83. Your Business Is in the Cloud — But Is It Actually Secure?

Justin Shelley (00:10)
Welcome everybody to episode 83 of Unhacked. Mario, it's good to have you back, brother. You guys left me hanging last week. You left me hanging. I've never done a podcast by myself in my life. I mean, I survived it. I'm here, but good Lord, not a good time. I won't be doing that on purpose anytime soon. So yeah, thanks. Thanks for being back. Yeah.

Mario Zaki (00:17)
Yeah, thank you. Thank you. Good, good to be back. My little hiatus.

Well, Justin, this is your world. We're just living in it. We're trying to participate wherever we can.

Justin Shelley (00:43)
And I appreciate it. If I ever doubted your value before, I no longer do. I didn't, but you know. So here it is, okay, listen, bring her on next week. We'll have a little heart to heart, Mario. I've got a, we'll call it the state of the podcast address. I'm a sucker for metrics and I'm always looking at, you know, we post social media clips. Liana, God bless her, she sits over there and she just watches these things.

Mario Zaki (00:46)
You

Make sure you tell my wife that, by the way.

Yeah

Justin Shelley (01:13)
As they rack up, and we'll get, you know, in the thousands on occasion. You know, we're not Joe Rogan by any means, but you know, we're getting some traction yet. Exactly. So she watches the YouTube shorts. You know, that's probably our most viewed type of media for the podcast. I really focus on where we host the actual audio. That's the people that are subscribed, that are downloading.

Mario Zaki (01:22)
Yeah, yeah.

Justin Shelley (01:42)
And it's been fun kind of watching that go, you know, gradually increase. Well, Mario, for the month of April and we are this as of April 15th, halfway dead, halfway through the month, we beat our all time record of downloads for any previous full month. So I'm not saying a month today. I'm not comparing half of March to half of April. I'm comparing all of March, all of February, all of January to half of April. We've already beat that.

So I'm pretty excited. Now we'll see if we can keep that going. Then by the end of this month, we should have doubled our previous record. I'll take that all day long. So I'm happy. I'm excited. Podcast over. Good night. I'm going to go get a beer. If only.

Mario Zaki (02:12)
Thanks.

Now was

it because you did last week by yourself? Is it me and Brian kind of holding you down?

Justin Shelley (02:29)
I'm sure. Listen,

I didn't want to say anything, but yeah. No, I mean, I wish I could take that kind of credit. No, these numbers were in. I mean, most of it happened before I even published the solo episode. Actually, we'll see. It might fuck the rest of the month. TBD, we'll see who really draws the attention here. So quick intro. I'm Justin Shelley, CEO of Phoenix IT Advisors.

And you know, with my company, I really love, I'm passionate about business. I really am. I'm trying to get more involved in the community, the chamber of commerce, stuff like that. Because what I really like to do is help people use technology to build their wealth, to build their business and to grow it. Along with that, once you have an asset, you've got a target on your back. So we like to help people protect it. The Russian hackers, the government fines and penalties. And of course the attorneys who are going to come and sue you if you don't do everything just right and you get breached. So.

That's what we do: we protect against that. Brian is not here today, Mario. Actually, he just said something in the chat. So I'm going to turn it over to you, give your introduction while I go see what Brian wants. Maybe we'll have a late join. I don't know, but Mario, meanwhile, tell everybody who you are, what you do and who you do it for.

Mario Zaki (03:47)
Yeah, Mario Zaki, CEO of Mastek IT, also known as Justin's Minion, I guess. Been in business for 22 years now, located in New York, New Jersey area. And we specialize in helping business owners feel better and sleep better knowing that their business is secure and that they'll wake up in the morning and everything will still be.

Justin Shelley (03:52)
Yeah

I mean, that's the hope. That's the hope. I think that's what I say every time when you do that. It's like, God, fingers crossed, you know, whatever. Yeah, now, Mario, have you ever woken up to a disaster, specifically in security? Like, even if you spread it out, you know, broaden the question a little bit. Have you ever had that where you wake up and shit has actually hit the fan?

Mario Zaki (04:16)
Yeah.

Knock on wood, nothing comes to mind, to be honest with you. But I tend to be a deep sleeper, maybe.

Justin Shelley (04:45)
Yeah.

Okay.

Yeah, I mean, I've already said it, so I'm kind of repeating myself here, but I woke up to that fire alarm. I don't know if you remember me telling that story. I've probably told it more than once, or maybe that was last week when you guys ditched me, I don't know. But I woke up to a fire alarm going off in my house, where there's only one exit down the stairs. We all have bedrooms upstairs. We couldn't get out and it scared the shit out of me. I've never had anything like that in technology, but it is the fear.

You know.

Mario Zaki (05:24)
Was there anything happening?

Justin Shelley (05:26)
It was a false alarm.

