032222_Biden-Warns-of-Looming-Cyberwar

Mar 24, 2022, 41 min

Episode description

In today's episode, we discuss Biden's dire warnings to Americans to watch out for cyber warfare tactics, as Putin - with his back pressed harder and harder against the wall - grows increasingly more desperate. We give you real-life examples of what to look out for and how to protect you and your business from this growing threat.

Host: Craig
Guests: Erin, Blake & BJ

Support the show: call 877-468-2721 or visit https://petronellatech.com

Please visit YouTube and LinkedIn and be sure to like and subscribe!

NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.

Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:

Transcript

Erin

Welcome to today's PTG podcast, where we are discussing Biden's dire warning that Russian cyber attacks are coming. Biden said last night that with Putin's back against the wall, there's a greater chance that he may employ additional tactics and increase the severity of the tactics, and one of the tools that he's most likely to use, in our view, is cyber warfare. So maybe we can talk on that a little bit.

Craig

Sure. Yeah, we've been talking about that for three weeks now.

Erin

Yeah.

Craig

So it was just a speculation around: increase your defenses, make sure you have the capability to detect and defend your business against the cyber attack, also at the consumer level too. Make sure that you're being cautious on emails. Don't open any suspicious emails or click on links or attachments. And if you get random people calling, don't be quick to answer the phone. I try to avoid the robocalls.

We had previous episodes where we put out some tips on how to best secure your mobile device, so definitely check back on our YouTube channel and other sources there to brush up if you need to. But yeah, the writing's on the wall, right? It's not going to go away anytime soon. Sadly, I think this is the new norm. And I've said this before: firewalls and antivirus are no longer enough. So you have to have technology like XDR and some of these other layers, obviously training.

And doing the risk assessments and pen tests and all that fun stuff. Quite frankly, a lot of companies, they don't have the budget to do it, so they pretty much do nothing. I think now's the time to really change that, and go through a proof of concept and really explore. Look through a lens that you've never looked through before to see all the things that are really happening on your networks without your knowledge, that you thought were getting trapped but were not.

Erin

Yeah. I think too, another thing that's really important that a lot of people miss: back in 2014, I got hacked on my social media, Facebook. They took over my chat and sent out some pretty inappropriate messages to my cousins and stuff. That was fun. I'm not really sure how they were able to get it. I probably reused a password or something. That's another thing too, is that they'll also contact you on social media. They'll clone different profiles and pretend to be somebody,

and send out messages.

Craig

Yep.

Erin

Yeah. So just be careful on social media. Be careful with emails, be careful with your phone calls. Didn't we read too, recently, that SMS smishing is also

Craig

on the rise. Yep, absolutely. Smishing, if you don't know what that term means, is phishing like to your email, but it's to your phone, through a message. The problem with smishing is that you can't hover over the link to see where it goes. So definitely do not click on any links in texts, for sure, to keep yourself safe. Like I said, we posted a bunch of other tips there to secure your mobile devices and take those security control precautions seriously, definitely,

now with the threat landscape elevated.

Erin

Yeah, definitely.

Craig

Hey, Blake.

Erin

Hey, it's good to see some different faces.

Craig

That's right.

BJ

It's interesting to look at the quadrant of our pictures. Craig's got his glowing face, PTG always got his really good visuals there. And then Erin and Blake have the blurred background, and then mine is just the background. I don't know, that picture just popped up on my thing. It's interesting, cause I just think it's a neat combination there.

Erin

It's funny because with my big fluffy hair, the background doesn't always do the best. So that's why I think blur is probably better.

BJ

Craig, you posted something regarding passwords.

Craig

Oh, this one's funny. I don't know if I posted this, but I read it. So somebody used the super secure password of "password". Genius idea. And then they got extorted for $15 million in ransomware fees. Because guess what, it wasn't just on their email account. It was on a server at a company.

BJ

Oh,

Erin

Serious? Oh, that's bad.

Craig

Yeah. Obviously, if you're listening, don't use the password. Take our tip seriously and secure your passwords with multi-factor and obviously a complex, long string. Use a password manager.

