1
00:00:00,000 --> 00:00:08,040
Welcome to the Growing EBITDA Podcast, where we unlock the doors to management and technology

2
00:00:08,040 --> 00:00:10,160
insights in the middle market.

3
00:00:10,160 --> 00:00:15,480
Join us as we explore innovative strategies to drive revenue and EBITDA growth, interviewing

4
00:00:15,480 --> 00:00:18,440
industry leaders and technology experts.

5
00:00:18,440 --> 00:00:23,340
Whether you're looking to streamline operations, understand the latest tech trends, or lead

6
00:00:23,340 --> 00:00:27,760
your company towards exponential growth, you're in the right place.

7
00:00:27,760 --> 00:00:31,920
Stay tuned and let's grow together.

8
00:00:31,920 --> 00:00:35,480
Cybersecurity word of the day, cybersecurity.

9
00:00:35,480 --> 00:00:41,680
Increasingly, we are finding cybersecurity being one of the top business priorities,

10
00:00:41,680 --> 00:00:45,080
if not the top business priority for middle market companies.

11
00:00:45,080 --> 00:00:46,560
And a couple of reasons why.

12
00:00:46,560 --> 00:00:53,200
A report that came out that was affiliated with the FBI, but published in Cybercrime

13
00:00:53,200 --> 00:01:02,440
Magazine very recently reported that cybercrime will cost the world $10.5 trillion annually

14
00:01:02,440 --> 00:01:04,240
by next year 2025.

15
00:01:04,240 --> 00:01:07,480
$10.5 trillion.

16
00:01:07,480 --> 00:01:12,040
Very interestingly, and also from the same report, more than half of all cyber attacks

17
00:01:12,040 --> 00:01:14,600
are committed against small and medium sized companies.

18
00:01:14,600 --> 00:01:20,280
So middle market companies, and 60% of them go out of business within six months of falling

19
00:01:20,280 --> 00:01:22,520
victim to a breach or an attack.

20
00:01:22,520 --> 00:01:27,680
Now 60%, I'm sure those numbers are a little bit skewed by smaller businesses, right?

21
00:01:27,680 --> 00:01:32,200
And obviously our listeners tend to be running kind of more medium sized middle market businesses.

22
00:01:32,200 --> 00:01:35,360
But nonetheless, those are some pretty scary figures.

23
00:01:35,360 --> 00:01:36,720
Lots of dollars, high impact.

24
00:01:36,720 --> 00:01:41,200
Probably one of the most interesting to me is that 60% of all breaches are with smaller

25
00:01:41,200 --> 00:01:43,120
and medium sized organizations.

26
00:01:43,120 --> 00:01:46,980
I have my theory why, may or may not be accurate.

27
00:01:46,980 --> 00:01:53,040
And that is bigger companies have more infrastructure, better systems, bigger IT departments.

28
00:01:53,040 --> 00:01:55,920
I'm sure there's a lot of mid market companies out there, James, you'll probably speak to

29
00:01:55,920 --> 00:02:01,520
this in a minute that don't have big IT teams, don't have sophisticated processes and protocols

30
00:02:01,520 --> 00:02:04,200
in place to protect them from some of these breaches.

31
00:02:04,200 --> 00:02:08,880
But anyway, obviously this is huge impact on companies, on businesses.

32
00:02:08,880 --> 00:02:13,880
Almost every executive that I know, and every investor that I know is starting to think

33
00:02:13,880 --> 00:02:15,520
more seriously about cybersecurity.

34
00:02:15,520 --> 00:02:18,880
And hence, that's why we wanted to kick off our podcast by talking about that today.

35
00:02:18,880 --> 00:02:21,760
So that's about all I know about cybersecurity.

36
00:02:21,760 --> 00:02:25,800
As our guests will come to learn, I can operate my own laptops and my own emails, but that's

37
00:02:25,800 --> 00:02:28,440
largely where my IT competency ends.

38
00:02:28,440 --> 00:02:33,340
So thank goodness we have James here to guide us through today's episode and today's topic.

39
00:02:33,340 --> 00:02:39,320
It's crazy to think that the 10.5 number you provided, that is three times the, or over

40
00:02:39,320 --> 00:02:41,500
three times the value of Apple today.

41
00:02:41,500 --> 00:02:44,320
It's crazy in our lifetime, we saw a business worth a trillion dollars.

42
00:02:44,320 --> 00:02:48,760
I think it's such a huge business to think that something three times the size of Apple

43
00:02:48,760 --> 00:02:50,120
is a total net loss globally.

44
00:02:50,120 --> 00:02:51,120
It's a crazy number.

45
00:02:51,120 --> 00:02:52,120
It's a lot of money.

46
00:02:52,120 --> 00:02:53,120
A lot of money.

47
00:02:53,120 --> 00:02:54,120
If I had that kind of money, I could retire.

48
00:02:54,120 --> 00:02:55,600
Yeah, we'd get a better studio.

49
00:02:55,600 --> 00:02:56,600
Absolutely.

50
00:02:56,600 --> 00:02:57,600
Maybe a better producer.

51
00:02:57,600 --> 00:02:58,600
Maybe.

52
00:02:58,600 --> 00:03:00,680
I think we should introduce everybody to producer Matt.

53
00:03:00,680 --> 00:03:01,680
Producer Matt here.

54
00:03:01,680 --> 00:03:06,000
It was producer Matt's idea to start this podcast, if I'm not mistaken.

55
00:03:06,000 --> 00:03:07,000
Is that?

56
00:03:07,000 --> 00:03:08,000
Yes.

57
00:03:08,000 --> 00:03:09,000
It's an origin story.

58
00:03:09,000 --> 00:03:10,000
Yes.

59
00:03:10,000 --> 00:03:11,000
It's an origin story.

60
00:03:11,000 --> 00:03:12,000
Origin story.

61
00:03:12,000 --> 00:03:13,000
He was talking about it.

62
00:03:13,000 --> 00:03:14,560
It's a 10.5 trillion dollar podcast.

63
00:03:14,560 --> 00:03:16,400
It just so happened to line up with today's number.

64
00:03:16,400 --> 00:03:17,880
Back to business here, James.

65
00:03:17,880 --> 00:03:20,160
Maybe we could talk about why it's a top priority to businesses.

66
00:03:20,160 --> 00:03:21,160
Yes, definitely.

67
00:03:21,160 --> 00:03:22,160
Let's do that.

68
00:03:22,160 --> 00:03:26,440
So when we think about kind of the cybersecurity and the priorities around it, generally think

69
00:03:26,440 --> 00:03:29,760
of it as three different major categories.

70
00:03:29,760 --> 00:03:34,360
One of the things that we really say, and it's kind of the most important thing is cybersecurity

71
00:03:34,360 --> 00:03:37,400
is protecting your organization's digital assets.

72
00:03:37,400 --> 00:03:42,200
Those digital assets could be data, could be files, could be email, could be a lot of

73
00:03:42,200 --> 00:03:44,880
things, but it's protecting those digital assets.

74
00:03:44,880 --> 00:03:50,040
The next thing is we think about the reliance that organizations have, much like our podcast

75
00:03:50,040 --> 00:03:52,400
today and all the technology surrounds us to your point.

76
00:03:52,400 --> 00:03:54,760
We have a heavy reliance on systems.

77
00:03:54,760 --> 00:04:00,320
And when those systems fail due to a cyber threat or cyber issue, it really does affect

78
00:04:00,320 --> 00:04:02,880
our businesses and our ability to run our business effectively.

79
00:04:02,880 --> 00:04:07,720
And then the last part, which I think is the reason anybody has a business, is the ability

80
00:04:07,720 --> 00:04:09,460
to generate revenue.

81
00:04:09,460 --> 00:04:12,320
And how does a cyber attack affect revenue?

82
00:04:12,320 --> 00:04:14,680
It allows you to not be able to do the great things you do today.

83
00:04:14,680 --> 00:04:20,440
And no matter what business you are in, cyber attacks find ways to halt revenue, which creates

84
00:04:20,440 --> 00:04:24,400
stress and strain on business owners, especially in the middle market like our listeners.

85
00:04:24,400 --> 00:04:28,720
I understand that it affects revenue, but maybe unpack that for us a little bit.

