I'm saying I'm mad at them. I think last week, if you were on the show, you know, I broke my leg while on vacation.

That's great fun. If you look behind me, if you're watching the video, you can see my crutches. There's some new European style, something I don't know. I get made fun of for them because they're not traditional crutches, but I kind of like them. And then right here beside me, if you can see my, I'm told I'm supposed to call this my trusty steed. Liana, that's you. Anyways, she went out and got me this little scooter. You know, you stick your knee on it, you can roll around at high speeds and take corners really fast and hope you don't hit anything.

I've only almost wiped out a couple of times. They're great. It's great. Can definitely move faster than I can on the crutches. And also fun fact, if you've never had a broken leg before, crutches hurt and they take a lot of core strength, things I did not know. All right. Anyways, so point is I'm supposed to be in Dallas right now at a trade show, a great big event. And that's where Mario and Brian are. So I will give them a free pass, but

I did decide we're going to go ahead and debut my first solo podcast. So here we are. We're going to open up with definitions, talk about vulnerabilities, patching, zero day, some of the stuff that you'll hear. We're going to get clear on what it means. So a vulnerability in its simplest form is just an exposure that opens us up to the possibility of an attack in the world of cybersecurity. There is no shortage of them. We'll get into that. A patch is kind of, I call it an afterthought. It's a repair job.

It's a, shit, we didn't think about that when we developed this thing and now we got to fix it. 'Cause bad guys are getting in. No bueno. Now another term that gets thrown around a lot: zero day. This is something that if I pop quiz people on, they usually don't get it right. So I'm going to talk about it while Brian and Mario aren't here. And then maybe I'll pop quiz them next time. A zero day vulnerability is something that is currently unknown to a developer

or anybody who is able to mitigate or fix this problem. So the bad guys know about it. The good guys haven't fixed it yet. That's a zero day. Those are bad. We don't like those. So definitions out of the way. Let's just talk about the real problem. I mentioned, you know, as a business owner, you don't get up looking for more issues that you have to deal with.

Let's set the stage for the scope of the problem that is patch management. It's thrown around there and we'll get into the kind of behind the scenes and the world of the MSP. But this is something that we like to think we can just set it and forget it. I'm getting ahead of myself because I really want to dig into our industry. I love and hate my industry at the same time. Okay, so here's the situation. We have a published list

of vulnerabilities. It's called the CVE, Common Vulnerabilities and Exposures. There's a website for it. It basically, the way it works is vendors like Microsoft, Adobe, there's I think 500 partners that participate. When they identify a vulnerability, hopefully they have a fix for it, then they go ahead and publish it so that we, as the consumers, can understand our risk and then apply a patch,

a fix job, a repair job. Now I'd love to be able to have some co-hosts or a guest or somebody to pop quiz. How many of these vulnerabilities do you suppose are identified on, let's call it on an annual basis? Well, in 2025, last year, we had just shy of 50,000 new vulnerabilities identified and published.

50,000, guys. That's almost 130. Oh, it's actually a little bit more than 130 every single day. The total on this list, the CVE list right now is 326,000. And, uh, you know, I wish we were getting a handle on this and it was going down, but no, it's increasing and it's increasing exponentially. It's not just getting bigger by a little bit. It's getting bigger every year by a lot. And part of that

is because now we have AI, everybody loves AI, we like to talk about AI, we like to make AI do things for us. Well, so do the bad guys. And now they can get in there and they can find these exploits, these vulnerabilities way faster than they used to be able to. I've heard some rumors about some stuff. I can't confirm it, so I'm not really going to get into it. But let's just say it's scary what the bad guys are doing with AI. We got to be on our game here. So the point is,

no human, no business owner can realistically track and fix this problem manually. We've got to have the right tools. We've got to have processes in place. And that's what we're going to talk about today. All right. So if you're a GI Joe fan from back when I was a kid, now you know, and knowing is half the battle. We have to know, we have to understand what these vulnerabilities are. And if we're getting 130 plus a day,

we got to know about them. So as a business owner, I'm not saying you have to know about them, but you better have somebody that you can really count on. Um, but that's half of it, is just knowing where these problems are. The other half of course is the patch itself, the repair job. If we've got 130 vulnerabilities per day being identified, that means somebody's got to be fixing 130 vulnerabilities every single day. We need 130 repair jobs daily.