Blake

It's so easy. For example, somebody at their home network. Most of the time, whenever you put a router or wifi network in, usually the access is 192.168, nine out of 10 times. And then it'll pop up for a login, and then the username is admin and the password is password.

Craig

Or it's just admin.

Blake

Or it's blank for some reason. Anybody on your home network, if it's a friend or family, I can easily get in there. And yeah, I recommend changing that. It's silly things like that, that people just don't know.

Craig

Yeah. These default configurations are just weak and insecure, and in the manuals they always say, make sure you change this, but nobody reads the manual.

BJ

When you actually type your password in, there's something there that's intelligently receiving that input and deciding if it matches the correct password. Am I explaining that right? Something there is comparing what you input to what is the known password. Has anyone ever successfully breached that, whatever you want to call it?

Craig

I think you're referring to the hashing database.

BJ

Okay. Yeah, that's probably what I'm referring to.

Craig

Yeah. We've definitely breached it several times, and when we do pen tests, for sure.

BJ

That's not something you really hear very much about, because you hear about people trying to get passwords using algorithms to crack. And then you hear about advanced algorithms that listen for keystrokes on a keyboard to determine what's being typed. We've witnessed that in pen tests, that can be breached. So if we've breached it in pen tests, what's the missing link there?

Craig

The very first pen test I ever did, ages ago, was breaching the password database on a Unix system. And what happened was, they did not restrict who can look at that database. So I was able to download it in the pen test exercise, and then run some software that would crack the encryption. At that time it was a 386 x86 microprocessor, and it took about a week to crack the passwords, but when it was done, I had about 1500 accounts and passwords.

BJ

Oh, my gosh. Wow.

Craig

So nowadays, fast forward to: most companies use Microsoft Windows Server as their operating system. There's what's called SMB. And obviously, with the later versions of Windows Server, it's more secure and encrypted by default. But in older versions it was not, and you could still run software against it. And even, you know, the default settings may not be enough. But the point is that you could still capture that password database and then run

tools against it to crack everyone's password. What you were talking about a minute ago was called brute force. So a lot of hackers will try combinations and use software and scripts to try combinations. What they'll do is they'll look at past breaches and they'll load up a database of all these different username and password combinations. And they'll start with that database, and then they'll use what's called a dictionary file, and then they'll set up a brute force attack.

So there's different ways to obviously mitigate those risks, but yeah, those are the two most common practices.

BJ

You were talking at the beginning about looking at things through a different lens, and it really makes you do that when you start hearing these details. Because everyone hears "password security", but when you hear it broken down like that, in all the different ways that passwords can be breached, it takes on a whole new meaning. It's, oh wow, this actually really is something to really take seriously. That's a lot of entry points.

Craig

Look at what happened with Equifax, right? With the hack of Equifax, had Equifax been encrypting, then the database that was captured and stolen would have been scrambled. They didn't use that layer for whatever reason.

BJ

They weren't encrypting the passwords that were stored?

Craig

They weren't encrypting the data that was able to be exfiltrated out. I don't know if they were encrypting the passwords by default, but I know that payload was not encrypted. Had they been using more encryption layers, then the payload would have been scrambled, and the hackers wouldn't have been able to breach.

BJ

Oh, wow. When I was asking about the, whatever it is that measures or compares the data input for the password to what's stored, what'd you call it, a hash, what?

Craig

Hashing.

BJ

So is that kind of the same concept as the hash algorithm, for example, that cryptocurrency operates on the foundation of?

Craig

Similar concept. Obviously crypto is on a blockchain, so it's different, but yeah. So when you type in your password, it's then translated by the operating system to a hash string, which is similar to a GUID, usually a very long, multi-character thing, and then typically it's encrypted. So then the tools would then decrypt that database and then be able to reverse the hash back to what is the English password.

BJ

So the hash is one thing, and then it's... which is another thing on top of the

Craig

called salting, and salting is another type of security technology that is in addition to the hashing layer, that makes things a little bit more secure. It's just another layer of security.

BJ

Wow.

Erin

I hear "the hashing" and I think of a new movie by M. Night Shyamalan.