86
00:04:28,720 --> 00:04:32,580
Tell us how you've seen it impact revenue in businesses either that you've been involved

87
00:04:32,580 --> 00:04:34,400
with or that you've heard about.

88
00:04:34,400 --> 00:04:36,480
Help our listeners understand that a little bit more.

89
00:04:36,480 --> 00:04:37,480
Yeah.

90
00:04:37,480 --> 00:04:40,320
I mean, when you think about the revenue side, when I have these conversations with folks,

91
00:04:40,320 --> 00:04:42,760
a lot of folks immediately go to e-commerce sites.

92
00:04:42,760 --> 00:04:45,560
My website went down and I'm not able to transact.

93
00:04:45,560 --> 00:04:46,560
That's interesting.

94
00:04:46,560 --> 00:04:48,280
That is one of the challenges folks face.

95
00:04:48,280 --> 00:04:50,260
But it could be any sort of business.

96
00:04:50,260 --> 00:04:55,680
If I'm not able to procure goods, if I'm not able to pay my people, if I'm able to collect

97
00:04:55,680 --> 00:05:02,840
cash, if I can't even get to my bank, think about it as everything you do today not functioning.

98
00:05:02,840 --> 00:05:06,460
And the way a lot of times that we talk about it with folks is, you know, we've all had

99
00:05:06,460 --> 00:05:08,600
to unfortunately exit folks from an organization.

100
00:05:08,600 --> 00:05:11,840
When you exit from an organization, we cut off all the access to that organization.

101
00:05:11,840 --> 00:05:13,760
You no longer affiliate with the organization.

102
00:05:13,760 --> 00:05:15,640
You no longer have any of the access.

103
00:05:15,640 --> 00:05:21,680
Just imagine that you are that employee, essentially the business terminating you due to the cybersecurity

104
00:05:21,680 --> 00:05:22,880
locking you out.

105
00:05:22,880 --> 00:05:23,880
So that's the visual.

106
00:05:23,880 --> 00:05:26,760
We all know what that visual is because we've locked folks out in the past.

107
00:05:26,760 --> 00:05:28,260
It affects everything you do.

108
00:05:28,260 --> 00:05:31,760
So when it affects revenue, e-commerce, sure.

109
00:05:31,760 --> 00:05:32,760
Ability to procure, sure.

110
00:05:32,760 --> 00:05:33,760
Pay.

111
00:05:33,760 --> 00:05:37,440
The only thing it affects is the ability to just truly run your day to day, know the state

112
00:05:37,440 --> 00:05:40,440
of your business, report on your business, have an understanding of your business.

113
00:05:40,440 --> 00:05:41,440
It affects your employees.

114
00:05:41,440 --> 00:05:42,440
Yeah.

115
00:05:42,440 --> 00:05:46,880
And it also, when you have a breach, I imagine Murphy's Law kicks in.

116
00:05:46,880 --> 00:05:49,000
It's never going to be a good time.

117
00:05:49,000 --> 00:05:52,400
And it's probably when it happens, it's never going to be the right time.

118
00:05:52,400 --> 00:05:55,320
And that's probably one of the reasons why it's so talked about today, not just that

119
00:05:55,320 --> 00:06:02,320
it's beyond prolific and not just that the impact is huge, but it does, like you described,

120
00:06:02,320 --> 00:06:04,720
it impacts every corner of your business.

121
00:06:04,720 --> 00:06:07,800
They may not all go down at once, but they could.

122
00:06:07,800 --> 00:06:12,160
There's been some recent examples of that, but it just has the potential to really bring

123
00:06:12,160 --> 00:06:14,360
a business to its knees.

124
00:06:14,360 --> 00:06:18,640
So James, stick it in the context of the mid-market, which is where we spend most of our time.

125
00:06:18,640 --> 00:06:24,140
Give me an overview of what cybersecurity today means in the middle market.

126
00:06:24,140 --> 00:06:25,320
This is an interesting topic.

127
00:06:25,320 --> 00:06:30,360
The first thing I always talk about when we have this conversation is everyone has to

128
00:06:30,360 --> 00:06:32,160
participate.

129
00:06:32,160 --> 00:06:39,520
It's not the some participate, I'm a financial business, I'm a Bitcoin business, everyone

130
00:06:39,520 --> 00:06:40,520
has to participate.

131
00:06:40,520 --> 00:06:42,560
And that's a bit of a change.

132
00:06:42,560 --> 00:06:46,360
It's no longer for just large organizations.

133
00:06:46,360 --> 00:06:50,660
Mid-market has to follow the standards of everyone else.

134
00:06:50,660 --> 00:06:56,340
And I think that the most important part of that is your clients and your employees expect

135
00:06:56,340 --> 00:07:00,360
you to follow it because they expect you to safeguard and protect that data.

136
00:07:00,360 --> 00:07:04,560
And so we think about compliance over the years, many years ago, for those who remember,

137
00:07:04,560 --> 00:07:08,400
we went from the swipe credit card readers to the chip and pin where you had to insert.

138
00:07:08,400 --> 00:07:11,760
And that was one of the first cyber changes because people are getting compromised credit

139
00:07:11,760 --> 00:07:13,880
cards and it was a challenge.

140
00:07:13,880 --> 00:07:17,840
No matter what size business you go into, pay attention next time, whether it's a small

141
00:07:17,840 --> 00:07:22,760
business around the corner or a large multinational organization, they all have the same reader.

142
00:07:22,760 --> 00:07:23,760
Why?

143
00:07:23,760 --> 00:07:28,280
Because the industry standardized on the security protocol that was generally agreed to by all

144
00:07:28,280 --> 00:07:32,920
folks and whether it's tapless or insert, there's no more, in extreme cases, maybe a

145
00:07:32,920 --> 00:07:36,920
little bit of swiping, but very rarely as they're swiping, we agreed to that standard.

146
00:07:36,920 --> 00:07:39,560
Think about mid-market is that same type of idea.

147
00:07:39,560 --> 00:07:41,840
Those standards are out there, they're generally accepted.

148
00:07:41,840 --> 00:07:45,200
Folks need to adjust to those to be able to align to even the way large businesses are

149
00:07:45,200 --> 00:07:46,200
protecting themselves.

150
00:07:46,200 --> 00:07:51,840
And in your experience, how many businesses, I'm sure for a lot of our listeners, they

151
00:07:51,840 --> 00:07:57,180
can relate to the credit card scanner example in their personal lives, right?

152
00:07:57,180 --> 00:08:01,600
But many, many mid-size businesses are more B2B in nature.

153
00:08:01,600 --> 00:08:06,720
So that example may not draw immediate parallels to their mind.

154
00:08:06,720 --> 00:08:10,640
Do you have any examples that are kind of in a more B2B environment?

155
00:08:10,640 --> 00:08:15,600
So I think an example for B2B folks is the way that you wire transfer and do your wire

156
00:08:15,600 --> 00:08:19,920
transfers today that is an interesting change on the validation side, right?

157
00:08:19,920 --> 00:08:23,880
So I know as a business owner, you're familiar with the wire transfer process and maybe you

158
00:08:23,880 --> 00:08:27,080
could tell me more from the business side, but I'll tell you from the technology side

159
00:08:27,080 --> 00:08:31,920
that the way that you wire today and you have that handshake, which is a communication between

160
00:08:31,920 --> 00:08:35,640
two systems is a large difference on how we do wire transfer today.

161
00:08:35,640 --> 00:08:39,900
So if you remember back in the day, you put in your routing information and it wouldn't

162
00:08:39,900 --> 00:08:41,400
give you any results.

163
00:08:41,400 --> 00:08:45,480
Now you get that confirmation that says, are you from UMB blank, blank, blank, whatever

164
00:08:45,480 --> 00:08:46,480
bank it is?

165
00:08:46,480 --> 00:08:50,040
And you have that little bit of moment like, okay, I know I typed in that number correctly.

166
00:08:50,040 --> 00:08:54,440
That's done because they built a trust with those banks to allow that information to be

167
00:08:54,440 --> 00:08:58,400
sent out and returned so you the user can feel a little more comfortable.