Mario Zaki (05:28)
You want to hear something crazy that actually has happened? I guess this disqualifies that. This has happened to me twice in my house, and both times it was the night before we woke up to go on vacation. So it was very weird. The alarm would go off at like two, three in the morning and I'm looking around like, what's going on? Nothing. Nothing, it was a false alarm. The alarms in the house just went off for no reason, and it happened twice, and it was both right before we woke up.

Justin Shelley (05:35)
Yeah?

Mario Zaki (05:57)
Go on, Rikki.

Justin Shelley (05:59)
Jesus. That is crazy. Well, yeah, I was trying to answer his question. I'm trying to copy a... Brian, thanks for showing up late. God damn it. Anyways, do your introduction while I try to pull up the link. I tried to send it to you in the chat and I pasted some other nonsense that I copied before when I was building the outline. I don't know what's going on. It's a bad technology day. Brian, say hi.

Mario Zaki (06:00)
It was weird.

Look at this guy.

Bryan Lachapelle (06:12)
you

you

Hi, everybody. My name is Bryan Lachapelle with B4 Networks and I help business owners. No, wait, that's a different one. Yeah, no, I'm based out of beautiful Ontario, Canada. It's one of those days. It's one of those days. Let's just carry on.

Justin Shelley (06:36)
We're a mess today.

Mario Zaki (06:36)
He's rusty. He's rusty.

Justin Shelley (06:42)
No, you gotta do it. You gotta share your intro.

Bryan Lachapelle (06:45)
I don't even know what I'm doing today.

Justin Shelley (06:49)
Oh, Mario, Mario got the link in there. I'm going to put it in as well. Sometimes the shared links from shared links don't work. I don't know, Brian, I'll do your introduction for you then. Beautiful Ontario, Canada. Uh, it's a journey. It's not a destination. 1 % better every day. Listen. Oh, fuck. Oh yeah. You liked.

Mario Zaki (06:52)
Yeah, I got you.

Bryan Lachapelle (06:53)
We're good.

Sure.

That's the conclusion. Yeah, but I have so much

Mario Zaki (07:09)
and that I have all my hair.

Bryan Lachapelle (07:12)
hair, I cut some of it off because it was just like, just too much.

Justin Shelley (07:17)
Show off.

Listen.

Mario Zaki (07:19)
Do you want to

share the good news with him or do you think he's...

Justin Shelley (07:22)
Yeah, I

will, but I'm going to come back to that. So you're bragging about hair and trying to make me feel bad because I'm bald. Um, these days I get so genuinely pissed off when I see people walk. Isn't that the dumbest thing? So, I mean, and this is the third week, I think now, that I've been podcasting with a broken ankle. I get it wrong; I say leg, foot, ankle. It's a fibula fracture. All right, whatever. So I can't walk.

Bryan Lachapelle (07:44)
Mmm.

Justin Shelley (07:49)
I can't put any weight on it and just as it was healing, I thought things were going to get better. I thought the doc was going to clear me to do a little bit of walking. Nope. Got to go in for surgery. So I'm fucked again for longer. Pardon my French. I'm not happy about this. And I legitimately get mad when I see people just jump up and walk around and like, you show off. I don't know. Fuck you, Brian.

Bryan Lachapelle (08:07)
I went for a run the other day, a couple of actually every day I do 5k so you know there's that.

Mario Zaki (08:12)
You

push the wow wow wow button.

Justin Shelley (08:14)
I know. I don't know if I... Bastard. Yeah, so you missed it. So our audience, sorry about you. You're going to have to listen to this twice. Brian, we hit on, as of April 15th, dead center halfway through the month, we beat our record on downloads for any previous full month. Right? So we are double currently, as we sit, on downloads of our previous record.

Bryan Lachapelle (08:19)
I love it. I love it.

Justin Shelley (08:44)
So, I mean, I don't want to brag, but go us. Apparently, listen, that was 1.5 to three, 3.7. Um, yeah, we're like,

Bryan Lachapelle (08:47)
So we went from one listener to two, is that what you're saying?

Mario Zaki (08:57)
Which is weird, because there were three of us. At least we, us three, should be on there. If we weren't from one to...

Bryan Lachapelle (09:01)
My mom and my dad downloaded it this month.

Mario Zaki (09:06)
I installed it on my wife's phone without her looking.

Justin Shelley (09:09)
There you go. There you go. That's why we bumped up the numbers. And

Bryan Lachapelle (09:11)
Alright.

Justin Shelley (09:12)
it is fun. I only share percentages. I don't like the actual numbers themselves because we're not yet, and I don't know if I'm going to get sued for keep using his name, but we're not Joe Rogan yet. You know, like that's the goal. The Joe Rogan of cybersecurity and small businesses. I don't know, guys, we should probably say something important or we're going to lose the audience we've built. So now that we have completely overstayed our welcome on the introductions.