BJ

It's just interesting because there's an air of mystery around it. What is it? What is it doing, actually? What functions is it performing, and how? I wonder, does this, is it getting smarter each time? Is there a degree of machine learning that takes place with creating each hash? Looking at it from that lens, that's probably a lens

we don't usually look at it through, but when you look at it that way, it's, if you were the algorithm doing the hashing, are you getting sharper and smarter at hashing?

Craig

No. It's fixed programming in the operating system. So it's not going to get smarter. It's just going to do it one way, and it's not going to get any smarter. That's a whole different...

BJ

That's interesting.

Craig

Yeah. So there is what's called SMB signing. And then there's different versions of SMB signing that would help better protect that hash database. But anyway, as new versions of Microsoft, for example, as new versions of Microsoft Server came out, security was elevated in each version of their server, at least. So obviously the latest version of Server is more secure by default than a 2003 server.

BJ

Have you noticed lately, I've been really noticing a lot of the big tech companies, the others as well, but I've really been noticing with big tech companies, they're really talking about security a lot lately. Even on my AT&T home network, the fiber optic network, they now have something called AT&T Active Security or something like that. You're hearing a lot more about this. Microsoft's talking about it. Hearing a lot more about security layers within big tech.

Craig

Yeah. It's probably because of the elevated threat landscape that we're living in right now, right? So the providers are trying to do what they can to protect their consumers. Just yesterday, I think you saw the post that I posted about ASUS routers being vulnerable. Big flaw there. So obviously you need to patch the firmware of your router, and it goes back to what's called your asset inventory. As a consumer, and especially as a business, you should know what's on your network at all times.

You should have mechanisms in place to make sure that devices can't be added to your network without your knowledge. You should be maintaining all those devices on the network, and obviously router, firewall, access points, wireless wifi, IoT devices, all that stuff. The more stuff you buy, BJ, the more stuff you add to that network, the more work you gotta do. And then before you know it, you're going to have all this stuff, and you're not gonna have any time to do anything else.

So you're going to need to outsource it.

BJ

I have PTG managed services.

Blake

I feel like we need to write a system security plan for BJ.

Erin

Yeah. Policies and procedures going.

Blake

Back to Equifax. They got social security numbers from this, the people. So if there's anybody out there listening and you store social security numbers of your customers, that is a highest-sensitivity data point. And for example, if you're an accountant, or if you have a medical practice, doctor, chiropractor, dentist or whatever, make sure that you are encrypting your data.

Craig

That's a really good point, Blake. You also can't assume that your medical software provider or your IT guy is doing that job, because those are different

Erin

jobs,

Craig

and the responsibility

Erin

is

Craig

yours as the business owner. Make sure that you have the supporting evidence and the proof that stuff is secure, because there's data breach laws in almost all of the states, there's FTC regulations. So depending on the type of business you have, you might say, oh, I'm a business owner, or maybe I'm a plumber, I don't collect data on people. You actually are collecting if you're selling to a consumer. Collecting, oftentimes, name, address, phone number,

address. Now you probably want to take money from that customer for the services that you provide. So you're probably taking their credit card. Now you're subject to PCI compliance mandates. You might be thinking, why? I use Square, or I use QuickBooks or something like that. Again, it's still the business owner's responsibility to ensure that proper safeguards are in place.

And oftentimes, if you're a low-volume business where you don't do thousands of transactions a day, you could do what's called a self-assessment and self-attestation. When you go through that, it's typically 59 questions for a small business. When you go through it, they tell you, look, you can't be storing credit card numbers in an insecure system. You can't be writing them down on a piece of paper. You have responsibilities to keep this information secure. And if you don't,

you're in hot water for fines, and the fines are steep.

BJ

In their defense, it's understandable, because they're not IT or cyber businesses, they do other things. It's like a wave, right? We caught the wave in the beginning. We all got online with AOL and whatever dial-up service. And we all started chatting online when it was brand new. And then sometime between then and now things gained momentum and there was regulation put in place. And probably there's a lot of businesses that aren't even aware of their responsibilities in regards to

IT infrastructure and cybersecurity and data breach reporting. I would say there's probably a large number of businesses that just completely are in the dark about their responsibilities there. But it happened, even if we weren't paying attention to the regulation. As things progressed, it's there now, and there's breach reporting laws and things like that. And it's an education matter now, right? People starting to understand what the responsibilities are. We talked before about the gap.