168
00:08:58,400 --> 00:09:02,960
That security to allow for that, there's a ton of work and a ton of protocols that sits

169
00:09:02,960 --> 00:09:07,120
behind that very simple type in a number return a word, but there's a lot done there.

170
00:09:07,120 --> 00:09:10,240
And I think for anybody who runs a business, you're very familiar with this being scared

171
00:09:10,240 --> 00:09:14,000
of a wire transfer because you know when you transfer an erroneous wire transfer, it's

172
00:09:14,000 --> 00:09:15,460
very hard to get back.

173
00:09:15,460 --> 00:09:19,740
So those little nuances that protocols have been put in place to protect you, the consumer

174
00:09:19,740 --> 00:09:20,920
also makes your life easier.

175
00:09:20,920 --> 00:09:27,640
Got it, so I think what you're saying is there's different standards, cybersecurity standards

176
00:09:27,640 --> 00:09:33,280
that are out there, but I'm sure a lot of businesses are less familiar with those standards.

177
00:09:33,280 --> 00:09:37,920
Sticking with the middle market theme here, what percentage of middle market businesses

178
00:09:37,920 --> 00:09:43,280
have cybersecurity, would you call them systems or protocols or how would you describe that

179
00:09:43,280 --> 00:09:49,360
and what percentage of mid market companies have an adequate landscape, so to speak?

180
00:09:49,360 --> 00:09:51,240
Yeah, I would say it is two numbers.

181
00:09:51,240 --> 00:09:52,960
That's an excellent point.

182
00:09:52,960 --> 00:09:55,880
It's how many have cybersecurity protocols in place?

183
00:09:55,880 --> 00:09:58,640
I'm gonna go on a limb and say probably 100.

184
00:09:58,640 --> 00:10:02,440
Everyone has something for cybersecurity because whether your vendors required it, your employees

185
00:10:02,440 --> 00:10:07,760
have activated it, or your technology team has done it, everyone has something.

186
00:10:07,760 --> 00:10:12,920
How many are using it to the degree in which we expect and know is required for the space?

187
00:10:12,920 --> 00:10:13,920
It's a scary number.

188
00:10:13,920 --> 00:10:15,760
It's probably around 25%.

189
00:10:15,760 --> 00:10:17,200
Think about the number you talked about earlier.

190
00:10:17,200 --> 00:10:19,720
You said 50% of the businesses are compromised.

191
00:10:19,720 --> 00:10:22,840
Of those 50, that means that there's 50 that aren't compromised.

192
00:10:22,840 --> 00:10:25,820
That's not to say that those 50 are protected and they got through.

193
00:10:25,820 --> 00:10:27,320
They're probably underprepared as well.

194
00:10:27,320 --> 00:10:31,400
And in my opinion, there's probably another 25% there that is exposed.

195
00:10:31,400 --> 00:10:35,440
And so when you think about it, it's a target market of 75% of business have an opportunity

196
00:10:35,440 --> 00:10:36,480
to be exposed.

197
00:10:36,480 --> 00:10:37,640
Think about that as a bad actor.

198
00:10:37,640 --> 00:10:42,480
It's a great easy way to make some money in a nefarious way by attacking those folks

199
00:10:42,480 --> 00:10:43,480
aren't prepared.

200
00:10:43,480 --> 00:10:45,560
So I'd say probably about 25% are where they need to be.

201
00:10:45,560 --> 00:10:49,680
Wow, yeah, so if you are a bad actor, all you got to do is pick one company and 75%

202
00:10:49,680 --> 00:10:51,880
chance you're getting in that one.

203
00:10:51,880 --> 00:10:54,440
Pick two, the odds are with the bad actors.

204
00:10:54,440 --> 00:10:56,200
I wish my Vegas odds were that good.

205
00:10:56,200 --> 00:10:59,280
Building on that, what are some of the more common threats?

206
00:10:59,280 --> 00:11:03,760
Because we all hear about, oh, there's this cybersecurity threat out there.

207
00:11:03,760 --> 00:11:08,400
60% of businesses, small and medium sized businesses, $10.5 trillion annually impact

208
00:11:08,400 --> 00:11:10,040
on the global economy.

209
00:11:10,040 --> 00:11:12,120
Let's bring it home a little bit more though.

210
00:11:12,120 --> 00:11:18,920
If I'm a mid market operating executive, I could be the CEO, CFO, head of IT, head of

211
00:11:18,920 --> 00:11:20,160
supply chain.

212
00:11:20,160 --> 00:11:23,880
What are some of the threats that are out there that are going to resonate with some

213
00:11:23,880 --> 00:11:24,880
of these folks?

214
00:11:24,880 --> 00:11:25,880
Bring it home for them a little bit.

215
00:11:25,880 --> 00:11:26,880
Yeah.

216
00:11:26,880 --> 00:11:30,020
So for me, cybersecurity, you can think of it as it's on a continuum, right?

217
00:11:30,020 --> 00:11:33,160
So you can land anywhere in cybersecurity can be as much as you want.

218
00:11:33,160 --> 00:11:38,280
Anybody who's a sports enthusiast or an outdoors enthusiast such as you and I, you know, there's

219
00:11:38,280 --> 00:11:41,000
price points at all levels of outdoorness, right?

220
00:11:41,000 --> 00:11:45,000
There's the REI price point, and then there's a crazy price point above that, and then there's

221
00:11:45,000 --> 00:11:47,120
a Walmart price point below that.

222
00:11:47,120 --> 00:11:49,900
Same type of thing applies to cybersecurity.

223
00:11:49,900 --> 00:11:50,900
There's different levels.

224
00:11:50,900 --> 00:11:55,760
What we really want folks to focus on is selecting the right level for your business.

225
00:11:55,760 --> 00:11:59,440
The cybersecurity you need isn't the same that a bank needs.

226
00:11:59,440 --> 00:12:03,160
So here's some areas to think about for a mid sized business that we're talking about

227
00:12:03,160 --> 00:12:04,160
today.

228
00:12:04,160 --> 00:12:09,000
My applications that run my business today, whether that's my ERP, whether that's QuickBooks,

229
00:12:09,000 --> 00:12:14,300
whether that's my email, whatever that business system is that runs my business that I use

230
00:12:14,300 --> 00:12:15,880
needs to be protected.

231
00:12:15,880 --> 00:12:18,520
Number two, my collaboration tools.

232
00:12:18,520 --> 00:12:21,680
Collaboration tools is a fancy way of saying email and chat.

233
00:12:21,680 --> 00:12:24,440
Lots go through email and chat needs to be protected.

234
00:12:24,440 --> 00:12:28,360
Number three, your clients' and your employees' data.

235
00:12:28,360 --> 00:12:32,160
We all know all the time we hear about leaks every single week about the information getting

236
00:12:32,160 --> 00:12:33,800
out there in those leaks.

237
00:12:33,800 --> 00:12:36,400
Protecting that data should be high on your priority.

238
00:12:36,400 --> 00:12:41,120
So number one, business applications, number two, collaboration and number three, data.

239
00:12:41,120 --> 00:12:44,760
So how do you protect a business application?

240
00:12:44,760 --> 00:12:45,760
Let's just start there.

241
00:12:45,760 --> 00:12:51,220
I think you're describing for the listeners three really nice buckets to think about,

242
00:12:51,220 --> 00:12:52,220
but how do you protect?

243
00:12:52,220 --> 00:12:56,000
How do you prevent somebody from actually getting into one of your business applications?

244
00:12:56,000 --> 00:12:57,000
Yeah.

245
00:12:57,000 --> 00:13:02,400
So there's two types of business applications that are very common in the mid market.

246
00:13:02,400 --> 00:13:05,620
Application number one is what's called a hosted application.

247
00:13:05,620 --> 00:13:11,240
That's where I have a server in my back room that has that application on the server.

248
00:13:11,240 --> 00:13:14,440
Type number two is a cloud based application.

249
00:13:14,440 --> 00:13:18,320
That's the common applications we all know that are like software as a service that sit

250
00:13:18,320 --> 00:13:20,440
in the cloud that I access.

251
00:13:20,440 --> 00:13:23,640
So there's two different ways of protecting those systems.

