1
00:00:00,000 --> 00:00:07,600
Today on our Tech for Business podcast, we're joined by Todd, our COO and CISO, and Nate,

2
00:00:07,600 --> 00:00:13,440
our Director of Cybersecurity and BCISO. About a month, probably two months by the time this

3
00:00:13,440 --> 00:00:20,320
podcast comes out, CIT had our Tech Fair, where both of you presented and networked.

4
00:00:20,320 --> 00:00:25,760
So my icebreaker today is, what is your favorite part of Tech Fair?

5
00:00:25,760 --> 00:00:29,840
Why everybody can stick for me. Todd is listening to himself talk the entire time.

6
00:00:30,880 --> 00:00:35,920
What kind of fun than that? I think that actually has to be mine because I gave the most number

7
00:00:35,920 --> 00:00:42,480
of presentations during the Tech Fair. So on a serious note, it's actually education back to

8
00:00:42,480 --> 00:00:48,880
those in the industries. It was so much fun being able to just communicate. And the questions that

9
00:00:48,880 --> 00:00:56,720
came out of it were phenomenal. And it's stuff that organizations deal with every day. We have a

10
00:00:56,720 --> 00:01:02,800
lot of these answers, but unless you ask them, either we'll just talk about it on a podcast

11
00:01:02,800 --> 00:01:07,440
because we just want to continue talking. But it was fun actually being able to look at people

12
00:01:07,440 --> 00:01:11,760
and answer their questions and help try to drive those business decisions.

13
00:01:12,800 --> 00:01:16,720
Yeah, I tend to agree. I mean, everybody likes to tell me I like to talk, which I do.

14
00:01:16,720 --> 00:01:20,880
Don't get me wrong. Love it. But getting to do it in person makes a difference. So we do a lot of

15
00:01:20,880 --> 00:01:26,320
these podcasts. And the reality is I get to talk to the group that's on the podcast, but you don't

16
00:01:26,320 --> 00:01:31,360
get any real time reaction to it. So you're kind of hoping what you put out there means something

17
00:01:31,360 --> 00:01:35,440
that makes sense. And it's helpful when you're doing it in person, you can see if somebody's

18
00:01:35,440 --> 00:01:39,600
with you or not. Right. So it's a different thing. It's a different conversation, especially if you

19
00:01:39,600 --> 00:01:45,040
can do them one on one that they're way more enjoyable. When there's a big group, I like to

20
00:01:45,040 --> 00:01:49,040
crack jokes and try and make people laugh. So I keep them away. But other than that, the best part

21
00:01:49,040 --> 00:01:54,000
is just being able to communicate. I think Ariel had asked me why I got into cybersecurity on a

22
00:01:54,000 --> 00:01:58,640
podcast previously. And my answer was because I get to help people fix problems and that that's

23
00:01:58,640 --> 00:02:02,160
ultimately what's meaningful to me. And I get to do that in person. It's great.

24
00:02:02,160 --> 00:02:07,760
Here in Kelsey, what's your favorite part of the tech fair? Us being we didn't present, but we

25
00:02:07,760 --> 00:02:15,760
were definitely there in the background. Yes, we were in the background working hard. I would say,

26
00:02:15,760 --> 00:02:20,160
you know, really just seeing the people along the lines what Todd had mentioned, I mean, us on the

27
00:02:20,160 --> 00:02:25,200
marketing team, we're sending out the emails and we know that's Todd from CIT. But when you get to

28
00:02:25,200 --> 00:02:30,160
see him in person, like, you're like, Oh my gosh, now I know who you are. And then we get to have

29
00:02:30,160 --> 00:02:35,040
that interaction and talk with them and really make sure that what we're doing from the marketing

30
00:02:35,040 --> 00:02:40,080
department is hitting home with them kind of along those education lines. So for me, I love seeing

31
00:02:40,080 --> 00:02:48,080
the people. Sorry, quick interjection. Tara, I also completely agree on that was we see names

32
00:02:48,080 --> 00:02:55,440
associated to companies all the time. And we email and communicate all the time. But seeing

33
00:02:55,440 --> 00:03:01,920
that face is drama. 100%. I love all the people, people on this podcast, not saying I'm not a

34
00:03:01,920 --> 00:03:08,720
people person, which I feel like Todd's probably sad, she's going, but I do really enjoy that as

35
00:03:08,720 --> 00:03:13,680
it being an in person event that we get to select cool venues. So this year was at the

36
00:03:13,680 --> 00:03:18,000
Huing Hotel, so it was cool to be able to go and experience it in a space that wasn't just

37
00:03:18,000 --> 00:03:23,760
our office or right a conference room that we were like, this was also a cool experiential.

38
00:03:23,760 --> 00:03:28,640
And then we did have an app this year that we had people gamify, do points and the photos that

39
00:03:28,640 --> 00:03:33,280
they took made my entire day. I think at some point, somebody like folded a mini swan and they're

40
00:03:33,280 --> 00:03:37,200
like, find this one. And I was like, you are my type of people. The people are like, this has

41
00:03:37,200 --> 00:03:41,760
nothing to do with the conference, but that's my favorite thing. So seeing the little creative

42
00:03:41,760 --> 00:03:46,400
fun moments that came out of people interacting with things, that was probably my favorite part.