We have experts like you, Craig, on one end of the spectrum, that can just spell off all this technical stuff, the thing, your brain. And then we have the other end of the spectrum, the people who maybe don't even really understand how computing works and how a network works and all that. And that gap there has created a lot of uncertainty, maybe. And so now, as people start to understand the severity of risk in regards to cyberspace, now it's an education matter.

Now we have to all come together and learn: what is this that we're using, that we've become so reliant on, and then how do we use that responsibly? And then how do we protect ourselves and our clients?

Craig

Yep.

Blake

A lot of people, for example, like Craig said, they sign up for these third-party services: Square, whatever payment processor, or whatever website. Especially medical practices. They use a lot of customer, patient software. And a lot of times when these people sign up for them, they're like, oh, I don't have any data here. I'm using this patient portal or this or that, it's in the cloud. They promised they're secure. A lot of times, if you go back and read the terms of service, they are

absolving themselves of legal liability. So if your patients are stored within their database and somehow they get hacked, you get hacked, or vice versa. Your client list leaks out, social security numbers. You are responsible for that loss of data. Depending on your service industry, there's also a window of opportunity from the time that the breach occurred to the time that you have to notify your customers. And if you don't follow those two things, you could be in hot water.

So if you're serving customers at all, the biggest thing you can do is go back and look at your service agreements. Look at your contracts. Look at the terms of service for the applications or third-party software that you signed up for, and see where the liability falls. That's the biggest thing that you can do for yourself right now.

Craig

What comes to mind too, Blake, is a lot of people will tell me, oh, we use Google. We're a chiropractor, or we're a small medical office, we use Google. If you look at Google's terms and conditions, like you said, a lot of these companies, Google, Microsoft, Amazon, they all hold themselves harmless of any kind of security. So the security is on the consumer. They provide you with the platform, but it's your responsibility as the user or business owner to secure that platform properly.

And if you're not knowledgeable about the cybersecurity, you need to hire a company that is, because one wrong move, one wrong change of a setting, can cause a breach for you. And it's very rare nowadays, especially if you take a credit card, or

Erin

you're

Craig

meeting with a consumer. It's very rare nowadays that you're not subject to... it's almost assumed nowadays that you are regulated, because there's all these regulations for any kind of business. Like I said, FTC regulations, there's ADA compliance now for people with disabilities: you've got to make sure that your website is properly able to be read by what's called a screen reader, and we have a free assessment around that now where you can just reach out to us.

And it takes us just a few seconds just to show you, at no cost. Look, you have a website, if you're in business. You likely are not an ADA expert, but we can show you in seconds that, look, here's some problems with your website and how you can get a steep fine, a nasty fine, as a business owner. If you're in business nowadays, there's probably a very strong probability that you are regulated in some way, shape or form.

BJ

That is a perfect example, Craig, of the culmination of all of this, because there's all these different industries and they have different regulations: PCI, gap, whatever, for credit card processing industries; you have CMMC, Cybersecurity Maturity Model, for the Department of Defense. You have all kinds of different areas, HIPAA for medical. But then you have this ADA, and that is a unifying regulation.

Because if you have an online presence in a business capacity, no matter how small it is, technically you are required to be ADA compliant, and that applies to everyone. That could be, if you're selling t-shirts online out of your pickup truck, it doesn't matter; if you have an online presence, you are subject to ADA. And there is literally a pathway there for, someone sees your website, feels that it's not ADA compliant,

there's contact information online for this, you contact them and report the business as not being compliant. And then the business is sued by the federal government. And then the person who blew the whistle on that business gets a portion of the reward from the fine. And so this is very real, and there have already been lots of lawsuits and lots of payouts. And so everyone has to be compliant for ADA. Everyone who's online has responsibilities.

Blake

Not only ADA, but your big ones are CCPA, if you have customers in California; you got to pay attention to that. If you have customers in the European Union, they got GDPR. Those are two that everybody has to comply with.

BJ

The beauty of it is, as much as this may sound like bad news on the front end, right? If I have an online business and I'm not compliant with any of this right now, and I'm not even aware of any of it, I'm going to hear all this and I'm going to be like, oh my gosh, do I just want to have to stop doing business? This sounds bad. But the good news is that there's a lot of overlap with all of this.

