1
00:00:00,000 --> 00:00:08,300
Well, this past month on the Tech for Business podcast, we've been discussing a layered approach to cyber security.

2
00:00:08,300 --> 00:00:17,100
And today, we've got Todd, our COO, and CISO, who's going to explain how all these pieces fit together.

3
00:00:17,100 --> 00:00:20,300
So Todd, I'm not sure where you want to start.

4
00:00:20,300 --> 00:00:28,300
I know I wrote down MFA and EDR just because those are kind of the top things you've mentioned in the past.

5
00:00:28,300 --> 00:00:31,200
If you do one thing, here's the thing.

6
00:00:31,200 --> 00:00:34,800
So how are these all fitting together?

7
00:00:34,800 --> 00:00:36,900
Yeah, I love that we started with.

8
00:00:36,900 --> 00:00:41,200
If you do one thing, you should do two, which is me in a nutshell.

9
00:00:41,200 --> 00:00:48,700
So yeah, if we've heard any of our previous podcasts, if you've talked to me, I say there's always one A and one B that you need to do in cybersecurity.

10
00:00:48,700 --> 00:00:50,900
And they are MFA and EDR.

11
00:00:50,900 --> 00:00:52,000
And I know those are analogies.

12
00:00:52,000 --> 00:00:54,300
I'm sorry.

13
00:00:54,300 --> 00:00:58,600
Abbreviations for endpoint detection response and multi-factor authentication.

14
00:00:58,600 --> 00:01:00,000
There's plenty of podcasts out there.

15
00:01:00,000 --> 00:01:03,900
I'm sure you know by now, but just wanted to make sure we level set.

16
00:01:03,900 --> 00:01:06,800
And once upon a time, I used to just say it was just multi-factor.

17
00:01:06,800 --> 00:01:08,700
You just need to multi-factor, you need to multi-factor.

18
00:01:08,700 --> 00:01:13,300
But EDR has really come a long way and the old tools just don't work anymore.

19
00:01:13,300 --> 00:01:22,400
So they are the two, the one-two punch in my opinion that absolutely have to go through it to the point where we've started talking about them as non-negotiables.

20
00:01:22,400 --> 00:01:25,400
And to me, they're just things that you got to have.

21
00:01:25,400 --> 00:01:32,100
And if anybody out there is working through cybersecurity insurance or any of those other things also required there.

22
00:01:32,100 --> 00:01:36,300
So one-two punch, one A, one B, you got to have them.

23
00:01:36,300 --> 00:01:39,700
So that's typically where I start every other conversation.

24
00:01:39,700 --> 00:01:47,000
I also recently have been kind of trying to find a way to quickly get in now that you've done those things because most people have.

25
00:01:47,000 --> 00:01:52,300
And I probably shouldn't say that most of our customers have because we are so big on it.

26
00:01:52,300 --> 00:01:57,200
I think the adoption rate for multi-factor is still relatively low, like less than 40%.

27
00:01:57,200 --> 00:02:00,900
I think it's like 38 or something like that industry-wide.

28
00:02:00,900 --> 00:02:07,800
Yeah, the report today, sorry, only because I just saw this earlier that it was like 57% have not or have.

29
00:02:07,800 --> 00:02:08,400
It was 57.

30
00:02:08,400 --> 00:02:11,600
Anyways, we'll put that in the notes afterwards if here's the stats.

31
00:02:11,600 --> 00:02:13,400
But yes, it's around that number.

32
00:02:13,400 --> 00:02:14,600
It's globally.

33
00:02:14,600 --> 00:02:15,900
I'll double check.

34
00:02:15,900 --> 00:02:16,500
Yeah.

35
00:02:16,500 --> 00:02:18,300
Thank you for that.

36
00:02:18,300 --> 00:02:22,300
To me, it seems like it's a foregone conclusion and you should just have it.

37
00:02:22,300 --> 00:02:24,800
We've been screaming it from the mountaintops for seven years.

38
00:02:24,800 --> 00:02:28,500
So that's how long I've been saying that you've got to have it.

39
00:02:28,500 --> 00:02:31,200
EDR, we've only been doing that for about two years now.

40
00:02:31,200 --> 00:02:38,200
But for us as an organization, we work with a ton of different companies across industry.

41
00:02:38,200 --> 00:02:43,400
And we just basically started to push them down the path we didn't really even ask anymore.

42
00:02:43,400 --> 00:02:45,800
We just said, again, it's a non-negotiable.