Mario Zaki (09:31)
you

Justin Shelley (09:36)
Brian shows up late, unprepared. I send him the wrong information trying to give him the link. We're going to jump into this week's episode of Unhacked. And guys, we are ninth, I believe, in our series. We've got this little mini series of 12 episodes going on of the Cybersecurity Basics. And it's funny because I have a hard time now saying basics when we're talking about cybersecurity after we've really dove into this over two months now.

Guys, it's not basic. This is hard shit. It's a lot. There's a lot going on. So we have covered, I'm not going to read the list because it's getting too long. And if you've been listening along, you don't want to hear it. If you haven't, go back and listen. Today's topic is cloud and SaaS security. I hate that acronym, software as a service, SaaS. I think that's how you're supposed to say it. I don't know. But what's the difference between cloud and SaaS, anybody?

Bryan Lachapelle (10:23)
Mm-hmm.

Well, SaaS is on the cloud.

It's just the cloud is a lot of stuff. Yeah, it's just software as a service.

Justin Shelley (10:38)
Yeah. Software in the cloud.

Cloud is software that runs anywhere but your own network, whatever. So anyways, I'm talking with a client the other day and they want to decommission their server. They have an on-prem server. These guys have been a client of mine for, God, 15 years or more. So when the network was set up, servers were absolutely mandatory; these days, maybe not so much. It's a small company. They want to decommission it and they want to move everything to the cloud, and it's fine.

But I just said, you know, what is your overall goal for this? Why do you want to get rid of your server? And before I even answer that, pop quiz, guys: how hard is it to decommission a server and move a network to the cloud for everything? Print sharing, Active Directory. You've got DNS and DHCP running on the server.

Bryan Lachapelle (11:34)
You're

probably looking at about 40 hours or more.

Justin Shelley (11:38)
Yeah. You're rebuilding the network from the ground up, right? You rebuild everything and then you have to migrate their profiles, because you can't just log into a different service and have, you know, Windows keep your profile the way it is. They rebuild it. Thanks, Microsoft. So I'm like, you know, and they're in a money, you know, none of us want to spend money, but they're, you know, trying to cut costs and whatever. So I ask them, you know, what's the overall goal for getting rid of the server?

Mario Zaki (11:39)
It's a pain in the ass. Yeah. Yeah. Yeah.

Bryan Lachapelle (11:52)
You

Justin Shelley (12:08)
And their answer was, and I quote, we just want to simplify things. I did not laugh, but I did say, you know, it's a common misconception. The cloud doesn't necessarily simplify anything. It takes it and it puts it out into the wild, wild west, where we don't really even have control over stuff anymore today.

Mario Zaki (12:27)
or save you money.

Justin Shelley (12:29)
does not save money. I know. And I tried to explain that too. I'm like, yeah,

I know I've got to charge you to maintain your server here. When we move everything to the cloud, I've got to charge you to maintain it there. And it's, you know, we've still got to have data backup. We still got to manage Active Directory. It's just called something else. Um, and it's more complicated. It's, uh, whatever. Okay. So yeah, we're not saving money. We're not simplifying, but still there is an advantage and we're still probably going to go through with this at some point. Um, so there we go, guys.

Moving to the cloud is not the same as we're secure or we've simplified.

Breath. Let's dive in. Let's dive in. Why does any of this matter? And I'm just going to kind of punt to you, Mario, first. I want you to just spitball, just kind of talk about this a little bit. Brian, you talk about it a little bit, and then we're going to start hitting it with some more direct questions. But just talk about, and again, we've already done a lot of this, right? This is not the first time we've introduced a topic, but is there anything new?

Bryan Lachapelle (13:04)
Let's do it.

Justin Shelley (13:31)
that we need to talk about today. Mario, how do you have this conversation with your clients?

Mario Zaki (13:37)
Well, it's very similar to the way you started it. You know, what is the end goal for it? You know, moving things to the cloud is really to achieve the ability for people to either work from home, if you don't want to rely on your physical server, if it goes down, you know, maybe waiting a couple of days to get a part, your internet in your office, you know, your...

Power in your office, if you lose power a lot. If you want to be able to have, like, a 99.9% uptime, then the cloud is what makes sense. But like we said before, it's not easy to just do that. And it's not necessarily cheaper, because you're literally taking what you have here and then you're moving it to the cloud and then paying a monthly, on top of the managed services, a monthly hosting cost as well.

For, you know, if it's on AWS, on Azure, on whatever, you know, server, you have to pay that as well. So it's not a cost-effective type of situation, and it's more of a convenience and, you know, a more uptime type of situation.

Justin Shelley (14:54)
And real quick, before I pass the mic to you, Brian, I want to just push back a little bit on that uptime guarantee. I know that was kind of the initial hope and dream, but damn, lately it seems like we're having cloud outages all the time. Starlink went down. This was, I mean, it's been a while. It wasn't super recent, but that was a global outage with Starlink. Everybody on Starlink was out. I've got clients on

I won't say their name because again, I'm trying not to get sued, but it's a company that starts with the letter F and they broke off of a company starting with the letter V and now they've like re-merged or something. I don't know. The worst support I've ever had in my life of any ISP, they went down three times in the last couple of weeks. So, I mean, it's like uptime used to be the hope and the promise, but I don't know anymore. Brian, what are your thoughts here?