43
00:03:46,400 --> 00:03:51,280
For sure. I was going to say that too. I really interacted with people on our app and got to

44
00:03:51,280 --> 00:03:56,240
communicate with some people and saw their name throughout the day. So which actually brings

45
00:03:56,240 --> 00:04:03,360
us to what we're talking about today. We have got some tech fair attendee questions specifically

46
00:04:03,360 --> 00:04:10,880
about our cybersecurity course presentation that Todd and Nate gave. So we had so much interaction

47
00:04:10,880 --> 00:04:16,560
with this. We are going to have a second part. So today we're kind of focusing mostly on kind of

48
00:04:16,560 --> 00:04:21,440
MFA and passwords seem to be a lot of the questions. But our first one is actually about

49
00:04:21,440 --> 00:04:29,920
SentinelOne, and someone asked about specific examples of SentinelOne kind of saving a client

50
00:04:29,920 --> 00:04:36,000
from something that other software didn't stop. Yeah, I don't know if they have examples you'd be comfortable

51
00:04:36,000 --> 00:04:44,640
sharing. I'm going to do a selfish plug and say go check out the last episode or two about the

52
00:04:44,640 --> 00:04:51,520
respond to the security incidents. I had one of my incident response leads actually join me on

53
00:04:51,520 --> 00:04:56,160
that podcast or I joined him whatever way you want to look at it. But we talked about a lot of

54
00:04:56,160 --> 00:05:01,280
different security incidents that we dealt with. And SentinelOne did come up plenty of times in

55
00:05:01,280 --> 00:05:08,800
that. So there's plenty of endpoint detection and response, or EDR, solutions. You know,

56
00:05:08,800 --> 00:05:15,360
it's obviously I would love to have you be a part of CIT's you know the environment there because

57
00:05:15,360 --> 00:05:21,520
we do see a broad range of threats and we should constantly try to push down new protections on

58
00:05:21,520 --> 00:05:28,720
those and manage it. But with that EDR solution, we have seen plenty of threats come through from

59
00:05:28,720 --> 00:05:36,400
there. So for example, I think one of the first customers we ever put on SentinelOne was they

60
00:05:36,400 --> 00:05:43,600
downloaded a malicious macro and we quickly identified that it was nefarious. And it was

61
00:05:43,600 --> 00:05:48,880
trojanized, which means you know kind of the horse coming through the building and then it

62
00:05:48,880 --> 00:05:57,600
unlocks kind of the chaos is it was weaponized to do remote connections outside of the network

63
00:05:57,600 --> 00:06:02,800
introduce ransomware everything like that. So we were able to stop something like that. We've had

64
00:06:02,800 --> 00:06:09,280
cases of someone where it didn't quite identify like the initial cause of that. So I'm a little

65
00:06:09,280 --> 00:06:14,960
on a mystery of that complaint. But once someone was on that system, we saw things like downloading

66
00:06:14,960 --> 00:06:21,440
Mimikatz, Mimi love, these are all tools dedicated to capture admin credentials, and then compromise

67
00:06:21,440 --> 00:06:26,960
the rest of the network. It was trying to also download browser credentials. So if you're in

68
00:06:26,960 --> 00:06:31,600
the browser saying save my password for me without using some type of password manager,

69
00:06:31,600 --> 00:06:37,600
it's stored in there and it's easily accessible to attackers. So that's another tool that they used.

70
00:06:37,600 --> 00:06:42,480
So we can kind of get into the password manager discussion later, you know foreshadowing. But

71
00:06:42,480 --> 00:06:48,880
one of the other things was I really recall that one because we even had the threat actor trying

72
00:06:48,880 --> 00:06:53,920
request an uninstall of the tool because they tried downloading tools to rip off the EDR

73
00:06:53,920 --> 00:06:58,800
solution that has a tamper protection so you can't do that. And then they got stuck after

74
00:06:58,800 --> 00:07:04,000
everything was getting blocked and they said, Can you please just uninstall this? Obviously,

75
00:07:04,000 --> 00:07:09,840
we said no, and we isolated the entire device off the network. That's the fun one. I have

76
00:07:09,840 --> 00:07:16,080
plenty more examples of just stuff going on, but it's a phenomenal tool. Yeah, I think the real

77
00:07:16,080 --> 00:07:20,480
question is so backing up a little bit for those that weren't at the tech fair, essentially that

78
00:07:20,480 --> 00:07:24,400
the chorus meeting was there's a couple of things that we feel like you absolutely need to be doing

79
00:07:24,400 --> 00:07:31,120
for your cybersecurity. EDR with a bullet and MFA or one, one, one a

80
00:07:31,760 --> 00:07:36,640
by B, one, one, two, whatever you want to call it. And so that was kind of where the conversation

81
00:07:36,640 --> 00:07:41,440
started. And in our opinion, it really is a non-negotiable you need to be doing that. But

82
00:07:41,440 --> 00:07:44,640
which I think we've talked about before, but really that's the question, right? Does it work?

83
00:07:44,640 --> 00:07:49,840
And the answer is yes, it absolutely does work. We aren't just slinging products for the sake of

84
00:07:49,840 --> 00:07:53,600
slinging products. As we mentioned at the very beginning of this, the whole point of this is

85
00:07:53,600 --> 00:08:01,280
education. So very valid question. But it is one of the few security tools where your expectations

86
00:08:01,280 --> 00:08:05,440
are usually exceeded. A lot of times you're like, I hope this is working. And then if you don't

87
00:08:05,440 --> 00:08:09,360
get an alert, you're like, well, did it do anything? Did I spend my money wisely? And the answer was,

88
00:08:09,360 --> 00:08:13,840
yes, you did. It is the right tool. It is the right solution. And it should be doing it.

89
00:08:13,840 --> 00:08:17,600
The one thing that I'd add on to what Nate's talking about too is making sure that it's not

90
00:08:17,600 --> 00:08:21,920
just a tool it's plugged in and you're just hoping it works. I still think, in my opinion,

91
00:08:21,920 --> 00:08:25,920
you need to have somebody paying attention to what's happening on there. Because those are

92
00:08:25,920 --> 00:08:29,360
some pretty advanced attacks that Nate's referring to, whether it's Mimikatz or other.