252
00:13:23,640 --> 00:13:26,160
The first system is what's called an on premises system.

253
00:13:26,160 --> 00:13:28,200
It sits in my local server room.

254
00:13:28,200 --> 00:13:29,480
It's near to me.

255
00:13:29,480 --> 00:13:34,000
The way I protect that is I protect the servers and systems within my four walls.

256
00:13:34,000 --> 00:13:38,120
So that's through firewalls, VPNs and lots of great other tools that are out there to

257
00:13:38,120 --> 00:13:39,120
protect those.

258
00:13:39,120 --> 00:13:42,500
And that's more of the traditional IT that folks have been protecting for years.

259
00:13:42,500 --> 00:13:48,080
You protect those with very strong passwords, multifactor authentication and very good systems

260
00:13:48,080 --> 00:13:49,280
that protect my four walls.

261
00:13:49,280 --> 00:13:53,000
When I think about cloud based systems, we've all been there.

262
00:13:53,000 --> 00:13:56,800
You go to a login page, I put in my email address, I put in my password.

263
00:13:56,800 --> 00:14:01,520
Hopefully I have multifactor authentication or maybe I have a single sign on solution.

264
00:14:01,520 --> 00:14:02,860
That is how I protect that data.

265
00:14:02,860 --> 00:14:06,720
So the login of that data is the way I protect it.

266
00:14:06,720 --> 00:14:11,540
Now we expect those providers to protect their data.

267
00:14:11,540 --> 00:14:14,000
Because somewhere that data is still sitting on a bare metal server.

268
00:14:14,000 --> 00:14:16,400
It's not truly in the cloud and floating around.

269
00:14:16,400 --> 00:14:17,400
It exists somewhere.

270
00:14:17,400 --> 00:14:22,840
So it's important to vet and ensure that those providers you're doing business with protect

271
00:14:22,840 --> 00:14:25,900
your data much like you protect the data within your four walls.

272
00:14:25,900 --> 00:14:27,680
So really for you, there's nothing you can do.

273
00:14:27,680 --> 00:14:30,340
You're not going to build a go and give them standards that need to follow.

274
00:14:30,340 --> 00:14:34,280
But you do need to do your due diligence to ensure those providers you're using are strong

275
00:14:34,280 --> 00:14:37,320
providers in securing and protecting your data.

276
00:14:37,320 --> 00:14:42,080
And I'm sure a lot of our listeners, many of them probably have on-prem, on-premise

277
00:14:42,080 --> 00:14:43,960
servers with applications running.

278
00:14:43,960 --> 00:14:47,880
I'm sure many of them, I'm sure almost all of them these days run some element of their

279
00:14:47,880 --> 00:14:49,400
business in the cloud.

280
00:14:49,400 --> 00:14:50,880
If they don't, they should call you.

281
00:14:50,880 --> 00:14:52,480
You have to help them with that.

282
00:14:52,480 --> 00:14:56,100
Not just to save money, but this probably improve a number of things for them.

283
00:14:56,100 --> 00:15:01,920
So it's one thing to hear somebody like yourself say, hey, if you have an on-premise solution,

284
00:15:01,920 --> 00:15:05,380
make sure that you have the right firewalls.

285
00:15:05,380 --> 00:15:07,920
Make sure you have the right other pieces of equipment.

286
00:15:07,920 --> 00:15:10,240
Make sure you have multi-factor authentication.

287
00:15:10,240 --> 00:15:17,200
But it's an ever evolving landscape of new threats, of new bad actors, of new technologies.

288
00:15:17,200 --> 00:15:23,840
And I feel like even companies who have a relatively well-established IT team or department

289
00:15:23,840 --> 00:15:28,600
are constantly trying to catch up to the latest and greatest technologies.

290
00:15:28,600 --> 00:15:30,680
And that's fine because you're protecting your business.

291
00:15:30,680 --> 00:15:33,160
But what about companies without large teams?

292
00:15:33,160 --> 00:15:36,080
I mean, how are they addressing this?

293
00:15:36,080 --> 00:15:41,800
If I'm the CEO of a company and maybe it's my first day on the job and I do prioritize

294
00:15:41,800 --> 00:15:46,720
cybersecurity and I walk into the business that I've just decided that I'm going to

295
00:15:46,720 --> 00:15:50,560
spend the next number of years helping to lead and grow, how do I assess the current

296
00:15:50,560 --> 00:15:56,160
state and how do I possibly keep up to these evolving changes in the threat landscape?

297
00:15:56,160 --> 00:15:59,800
I think this is the challenge a lot of executives have.

298
00:15:59,800 --> 00:16:04,120
And the thing we kind of jokingly say is you can't just walk through the airport because

299
00:16:04,120 --> 00:16:07,200
we've all walked through the airport and we see the Barracuda sign or the kind of high

300
00:16:07,200 --> 00:16:09,800
level of the folks who advertise because they know they're captive audience.

301
00:16:09,800 --> 00:16:13,040
They know there's a lot of business folks who travel and see those things.

302
00:16:13,040 --> 00:16:15,120
And unfortunately, that's only a small piece of the puzzle.

303
00:16:15,120 --> 00:16:16,120
And you're correct.

304
00:16:16,120 --> 00:16:17,520
You have to rely on your team.

305
00:16:17,520 --> 00:16:21,560
So there's some things that you can start to think about as you talk to your team

306
00:16:21,560 --> 00:16:22,920
and work through your team.

307
00:16:22,920 --> 00:16:28,080
Number one is having open and honest dialogue with your team to say, where are we?

308
00:16:28,080 --> 00:16:29,920
I'm joining the organization.

309
00:16:29,920 --> 00:16:32,000
Let's go ahead and let the past be the past.

310
00:16:32,000 --> 00:16:37,160
Let's have a real conversation of where we sit, where we're at and what our journey is.

311
00:16:37,160 --> 00:16:41,240
There's a phrase in IT that's called technical debt, those things that you haven't accomplished

312
00:16:41,240 --> 00:16:42,240
or haven't completed.

313
00:16:42,240 --> 00:16:46,720
And we use this phrase a lot by saying paying down technical debt or the inverse of that

314
00:16:46,720 --> 00:16:48,420
improving my IT system.

315
00:16:48,420 --> 00:16:52,360
So having those conversations and open dialogue to your team to say, where are those areas

316
00:16:52,360 --> 00:16:53,600
of technical debt?

317
00:16:53,600 --> 00:16:55,360
And what do I need to do to pay those down?

318
00:16:55,360 --> 00:16:58,880
Now, it could be monetary, it could be hiring, it could be education.

319
00:16:58,880 --> 00:16:59,920
Those are different things.

320
00:16:59,920 --> 00:17:01,080
That's number one.

321
00:17:01,080 --> 00:17:03,760
Another one is being prepared to spend.

322
00:17:03,760 --> 00:17:06,860
Not gonna lie, cybersecurity comes at a cost.

323
00:17:06,860 --> 00:17:07,860
It's not cheap.

324
00:17:07,860 --> 00:17:12,160
There's a lot of tools out there that are really great for the mid market that are affordable,

325
00:17:12,160 --> 00:17:13,900
but they still come at a cost.

326
00:17:13,900 --> 00:17:19,360
If today your team is not doing it and tomorrow you start to do it, the transition is not

327
00:17:19,360 --> 00:17:20,360
gonna be free.

328
00:17:20,360 --> 00:17:21,680
It's gonna be some cost.

329
00:17:21,680 --> 00:17:25,640
And be completely honest, the cost is not only just a software, it's training your team,

330
00:17:25,640 --> 00:17:27,040
bringing them along for the journey.

331
00:17:27,040 --> 00:17:30,400
Because you have to train your internal team, that's your technology team, or maybe you

332
00:17:30,400 --> 00:17:31,400
outsource it.

333
00:17:31,400 --> 00:17:34,280
You also have to train your employees.

334
00:17:34,280 --> 00:17:36,880
Cybersecurity is everyone at the company's responsibility.

335
00:17:36,880 --> 00:17:38,980
I think that's important to note.

336
00:17:38,980 --> 00:17:40,080
It's not just your team.

337
00:17:40,080 --> 00:17:41,880
It's not just the executive that's coming in.