Bryan Lachapelle (15:46)
Yeah, I mean, really at the end of the day, the initial move for moving things to the cloud was really just to get rid of the, from the hardware layer, like having to manage and maintain your own hardware. At the end of the day, all of your data, all of your systems, all of your applications are just running somewhere else. Some of the initial benefits that we had initially thought, I won't say thought, some of the benefits have materialized, but essentially,

Justin Shelley (15:58)
Yeah.

Bryan Lachapelle (16:13)
accessing your data from anywhere on any device, that has become a relatively true statement. You don't necessarily have to VPN anywhere anymore. You could pretty much be connected to most of your data and applications anywhere, QuickBooks Online, any of those SaaS applications. You no longer have to truly worry about maintaining your own physical server, taking everything down. That responsibility has shifted to the cloud provider.

Costs shift from big hardware purchases that are one time every three years, four years, maybe, to a predictable-ish monthly fee. So like we're no longer having to worry about all these big outlays all at once and then nothing ongoing, or little to nothing ongoing other than maintenance. Which leads me to the other point, a lot of businesses didn't maintain their equipment and their software and their updates and patches anyway, which...

is nice with cloud, because it's all automatic behind the scenes. Other people are maintaining it. Other people are updating it. Other people are keeping it relatively stable for you. You can scale up or down. You can add services to cloud, versus if you were on a server and you grew relatively quick, you may have to buy a whole new server again.

Justin Shelley (17:28)

Quick, quick interjection, fine print, C footnote, A slash B one 2.4 contract terms. I was just in conversations with a cloud vendor yesterday talking about these goddamn contracts, that you can't get their service without the bill or without a contract. And if I try to scale down, nope, no can do, Kemosabe.

Bryan Lachapelle (17:35)
Right.

Right.

Right,

so that's more of a contractual thing, versus like, you know, if you have bought a physical hardware server and it was good for 20 users and you grew to 60, you may have to buy all new hardware. Like the old hardware would be no good anymore to support that growth. And then if you scale down, you're still stuck with that old hardware that's now way more than what you need. If you're not under contract, you can scale down. And the last was, you know, security patches and updates happen automatically. You don't have to do it yourself.

Justin Shelley (18:00)
True enough, yeah, yeah, yeah.

True. Yeah. Yeah.

Bryan Lachapelle (18:20)
in most cases. So those are the five

points off the top of my head that I believe were the original benefits of moving to cloud. And they have, for the most part, materialized.

Justin Shelley (18:31)
True. Yeah. I like, you know, where the advantage is, you're right. We don't have to purchase and maintain hardware. And to some extent, we don't have to handle the overall security of a platform. We do rely on them. That comes with pros and cons, because we really are just left trusting somebody that we don't know if we can trust. But we still have to make sure the thing is set up and configured properly and used properly. And that is where the danger comes from my

Bryan Lachapelle (18:51)
This is true.

Justin Shelley (19:01)
perspective. It's like, yeah, we can set something up. It's locked down. Microsoft's a great example. I mean, good Lord, what it takes to secure Microsoft 365. That's no small task, you know, and then to make sure that it stays secure. I've got a client that wants to move to a secure file sharing platform and they sent me the link and they're like, hey, is this secure? I'm like, I don't know. I know they say they are.

Bryan Lachapelle (19:14)
Yeah. Agreed.

you

Justin Shelley (19:29)
You know, and I can look at their website and they're claiming SOC 2 compliant. Great. But they won't give you the report until you've already signed a contract with them. Like, okay. How am I supposed to vet this contract or this, this vendor?

Bryan Lachapelle (19:37)
Yeah, that

reminds me too, because there is a fairly significant drawback to a lot of these cloud services. It is what it is. When you buy a server or buy a piece of software and you install it, you can choose when you upgrade to the next version. With software as a service and with cloud services, you get what you get. If they update it halfway through, you're stuck on that. They don't typically give you versions. It's just whatever is there is what you get.

So if they make a change to your cloud application, that application changes immediately. And now if there's a bug or a flaw, you can't delay the update until the next time. So you do lose the ability to choose when you update, which isn't a bad thing, because a lot of businesses just weren't doing it at all. But that is a drawback.

Mario Zaki (20:27)
Yeah, and you don't know necessarily, and it could break, and you know, one day you come in and it's like, why can't I access this? And all of a sudden you're sitting there calling them, and then they'll say, yeah, it's a known issue, we're working on it. You know, it's annoying when we have to say that to somebody, but it's also very annoying when we have to hear that from some

Bryan Lachapelle (20:34)
Right.

Yeah.