All these different types of regulation and compliance, they're called different things and they're written up different ways, but it all boils down to the same general good practices for cyber hygiene. And so once you get your stuff, it's kind of like flossing your teeth; you do that from a business perspective, we practice good cyber hygiene. Once you get it down, once you're there, you're really going to be okay with all these different regulations, because they all are redundant.

Craig

I think what you mean, BJ, is there's parallels. So for example, if you're a medical clinic, you're most likely subject to what's called NIST 800-66; that is the framework or maturity model to follow. But if you're a DOD contractor or a defense industrial base contractor, your requirements are higher. They're heightened, so that would be NIST 800-171 or 800-172, and then CMMC signed into law.

So there's different levels of process. HIPAA might have maybe 50 controls and DOD might have 110 controls, but the 50 on the HIPAA NIST 800-66 versus the DOD NIST 800-171, there's overlap there. We're not saying that every company needs to do the maximum. Obviously that would be good for any company to follow the same regulations as a DIB contractor, but maybe that's not cost-effective, but there are ways to get that cost down. The point is that,

as a business owner, you have obligations under these different regulations, and by doing some of the security controls, you can satisfy multiple regulations, and that's the point.

BJ

That's exactly what I meant. And we see a common misconception. We see this a lot within HIPAA, within the medical practices, and we see it probably, I would venture to say, even more, which is unfortunate, amongst the defense industrial base contractors. They have a common misconception that if they're small, these things don't really matter: I'm such a small contractor, I only have this many devices on my network, so the CMMC is really not that important for me.

That's very untrue, because it doesn't matter if you're small; you are a possible attack vector, and you could be a gaping hole that could cause a ship to sink. It doesn't matter that your network is small. You are an access point to the defense industrial base.

Craig

That's right. And there's, like, what I call a foundational level of security. Whether you're one person working out of your house, or if you've got a hundred people or a thousand people in your company, there's still a threshold and foundational level of security, that if you're dealing with just one document that has sensitive information, controlled unclassified information, or you have patient health information and you're a small chiropractor and it's just you and an assistant,

you're still subject to the same HIPAA compliance as a hospital. You might not be as big and as complicated as that hospital, but you both take insurance most likely, and you both are handling patient health information. So you're treated the same way. HIPAA compliance for you is going to be oftentimes less expensive than that hospital, but you still have to have that minimum foundational compliance layer, and you have to show all the supporting evidence that you're compliant.

Erin

So my boyfriend is a surveyor. And he worked for this one company. I won't say any names, obviously, but he worked for this one company. I know they have government contracts. And he showed me around the office one day, and there were maps of the city just sitting out. And I was like, oh my God, if I was a bad actor of some sort, I could go in there and use those maps, or take pictures or whatever, and use that to hurt people. We're a small company, they just do surveying.

So you think, what's the big deal? But if you have a government contract, in the wrong hands, they would be in so much trouble if

Craig

if you're

Zoom

Oh yeah

Craig

person and you're dealing with a purchase order of the widgets of a missile part or whatever, and you're that one metal manufacturer, whatever you're doing in your small business, in your contribution, it doesn't matter how small you are. You still have that obligation to protect that sensitive information, because it's so valuable to the adversary.

Blake

Not only that too, but if you're a reseller. Let's just say you're buying proprietary parts from a defense contractor or whoever, and you're not even doing it, you're just reselling those parts. You still have to follow the same regulations as the person that's supplying those

Erin

parts to you.

Craig

if you're what's called a sub to the prime,

Erin

you

Craig

have what's called the trickle-down effect. So the whole flow of CUI from that big provider down to your small company, you have to keep all of it secure.

BJ

Goes even further. Subcontractors, and then you have vendors of the

Erin

subcontractors.

Craig

And then all of the third parties or anybody involved. In the medical world, you've got what's called the covered entity,

BJ

which

Craig

is typically the doctor's office or the hospital. Oftentimes, if you take insurance, you've got what's called a clearing house. And then let's say you've got an IT provider; that's what's called a business associate. So all of those are subject to HIPAA compliance.