93
00:08:30,320 --> 00:08:33,920
There's a lot going on. Somebody should be looking at that and validating it. And if you're just

94
00:08:33,920 --> 00:08:38,560
waiting for the tool to pop up and go, oh, hey, by the way, I took this device off the network,

95
00:08:38,560 --> 00:08:45,120
you probably want to be slightly ahead of that. Sorry, Lasing. I know that this question is

96
00:08:45,760 --> 00:08:50,800
specifically about the examples that we've seen. The one thing that I did want to say is,

97
00:08:50,800 --> 00:08:55,200
if you don't have it, you're already behind the game. Even the federal government has requested,

98
00:08:55,200 --> 00:09:00,800
or sorry, not requested and mandated this across the entire federal suite of devices.

99
00:09:00,800 --> 00:09:06,000
If the federal government has already told everyone that this is required to be implemented,

100
00:09:06,960 --> 00:09:14,160
they are one of the slowest moving components of our country, I guess, already behind the game.

101
00:09:14,160 --> 00:09:20,240
Right. And so we saw the federal government make those requirements. We saw insurance make those

102
00:09:20,240 --> 00:09:26,080
requirements. If you're still not on it, you're about two years too late so far. So that's kind

103
00:09:26,080 --> 00:09:31,520
of the criticality of this. Yeah, I mean, I'll throw some statistics on that too. So we had a

104
00:09:31,520 --> 00:09:36,000
conversation with one of our partners about it. And just to kind of give you some insights as to

105
00:09:36,000 --> 00:09:39,680
what's going on. And this is kind of getting back to the real world, things that are going on there.

106
00:09:39,680 --> 00:09:44,560
The adoption rate for CIT customers is roughly about 75%. That's just a real rough number.

107
00:09:44,560 --> 00:09:50,640
But to me, that's not high enough. I'd like to see it like well into the high 90s, but we're

108
00:09:50,640 --> 00:09:55,520
doing fairly well. Industry-wide, which is the partner's feedback, as they're saying, it's probably

109
00:09:55,520 --> 00:10:00,320
closer to 30% or 40%, which they think is incredibly low. And I would agree with that.

110
00:10:00,320 --> 00:10:06,480
The reason why I said the real world example is, we used to deal with a significant number of

111
00:10:06,480 --> 00:10:13,600
security incidents at CIT prior to being very heavy on the front end of EDR, EDR, EDR. And it has made

112
00:10:13,600 --> 00:10:17,920
a significant difference. We still deal with them, but the vast majority of issues that we're running

113
00:10:17,920 --> 00:10:23,840
into are either not related to a tool set that would, tool set like EDR would handle, or they're

114
00:10:23,840 --> 00:10:29,760
ones that don't have it. And that's significantly the major difference. When we're not seeing something

115
00:10:29,760 --> 00:10:34,480
that, an example of something that would be outside of EDR, you're typically looking at an account

116
00:10:34,480 --> 00:10:40,720
takeover or something along those lines. So I know on other podcasts, we've kind of mentioned the EDR

117
00:10:40,720 --> 00:10:45,600
and MFA is the one-two punch. So kind of move it into that other part of it. We had a couple

118
00:10:45,600 --> 00:10:54,400
questions about MFA specifically. And the first one is, is it getting too easy and simple? This

119
00:10:54,400 --> 00:11:01,760
person wrote in: users' muscle memory and human behaviors, like leaving secondary devices unlocked,

120
00:11:01,760 --> 00:11:06,400
mitigate security measures. What can we do against user error?

121
00:11:06,400 --> 00:11:07,760
Throughout the computer.

122
00:11:09,760 --> 00:11:15,200
Real briefly, I'll expand on it just real briefly. MFA is a tremendous tool set. It works extremely

123
00:11:15,200 --> 00:11:21,920
well. There shouldn't be any way. There shouldn't be any real surprise that threats keep evolving

124
00:11:21,920 --> 00:11:25,920
and that they change tactics. So once you start to block something, they get a little more clever

125
00:11:25,920 --> 00:11:30,560
and they find new ways to attack them. So you are seeing MFA starting to evolve as well. So you're

126
00:11:30,560 --> 00:11:35,360
getting into a lot of things that are much harder to break. We can get into FIDO2 in a little bit,

127
00:11:35,360 --> 00:11:40,400
but some of the stuff that you're doing is trying to find MFA that's phishing resistant, as the new

128
00:11:40,400 --> 00:11:45,920
term. And so a great example when you talked about the muscle memory stuff that we've seen in the past

129
00:11:45,920 --> 00:11:52,480
is we've had examples of doing a penetration test in the past. And the tester tries to log

130
00:11:52,480 --> 00:11:58,000
into something. They get stymied by an MFA and they're like, well, what the heck? I'll give a shot

131
00:11:58,000 --> 00:12:02,000
anyway. And they try to push the MFA and just see what happens. And unfortunately, somebody gets a

132
00:12:02,000 --> 00:12:06,400
push MFA in their phone and they're like, well, I'm logged in. That's really weird. Yep, I'll accept

133
00:12:06,400 --> 00:12:12,160
that. And then the pen tester's like, cool, I'm in. So don't do that. That muscle memory doesn't

134
00:12:12,160 --> 00:12:18,880
make sense. Slow down just a little bit. Yeah. And we see that unfortunately time and time again.

135
00:12:18,880 --> 00:12:28,160
This past week, I don't know what it was, but we saw a massive uptick of email compromises.

136
00:12:29,040 --> 00:12:34,880
And in most of those cases, it was multi-factor that was already enabled. It was the user just

137
00:12:34,880 --> 00:12:40,880
accepting the push, accepting the code, typing into a fraudulent website, which then passed the

138
00:12:41,520 --> 00:12:47,760
login off to someone else. In the past, we've seen things where someone said, I'm going to make the

139
00:12:47,760 --> 00:12:52,560
this super secure. I can't log in outside of the office. I'm going to send all the calls to my desk phone

140
00:12:52,560 --> 00:12:58,000
so I can only accept it while I'm at work. Then they go hit one or a number and accept it anyways.