Justin Shelley (20:50)
Yeah. So Brian, excuse me. I thought I was going to say last week, but no, you abandoned me last week. And listen, I'm joking. I know you were where I was supposed to be, but I busted my foot so I couldn't go. I technically abandoned you anyways. Maybe it was two weeks ago. You talked about, I asked you, you know, when you bring on a user and then you have to give them access to all, you know, various platforms.

Bryan Lachapelle (21:04)
Yeah.

Justin Shelley (21:19)
How do you pull that back? And you mentioned that most of your users are on a single sign-on, right? Which is a very convenient way of restricting or pulling that access back. Let's talk a little bit now about the importance of locking that account down, because, you give me, and I work for you, you give me a, you know, Microsoft account, and then that becomes my single sign-on for everything else. And then I don't have my Microsoft locked down well enough.

Bryan Lachapelle (21:23)
Mm-hmm. Right.

Justin Shelley (21:48)
and somebody gets in and pulls that access. They have my full access to Microsoft. Now they have access to everything that I've got, right? So let's talk about that risk a little bit. How do you mitigate that?

Bryan Lachapelle (22:02)
For me, the biggest way to mitigate that risk is two factor authentication and having some sort of identity monitoring. In our case, we're using a product called Huntress that monitors Office 365 for suspicious behavior, suspicious logins, logins from areas and locations you're not usually signing into, multiple logins from different locations. So that would be the ultimate way to secure those two things is just having those two things in place.

Justin Shelley (22:07)
Yeah.

Okay, Mario, what are your thoughts on that? Single sign-on, yes or no?

Mario Zaki (22:32)
Sorry, you said single sign-on? Yeah, yeah, I like it. It gives you one place, one truth, what is it called? Truth of source, or whatever source, where you can disable it. We're actually working on our own SaaS platform now, and I've implemented a single sign-on for everybody. So that way, you don't have to go in there to multiple places and turn it on, or turn it off if somebody leaves and stuff, and maybe forget somebody on a certain platform to disable.

Bryan Lachapelle (23:05)
Yeah, it removes the need for users to have to use two factor authentication on dozens and dozens of different applications, which causes friction, which means that they won't want to implement two factor authentication because they've got a pile of places where they have to use it. Now we still have to have it in multiple places. Unfortunately, not everybody has single sign-on. But it's beautiful for those who do have it, because like Mario was saying, we have one place to manage it, one place to secure. We're not trying to secure 20 different websites. We're just using one

Justin Shelley (23:12)
Right, yeah.

Bryan Lachapelle (23:35)
login and password that we have to maintain and manage.

Justin Shelley (23:39)
Yeah, I think that it's one of those things that if you're going to use it, you have to up your game with securing that primary account. And unfortunately, that's not, I mean, I don't know about the circle you guys run in, but when I go out and do an audit or an assessment of a new prospective client, I don't run into that. I don't run into people using the likes of Huntress and, you know, the dozen other vendors out there that are used to really lock down Microsoft. So this can be, you know, back.

Back in the day, here we go. You know, six months ago, and technology was a whole different world. Password managers were the thing, and they still are to an extent, but that was the debate, right? If you have a password manager, that's great. Unless they compromise your password manager itself. Now they have access to everything. So you've got to be super careful with, you know, some great big, long 150,000 character password on your password manager and then hope to God that your password manager itself doesn't get breached. LastPass.

Yeah, come at me, guys. Those guys pissed me off. I was a partner of theirs. I probably should shut up.

Bryan Lachapelle (24:39)
you

Mario Zaki (24:40)
You're trying to get sued today, huh?

I mean, it's public knowledge, they, you know, you

Justin Shelley (24:53)
I know it wasn't just once. It'd be like, you know, it happens once, I get it, get in there and fix that shit right now. They didn't, um, at least according to the news. So I bailed. Um, anyways, so yeah, it's, God, it's like we fixed one problem and created five more. Now it feels, maybe it's just me. Maybe I'm just having a bad day because my foot's broke. I don't know if I've mentioned that, guys. Did you know I have a broken foot? Um, okay. I've said that a time or two.

Bryan Lachapelle (25:18)
Yeah, I think so.

Mario Zaki (25:21)
The one, another thing is, when you're using an online cloud system, not every one of them can give you the ability to create your own backup. Like QuickBooks lets you do your own backup. You know, Microsoft lets you, you know, forces you to do your own backup. Some of these platforms, you have to depend on their own backup and you can't easily just go back and say, I deleted something, can you restore it? They'll tell you, no, we would have to restore your whole

Bryan Lachapelle (25:41)
Mm-hmm.

Mario Zaki (25:50)
you know, environment. It's not doable, or whatever. You know, so when you have it in house, you can easily control, you know, backups, restore, you know, a certain file if you need to. So you're at the mercy and trust that they're doing their backups correctly and so on.

Bryan Lachapelle (25:53)
Right.