43
00:02:45,800 --> 00:02:49,900
Back in the day, if you use the analogy where you just got a computer and came with antivirus,

44
00:02:49,900 --> 00:02:52,500
this is the same thing except antivirus doesn't work anymore.

45
00:02:52,500 --> 00:02:54,400
You just need to have EDR.

46
00:02:54,400 --> 00:03:03,300
But as I'm trying to get into the next layer, the big one that I'm trying to make a big push for is end user training slash phishing simulations.

47
00:03:03,300 --> 00:03:11,200
And the reason why I want to kind of get into those details is because to me that this is the layered approach as Ariel mentioned.

48
00:03:11,200 --> 00:03:15,400
What you're doing is you're bringing in a lot of different tools to handle a variety of things.

49
00:03:15,400 --> 00:03:21,000
And the two main attack vectors, well, three, quite frankly, are can I get a username and a password?

50
00:03:21,000 --> 00:03:26,500
So that's where the multi-factor comes in as it's that third item that most attackers can't get.

51
00:03:26,500 --> 00:03:30,500
And then EDR in the event they did get in, what happens?

52
00:03:30,500 --> 00:03:32,600
But the main attack vector is people.

53
00:03:32,600 --> 00:03:35,200
And so you do need to train them.

54
00:03:35,200 --> 00:03:39,300
So if you look at them, two of those things were logical controls.

55
00:03:39,300 --> 00:03:40,700
They're technology.

56
00:03:40,700 --> 00:03:42,400
You buy something, you put it in place.

57
00:03:42,400 --> 00:03:47,400
You don't always have to buy, you may already be paying for something like Microsoft.

58
00:03:47,400 --> 00:03:50,600
But those are those ones are logical controls and you do need them.

59
00:03:50,600 --> 00:03:56,800
But then I think you really need that administrative piece, which is where your phishing or simulations or trainings come from.

60
00:03:56,800 --> 00:04:08,400
As you're really trying to help the individual recognize things to the point where for CIT, our employees, we phish them every single week, which may seem excessive.

61
00:04:08,400 --> 00:04:09,200
And there is laughing.

62
00:04:09,200 --> 00:04:12,300
So clearly the answer is yes, it's excessive.

63
00:04:12,300 --> 00:04:15,600
But there's a reason why I do it that way.

64
00:04:15,600 --> 00:04:17,500
To me, it's funny.

65
00:04:17,500 --> 00:04:20,600
I don't even actually see I get phished that frequently too.

66
00:04:20,600 --> 00:04:22,800
And I don't even actually see the phishing simulations.

67
00:04:22,800 --> 00:04:34,700
I'm so quick to go garbage, garbage, garbage, garbage, phishing, spam, whatever that I don't even see most of my maybe see one a month if I'm lucky because they just seem so obvious to me now that I've seen them so frequently.

68
00:04:34,700 --> 00:04:36,400
And that's what I want.

69
00:04:36,400 --> 00:04:38,300
I want people to just out of hand go.

70
00:04:38,300 --> 00:04:39,100
That's just trash.

71
00:04:39,100 --> 00:04:40,100
I don't need it.

72
00:04:40,100 --> 00:04:46,400
There are times when something will come in and we're getting close to that season right now.

73
00:04:46,400 --> 00:04:48,800
It's it's fall spooky season here.

74
00:04:48,800 --> 00:05:01,900
If you're watching on video, we've got our cybersecurity awareness month backgrounds on and what's coming up shortly after this as you're starting to get into the holidays and there's going to be all of the attacks that are coming in are going to be right place, right time kind of stuff.

75
00:05:01,900 --> 00:05:05,500
Stuff that's going to go like, hey, your Amazon account didn't work.

76
00:05:05,500 --> 00:05:11,700
Your FedEx delivery isn't here. Your pumpkin spice latte is free at Starbucks this week.

77
00:05:11,700 --> 00:05:13,300
All of that.

78
00:05:13,300 --> 00:05:15,400
All of that stuff is coming.

79
00:05:15,400 --> 00:05:19,200
So those are the ones that the training is really going to kick in, right?

80
00:05:19,200 --> 00:05:25,200
So the phishing simulations are going to get that muscle memory in place and then the phishing simulations are going to make it so you can go.

81
00:05:25,200 --> 00:05:33,800
Okay, I'm going to pause before I print off that fake gift card for Starbucks pumpkin spice latte.

82
00:05:33,800 --> 00:05:43,500
Yeah, I'm sorry about that.