Erin

Yeah.

Craig

But yeah, all the vendors, all the solutions, any kind of software or equipment, firewalls, all that stuff has to be compliant. And if you don't have the evidence for it, you'll fail the audit. And that's where you'll get in trouble.

Erin

Not only will you fail it, but also, I have a feeling we're about to see some big attacks or attack attempts, so it's unsafe for the national security, just in general. And that's what I was wondering about, Craig. I was reading the article that you had sent about Biden's warning. I see the adversary is laying dormant, almost.

BJ

That's right, Erin. Remember that term, right? We hear it from one of our partners with regards to the AI-driven cybersecurity software, that extended detection and response: that term, dwell time. We've known about a lot of breaches recently that were very big and very widespread. And then they went silent. And does that mean that they're no longer a threat? Absolutely not. Now we're in the dwell time phase. So now we don't know what's going on in the background.

You had SolarWinds and then you had Log4j, I always get it mixed up. Is it Log4j or Log4Shell?

Craig

Yeah, both.

BJ

So then you have those two main ones that were huge recently. They kind of seem dormant right now. I read an article last week that the Log4j, just that one alone, there's every hour millions of breach attempts happening to exploit that vulnerability. Now, when you do the math with that and you look at how many businesses are affected by that Log4j vulnerability, you factor in the mathematics of millions of breach attempts happening per hour,

and then how many of those are successful. Probability is going to mean that some of those are successful. And then with those successful ones, we know that there's something like 80% lateral movement from a breach. So when one of these breaches is successful, then there's going to be an 80% likelihood of a lateral movement. And so we're in that holding pattern right now where we have no idea what the situation truly is, because we're in the dwell time phase right now.

Craig

Not only are we in that dwell time phase, but you have to assume that we're all Swiss cheese. We've all got all these vulnerabilities, especially businesses. Most businesses, let's face the facts, they don't have the technology to stop this stuff. They've got more holes than they can fill, and they need help, and adversaries are exploiting that. It's so easy for them to write a script and find the low-hanging fruit. They literally push a button to scan, it goes back to them to report,

okay, here's our low-hanging fruit, here's the easiest ways in, and then they push another button to drop the ransomware. And in less, they just got a payday of millions of dollars because of all these businesses.

BJ

Yes, they do that. Push that little button, they run their automated software, and then it's the wild west. Mathematically it's astounding. Think of the possibilities. To bring it back to your first statement, Craig, when you talked about looking at it through a different lens, I guess a way I frame this in my mind, the current state of cybersecurity: if we were to picture cyberspace as an entity, and picture it getting up and walking right now,

we've got a zombie with rabies and everything else, walking right on this framework that's got tons of holes in it, and it's just a mess. It's a monster of epic proportion. So we all need to do our part to get this thing in order, so that we have something that's a more pleasant picture than the current monster.

Craig

The other side, too: there's new laws that are being pushed through every day that a lot of people may not be aware of, but there's what's called breach reporting laws, and those breach reporting rules and laws, they vary from state to state. But there was another thing that Biden signed, I think it was just a few weeks ago, shortly after the war started, where he said that if you're a government entity, there are a couple of things that they did. If you're a government entity,

now you have a shorter time window to report that breach. Think about it from before, when they didn't have that law in place. Businesses didn't know, number one, if they were breached, because they didn't have the right technology and the lens, but number two, when they finally discover it, they only have a certain period of time; the timer starts ticking. A cyber team, it's a response team for cyber, this is brand new too.

If you're a local government entity, you have access now to an incident response cyber team to help you when a breach does happen. They'll do the forensics and the detail there.

BJ

But you were talking about, if you don't have the right technology and lens on your network, you don't know about a breach. You're not necessarily held harmless from that. If you're breached and you don't know it because you don't have the proper eyes on your network, you're not absolved of any ramifications there. You have a responsibility to know when you're breached.

Craig

Think about it as taxes. If you failed to pay your taxes, and then you get audited, and then they discover, oh, you failed to pay this. Now you have penalties and interest. It's the same thing in the cyber world: if they do the forensic investigation, they find out, oh, this breach happened two years ago. Penalties and interest for not reporting that. You best be in touch with a good cyber attorney to help you. And I'm not saying this stuff to scare you.