Justin Shelley (26:10)
Yeah. Well, let's talk about some more risks associated with this. All the online slash cloud slash SaaS services. Admins. Let's talk about admins. This is another one that I find a lot when I go in and manage a new client, is the owner who likes to be in charge is

full administrative access on his primary account that he uses for whatever, Microsoft included, that's the worst one. Do you guys ever find that?

Mario Zaki (26:46)
yeah, every time.

Bryan Lachapelle (26:47)
Yeah, I've got certain clients in the past that have tried to insist on having global admin access, which I'm not against them having that, but not on their primary account. Right. Yeah.

Justin Shelley (27:02)
Right. I'll give it to them, but it's a separate account. Just like for

me, I don't have admin anything on the accounts I use every day. None of those have administrative rights to anything.

Mario Zaki (27:05)
Yes.

Bryan Lachapelle (27:11)
No, it's the same with my own global Office 365 administrative account. My login is a separate login. It's actually under a separate domain name altogether. So somebody would have to know what domain I'm using to log in. Like the login isn't at b4networks.ca at all. Now I'm just like giving up some of my secret sauce. Yeah, including all my staff who have global admin access, it's the same thing. Nobody has it on their primary account.

Mario Zaki (27:17)
soon.

Justin Shelley (27:39)
I mean, there's a lot of these, I want to reiterate on one hand because you learn by repetition, but I also don't want to bore people because we have kind of been beating this dead horse. But a point that I do feel needs to be brought up that I find all the time is former employees who still have access, accounts that don't get disabled when people leave. That's another huge risk that I see frequently.

Bryan Lachapelle (28:03)
Mm-hmm.

Justin Shelley (28:05)
And sharing. Okay. So here's a great one. We move everything to the cloud so that everybody can get to it, but we lock it down and then we give users the right to create a link to share a document. And they do that. And then they forget that they've shared it. How do you audit that?

Bryan Lachapelle (28:22)
Like, shared links in Office 365?

Mario Zaki (28:23)
Wait, what are you?

Justin Shelley (28:25)
I just created a link and gave it to you, Brian, for this episode of Unhacked, our show notes. I created a link and I sent it to you. Now, I will admit, because this isn't super secure, we're already reading the whole damn thing, so it doesn't matter. But that link is not time restricted, it's not password restricted. Anybody with the link can get on and fully edit the document.

Bryan Lachapelle (28:45)
So my standard practice and the practice that I teach our clients and my staff is always put an expiry date. Doesn't matter if it's six months down the road, doesn't matter if it's a year down, just put an expiry date so that things just automatically fall off. And if somebody still needs it, you can always reshare it. They'll scream, they'll yell, they'll be like, hey, what happened to that file I had access to? And then you have an opportunity to audit it and say, well, do they still need access to that file? So I just blanket across the board.

Justin Shelley (28:52)
Mm-hmm.

Bryan Lachapelle (29:12)
always put an expiry date and I believe in Office 365 you could force that. You can force that an expiry date is put in as a global setting. I haven't done it but.

Justin Shelley (29:21)
I think,

I think with the right version of M365, I don't think with the base coin you can't, I'm about to find out cause I'm setting up a file share portal for a client in SharePoint. So we'll, I'll report back in.

Bryan Lachapelle (29:31)
Fair enough.

Mario Zaki (29:36)
We're actually in the process of switching our security tools for 365, which is, Microsoft pretty much requires you to use another company to secure their shit. The new one that we're using actually gives you, like, they have a tab that shows you all the links, you know, for that tenant that were shared and when they expire, if they're anonymous or not.

Justin Shelley (29:45)
Yeah.

Bryan Lachapelle (29:46)
Yeah.

Mario Zaki (30:01)
It easily pulls that information. So it's good that you can get it right front and center on a dashboard.

Justin Shelley (30:09)
Yeah, for sure. All right. Well, hopefully we've overwhelmed and scared people enough. Let's start talking about, you know, what a good setup looks like. All right. So let's just kind of rapid fire this. And again, I know it's repeat, but we learn by repetition. So Mario, then Bryan, your top one recommendation for how to protect against this sprawl of our data lives everywhere. Anybody can have access to it.

We may or may not know who has access to it at any given time. I've got one thing I need to do as a business owner. Where do I start? Anybody want to take that one?

Mario Zaki (30:46)
I mean, depending on what the software is, if it has the ability for you to only allow connections from a certain IP address, I think that's one of the most important settings to enable. Because if you can set it where only people in your main office can access it, or, you know, I know Bryan said you don't need VPN anymore, but if you use VPN to just access the system,

It'd be great because even though now it's on the cloud, it's not open to the whole world. It's only open to a certain IP address.

Bryan Lachapelle (31:25)
So I would go one step further personally, and it depends if you're in a high security business that requires this, but you can also lock down Office 365 logins to devices that are on Office 365, meaning that it's already been authenticated, it's already been approved. That device is the only, or those devices, like any devices that are approved on Azure for the lack of a better word, or Entra, are the only applications or the only places you could log in.