141
00:12:59,200 --> 00:13:06,080
If you go take a look at the statistics for any type of compromise, in over 90% of cases,

142
00:13:06,080 --> 00:13:12,000
it requires some type of human interaction, right? It is the tools, the technology is consistent,

143
00:13:12,000 --> 00:13:18,400
and it only does what it's told. People are often unpredictable. Now they can be great of

144
00:13:19,280 --> 00:13:24,320
giving you a heads-up notice of things like, I'm getting notified a lot for these multi-factor

145
00:13:24,320 --> 00:13:29,600
requests. I think something's wrong. And then you can go dig into that. But in my opinion,

146
00:13:29,600 --> 00:13:35,600
it's getting too easy. That's why we do see an industry shift to extra validation. So,

147
00:13:35,600 --> 00:13:39,280
if people are going to listen to this and say, this is getting ridiculous, but we're moving

148
00:13:39,280 --> 00:13:44,160
from two factor authentication to third factor authentication. So you put in your username,

149
00:13:44,160 --> 00:13:50,960
you put in your password, you put in the multi-factor code. Now what we're starting to see,

150
00:13:50,960 --> 00:13:58,320
Microsoft has already started pushing it recently. Okta has it, is after you hit yes, this is me,

151
00:13:58,320 --> 00:14:02,880
it asks you, there's three numbers on the screen. Hit the appropriate one that's on the screen as

152
00:14:02,880 --> 00:14:07,440
well. And you have to confirm that number to validate that it is you. So it continues to decrease

153
00:14:07,440 --> 00:14:12,880
that risk. I don't love that approach overall. That's where we tend to see things go more

154
00:14:12,880 --> 00:14:21,200
passwordless altogether and say, no more passwords, it's tied to a user and a device. And if one of

155
00:14:21,200 --> 00:14:28,720
the two don't match up, then grant access. So we've got plenty of podcasts already about zero trust

156
00:14:28,720 --> 00:14:35,680
and device trust and everything like that. That's the route we're going. Eliminate the password,

157
00:14:35,680 --> 00:14:41,200
have the depth of the password through it and say, there's a user, there's a device,

158
00:14:41,200 --> 00:14:45,280
they have to be matched together. And then you can put additional layers on top on the background.

159
00:14:46,640 --> 00:14:52,720
Remote passwords. Yeah, one thing I just wanted to, I smirked when Nate said, yes, it is getting a

160
00:14:52,720 --> 00:14:57,680
little too easy and you're kind of bypassing MFA. It's kind of ironic because again, industry-wide,

161
00:14:57,680 --> 00:15:02,880
the adoption of MFA is extremely low still. So you're still in that 40% range for adoption.

162
00:15:02,880 --> 00:15:05,840
And yet we're getting to this point where we're trying to mature it.

163
00:15:06,960 --> 00:15:11,360
Nate did mention it is a little more inconvenient, which is kind of funny because a lot of people,

164
00:15:11,360 --> 00:15:14,800
the ones that haven't implemented as they find MFA to be inconvenient, well,

165
00:15:15,600 --> 00:15:20,240
that is true. It can be, that's where the push thing kind of removes some of that friction is,

166
00:15:20,240 --> 00:15:24,320
it just pushes it and says, hey, is this really you? And you say, yes, well, unfortunately,

167
00:15:24,320 --> 00:15:28,000
people are hitting yes when it's not them, which is why you get that additional layer,

168
00:15:28,000 --> 00:15:32,720
which hopefully would be a catch and go, whoa, wait a second, I don't have that number on my

169
00:15:32,720 --> 00:15:37,120
screen. But it does get rid of that. Ultimately, where I was going with that, it is convenient,

170
00:15:37,120 --> 00:15:42,000
is what's more inconvenient losing access to your email credit card information.

171
00:15:42,000 --> 00:15:47,440
We can kind of go from there. There is a layer of risk, certainly understand that. And to some

172
00:15:47,440 --> 00:15:50,800
degree, you're kind of going, well, it's really highly unlikely that it's going to happen to me.

173
00:15:50,800 --> 00:15:53,760
Well, it's a lot more likely than if you're going to play the lottery. And I'm guessing a whole

174
00:15:53,760 --> 00:15:58,560
bunch of people played the lottery when it was $2 billion. So slow down, think about your MFA.

175
00:15:58,560 --> 00:16:02,400
It is definitely something that should be there. The one other thing that I wanted to throw on

176
00:16:02,400 --> 00:16:07,280
there, Nate was kind of alluding to it currently. And I want to stress this as currently, because

177
00:16:07,280 --> 00:16:12,560
who knows what will end up happening. Currently, the only way that most attackers say they can't get

178
00:16:12,560 --> 00:16:18,240
into a system is with some sort of physical device or some sort of additional token. And that's kind

179
00:16:18,240 --> 00:16:23,360
of where we're seeing the industry going. So most people that are in cybersecurity are aware of who

180
00:16:23,360 --> 00:16:28,000
Kevin Mitnick is. And when he did his presentations, he says, that's the only thing he can't get past.

181
00:16:28,000 --> 00:16:32,640
Because if you don't have it, you couldn't get in. So it was a physical token that you had to have

182
00:16:32,640 --> 00:16:37,040
in your hand. It wasn't a push. It wasn't anything else. That is inconvenient because now, you know,

183
00:16:37,040 --> 00:16:42,320
people are carrying around on their key chains or whatever. But it is extremely robust security as

184
00:16:42,320 --> 00:16:49,680
well. And I think that's why we also see a giant shift in the industry focus on this as well,

185
00:16:49,680 --> 00:16:55,520
is saying, you know, the username, the password, the multi-factor, the second, third multi-factor,

186
00:16:55,520 --> 00:17:02,160
whatever it is, right, it's becoming just too much, right? And so that's why we see this device trust

187
00:17:02,160 --> 00:17:08,560
coming into play is you don't need to make it extremely complicated to say, now we need, you

188
00:17:08,560 --> 00:17:15,760
know, a key that you're carrying around with you or anything like that. We're seeing a fundamental