338
00:17:41,880 --> 00:17:44,080
It's every single person.

339
00:17:44,080 --> 00:17:45,640
So let's talk about cost.

340
00:17:45,640 --> 00:17:50,480
Let's go back to that example I gave a minute or two ago about you're the new CEO or you're

341
00:17:50,480 --> 00:17:51,480
the new...

342
00:17:51,480 --> 00:17:56,320
Maybe you don't have to be the CEO, but you're an executive and you've stepped into an organization.

343
00:17:56,320 --> 00:18:01,320
And cybersecurity is a business priority for you, maybe for the board of directors, the

344
00:18:01,320 --> 00:18:02,320
shareholders.

345
00:18:02,320 --> 00:18:04,280
How much should you be thinking about spending?

346
00:18:04,280 --> 00:18:05,960
Do you have a benchmark number?

347
00:18:05,960 --> 00:18:10,040
Because I'm sure if I was this executive, I could look at the P&L and say, hey, last

348
00:18:10,040 --> 00:18:16,040
year we spent $10,000 or a million dollars, whatever the number is, on our cumulative

349
00:18:16,040 --> 00:18:18,400
cybersecurity spend.

350
00:18:18,400 --> 00:18:20,840
Do you think about it as like a percentage of revenue?

351
00:18:20,840 --> 00:18:25,840
And is that a decent proxy for how much technical debt the business might have?

352
00:18:25,840 --> 00:18:29,080
Or how should a mid-market executive think about this?

353
00:18:29,080 --> 00:18:33,680
Yeah, I think that thinking about it as a percent of revenue is a smart way to do it.

354
00:18:33,680 --> 00:18:37,000
And there's a couple factors that go into that.

355
00:18:37,000 --> 00:18:39,540
Depending on the type of business you're in, it could affect it.

356
00:18:39,540 --> 00:18:43,520
So if I'm a software business, my spend on cyber is going to be much higher than an industrial

357
00:18:43,520 --> 00:18:45,360
business that has that type of data.

358
00:18:45,360 --> 00:18:49,200
And so we do stratify that data by industry.

359
00:18:49,200 --> 00:18:51,920
And I think it's important to think of it by industry.

360
00:18:51,920 --> 00:18:57,400
But let's just take an example of a mid-market, easy example of a manufacturing organization.

361
00:18:57,400 --> 00:19:04,800
We typically look for the total IT spend to be between 3% and 8% of total revenue.

362
00:19:04,800 --> 00:19:05,800
Say that again.

363
00:19:05,800 --> 00:19:07,840
3% and 8% of total revenue.

364
00:19:07,840 --> 00:19:16,440
So the benchmark is for a mid-market industrial manufacturer, 3% to 8% of total revenue on

365
00:19:16,440 --> 00:19:17,440
IT.

366
00:19:17,440 --> 00:19:19,680
Now, that doesn't include just cyber.

367
00:19:19,680 --> 00:19:21,600
Yeah, we don't have that subset out.

368
00:19:21,600 --> 00:19:24,840
And I'll be honest, the reason we haven't been able to break that subset out is the

369
00:19:24,840 --> 00:19:30,660
way folks organize their P&L today is we're lucky if the IT expense is mapped to a single

370
00:19:30,660 --> 00:19:32,600
GL line for us to be able to do that analysis.

371
00:19:32,600 --> 00:19:37,800
I think the industry has not really done a great job of capturing that cyber data.

372
00:19:37,800 --> 00:19:42,760
One example is you can purchase cyber tools through Microsoft, but comes in on a single

373
00:19:42,760 --> 00:19:43,760
invoice.

374
00:19:43,760 --> 00:19:47,620
So being able to tease that out and having the discipline to tease that information out,

375
00:19:47,620 --> 00:19:48,620
we don't see a lot of times.

376
00:19:48,620 --> 00:19:49,620
I'm sure there's a benchmark.

377
00:19:49,620 --> 00:19:55,200
What you're saying is it's tougher to break out cybersecurity spend from overall IT spend.

378
00:19:55,200 --> 00:19:59,520
But 3% to 8% in the manufacturing space is a good benchmark.

379
00:19:59,520 --> 00:20:03,160
You have benchmarks for other macro industries too that you can share?

380
00:20:03,160 --> 00:20:04,640
Business services, for example.

381
00:20:04,640 --> 00:20:10,560
We see business services spend up to 15% on IT systems because the amount of data they're

382
00:20:10,560 --> 00:20:12,760
trying to secure or what they're doing.

383
00:20:12,760 --> 00:20:17,520
Now when I talk about these benchmarks of spend, that's to run your operations.

384
00:20:17,520 --> 00:20:21,340
If you're a software company, you're going to spend even more because you're not only

385
00:20:21,340 --> 00:20:25,140
saving and securing the information within your four walls.

386
00:20:25,140 --> 00:20:28,900
You also have a product that you're protecting.

387
00:20:28,900 --> 00:20:32,440
And that product you're protecting, you also have spend on that as well.

388
00:20:32,440 --> 00:20:36,560
So those benchmarks can vary and that one is another conversation for another day.

389
00:20:36,560 --> 00:20:40,680
But about 20% on sometimes we see people spending in this space to be able to get the right

390
00:20:40,680 --> 00:20:41,680
tools.

391
00:20:41,680 --> 00:20:42,680
Let's go back to my example.

392
00:20:42,680 --> 00:20:44,680
You're the new executive.

393
00:20:44,680 --> 00:20:46,060
You've walked in.

394
00:20:46,060 --> 00:20:49,400
You pretty quickly realize maybe there's some technical debt in the business.

395
00:20:49,400 --> 00:20:53,320
You can benchmark the legacy investment in IT.

396
00:20:53,320 --> 00:20:58,640
Not a proxy for cyber, but nonetheless the legacy IT spend by looking at the P&L 3% to

397
00:20:58,640 --> 00:21:02,120
8% if you're an industrial manufacturer as a good benchmark.

398
00:21:02,120 --> 00:21:03,840
Where do you go from there?

399
00:21:03,840 --> 00:21:07,160
Especially if you're a non-technical executive.

400
00:21:07,160 --> 00:21:09,840
If I walk into a business, 3% to 8% is a great benchmark to have.

401
00:21:09,840 --> 00:21:10,840
It's broad.

402
00:21:10,840 --> 00:21:14,640
I'll admit it's a broad range, but at least I know that I need to be somewhere in that

403
00:21:14,640 --> 00:21:15,800
range.

404
00:21:15,800 --> 00:21:20,960
Let's say I walk in and I realize as a non-technical person, I can realize we're spending 2%.

405
00:21:20,960 --> 00:21:22,720
So we're below the range or maybe we're spending 3%.

406
00:21:22,720 --> 00:21:24,320
So we're at the bottom of the range.

407
00:21:24,320 --> 00:21:28,960
But I just know intuitively that based on other businesses that I've been involved in, maybe

408
00:21:28,960 --> 00:21:30,820
we've spent more elsewhere.

409
00:21:30,820 --> 00:21:31,820
Where do I go from there?

410
00:21:31,820 --> 00:21:32,820
Where do I start?

411
00:21:32,820 --> 00:21:35,960
If I look at those numbers you can infer I'm probably underspending in cyber because I'm

412
00:21:35,960 --> 00:21:37,200
underspending at the aggregate.

413
00:21:37,200 --> 00:21:38,780
I think it's a fair point.

414
00:21:38,780 --> 00:21:43,880
The first thing for me is engaging an external party to come in and have a second look at

415
00:21:43,880 --> 00:21:45,420
the system.

416
00:21:45,420 --> 00:21:48,320
There's multiple groups that will come in and there's things that are called penetration

417
00:21:48,320 --> 00:21:53,040
tests where they do some very interesting deep dive work on your system to understand

418
00:21:53,040 --> 00:21:54,320
where you're at.

419
00:21:54,320 --> 00:21:58,520
There's cyber assessments, which is more of a desktop exercise asking questions.

420
00:21:58,520 --> 00:22:02,880
I think a lot of times you have the proposal from your team, you understand where you are,

421
00:22:02,880 --> 00:22:04,400
we discussed that earlier.