That's a lot. Where do these come from? Well, the companies who develop the software, we hope, we trust that they are identifying these and fixing them and releasing the patches. That's what we call patch management, is where an MSP like myself, we have a list of the problems, we have a list of the fixes, and then we have to make decisions on how to apply them and in what order and how it's verified. We've got to know the problem.

And also like they don't all apply to everything. So you might have one that only, it's only a problem with Microsoft Word, for example, or Adobe Acrobat. So we've got to know where the problems are, what it applies to, how to fix it. And then we have to have some sort of a verification process once that's done. It's a lot. So I've said frequently that security is not a DIY

type of situation. This is a great example of why that is. This isn't just a task. It's not something that you can just do even with the right tooling and MSP with, and I've got great tools to handle this. I cannot just set it up and have it automatically fix itself. We have to constantly go in and review the problems, review the patching and verify that it's done. So,

This is where I think the biggest problem comes into play though. And I'll switch and we'll just assume that I'm, I'm, I'm a business owner still, but I don't run an MSP. I'm not technical and I listened to this great podcast called Unhacked. And so I'm well aware of the fact that this is a huge problem and I want to do something about it because, why? I don't want the Russian hackers to come and steal all my shit. So I go out, I do my best due diligence. I find a good

IT company, MSP, and I hire them to do this for me. Problem solved. I'm paying them good money. Like this is not cheap. Here's where the problem is not solved though. If you're not watching, it's probably not happening. Let me give you the one, one of the, the worst problems that happens in the MSP world. So I'm going to switch back. I'm going to put on my, uh, IT technician hat, right?

systems engineer, whatever you want to call it to make me feel better about myself. I wake up in the morning and I've got four different clients calling me, three texting me, and I've got seven tickets in the system that I need to address immediately. That's just before I get my coffee. You know what I don't have time for is I don't have time to go in and look at patching. So almost all IT companies, when you look behind the scenes,

there is some level of chaos going on. It's the world we live in. And if that chaos isn't very carefully managed, if there are very good processes around it, it just doesn't happen. When we pick up a new client, the first thing we do is we go in and we run our security assessment. And I look at patching. It's one of the first things, but I don't even have to look hard. I'm going to say it's one of the first things I look at. I don't have to look, it like throws itself up in the air at me. The red flags are all over the place because patching isn't happening.

It just isn't. There's a system that I used to study. They called this the reactive spiral of death. As problems, you know, our clients throw more problems at us. We react, we go in and we try to fix it. We throw more people at the problem and then we get a few new customers and it just expands until like our ticketing system. That's where we track all of our...

the issues we're working on, it grows faster than we can manage it. So at best, many, I would say most, but at least a good number of us are just putting out fires all day long. And what we are not doing is the proactive work. I can say it, I've been there. I'm not there today, but I've been there. It's a terrible place to live. And anyways, just a dirty little secret that goes on when, when your IT company isn't responding quickly.

That's why. It's not because they don't care. And it's not because they're even necessarily understaffed. It's because they don't have the right processes to keep the chaos from overwhelming them. All right. So that's problem number one. Now the, even if somebody is paying attention to patching, even if you've got a guy who's either dedicated a hundred percent of the time, or maybe it's just his responsibility. And he knows that he has to do this, you know, two hours out of the day, that's part of your job.

Well, here are some other things that get in the way. You've got reboots. This is like the ultimate evil in the world of patch management. Here's the problem. If I reboot my client's computers and they happen to be working on something important, they're really pissed off. If I don't reboot their computer, the patch isn't properly applied. They get a virus or some other type of attack. Guess what? They're pissed off. There's no great answer to this. So one way or another,

this has to be enforced, has to be monitored, has to be reported on. We've got to know that these computers, the automation is great. We can apply the patches, most of them, with automation, most of the critical ones, I should say. But those often require a reboot. And if we allow the user to approve or say, you know what, not right now, I'm in the middle of, hey, listen, it's happened to me. I'm in the middle of a podcast and a little stupid thing.

My own system pops up and says, Justin, time to reboot your computer. I'm like, can't right now. I'm recording a goddamn podcast. Um, everybody's got their version of that. And so what we actually have to do in most cases is remove that option from people. We have to find out when they are not using their computer, which is usually the middle of the night. Hope to God they didn't shut it off when they went home because now this isn't, it's going to break the whole process. And then assuming it got left on, the patch gets applied properly.