I'm just saying this is the reality of the world that we live in.

BJ

The reality and the solution always go back to using tools. Humans, they say, throughout history have always been as good as their tools, right? You can look at the Iron Age. It's always what tools are available to humans and how do they use those tools to their maximum potential?

And right now the tools are extended detection and response, because from a breach reporting perspective, that's how you know when your network is breached: because you have AI eyes on your network, and it knows when something happens, and it tells you, hey, there's something happening here. And so then you're protecting yourself from liability there, because you know when you get breached, and those tools are available.

So not using them is not a good defense for not knowing that you were breached, because those tools are available to all at a very low entry point, price-wise.

Craig

Yeah, and it's definitely a very effective layer. It's not the cure-all, you still need training and all these other things, but the more supporting evidence that you can furnish, the higher likelihood of a payout from cyber insurance if you do get a breach. If you don't have cyber insurance, it'll allow you to qualify to get cyber insurance. Quite frankly, the more layers you have in place, you're not going to have a breach in the first place.

BJ

Yeah. And if anything, from just a protecting-your-business standpoint, it shows due diligence. Yeah, with HIPAA, there's that due diligence. It shows, did you actually try? So not doing anything in regards to your cybersecurity is definitely not showing due diligence.

Craig

Yeah. Like with HIPAA. That law was enacted by Bill Clinton in 1996. That's old. It's so vague, the HIPAA law, it doesn't even talk about the requirement of encryption. Nowadays encryption is so easy to do. It'd be really hard to argue in an audit that you chose to not leverage encryption in your system security plan, given how inexpensive, often free, it is to implement. I think it would be really hard to argue your point as a medical practice.

BJ

It would just be wise for anyone doing business online to try to do a self-assessment of themselves right now, or just say, look, if I were breached, I'd be asked all these questions: what tools were you using to prevent a breach? Did you use encryption? Ask yourself those questions now, before someone else asks you those questions, and apply a degree of wisdom to those questions. If you ask, it's a no-brainer that you should take some kind of action.

Craig

The biggest action people could take is just to call us. They could take advantage of the free phone call and get in touch with us. We could ask them some questions over the phone and instantly grade their maturity level, and if they're ready to do something about it, we have options for that. If they're not, and they just want information, that's okay too. But the point is to take that first step forward, right? At least try to chip away at this stuff. We don't have the magic pill.

We're going to say, look, do this one thing, and then you're all secure? It doesn't work like that, but it is a continuous effort.

BJ

Yeah, sure is.

Blake

I wanted to say, this is a good segue. A lot of people, whenever they reach out to us and we start pointing out what they should be doing and what they are doing, we're not here to turn you in. We're not going to turn around and say, oh, John Smith was doing this incorrectly. It seems like a lot of people start defending themselves when we have a new dialogue with a customer. They're scared to admit what they're doing wrong. And it's not really about that, because

the quicker you are to admit it and the more honest you are with us, the easier. Or if you come in for an assessment and you're saying that you're doing this, or you're not quite sure, or you say you are and you aren't, we expect that. And then we find out that you aren't. We're not going to penalize you, obviously, but it adds more work to us, and we have to go back and do the work again. Ultimately it hurts you more than it hurts us, because we can give you a more accurate timeline

if you were more transparent, or more accurate costs to remediate your business. So don't be scared to approach a cybersecurity firm such as us and tell them what you're fearful of, or what you're doing wrong.

BJ

We see that with the DoD contractors, because of the fact that it was written in their contracts years ago that they were supposed to be NIST 800-171 compliant. And they've been saying that they are to get these contracts, but they know that they're not, and now there's an uncomfortable transition to go from self-attestation of being compliant to now actually enlisting the help of professionals to get compliant, even though you were attesting to that compliance. There's a degree of fear there that's causing a blockage for people, but know this: you're not alone, because this is very consistent. This is why CMMC came about, because this is such a widespread issue. You're not alone. Most contractors are in the same boat as you. Everyone that calls us, they're in the same mess.