422
00:22:04,400 --> 00:22:07,840
Then I go out to that outside group and ask them for that opinion of where I am.

423
00:22:07,840 --> 00:22:10,160
I can then put that together.

424
00:22:10,160 --> 00:22:14,420
Personally and folks ask me all the time for this, to create a roadmap for them to get

425
00:22:14,420 --> 00:22:16,840
to good and help them get to good.

426
00:22:16,840 --> 00:22:20,800
So if you feel that your team doesn't have it in them or doesn't have the ability or

427
00:22:20,800 --> 00:22:24,840
needs to be upskilled to be able to get you there, rely on an external party to help get

428
00:22:24,840 --> 00:22:27,380
you there because they can help educate or bridge that gap.

429
00:22:27,380 --> 00:22:29,480
So the first thing is get an assessment.

430
00:22:29,480 --> 00:22:32,720
Second thing is start making incremental impactful changes.

431
00:22:32,720 --> 00:22:36,760
One of those impactful changes we all hear about turning on multifactor authentication

432
00:22:36,760 --> 00:22:41,560
solves so many things within the organization and it's such a simple fix.

433
00:22:41,560 --> 00:22:43,360
Why folks don't do it,

434
00:22:43,360 --> 00:22:48,040
I don't understand, but I encourage our listeners, if you don't have that on your organization,

435
00:22:48,040 --> 00:22:49,040
turn it on tomorrow.

436
00:22:49,040 --> 00:22:50,680
It's the most important.

437
00:22:50,680 --> 00:22:51,680
Let's go back to my example.

438
00:22:51,680 --> 00:22:55,560
Yeah, I'm the new executive, title doesn't matter.

439
00:22:55,560 --> 00:23:02,600
I'm a new executive in business and my perception is that we're underspent on cybersecurity.

440
00:23:02,600 --> 00:23:06,120
It's a business priority for me personally.

441
00:23:06,120 --> 00:23:12,040
Maybe I'm in the CEO role or another senior level role or maybe my board has been asking

442
00:23:12,040 --> 00:23:16,280
us for more information about this topic and you've given us some good guidance about how

443
00:23:16,280 --> 00:23:19,060
to benchmark our spend, which is great.

444
00:23:19,060 --> 00:23:24,920
But we got to recognize that maybe I've been brought in to preserve and improve the profitability

445
00:23:24,920 --> 00:23:29,840
of the business and if you're going to say, hey, you're only at 2% or 3% of revenue on

446
00:23:29,840 --> 00:23:35,120
IT and maybe I've brought in some experts who come and say, we think you should be closer

447
00:23:35,120 --> 00:23:37,120
to 6%.

448
00:23:37,120 --> 00:23:43,120
How do I live with a 4% headwind on the bottom line?

449
00:23:43,120 --> 00:23:48,760
That's a big, maybe the business makes 12, 15% EBITDA.

450
00:23:48,760 --> 00:23:52,760
I'm going to go from a double digit EBITDA business to a single digit EBITDA business.

451
00:23:52,760 --> 00:23:54,160
How should I think about that?

452
00:23:54,160 --> 00:24:00,680
Yeah, and in the context of cybersecurity, right, I think it's protecting what you currently

453
00:24:00,680 --> 00:24:04,560
have today less than increased productivity.

454
00:24:04,560 --> 00:24:08,520
If we were having this conversation with the guys of an ERP and that incremental spend,

455
00:24:08,520 --> 00:24:12,880
I could say I'm digitizing some processes, I'm doing some automation.

456
00:24:12,880 --> 00:24:17,400
All those things are very easy to build a map those dollars back and build a show what

457
00:24:17,400 --> 00:24:18,400
it looks like.

458
00:24:18,400 --> 00:24:22,820
But if you think about cybersecurity as an insurance policy and less as a revenue stream

459
00:24:22,820 --> 00:24:26,080
or an improvement of revenue, it's like me asking you what's the value of your homeowner's

460
00:24:26,080 --> 00:24:28,640
insurance if you don't have a problem tomorrow, do you really need it?

461
00:24:28,640 --> 00:24:33,080
Well, you know that having that problem tomorrow would be such a detrimental effect on your

462
00:24:33,080 --> 00:24:40,880
business that the ability to recoup even a 6% net EBITDA loss, how about 100% EBITDA loss?

463
00:24:40,880 --> 00:24:44,520
So what we tell folks is it's carrying an insurance policy is preparing for a rainy

464
00:24:44,520 --> 00:24:48,600
day and I may also say it's important to be thoughtful and cybersecurity.

465
00:24:48,600 --> 00:24:52,480
There's a lot of folks out there that will sell you the world and try to sell you everything.

466
00:24:52,480 --> 00:24:56,080
Make sure you talk to a professional before you sign up for anything.

467
00:24:56,080 --> 00:24:57,640
Make sure you have the right level.

468
00:24:57,640 --> 00:25:01,800
Make sure your cybersecurity insurance isn't some crazy policy that you don't need.

469
00:25:01,800 --> 00:25:06,040
Have those conversations with experts, protect your business in a thoughtful way, but get

470
00:25:06,040 --> 00:25:07,040
that insurance in place.

471
00:25:07,040 --> 00:25:10,000
That's a great way to think about it like a homeowners insurance policy.

472
00:25:10,000 --> 00:25:12,800
So let's talk about different sizes of business.

473
00:25:12,800 --> 00:25:17,980
How do cybersecurity strategies differ from a medium sized kind of mid-market business

474
00:25:17,980 --> 00:25:20,000
to a large size business?

475
00:25:20,000 --> 00:25:23,960
You know, it's interesting, we're having this conversation in 2024.

476
00:25:23,960 --> 00:25:27,400
Had we had this conversation 10 years ago, it would be a very different answer.

477
00:25:27,400 --> 00:25:32,320
I'm going to tell you the answer is the threat vectors and the bad actors are the same.

478
00:25:32,320 --> 00:25:36,080
What's interesting is it's changed now that the attacks are the same.

479
00:25:36,080 --> 00:25:37,640
The way you're attacked is the same.

480
00:25:37,640 --> 00:25:39,800
The people going after you are the same.

481
00:25:39,800 --> 00:25:41,660
It's the amount of effect.

482
00:25:41,660 --> 00:25:45,400
So the biggest thing I think is the difference, and you mentioned this earlier, I think it's

483
00:25:45,400 --> 00:25:46,640
an excellent point.

484
00:25:46,640 --> 00:25:50,120
Large organizations are more prepared because they have more folks and they're focused on

485
00:25:50,120 --> 00:25:51,240
it.

486
00:25:51,240 --> 00:25:54,840
Large organizations have the ability to send eight people to a cyber conference and learn

487
00:25:54,840 --> 00:25:56,560
about it and then go back and do it.

488
00:25:56,560 --> 00:25:59,640
But the challenge for a large organization, it's a larger footprint.

489
00:25:59,640 --> 00:26:04,440
So yes, you're more educated, we have more threat vectors, midsize organizations, smaller

490
00:26:04,440 --> 00:26:08,920
footprint, smaller amount of threat vectors, less spend, but less to protect.

491
00:26:08,920 --> 00:26:13,760
So you have a fighting chance to be successful based on your footprint.

492
00:26:13,760 --> 00:26:19,480
And the last one is, and we're going to keep talking about it, it's the budget allocation.

493
00:26:19,480 --> 00:26:24,120
Large organizations budget millions and millions, and I'm sure there's a statistic that talks

494
00:26:24,120 --> 00:26:26,720
about how many billions of dollars go to it.

495
00:26:26,720 --> 00:26:30,840
Midsize organizations tend to allocate less budget in this space.

496
00:26:30,840 --> 00:26:34,920
And that's a large differentiation between the two is what you spend on is what you focus

497
00:26:34,920 --> 00:26:35,920
on.

498
00:26:35,920 --> 00:26:40,320
If we're thinking about, if I'm a company thinking about starting to spend on cybersecurity,

499
00:26:40,320 --> 00:26:45,880
maybe for the first time, perhaps spend more on cybersecurity, if you've already been investing

500
00:26:45,880 --> 00:26:47,320
in it.