We schedule the reboot immediately and there is no option to not reboot. All right. And we hope nobody's working in the middle of the night because they got up because they remembered they didn't get something in on time. And I mean, it's like, I don't know. This is the number one problem with patching, is reboots. I hate it. Um, I think we've cracked the code. I think we've got a system that seems to be working pretty good for us, but we're constantly dancing around it one way or another. It's a pain. All right. The other problem with patching is sometimes the fix

breaks something else or breaks everything else. Nobody wants to be responsible for that. Let's say I roll out a patch to your server and you come in the next morning and your server doesn't work and you can't get on to your files or you can't run your local software or whatever, right?

So part of this problem is we have to understand what the patches do. Don't forget there's 130 a day of these stupid things. We've got to understand what they do, what they might break. I will right here thank AI for, you know, it does help a lot in, as we make these judgments on what patches we should apply and in what order and in what timing. But this is another problem that can come into play when we're making decisions on patch management.

Another issue that comes up a lot is legacy systems. Any computer, any operating system, any software that runs on that operating system that is no longer supported by the people that developed it. Windows 10 is a great example. Windows 10 cannot be properly patched. Yes, I know there's exceptions to this. Generally speaking, if you're still running Windows 10, you're out of compliance with most of the frameworks if you're following them, HIPAA, CMMC, whatever.

but also you are opening yourself up to all kinds of, all kinds of problems. So the real challenge here, what we've got, challenge number one is it's really hard to buy new computers right now. So old computers are becoming a bigger issue. Thank you, AI. The other problem is sometimes you've got specialty software that people use. They rely on it to run their business and it's not being updated. So they can't, like, for example, it'll only run on

God, I've seen it for Windows 7. That's going back a little bit. Windows XP forever. We would have to run these very contained virtual machines running Windows XP so that it could run their legacy software. You know, we have to be still careful because that opens up all kinds of vulnerabilities. Now it's, you know, not as common anymore, but that was a big problem for a while. In some industries, it's still a huge problem. Manufacturing is a great example of that.

I've got some healthcare clients that are limited by the version of software that they're using. Now we could update it. Sure. It's a very significant financial cost and it would involve a lot of downtime. So we, for a lot of valid reasons, we get systems that are in play, they're in production, but they, there is no way to properly protect and patch those systems. So that's a problem. I'll tell you one of the

I said the biggest problem was reboots. I'll stay there. The second and only a slight second problem, biggest problem is no ownership. And this is what I see over and over in my industry is it's a known problem, but somebody will set up an automation to apply these patches, maybe even to reboot. But then they go back to fighting tickets, fighting fires all day, every day. And nobody is ultimately responsible for this. So this is where you as business owner,

you kind of have to step up and take ownership of this, or at least get very comfortable knowing that your IT company is doing that. Last thing I'll talk about here is blind spots. Like if people think that if they've got Windows up to date, they're good. That's not true. You have browsers, always need to be updated and it'll usually show a little exclamation point up there or something saying, Hey, you need to reboot or close and reopen usually is what Windows or Microsoft Edge will say.

And if you've got, like I do, 1,300 tabs open across four different windows, it's not that simple to just shut your browser down. This is why force restarts, by the way. 'Cause I know I don't want to do it. I don't want to shut everything down. So I leave it open. The update doesn't happen. Like I said, I put tools in place to fix my own resistance.

So you've got browsers, you've got third-party software. Microsoft Office is a great one. I've, I've said several times on this show that what changed my mindset from being an IT repair guy, a computer repair guy to a cybersecurity specialist was I had a client get breached and they got breached because they were running an old outdated version of Microsoft Office that couldn't properly be patched. It took them down. They were down for three weeks. It dang near put them out of business.

It killed the relationship I had with the client. Obviously they're no longer a client. Even though, listen, they should have updated their software and they wouldn't do it. Whatever. It still falls back on me. Anyway, so these are just some of the blind spots. You've got to update more than just Windows. You got to update your firewall software. God, I can't tell you how many times I'll look at a firewall that is sitting there throwing out all kinds of alerts saying that its firmware needs an update. You know, there's attacks going on all the time and nobody's watching that. So.

Not patched. All right. So this is the problem that we're dealing with. Now bringing this back, like I try to do all the time on, on your, on Unhacked, is as a non-technical business owner, what do you do about this? How do you solve it? And it, it really is relatively simple, but it does require some effort on your part, and I'm sure we've all heard the phrase trust but verify. That's where we're going here.