Justin Shelley (31:26)
Okay.

Bryan Lachapelle (31:56)
to all the cloud services accessing OneDrive, all that stuff, right? That could be something that you do as well. But more importantly is knowing who has access to what, especially when it comes to, because not everything's gonna be tied to Office 365. So we've got applications in cloud and SaaS products that we provide, like the businesses consume, right? Dropbox and things like that, for example, that

because they're not strictly officer, you have to track who has what. So having a list of all the applications that you've configured and set up for all of your employees, that way when they leave, you can go through and disable everything, or at least have a list of every product and service your company uses so you can audit them when somebody leaves to see if that person has been given access to that particular application. Secondly would be, first of all, to know what applications you're,

or you're using, but more importantly, sorry, I should backtrack there. It's making sure people aren't using SaaS products, for example, Dropbox, unless the company has approved it. And if you aren't going to use those products, lock them down, meaning, like, you know, set it up so that they can't register for those products under your domain. So you sign up for it primarily as a business owner, you can go to Dropbox, for example, sign up for a corporate account, not actually have any licenses,

but now that locks down every email address at your domain from ever being able to subscribe to that service. So it's preventing people from going and signing up as a shadow service, right? Where they're consuming that software and you don't even know.

Justin Shelley (33:39)
Yeah. Also, I mean, let's just keep going with that one. Have a process, or make sure your IT company has a process, for identifying shadow devices and software. 'Cause there's no perfect system, but there are plenty of things that we can do to be proactive on that. It's really hard. This is something that's super hard to manage, but at least have some process so you're doing something around that. Mario, do you have a thought?

Mario Zaki (34:04)
I had a client that had an employee who signed up with a personal Gmail account. It was like the company name at gmail.com, or company name, his name at gmail.com. And he created all these sheets and documents and stuff like that while using this Gmail account. And then he quit. And then

they came up to us and said, hey, we need to get access to this account. I'm like, we don't know anything about this account, you know, and it's not going to happen. This is technically his business. I'm sorry, his personal account. We can't just get it. And they're like, what do you mean we can't get it? I'm like, you can't get it. This is like you trying to hack into somebody else's email address. You can't get it. It's gone. It's his account. You should have never allowed this.

Bryan Lachapelle (34:36)
Can't do it.

Mm-hmm.

The only way to do it is through the courts. Yep.

Justin Shelley (35:01)
Legally, yeah, you'd have to go through the legal system because it is there. And for me, if you create or develop, and this is especially true in software development, if you write code, if you build something while in the employment of somebody, they own it regardless of where you stored it. But getting that access, whole different story.

Mario Zaki (35:02)
Yeah. Yeah.

Bryan Lachapelle (35:20)
Mm-hmm.

Mario Zaki (35:21)
Yeah. And I think it was like, you know, they didn't leave on the greatest terms. And I told them, like, maybe you can go to court and do that, but it's going to cost some money and it's going to take a very long time. Yeah. I'm like, consider it gone. If it was a business account, and you can do the same thing with your 365, we could have easily gotten you access before the end of this conversation, but.

Justin Shelley (35:26)
Yeah.

Hmm.

yeah.

Bryan Lachapelle (35:36)
Still not guaranteed to have it because maybe they deleted it in the meantime.

Justin Shelley (35:39)
Yeah, yeah.

Right.

Mario Zaki (35:52)
You know?

Bryan Lachapelle (35:53)
The key thing here is provide your team with the tools and resources that they need and they want. Because if you don't provide it, they will find it on their own, and then now you don't want to have control over it. So if they want access to AI, find a way of getting them access to AI, even if it's not something that you necessarily want. Obviously, have the policies, the procedures surrounding it, but you sign up for the accounts and you provide them to them.

Justin Shelley (35:54)
I fit.

Bryan Lachapelle (36:16)
Same thing with a Dropbox or OneDrive or those things. You provide them whatever they need so that they're not tempted to go set up their own on the side.

Justin Shelley (36:26)
And also we're going to deep dive into this in a couple of weeks, but you've got to have the right policies in place, and then you have to train on those. You can't just build a policy and stick it on a shelf. You've got to train around these things so that they understand what the expectation is. So, A, yes, give them all the tools they need, and then, B, educate the hell out of them, so they know it is not okay to go out and get their own tools.

'Cause not everybody knows that. You know, you've got malicious employees. That's a different subject. I'm not talking about that. But not everybody understands that they can't go out and, you know, use this, what we call shadow IT, to do their job. 'Cause they're really just trying to get their job done. So you've got to have a good education process. All right, guys. I think we're going to start wrapping this thing up. Like I said, I know that there's some repeat here, but

Bryan Lachapelle (37:07)
Thank

Justin Shelley (37:22)
I think there's value in it because we can't emphasize this stuff enough. This is a whole new world. Technology has changed completely in the last, I don't know, five years, 10 years. It is a whole new world. And if you're still running on the system that you set up when you started your business 10 or 20 years ago, you gotta be aware of what's going on today. And we aren't even talking about AI yet. My God. We're just talking about the basics. All right, so let's move to key takeaways.