501
00:26:47,320 --> 00:26:50,040
What are the first steps you should take to protect yourself?

502
00:26:50,040 --> 00:26:52,440
Yeah, the big one, multi-factor authentication.

503
00:26:52,440 --> 00:26:55,120
Again, turn that on tomorrow.

504
00:26:55,120 --> 00:26:58,520
Should we do a, we should probably do a whole episode one day on multi-factor?

505
00:26:58,520 --> 00:27:02,240
We should have a whole conversation about that and tell folks the different options.

506
00:27:02,240 --> 00:27:04,920
I would love to have that conversation because there's some really interesting things out

507
00:27:04,920 --> 00:27:05,920
there.

508
00:27:05,920 --> 00:27:06,920
Single sign-on.

509
00:27:06,920 --> 00:27:10,180
For example, the organization you and I work with, I have one username, one password that

510
00:27:10,180 --> 00:27:11,600
gets me in everywhere.

511
00:27:11,600 --> 00:27:15,520
So I reduce those threats, those vectors, remembering where things are, reducing that

512
00:27:15,520 --> 00:27:16,520
risk.

513
00:27:16,520 --> 00:27:18,640
And I think that's a great conversation because we just found that journey over the last couple

514
00:27:18,640 --> 00:27:20,280
of years, making sure we locked down every application.

515
00:27:20,280 --> 00:27:25,360
Yeah, I remember that I got some nasty grams from you about my non-compliance.

516
00:27:25,360 --> 00:27:26,360
Correct.

517
00:27:26,360 --> 00:27:27,360
You're welcome.

518
00:27:27,360 --> 00:27:28,720
And yes, now I do it every time.

519
00:27:28,720 --> 00:27:29,720
Yes.

520
00:27:29,720 --> 00:27:30,720
Begrudgingly.

521
00:27:30,720 --> 00:27:31,720
Feels great.

522
00:27:31,720 --> 00:27:32,720
You know, and that's one of the first steps we took.

523
00:27:32,720 --> 00:27:33,720
I'm told it makes us safer.

524
00:27:33,720 --> 00:27:34,720
Yeah.

525
00:27:34,720 --> 00:27:35,720
From threat vectors.

526
00:27:35,720 --> 00:27:36,720
It's one of the first steps we took.

527
00:27:36,720 --> 00:27:37,720
It's one of the last steps you took.

528
00:27:37,720 --> 00:27:38,720
So it worked out really well.

529
00:27:38,720 --> 00:27:39,720
There you go.

530
00:27:39,720 --> 00:27:42,440
That's why they call me the closer.

531
00:27:42,440 --> 00:27:44,920
That's one of the first steps is get that multifactor on.

532
00:27:44,920 --> 00:27:46,620
Number two, and this is an interesting one.

533
00:27:46,620 --> 00:27:50,280
You may say, James, this isn't really cybersecurity, but I'll tell you what's out there.

534
00:27:50,280 --> 00:27:51,460
It's important.

535
00:27:51,460 --> 00:27:53,840
Understanding the applications your users use.

536
00:27:53,840 --> 00:27:56,040
I'm going to say that again.

537
00:27:56,040 --> 00:27:58,320
Understanding the applications your users use.

538
00:27:58,320 --> 00:28:00,380
Where are those shadow IT applications?

539
00:28:00,380 --> 00:28:04,360
Honest conversations around knowing what applications your users use.

540
00:28:04,360 --> 00:28:07,240
Do you know how I find what applications my users use?

541
00:28:07,240 --> 00:28:10,200
Investments reports and looking at expenses.

542
00:28:10,200 --> 00:28:13,200
I can find out what people have because I go to their accounting team.

543
00:28:13,200 --> 00:28:16,400
I say, what have we spent money on software wise this year?

544
00:28:16,400 --> 00:28:19,920
And then I reach out to those angels because I know who submitted the expense and I ask

545
00:28:19,920 --> 00:28:21,540
them what are you using it for?

546
00:28:21,540 --> 00:28:22,540
Why are you using it?

547
00:28:22,540 --> 00:28:23,680
And we begin to vet it.

548
00:28:23,680 --> 00:28:28,080
It's the easiest way for a midsize business to control this is looking at spend.

549
00:28:28,080 --> 00:28:29,080
Yeah.

550
00:28:29,080 --> 00:28:32,320
I've got a smirk on my face that the listeners can't see, obviously.

551
00:28:32,320 --> 00:28:38,200
And that may or may not have something to do with the fact that I have personally been

552
00:28:38,200 --> 00:28:42,680
emailed by you about the software that I've signed up for and expensed.

553
00:28:42,680 --> 00:28:49,080
You used a really good word, good phrase that I've come to like called shadow IT.

554
00:28:49,080 --> 00:28:52,200
And I don't think we've covered that yet.

555
00:28:52,200 --> 00:28:54,860
So maybe just unpack that for us very quickly.

556
00:28:54,860 --> 00:28:56,520
What is shadow IT?

557
00:28:56,520 --> 00:28:59,580
Shadow IT is we all know those main systems that we use, right?

558
00:28:59,580 --> 00:29:05,040
So we're an ERP and our ERP is this and we all know that shadow IT is and it's quite

559
00:29:05,040 --> 00:29:08,680
different now because you can go click to own a piece of software or at least rent a

560
00:29:08,680 --> 00:29:10,320
piece of software, right?

561
00:29:10,320 --> 00:29:14,160
It's when I as a user say I'm going to go get this piece of software because it serves

562
00:29:14,160 --> 00:29:15,160
my needs.

563
00:29:15,160 --> 00:29:17,160
And it's not part of the organization.

564
00:29:17,160 --> 00:29:19,560
But I'm just going to go get it to get my done.

565
00:29:19,560 --> 00:29:25,400
So what happens a lot of times, we see it, so like Grammarly, Grammarly, Adobe Premiere.

566
00:29:25,400 --> 00:29:27,920
Yeah, countless others.

567
00:29:27,920 --> 00:29:31,440
Grammarly is one of the ones that gets me man because knowing where that data is stored

568
00:29:31,440 --> 00:29:34,560
and you know if you ever want to have a fun time for our listeners and you're stuck on

569
00:29:34,560 --> 00:29:39,080
a flight and you just want to entertain yourself, go read some T's and C's of some of the software

570
00:29:39,080 --> 00:29:43,020
your teams use and understand where your data is going.

571
00:29:43,020 --> 00:29:47,240
Not to be an alarmist or anything like that, but just read where your data is going and

572
00:29:47,240 --> 00:29:48,400
understand it.

573
00:29:48,400 --> 00:29:52,740
So those are great examples of tools that folks can go and buy on their own.

574
00:29:52,740 --> 00:29:57,580
And we see with AI tools every week I approve all the IT expenses for our organization.

575
00:29:57,580 --> 00:30:02,840
And I've counted so far this year six different AI tools people have submitted expenses on

576
00:30:02,840 --> 00:30:06,120
that we've had to have a conversation because people are looking for tools to do better

577
00:30:06,120 --> 00:30:07,120
at their job.

578
00:30:07,120 --> 00:30:08,120
I want to be clear here.

579
00:30:08,120 --> 00:30:12,520
I don't think folks are maliciously signing up for software to have an issue.

580
00:30:12,520 --> 00:30:14,120
They're trying to be better at their organization.

581
00:30:14,120 --> 00:30:16,520
They're taking ownership of selecting that software.

582
00:30:16,520 --> 00:30:18,240
It's just making sure they do it within the right confines.

583
00:30:18,240 --> 00:30:20,560
I want to be mindful of time here.

584
00:30:20,560 --> 00:30:24,260
We've we've been talking for a little bit on this on this topic.

585
00:30:24,260 --> 00:30:28,800
So let's go back to the reason why we sat down to talk today.

586
00:30:28,800 --> 00:30:32,240
Why cybersecurity should be your business's top priority.

587
00:30:32,240 --> 00:30:35,320
And let me tell you a couple of things that I've heard and you want to add a couple closing

588
00:30:35,320 --> 00:30:36,320
comments.

589
00:30:36,320 --> 00:30:42,920
First and foremost, ten point five trillion dollar impact annually across the world.