83
00:05:43,500 --> 00:05:52,400
It's pumpkin season for me. It'd be pumpkin beers. So I don't do pumpkin spice lattes, but I would do a pumpkin beer. So if you want to phish me.

84
00:05:52,400 --> 00:05:56,200
That wouldn't work either. Nobody gives me free beer.

85
00:05:56,200 --> 00:06:07,900
So I'll pause there, but that's kind of the thrust of the things that go in. And like I said, to me, they all work in concert. To me, we've been referring to them internally as almost like puzzle pieces, right?

86
00:06:07,900 --> 00:06:12,700
You're starting to put the whole picture together, but it wasn't as simple as I just do this.

87
00:06:12,700 --> 00:06:25,300
Problem solved. It's a piece or it's a layer. There's just multiple things that organizations and individuals should be doing to start to protect themselves. And that's kind of how it all comes together.

88
00:06:25,300 --> 00:06:34,200
So we've got our MFA, which we put as our number one together. And then you've got this training.

89
00:06:34,200 --> 00:06:42,000
And what would be sort of kind of next down the line? Because those do feel like things that a lot of companies kind of had in place.

90
00:06:42,000 --> 00:06:54,600
Where does this list, for lack of a better way of phrasing this, where does it start to fall apart for businesses? Where do they kind of fall off the rails with their cybersecurity?

91
00:06:54,600 --> 00:07:09,900
It's unfortunately at the moment, it's still the end user or the person that's clicking on them. So, and it is why I feel like you really need these three things. And but I'll use an example. We had a customer who their organization was doing all the right things.

92
00:07:09,900 --> 00:07:19,800
They had multifactored their email and they had, they call it a sandbox approach. So it opens up attachments to make sure they're not malicious, etc.

93
00:07:19,800 --> 00:07:28,600
And they did not have EDR in place. The individual opened up their own personal Gmail and it looked like they had been, as I said, it's that right time of year.

94
00:07:28,600 --> 00:07:40,100
Hey, you recently purchased something from the Apple store. Here's the receipt and the individual's like, I didn't buy anything from that. Clicked on the PDF and it launched ransomware on the company network.

95
00:07:40,100 --> 00:07:55,000
So more often than not, it's kind of like a not quite complete security profile. So they have bits and pieces, but they don't have them together. They don't get the layer. So they're not quite putting the pieces together on the puzzle or they've got a missing piece.

96
00:07:55,000 --> 00:07:59,500
And so the attack came through that hole, if you will.

97
00:07:59,500 --> 00:08:09,900
But assuming you do have those things in place, things still happen. Unfortunately, not nearly as frequently and really training those three things to me.

98
00:08:09,900 --> 00:08:23,300
If you're doing them and you're really paying attention and it's really hitting home, you will protect yourself from the vast majority of things out there. So, for example, we have had people that do have MFA in where you push to the phone that says, Hey, did you log in?

99
00:08:23,300 --> 00:08:35,500
And we've actually done this through penetration testing where we're going, well, we're never going to get in. We're stuck on the MFA and the simulated attack says, well, I'm just going to push the MFA and see what happens.

100
00:08:35,500 --> 00:08:42,200
And we've had users go, yep, that was me. And then they got in there like, are you kidding me? How did this happen? And that's where the training piece comes in.

101
00:08:42,200 --> 00:08:50,500
You need to know that I didn't actually enter my credential. I shouldn't be prompted. So I'm not going to accept that. I should go contact my IT company or person.

102
00:08:52,300 --> 00:08:59,100
But other things that I would typically put in the list is there are some other things that are blocking and tackling for me, which is making sure you've got good backups.

103
00:08:59,100 --> 00:09:11,500
Most people have those today because it used to be the number one way of recovering from ransomware, which is why then people started to pull data out and networks is like, well, if you can recover, I'm going to take the data out and then make you look really bad.

104
00:09:11,500 --> 00:09:23,300
So you'll pay me to delete it. So there is another layer that comes into play there. And then we can kind of keep on going because it is a layered approach. And unfortunately, it feels like it's never ending.

105
00:09:23,300 --> 00:09:39,100
And to some degree, that's kind of true. The big trend that we're starting to see on the horizon and I'm kind of getting a little bit away from my course, but I can kind of see this as a future core is that the vast majority of attacks that go into a lot of software is currently,

106
00:09:39,100 --> 00:09:45,300
whether it's Microsoft or something that's relying on open source is what's referred to as an escalation of privilege.