Mario first, Bryan, take us home. Well, I guess I'll take us home, but let's do our key takeaways. We're going to say goodbye, and then we're going to sign off for the week and hopefully do some research and come back with an amazing episode next week. Mario, take it away.

Bryan Lachapelle (38:04)
Ha ha.

Mario Zaki (38:07)
Yeah, I mean, not every cloud is equal. You know, the cloud is a very vague term. You know, you have your...

Justin Shelley (38:13)
You've got cumulus. I don't know if I blanked. Sorry, go on.

Mario Zaki (38:18)
You can have your own server, like you have in your office, on the cloud, which needs to be managed and maintained just the same way. Or you could be using somebody's SaaS software, like QuickBooks Online and stuff like that. So there's several different things, and they're not all equal, but they all do still need to be secure. Being on the cloud does not mean

you can relax on the security. If anything, you need to ramp up the security a little more and make sure everything's in place, because now it's publicly accessible.

Justin Shelley (39:00)
Yeah. All right, Bryan, what do you got?

Bryan Lachapelle (39:02)
All right, what I have is a couple of things. One, if you're going to go with a cloud application or cloud services, know what you need and work with somebody who can help you set it up properly, to make sure it's A, secure, B, backed up, because even though the company does their own backups, you are typically responsible for the data as well, so co-responsible, or shared responsibility.

And lastly, try as much as possible to put in single sign-on if you can, as long as your primary account is very secure. And that way, you're mitigating how many logins and passwords people have to use.

Justin Shelley (39:45)
Gotta lock that stuff down. I'm gonna wrap up and I have said this before. I'll probably continue to say this, but you gotta know where your stuff is. You gotta know where your data lives. You've got to know what programs you're using. You've got to know who has access to what. And I don't care if you write this on a piece of paper. I mean, that's not ideal, but have a system for keeping track of every time you get any service that's authorized, every time you give anybody access to that service so that you can undo it if and when they leave.

And at least so that you're aware of what's going on, because if you don't know that you have it, you cannot protect it. That is my takeaway. And guys, that is it for this week's episode of Unhacked. Bryan and Mario, thank you, for the love of God. I'm so glad you're back. I don't know that I'll try another one on my own, but I got through it. Next week, we're going to come back and we're going to talk about vendor risk and third-party access. So boys, do your homework. Meanwhile, that should be fun. All this stuff, so much fun.

Bryan Lachapelle (40:36)
That sounds like a juicy topic

Justin Shelley (40:43)
Um, go to unhackmybusiness.com for today's show notes, video, audio. Um, join us on social media. There's all kinds of clips and, uh, stuff there. And then, you know, if you've got a friend, a business owner who hasn't joined us on the show yet, please share it. Let them know. I got to get those numbers up. Um, listen, a hundred percent growth isn't enough. I'm a greedy bastard. So go ahead and share it. Tell everybody about us. Uh, appreciate you being here. Bryan, go ahead and say

your goodbye, and then Mario, say your goodbye, and then we're going to get the hell out of here. Bryan, go.

Bryan Lachapelle (41:13)
Excellent.

My name is Bryan with B4 Networks. If your business is looking for somebody to help you through the journey of technology and security, reach out to us. We'll help you get better, 1% better every day.

Justin Shelley (41:25)
Mario.

Mario Zaki (41:26)
Alright, if you're staying up at night worried about your business, give us a call. We'll help you sleep better.

Justin Shelley (41:32)
All right, guys, and I am Justin. Remember, listen in, take action, and keep your businesses unhacked. See you next week.

Bryan Lachapelle (41:38)
I forgot. Unhacked. Cheers.

Creators and Guests

Bryan Lachapelle (Host)
Hi, I'm Bryan, and I'm the President of B4 Networks. I started working with technology in early childhood, and routinely took apart computers as early as age 13. I received my education in Computer Engineering Technology from Niagara College. Starting B4 Networks was always a dream for me, and this dream came true in 2004. I originally started B4 Networks to service the residential market but found that my true passion was in the commercial and industrial sectors, where I could truly utilize my experience as a Network Administrator for a large Toronto-based marine shipping company. My passion today is to ensure that each and every client receives top-of-the-line services. My first love is for my wonderful family. I also enjoy the outdoors, camping, and helping others. I'm an active Canadian Forces Officer working with the 613 Fonthill Army Cadets as a member of their training staff.

Mario Zaki (Host)
During my career, I have advised clients on effective, and cost-effective, approaches to developing infrastructure that fosters productivity and profitability. My work has provided me with a broad-based knowledge of business from the inside, with expertise in areas that go beyond IT alone, ranging from strategic planning to cloud computing to workflow automation solutions.