189
00:17:15,760 --> 00:17:21,280
shift across the entire industry. For those that are technical, it's called FIDO, you know, which

190
00:17:21,280 --> 00:17:28,000
is, you know, hardware-based authentication to websites. So it's not quite adopted across the

191
00:17:28,000 --> 00:17:32,800
entire industry at the moment, but we do see that happening. And so a lot of these websites, we see,

192
00:17:33,680 --> 00:17:39,440
you set this up on your device, it's trusted. You have maybe some single sign-on across all your

193
00:17:39,440 --> 00:17:47,280
enterprise organizations. And then it starts tying both that device to that employee. So for the

194
00:17:47,280 --> 00:17:52,640
employee, it's actually easier to log in to everything, but it increases the security posture

195
00:17:52,640 --> 00:17:58,560
of your organization. So that's the really important part is don't just throw hardware on top of the

196
00:17:58,560 --> 00:18:05,600
existing problem. It's a fundamental shift over to this approach, all right. That could be a whole

197
00:18:05,600 --> 00:18:10,320
different podcast. I won't go too deep into that. So that's just the same thing. Something I'm very

198
00:18:10,320 --> 00:18:16,240
passionate about, holding a lot. For sure. I was going to kind of jump into this because somebody

199
00:18:16,240 --> 00:18:27,200
asked about geo-fencing and my very limited knowledge. Is that something that you see coming into MFA?

200
00:18:27,200 --> 00:18:32,800
Do you feel like that's a good idea? Or is it just another one of these hoops to jump through

201
00:18:32,800 --> 00:18:39,440
that's not really worth it? I'll be blunt. It's a band-aid to the problem. Now there are

202
00:18:39,440 --> 00:18:46,800
limitations saying you need to retain access to your implementations and access to your systems

203
00:18:46,800 --> 00:18:53,280
within geographic boundaries. We do see that across some of the regulations. All of the

204
00:18:53,280 --> 00:18:59,440
factor it has to do is just come VPN into that organization. We're in the United States. There's

205
00:18:59,440 --> 00:19:04,480
plenty of VPNs all around that you can hop into. You just hop into there and then try and log in.

206
00:19:04,480 --> 00:19:10,800
So it's a band-aid. That's where that device trust and the passwordless and user trust all

207
00:19:10,800 --> 00:19:15,040
start to play into a bigger conversation. I was going to add to that, but I don't think we really

208
00:19:15,040 --> 00:19:20,320
need to. I think the answer was it was good and clean. The next couple of questions are about

209
00:19:20,320 --> 00:19:26,080
passwords. I know we've been talking about passwordless. We might just say your ideas

210
00:19:26,080 --> 00:19:33,040
things move this way. Do you recommend password managers? Is there anything specific you would

211
00:19:33,040 --> 00:19:39,200
recommend for small and medium businesses? That was a big question people had at the Tech Fair.

212
00:19:39,920 --> 00:19:44,160
Yes. Thanks for coming to this podcast. Thank you very much.

213
00:19:45,360 --> 00:19:52,160
We're done. The answer is yes. I recently got a new phone and I was doing my transition from my

214
00:19:52,160 --> 00:19:55,920
old phone to the new phone. As I was going through it, I was like, wow, I've got a lot of MFA out

215
00:19:55,920 --> 00:20:01,440
there, which is a good thing. But if I didn't have my password manager, just for additional

216
00:20:01,440 --> 00:20:07,280
context, I think 20-some MFAs later, I was like, wow, this is kind of a pain in the...

217
00:20:07,280 --> 00:20:12,480
Anyways, I have way more passwords than I have MFA. The MFA is around the stuff that I care about,

218
00:20:12,480 --> 00:20:19,520
which is all the good stuff, my work, my personal, my emails, my credit cards, etc. But I have so

219
00:20:19,520 --> 00:20:24,880
many passwords and I do try to do the whole use only a unique password for every individual site.

220
00:20:24,880 --> 00:20:29,600
I don't know how you do that without a password manager. There are pluses and minuses and I'll

221
00:20:29,600 --> 00:20:35,360
let Nate expand on it again. But some of the things are going to be a lot less robust. I think we did

222
00:20:35,360 --> 00:20:41,280
a password manager podcast a year or two ago already. But when you got into it, one of the big

223
00:20:41,280 --> 00:20:45,840
things that comes up is should I use the password manager in my browser? And we said it's least

224
00:20:45,840 --> 00:20:51,120
secure, but it's way better than using winter 2023 exclamation point on all your sites.

225
00:20:51,680 --> 00:20:58,400
So I would do something is better than nothing. There are a lot of good ones, especially... I like

226
00:20:58,400 --> 00:21:03,600
to do this for a personal individual. For your own personal, there are tools out there that are not

227
00:21:04,160 --> 00:21:09,440
for pay like LastPass has one and we can get into the LastPass stuff in a bit. But there are tools

228
00:21:09,440 --> 00:21:16,000
out there that are available for you and using them is better than using a notebook. In theory a notebook is

229
00:21:16,000 --> 00:21:19,680
super secure because it's in your house, but it doesn't go with you everywhere you go.