You probably already have an MSP, an IT company who's handling your stuff. I can't tell you how many times I've talked to a business owner and tried to get into this conversation about security. They looked me dead in the eye and they say, it's handled. Like really, how do you know? We've got an IT company. None of them have ever been able to tell me that they've done any further due diligence than cutting the goddamn check. Guys, if you are writing a check and not

verifying what you are paying for, you're probably not getting what you are paying for. So here is just two things I'll tell you to do. Now, you got to meet with whoever's handling your IT. You got to meet with them on a regular basis. Call it once a quarter. All right, if you're really gonna be lazy, sorry, I'll call you lazy, do it once a year, but you better do it. And there's two questions on this topic that I want you to ask them. You bring up patch management. You bring up the fact that you know

that there are 130 plus vulnerabilities identified every day. And you look them in the eye and you say, show me your process for protecting my company. And then you just be quiet.

If, and I bet you they can't, but if they can show you their process, and make them show it to you in writing, because we should all have this stuff documented, if they can do that, then the next question, and this should be a question that you bring up every quarter when you meet with them: show me the reports from my company. Show me the vulnerability reports from my company. Now, you're not looking for 100%.

I will tell you that right now with 130 exploits being discovered and documented every single day, we cannot patch things the second they come out. Also, we don't always want to because sometimes, like I said before, they will introduce additional problems. But if you don't see a high percentage, if you don't see a detail of, you know, these patches were applied and in this order or this timeframe, get some amount of detail so that you know

that they are following their own process and always map it back to the process that they showed you. All right. That's what I will tell you. That's how you handle this so that you don't have to worry about it. You don't have to get up every day wondering about 130 goddamn new problems being thrown your way. You can just worry about this one. Is your MSP doing what they tell you they're doing, what you're paying them to do? All right. So, okay. This is,

trying to see. Now this is where I told you I usually can go over my notes while somebody else is talking. I can't do that today, so I'm going to do a quick look at my notes. I think we've got it all handled. I do. Okay, I've confirmed it. So that is it for this week. A little bit short because I don't have anybody else to fill some time, but I'm just gonna say, you know, my closing arguments, my key takeaway for today is, and we say it a lot, but

Damn it, have that meeting with your IT company. And I say this, you can hear a little frustration in my voice because I hear it all the time within, with my peers and our peer groups where we're meeting with each other. We call these QBRs, quarterly business reviews. There's a dozen other names for it. It doesn't matter. But almost always what I hear my peers complaining about is that you as the business owner will not take the time to meet with us. And guys, we can't care more than you about your business.

All right. If you don't care, if you won't meet with us, if you won't take some initiative, it makes it really hard for us to do what we need to do. Now the flip side, it's not all on you. And not only a small percentage of it is. The flip side is, you start putting some heat on your team, your, your IT team, 90% of the time, you're going to find that you are not getting what you pay for. Trust, but verify. That's it, guys. That's it for this week's episode of Unhacked.

I can't say that I love the idea of doing this by myself. We will be back next week. I will have co-hosts. Maybe I'll do the occasional solo, but no bueno, not my favorite. Really missing Mario and Brian today. Next week, we're going to dig into cloud and software as a service. And I get it. This stuff kind of intermingles. There's some overlap. But this is one that's really important because of how many times we hear this from our clients or from our prospective clients.

Everything's in the cloud. We don't need to worry about it. Nothing could be farther from the truth. So meanwhile, visit unhackmybusiness.com. You'll get today's show notes. You'll get the full recording, the video, the audio, and the free security assessment, free roadmap. You can schedule an assessment. You can download the, the easy stuff if you don't want to talk to anybody. But I highly recommend get somebody to audit the auditors, get outside verification, even if you have the conversation and

please have the conversation with your IT company. Get a second opinion. This stuff is important. Make them not only then prove it to you, but get somebody else to prove what they're saying. I'll do it for free. Call me up, fill out the form on the website, whatever. It doesn't matter where you live. I can do all this remote. I will do this for free. I will give you that second opinion. And I couldn't be happier if I find that you're covered, that you're taken care of. That is truly

What I hope to accomplish is to get businesses properly protected. That said, if you can't, yes. Or if you're not covered, yes, I will offer some recommendations up to and including hiring my firm to help you get this stuff taken care of. That's it guys. Thank you for joining me. Brian and Mario. God damn it. You better be here next week. I'm Justin. Remember listening, take action and keep your business unhacked. See you next week.