107
00:09:45,300 --> 00:10:03,500
And that is we're trying to get access to an administrator account so I can install something else like that. That MFA. I'm sorry. The PDF. For example, that I was doing is what happened is after that PDF opened, it tried to launch another program and that's what launched the ransomware.

108
00:10:03,500 --> 00:10:13,740
If the user doesn't have admin rights, you can't do the install. And I'm sure most people have seen that right. It says, are you sure you really want to do this install and everybody automatically hits yes. That's because you have the admin rights.

109
00:10:13,740 --> 00:10:27,240
Yep. So the new thing that's coming on is called privileged access management. And that's the next thing that I can kind of see as being the easiest way to stop you from installing software. You shouldn't just take away those credentials.

110
00:10:27,240 --> 00:10:35,340
So you can't do that. Does that mean that's going to be infallible? No, the bad guys are really motivated because there's a ridiculous amount of money in attacking.

111
00:10:35,340 --> 00:10:46,140
But for now, it's a tremendous toolset and I would anticipate within the next year or so. You'll hear it from us, but you'll see it start to really take up as the next big thing you gotta have.

112
00:10:46,140 --> 00:11:10,140
For sure. I asked this last week with Nate and Andrew, our guests, but I'll ask it again just to get kind of a different viewpoint is if you're an IT admin and you're like, yes, I need all these things.

113
00:11:10,140 --> 00:11:22,140
How do you start that conversation with your business or your C levels or are reaching out to a tech partner? What does that beginning conversation look like?

114
00:11:22,140 --> 00:11:31,140
Yeah, great question. I do have a C title, so I typically approach things slightly different.

115
00:11:31,140 --> 00:11:33,140
That's great. Yeah.

116
00:11:33,140 --> 00:11:35,140
I want to hear that part.

117
00:11:35,140 --> 00:11:43,140
There's a couple of things that I would typically start with. One is you just start having conversations, but how you frame those conversations are what matters.

118
00:11:43,140 --> 00:11:56,140
And depending on who you're talking to is going to resonate a little bit differently with different people in the organization. So for example, if you're trying to pitch selling something to a CFO, the most important thing to them is probably going to be the dollars.

119
00:11:56,140 --> 00:12:05,140
And so you just need to be aware of it when you start to go into those conversations of what am I paying for and ultimately what's the return on investment.

120
00:12:05,140 --> 00:12:12,140
You're talking to a CEO. You're talking to him about risk. This presents a risk because I now use ransomware as a great example.

121
00:12:12,140 --> 00:12:20,140
If you look at the statistics and you go search them, the statistics are scary as can be. You'll see that they'll say the average attack is $4 billion. That's not accurate.

122
00:12:20,140 --> 00:12:34,140
It is for some industries, but it's not accurate for all industries. We're in the small and medium-sized business industry and those on average are right around $250,000 is what we're seeing most ransoms coming in.

123
00:12:34,140 --> 00:12:45,140
That's for a variety of reasons. One is because insurance companies will negotiate, but also it's underneath a threshold if you will that will get too much attention from the authorities.

124
00:12:45,140 --> 00:12:51,140
You start bumping over $500K and the FBI cares. You stay under that. There's too many of them to worry about.

125
00:12:51,140 --> 00:12:58,140
But let's just use EDR as an example. I feel like I need to add EDR because it's going to reduce the risk of ransomware attack.

126
00:12:58,140 --> 00:13:06,140
And I can give you an example statistically from CIT's perspective as we were doing multiple ransomware remediations every single week.

127
00:13:06,140 --> 00:13:17,140
And once we started saying it's a non-negotiable, you need to have it, we dropped down to about one a month. So a reduction of probably around 85% of attacks went away just because we were using this tool set.

128
00:13:17,140 --> 00:13:25,140
And of those that we're helping out with, those individuals don't have the tool. So I'm one of those customers. I'm trying to get this through.

129
00:13:25,140 --> 00:13:34,140
I'm going to go to my CEO and say, hey, the risk is really, really high because why wouldn't we attack? No longer is it saying we're too small to not matter.

130
00:13:34,140 --> 00:13:43,140
No longer can you say I live in rural America? I don't matter. That doesn't matter. If you've got an IP address, you matter. And you are prone for an attack.

131
00:13:43,140 --> 00:13:53,140
So I would go to the CEO and say, hey, on average an attack is going to cost an organization about $250,000. Maybe your insurance covers it. Maybe it doesn't.