230
00:21:19,680 --> 00:21:27,360
Yeah, it's just a giant risk conversation. You have the notebook. What happens if you have a

231
00:21:27,360 --> 00:21:33,600
house fire? It's gone. Or you went somewhere, you're on vacation, whatever. Yep. Now you can't

232
00:21:33,600 --> 00:21:39,600
access any of your websites. I recently had a death in the extended family. We can get into

233
00:21:39,600 --> 00:21:46,400
anything because that person withheld all that and we spent months trying to deal with the outcome

234
00:21:46,400 --> 00:21:52,560
of that. I have a password manager. It has emergency access. After a grace period, just in case my

235
00:21:52,560 --> 00:22:00,560
wife does get compromised, then it'll automatically grant access to my password vault. And then she

236
00:22:00,560 --> 00:22:06,320
can just continue dealing on with whatever stuff that she needs in case I'm gone. There's a lot

237
00:22:06,320 --> 00:22:13,520
of benefits that you can tie into this. Now, the one common concern is if all my passwords are on

238
00:22:13,520 --> 00:22:19,120
some third party service, do I run the risk of them being compromised and gaining access to all my

239
00:22:19,120 --> 00:22:25,840
passwords? Yes. Right. I want to disregard that. They put a lot of effort into encrypting those

240
00:22:25,840 --> 00:22:30,640
and everything like that. We've seen password managers in the past get compromised. They tend

241
00:22:30,640 --> 00:22:36,000
not to lose the actual passwords themselves. It's more of an encrypted vault that someone then

242
00:22:36,000 --> 00:22:41,520
has to go spend significant time cracking. If you just rotate your passwords in that, you're safe

243
00:22:41,520 --> 00:22:48,880
again. There's plenty of statistics out there and they all range a little bit depending on their

244
00:22:48,880 --> 00:22:57,040
surveys. But most of them tend to land between an average person has 100 to 250 different accounts

245
00:22:57,040 --> 00:23:03,600
that they manage online. I just pulled up my own personal password manager. I have 289 today.

246
00:23:03,600 --> 00:23:09,520
I don't know any of those passwords because they're all completely randomly generated. I only have my

247
00:23:09,520 --> 00:23:15,280
one main password to log into my password manager. Strong multi-factor authentication to try and get

248
00:23:15,280 --> 00:23:21,840
into that. The risk of having a unique password on every website greatly diminishes the risk

249
00:23:22,480 --> 00:23:28,480
because what happens if someone gets into your email? It's likely a shared password with your bank

250
00:23:28,480 --> 00:23:35,600
or whatever it is and they can quickly navigate, which leads me to just one quick final thought

251
00:23:35,600 --> 00:23:41,440
about password managers and just a little hint of info. Please make sure that the strongest things

252
00:23:41,440 --> 00:23:47,280
that you put protection around are your email and your financial institutions because if they get

253
00:23:47,280 --> 00:23:52,640
into your email, they can just initiate password resets to any other application because that's

254
00:23:52,640 --> 00:23:58,080
the central repository for all your accounts. So protect those as much as you can.

255
00:23:58,880 --> 00:24:02,160
Yeah. Now, again, I think they covered that extremely well. The one thing that I would add

256
00:24:02,160 --> 00:24:07,040
on to him too is he had mentioned the comment of, well, then you just go reset it and it sounds like

257
00:24:07,040 --> 00:24:13,040
an insurmountable thing when you throw 200 plus passwords you got to do, but actually the password

258
00:24:13,040 --> 00:24:17,360
managers do a very nice job of helping you with the resetting process. They'll take you to the right

259
00:24:17,360 --> 00:24:22,480
site, 90% of the time, they'll take you right to where you need to go. They'll fill in your old

260
00:24:22,480 --> 00:24:27,600
password for you, prompt you for a new one. They're extremely well done. They have done a really nice

261
00:24:27,600 --> 00:24:32,320
job with the password managers and they aren't nearly as scary as they seem to be. It's really not

262
00:24:32,320 --> 00:24:38,160
that much work. Yeah. And for those that are still concerned about some type of third party

263
00:24:38,160 --> 00:24:43,600
offsite in the cloud, there are on-premise password managers as well that you can use.

264
00:24:44,240 --> 00:24:48,880
If you still want to manage that, you have to do a couple extra hoops to be able to use that on

265
00:24:48,880 --> 00:24:56,240
other devices, but they've already thought of that concern as well. So we're going to zoom out a

266
00:24:56,240 --> 00:25:02,160
little bit. We've been talking very detailed about each of these cybersecurity cores and

267
00:25:02,160 --> 00:25:09,440
we had a few questions about a little bit more like business side. So I'm going to just ask all

268
00:25:09,440 --> 00:25:14,960
three of these because I feel like they kind of fit together. We had a lot of questions about

269
00:25:14,960 --> 00:25:21,920
budgets when it comes to these cybersecurity cores. What is the recommended budget that you

270
00:25:21,920 --> 00:25:28,240
would expect to spend on this, which is a hard question to answer? How do you justify these

271
00:25:28,240 --> 00:25:32,960
things in your budget and then how do you break that down for your C levels? I know that was a

272
00:25:32,960 --> 00:25:38,480
lot, but... Yeah, you're asking two security guys. So 100% of the company revenue needs to be dedicated

273
00:25:38,480 --> 00:25:45,840
to security. Perfect. Yes. Yeah, I think that the answer seems like it would be simple as

274
00:25:45,840 --> 00:25:52,000
know your audience. So for example, our CEO is very security conscious and rightfully so. We

275
00:25:52,000 --> 00:25:57,440
got a big responsibility and so forth, but he's with us. So when we come to him and we're adamant

276
00:25:57,440 --> 00:26:03,040
about something and we show the value of why we need to do it, he's very accepting to it. It means

277
00:26:03,040 --> 00:26:06,640
we don't have the ability to just say we want anything and everything and he's going to sign

278
00:26:06,640 --> 00:26:12,880
off on it, but he is very receptive. So for us at CIT, it is pretty easy to kind of move things

279
00:26:12,880 --> 00:26:17,840
along as long as we can make our case for it. If you look at, you can go out and search,

280
00:26:17,840 --> 00:26:21,360
Google will help you. You can go say, what does it look like for my industry? And you'll find

281
00:26:21,360 --> 00:26:25,360
numbers. A lot of times you'll find the numbers tend to go all over the place and I just had the

282
00:26:25,360 --> 00:26:29,680
biggest lightning strike right next to me. So if I go offline here in a second, I apologize.