590
00:30:42,920 --> 00:30:50,240
Sixty percent of breaches, small and medium sized companies, more likely than not, you

591
00:30:50,240 --> 00:30:55,480
are being targeted and whether you're the business owner, maybe the entrepreneur or

592
00:30:55,480 --> 00:31:00,360
the operating executive or a private equity investor, you're worried about this.

593
00:31:00,360 --> 00:31:03,220
And if you haven't been worried about this, I think the key message that you're trying

594
00:31:03,220 --> 00:31:07,240
to impart to the audience is you should be worried about this.

595
00:31:07,240 --> 00:31:10,800
What do we mean when we think about when we talk about cybersecurity?

596
00:31:10,800 --> 00:31:13,680
We're thinking about every digital asset that your business has.

597
00:31:13,680 --> 00:31:15,560
What's the potential impact on your business?

598
00:31:15,560 --> 00:31:19,080
Every part of your business, every corner of your business could be impacted by this

599
00:31:19,080 --> 00:31:24,920
from production to scheduling to your supply chain to payroll to invoicing and how you

600
00:31:24,920 --> 00:31:26,760
get paid and how you pay vendors.

601
00:31:26,760 --> 00:31:29,600
You know, it has enterprise wide impact.

602
00:31:29,600 --> 00:31:33,240
It's probably going to sneak up on you when you least expect it and when you least want

603
00:31:33,240 --> 00:31:34,920
it to happen to you.

604
00:31:34,920 --> 00:31:36,760
But there are things that you can do about it, right?

605
00:31:36,760 --> 00:31:43,960
No company is perfect, but you can put some industry protocols in place, and how you get

606
00:31:43,960 --> 00:31:44,960
there,

607
00:31:44,960 --> 00:31:47,360
if you don't have a large team, is most likely going to involve bringing in some outside

608
00:31:47,360 --> 00:31:55,000
experts, whether those be, you know, cyber penetration testing companies or an IT consulting

609
00:31:55,000 --> 00:31:56,000
firm.

610
00:31:56,000 --> 00:31:59,760
You need to be thinking about this pretty seriously in 2024 because the threats are

611
00:31:59,760 --> 00:32:00,760
real.

612
00:32:00,760 --> 00:32:04,280
It's likely that if you're a smaller medium sized business that you're you're just probably

613
00:32:04,280 --> 00:32:07,520
more exposed than if you're a big company.

614
00:32:07,520 --> 00:32:10,960
And don't let the fact that you don't have a lot of resources get in your way.

615
00:32:10,960 --> 00:32:13,040
Find out how much you're spending.

616
00:32:13,040 --> 00:32:14,720
Use that as a starting point.

617
00:32:14,720 --> 00:32:19,080
Hire some experts to come in who can help you think strategically and tactically about

618
00:32:19,080 --> 00:32:22,520
what to do about this so you can sleep well.

619
00:32:22,520 --> 00:32:23,520
Yeah, definitely.

620
00:32:23,520 --> 00:32:24,880
Great summary, by the way.

621
00:32:24,880 --> 00:32:25,880
I try that.

622
00:32:25,880 --> 00:32:28,360
That's that's why they that's why they asked me to be on this podcast.

623
00:32:28,360 --> 00:32:29,360
Sure.

624
00:32:29,360 --> 00:32:31,360
Like I said, the closer.

625
00:32:31,360 --> 00:32:35,840
Well speaking of closing for today on our two bits trivia, I have two pieces of trivia

626
00:32:35,840 --> 00:32:36,840
if you're ready.

627
00:32:36,840 --> 00:32:37,840
We're doing two bits.

628
00:32:37,840 --> 00:32:38,840
We call it two bits of trivia.

629
00:32:38,840 --> 00:32:39,840
Two bits.

630
00:32:39,840 --> 00:32:40,840
Two questions.

631
00:32:40,840 --> 00:32:41,840
Is there pun intended there?

632
00:32:41,840 --> 00:32:42,840
No, I'm not trying to be punny here, Mike.

633
00:32:42,840 --> 00:32:43,840
Okay.

634
00:32:43,840 --> 00:32:44,840
All right.

635
00:32:44,840 --> 00:32:47,120
So two bits of trivia to round out the show today.

636
00:32:47,120 --> 00:32:48,360
Let's let's give you this one.

637
00:32:48,360 --> 00:32:50,240
So first one, a little bit of a T-ball.

638
00:32:50,240 --> 00:32:53,160
By the way, I'm not good at trivia, so I'm going to probably get both these wrong.

639
00:32:53,160 --> 00:32:54,800
Mike, I'm serving you a T-ball.

640
00:32:54,800 --> 00:32:59,860
I hope you I hope you've been paying attention to your cyber training of all the threats

641
00:32:59,860 --> 00:33:03,280
and threat vectors a business has.

642
00:33:03,280 --> 00:33:06,640
What's the number one threat vector of a business?

643
00:33:06,640 --> 00:33:07,640
People.

644
00:33:07,640 --> 00:33:09,140
Oh, very close.

645
00:33:09,140 --> 00:33:11,560
And people use what to be able to talk to each other?

646
00:33:11,560 --> 00:33:12,560
Email email.

647
00:33:12,560 --> 00:33:13,560
Number one threat vector's email.

648
00:33:13,560 --> 00:33:14,560
Got to have people to have email.

649
00:33:14,560 --> 00:33:15,560
You got to have people have emails.

650
00:33:15,560 --> 00:33:16,560
Don't send themselves.

651
00:33:16,560 --> 00:33:17,560
See, the thing is, you're so macro.

652
00:33:17,560 --> 00:33:18,560
I took your micro.

653
00:33:18,560 --> 00:33:19,560
I'm more strategic.

654
00:33:19,560 --> 00:33:20,560
Yeah.

655
00:33:20,560 --> 00:33:21,560
Yeah, that's right.

656
00:33:21,560 --> 00:33:22,560
Bit number two.

657
00:33:22,560 --> 00:33:23,560
Likelihood of this one.

658
00:33:23,560 --> 00:33:24,560
Quite low.

659
00:33:24,560 --> 00:33:29,200
In what year did the first ransom event occur?

660
00:33:29,200 --> 00:33:31,880
Or it's the same which year, excuse me.

661
00:33:31,880 --> 00:33:36,400
What year did the first ransomware event occur?

662
00:33:36,400 --> 00:33:37,400
1997.

663
00:33:37,400 --> 00:33:40,400
Oh, pretty close.

664
00:33:40,400 --> 00:33:46,000
1989. Fun fact, was distributed on a floppy disk to folks.

665
00:33:46,000 --> 00:33:49,840
So if anybody saw the recent sensational article of San Francisco, the trolleys still run on

666
00:33:49,840 --> 00:33:50,840
floppy disks.

667
00:33:50,840 --> 00:33:55,040
So if you have a time capsule, head on back to 1989 and lock those guys out on those on

668
00:33:55,040 --> 00:33:56,040
floppy disk.

669
00:33:56,040 --> 00:33:57,040
Correct.

670
00:33:57,040 --> 00:34:00,560
That was the that was the big cyber article this week about they still run on floppy disk.

671
00:34:00,560 --> 00:34:02,880
So I hope you enjoyed two bits trivia there.

672
00:34:02,880 --> 00:34:03,880
I did.

673
00:34:03,880 --> 00:34:04,880
That was good.

674
00:34:04,880 --> 00:34:05,880
We're keeping a score.

675
00:34:05,880 --> 00:34:06,880
I'm zero for zero.

676
00:34:06,880 --> 00:34:07,880
You're zero for zero for zero.

677
00:34:07,880 --> 00:34:08,880
Correct.

678
00:34:08,880 --> 00:34:09,880
There's two questions in there.

679
00:34:09,880 --> 00:34:16,280
Thanks for tuning into this episode of Growing EBITDA.

680
00:34:16,280 --> 00:34:21,360
If you like this episode, hit subscribe or follow us on LinkedIn for updates.

681
00:34:21,360 --> 00:34:23,560
Got a topic you'd like us to cover?

682
00:34:23,560 --> 00:34:24,560
Drop us a message.

683
00:34:24,560 --> 00:34:41,000
We'd love to hear from you.