132
00:13:53,140 --> 00:13:56,140
And you're going to be offline for two weeks.

133
00:13:56,140 --> 00:14:07,140
By contrast, I can buy this tool set. It's going to cost, and it's just a mythical number. It's based on nothing. I actually couldn't give you some real ideas, but we'll just say that the cost of the tool is about $10,000 for the year.

134
00:14:07,140 --> 00:14:15,140
That's a pretty easy conversation to the CEO. I can mitigate $250,000 at risk for $10,000. I'm in. Where do I sign?

135
00:14:15,140 --> 00:14:21,140
So that would be how I would typically approach it is one of those two ways.

136
00:14:21,140 --> 00:14:29,140
The third way is once you've had that conversation, I would start to put it into a budget, even if your budget hasn't been approved for an IT individual.

137
00:14:29,140 --> 00:14:34,140
You are being asked for your input year over year. What do you think you're going to spend?

138
00:14:34,140 --> 00:14:46,140
I am going to, I'm going to earmark 10K for this thing. And then if it goes through and you've had those conversations, typically what ends up happening is you go, hey, you remember we budgeted for that back in October.

139
00:14:46,140 --> 00:14:53,140
I'm going to pick it up. I'd really like to implement it. The budget's been approved. Are you okay with it? Your CFO is going to go. It was approved. The CEO is on board. Yes, proceed.

140
00:14:53,140 --> 00:14:56,140
Easy, right?

141
00:14:56,140 --> 00:15:03,140
Easy. Easy conversations. I love it.

142
00:15:03,140 --> 00:15:13,140
I'm going to pivot a little bit just because I have another kind of closing question, then I'll sort of open it up if there's anything else you want to share.

143
00:15:13,140 --> 00:15:25,140
But this is a question I asked our other guests for Cyber Security Awareness Month. You know, we're talking about a lot of different tools, a lot of different scary situations, a lot of different numbers and prices and budget.

144
00:15:25,140 --> 00:15:35,140
Why do you do this? Why do you keep coming back day after day and work in security and do this type of job?

145
00:15:35,140 --> 00:15:38,140
The funny response or the real one?

146
00:15:38,140 --> 00:15:41,140
I mean, it's you, Todd.

147
00:15:41,140 --> 00:15:44,140
I'm just going to go for punishment.

148
00:15:44,140 --> 00:15:57,140
No, I mean, quite honestly, if it was the real reason why I got into cybersecurity, I've been working in IT for a very, very long time, and I've always had some aspect of security under my umbrella of authority.

149
00:15:57,140 --> 00:16:10,140
But what really drove it to me is, boy, it's been a little while, but I'll just throw the number out of about seven years ago when we started to, in my opinion, really see the uptick in security risk increasing.

150
00:16:10,140 --> 00:16:14,140
At that time, I was going, things are going to get really, really bad.

151
00:16:14,140 --> 00:16:26,140
And I want to get in front of this. And so I happened to be working at CIT at that time. That's roughly about when I joined and I was working with our CTO at that time, who's now our president and CEO.

152
00:16:26,140 --> 00:16:32,140
And I was going, it's going to get ugly. And our customers are going to come looking to us saying, what do I need to do?

153
00:16:32,140 --> 00:16:43,140
And our response together was, well, we need to be in front of it. Being always behind and trying to help people recover just stinks. And it feels terrible for us. It feels terrible for the customers.

154
00:16:43,140 --> 00:16:53,140
How do we get in front of that? And being able to be a part of an industry where I can try to push the charge and saying, here's how you can do it. It isn't as bad or as scary as you think it is.

155
00:16:53,140 --> 00:17:06,140
We do know how to help you get to a defensible position. That's meaningful to me. There is that, I don't know if it's altruistic or intrinsic or whatever the driver is ultimately for me, but that's, that's what I am.

156
00:17:06,140 --> 00:17:20,140
I'm a fixer to a large degree and being able to communicate to individuals that here's where you're at, but we can get you to where you want to be by doing X, Y and Z is incredibly meaningful and fulfilling for me.

157
00:17:20,140 --> 00:17:32,140
That's great. It's, it's, it's so good to hear kind of that human element, especially from people who work in tech, but it really is about the people in the businesses. So thank you so much for coming on today.

158
00:17:32,140 --> 00:17:50,140
If you enjoyed this podcast, please like, subscribe. If you have a question or a topic, please reach out to us at info at cIT-net.com or head out to our podcast cIT-net.com slash podcast and we'll be back next week with a new episode.