283
00:26:31,120 --> 00:26:36,560
But in my opinion, that varies so much because there are a lot of nuances that go with companies,

284
00:26:36,560 --> 00:26:42,720
right? It's business size, location, etc. etc. And so ultimately, the answer for me is going to

285
00:26:42,720 --> 00:26:46,720
largely depend on what your appetite work is. And it's also going to depend on your industry,

286
00:26:46,720 --> 00:26:50,640
right? So if you're in healthcare, finance, those kinds of things you're going to have requirements

287
00:26:50,640 --> 00:26:55,920
and you really unfortunately don't have a lot of wiggle room on them, you will work with other

288
00:26:55,920 --> 00:27:01,360
customers that will say, if you don't do X, you can't have Y. So if I don't invest in my EDR,

289
00:27:01,360 --> 00:27:05,360
I may not get this agreement. In which case you can kind of look at it and go, gosh, I'm going to

290
00:27:05,360 --> 00:27:10,960
spend $2,000 on this product, but I'm going to get a $500,000 agreement out of it. That's

291
00:27:10,960 --> 00:27:15,360
worth it. Move forward. It's a pretty easy conversation. Now, it could be a lot more

292
00:27:15,360 --> 00:27:19,600
complicated than that too. But again, those risk conversations are how I would typically

293
00:27:19,600 --> 00:27:25,200
start to approach it and start looking at it. Most ransomware attacks you're looking at in the SMB

294
00:27:25,200 --> 00:27:30,320
market, which is small and medium size, you're looking at about $250,000 ransom per event and

295
00:27:30,320 --> 00:27:34,720
you're offline for two weeks. So now you start to build your budget around it and say knowing that

296
00:27:34,720 --> 00:27:40,960
it costs that much, how can I put in tools that start to mitigate that risk without coming back?

297
00:27:40,960 --> 00:27:46,160
So if I came back with something that ended up being $200,000 to mitigate the risk and I'm saving

298
00:27:46,160 --> 00:27:50,960
$50,000, I'll probably just skip it and go, I can accept that risk for now. Then the last piece

299
00:27:50,960 --> 00:27:55,040
that I would put on there and I'll let Nate take over is once you start building your budget and

300
00:27:55,040 --> 00:27:59,120
it's in there, people start to go, okay, he's serious. He isn't letting this go. If you have a

301
00:27:59,120 --> 00:28:02,960
physical budget and it's in there month after month and you're talking about it and you're saying

302
00:28:02,960 --> 00:28:07,280
this is why and here's what I'm fixing on a risk perspective, things will move forward.

303
00:28:08,720 --> 00:28:15,360
There's a couple low hanging fruit items that just simply makes sense. When Todd's talking about

304
00:28:15,360 --> 00:28:22,000
these big numbers for critical security events or even things like you go take a look at business

305
00:28:22,000 --> 00:28:29,840
email compromises, account takeovers. When you do those, take a look at some of the statistics of

306
00:28:29,840 --> 00:28:35,200
what is it actually or what's the likelihood that they actually happen? It's all over the place.

307
00:28:35,200 --> 00:28:41,760
These are the number one threats is system intrusion, their human interaction. So you have

308
00:28:41,760 --> 00:28:47,840
statistics to back you up on then and they often are the initial attack vector to these critical

309
00:28:47,840 --> 00:28:53,200
security incidents. The tools are actually pretty dang cheap to be able to protect against those.

310
00:28:53,200 --> 00:28:59,120
So yes, let's say you're talking about some type of endpoint detection response, it may be a couple

311
00:28:59,120 --> 00:29:04,720
thousand dollars a year, right, depending on the size of your organization, obviously. But

312
00:29:04,720 --> 00:29:09,520
how many years of protection can that give you if we know that this is the number one,

313
00:29:09,520 --> 00:29:14,400
number two, number three threat across the organization, you may be able to afford 10 years

314
00:29:15,120 --> 00:29:20,160
of protection simply for the cost of one security incident. And we already know that these are the

315
00:29:20,160 --> 00:29:26,400
critical things. Therefore, it's an easy business justification to try and put those in place.

316
00:29:26,400 --> 00:29:32,400
Multi-factor, yes, there are free solutions. We see this with Microsoft just saying,

317
00:29:32,400 --> 00:29:37,200
it's not required because it's so critical that you have it. There are other paid solutions that

318
00:29:37,200 --> 00:29:42,720
have more bells and whistles. We spend a significant amount of money on our identity and access

319
00:29:42,720 --> 00:29:50,880
management solution. However, we see the value because the criticality of an account compromise

320
00:29:50,880 --> 00:29:56,560
or access into these systems far outweighs the risk of not putting it into play. So again,

321
00:29:56,560 --> 00:30:02,560
the budget and everything is completely subjective to your industry and everything like that,

322
00:30:02,560 --> 00:30:08,640
especially if you're non-regulated versus regulated. But I guess the last thing I would say is there

323
00:30:08,640 --> 00:30:14,320
are actually frameworks to help calculate some of this stuff. So if you're not familiar with things

324
00:30:14,320 --> 00:30:21,200
like the FAIR risk matrix or reporting structure, there are ones out there such as FAIR that can

325
00:30:21,200 --> 00:30:27,680
help you out and make those a quantitative justifications. Yeah, I think it was that the

326
00:30:27,680 --> 00:30:32,160
FTC had generated some guidelines on what people should expect as they were rolling out some of

327
00:30:32,160 --> 00:30:35,680
their stuff and they built, they helped build budgets too. So those things do exist and you can

328
00:30:35,680 --> 00:30:41,200
go search for those and kind of get an idea what ballpark numbers look like. But that'll help.

329
00:30:41,200 --> 00:30:45,200
And then last but not least, there are partners out there that will help you build the budget and

330
00:30:45,200 --> 00:30:49,600
go, okay, well, let's look at the overall budget of who you are, where you are in your maturity

331
00:30:49,600 --> 00:30:54,000
level and where you're going and we can help build that out and then help. If you need it,

332
00:30:54,000 --> 00:30:58,480
not everybody does, but sometimes people need somebody to come in and just be that buffer

333
00:30:58,480 --> 00:31:03,760
between the person that's asking for the money and the people that are saying yes or no to spending

334
00:31:03,760 --> 00:31:08,880
it. So partners can help you with that piece as well. I think sorry, the one last thing I'm

335
00:31:08,880 --> 00:31:12,880
going to add on to this just to Ariel, just to help tie your last question together is

336
00:31:12,880 --> 00:31:18,320
how do you break down for your C levels or justify them? Or that initiative, how does it drive the

337
00:31:18,320 --> 00:31:24,240
business forward? Right? Even today, I was talking to Todd about some type of security initiative

338
00:31:24,240 --> 00:31:31,760
and going, how do I benefit from that? Right? And what's the cost? What's the labor associated?

339
00:31:31,760 --> 00:31:38,880
Taking those into consideration, are there alternatives that we have considered to maybe save

340
00:31:38,880 --> 00:31:45,120
those expenses, right? Having those conversations of saying we've considered and exhausted all

341
00:31:45,920 --> 00:31:52,080
efforts to mitigate this risk or transfer this risk or something along those lines,

342
00:31:52,080 --> 00:31:57,600
the only viable way that I see this moving forward and mitigating is to implement this.

343
00:31:57,600 --> 00:32:01,280
And if you have those numbers backed up, again, the business wants to keep moving,

344
00:32:01,280 --> 00:32:05,680
they want to keep making money, but they also want to mitigate risk because that costs money

345
00:32:05,680 --> 00:32:11,120
on the back end as well. I can't remember, Todd or Nate, who said it's important to

346
00:32:11,120 --> 00:32:14,640
know your audience and kind of know where they're coming from when you have these conversations.

347
00:32:15,200 --> 00:32:17,120
I totally take credit for that because I was talking.

348
00:32:17,120 --> 00:32:28,320
So my very last question is how often are you having these conversations? How often should

349
00:32:28,320 --> 00:32:34,080
you revisit these cyber policies? It depends. I have to work it in. You knew it was coming. It

350
00:32:34,080 --> 00:32:39,360
was just a matter of time. It really does depend if you have it written down in one of your other

351
00:32:39,360 --> 00:32:45,040
policies. And so for example, in HIPAA, in the finance world, etc., they say what they do and

352
00:32:45,040 --> 00:32:49,600
then you go through the audit process, proving you do what you say. And in most of those,

353
00:32:49,600 --> 00:32:54,320
they typically say they review them at quote unquote, at least annually. So if you document

354
00:32:54,320 --> 00:32:59,840
somewhere that it's at least annually, then you better do it at least annually. I generally recommend

355
00:32:59,840 --> 00:33:04,640
at least annually as kind of a baseline. You should be doing most things at least that frequently.

356
00:33:04,640 --> 00:33:09,440
Things do change enough that you should be doing it. We talked about MFA. We've been screaming it

357
00:33:09,440 --> 00:33:14,320
from the top of the mountain for seven years and it's changed. So we got into that phishing

358
00:33:14,320 --> 00:33:18,880
resistant conversation because it's changing. You need to revisit your policies and say

359
00:33:20,160 --> 00:33:25,760
has what's happened in the world, our new adoption technology, our different change of our risk

360
00:33:25,760 --> 00:33:30,000
appetite has changed. Do I need to make adjustments to my policy? And then of course,

361
00:33:30,000 --> 00:33:36,560
did I miss anything the previous time? Like every day policy. So I guess whenever something comes

362
00:33:36,560 --> 00:33:41,920
up, right, is if you have a policy here at CIT, we've had these in the past where,

363
00:33:41,920 --> 00:33:48,640
yes, let's say the quarterly or sorry, not the quarterly, the annual cadence is at a minimum

364
00:33:48,640 --> 00:33:55,120
needs to do this annually. If there's an issue that comes up and it's something that you didn't

365
00:33:55,120 --> 00:34:01,680
encounter in one of your policies, communicate it, right, make sure that it's associated into

366
00:34:01,680 --> 00:34:06,800
the business moving forward. So we have issues every single day. I'm going to say daily on your

367
00:34:06,800 --> 00:34:13,120
lunch break, just look at them and update them. Right. But annually is a good start. It is.

368
00:34:13,120 --> 00:34:16,960
And I mean, there are certain things that businesses do just by nature that cause it to

369
00:34:16,960 --> 00:34:22,000
happen. So for example, we do like an incident response plan and we review that at least yearly.

370
00:34:22,000 --> 00:34:26,560
And what typically ends up happening is we just had a conversation earlier today where

371
00:34:26,560 --> 00:34:31,360
someone was talking about, well, what happens if I implement an EDR and I get an alert,

372
00:34:31,360 --> 00:34:34,640
what does that look like? Well, if that's not an incident response plan, it should be.

373
00:34:34,640 --> 00:34:39,360
So those kinds of things that change pretty regularly and you just need to be on top of it

374
00:34:39,360 --> 00:34:43,120
and continue to revisit and make sure you're doing all your due diligence.

375
00:34:43,120 --> 00:34:48,240
Perfect. Well, we're definitely revisiting this topic. We got some more questions. We couldn't

376
00:34:48,240 --> 00:34:53,440
fit it all in. So we'll be back. And I see there were more questions. Thank you, Todd and Nate for

377
00:34:53,440 --> 00:34:58,960
joining us today. If you enjoyed this podcast, please like and subscribe. It's how we know

378
00:34:58,960 --> 00:35:04,160
that you are interested in these topics. If you have a question or a topic, you'd like us to

379
00:35:04,160 --> 00:35:12,880
discuss, reach out to us at info at cit-net.com or head out to our website cit-net.com slash

380
00:35:12,880 --> 00:35:36,880
podcast and we'll be back next week with an all new episode.