You haven't been the only one attesting to compliance and not taking it seriously. This is a widespread problem. It's affecting American businesses. It is a matter of national security now. So there's no reason to feel fear or guilt or shame. Know that we've all been guilty of this. Now it's just a matter of fixing it, and there's no judgment involved. It's pretty much throughout the whole defense industrial base, and then it spreads from there to the whole nation. It's not just your business.

Erin

I don't remember what portion it was, but the number of companies that were compliant is like 1%.

BJ

But that's just human nature. It's not something to feel guilt or fear or shame over. It's just human nature. We prioritize what we feel is most important, and then we focus on those things and we back-burner everything else. And unfortunately, for the last several years, cybersecurity was on the back burner, and that's how we all did business, with cybersecurity on the back burner. And now it's shifting, and it's okay to know that you're a part of that culture that had it on the back burner.

Everyone mostly was, but now it's just, Lockheed Martin, you know what I mean? The whole reason that China had a certain fighter jet was because of a breach at Lockheed Martin. It's a communal problem. We all understand, 'cause we've all had it on the back burner.

Erin

If you think about it, if only 1% or maybe even 0% of these businesses are compliant, clearly there's something wrong with the policies. You can't have that many people unable to get compliant with NIST, or struggling to get compliant, and think, no, it's all your fault.

Craig

know where to start.

Erin

That's the point of CMMC, to make it easier.

Craig

When it was published in 1.0, I think it created more confusion than anything. And I think that it's been cleared up a little bit, but there's still a lot of misinformation out there. Point is, that's what we do. We do this every day. We work hard to vet and test different solutions. We have the most efficient, cost-effective path, and we're always working to improve that. It's not millions of dollars for the little guy.

We can come up with some affordable solutions that will vastly improve the security and move your SPRS score up the ladder. Most people are negative in the defense industrial base, and that's okay. We understand that, but we've come up with a very efficient, cost-effective way to move them from that negative score in a short period of time to a positive score, and then keep honing that and then eventually getting them to that perfect 110.

BJ

We found a strategy that is identifying very strategic points in the CMMC and then applying the smart tools to that strategy. And it makes for a quick pivot into the positives. We've taken clients from negative a hundred to a positive 60 pretty quickly, by just utilizing one simple strategy and then applying smart tools and then making that pivot.

Craig

We do as much of the work as we can. We probably do 80% of the work for the company, and we put ourselves through all the rigorous exams and certifications, really for our clients. The knowledge

BJ

and

Craig

expertise that we've gained for CMMC helps us help the small business. It helps us help the medical clinic that's subject to HIPAA compliance. That stuff we know like the back of our hand now. And we've already found the efficiencies and more cost-effective ways to make them compliant too. We talk a lot about CMMC and TIFF companies and things like that, and some companies that are listening, or people that are listening, are like, that's not me. That's okay. But the point is that

it's a proven methodology for those folks. And we have a path forward that's cost-effective. We're going to get you from that negative score, or that mark, so to speak, that easy hack, to a much more hardened company, so that hackers will move on to an easier target.

Erin

I think that's another important thing to think of too: a lot of the people that we work with as well, we keep compliance in the back of our head. We are trying to simplify it for everyone as much as possible, do the mapping, right? We can help you map it back to the security controls, as opposed to doing it yourself and you're like, I have no idea what this covers. I think that's another important service that we offer.

Craig

And another thing too, we're not looking to take the IT guy's job. If you've got a relationship with your IT guy, your IT company, keep that relationship, let them do that work, but we're here to be their cybersecurity and compliance arm, to work with that provider. If you're an IT provider listening, we have solutions to help bolt on our cyber and compliance team to your services. We're not going to steal your clients. We're just here to help the client become more secure.

That's what we're about.

Erin

Yeah, a lot of the companies we work with have their IT, and we work hand in hand with them.

BJ

Yeah, because technically, especially with CMMC, there does need to be a separation of IT and cybersecurity. So technically, if you are regulated by CMMC, you can't have your IT team doing your cybersecurity. There has to be a separation of IT

Craig

Yup.

BJ

and cybersecurity.

Craig

That's right.

BJ

This stuff is so relevant. It's so critical right now. Take the viewpoint out for a moment, because everyone realized that we're in a cyber war after just having two majorly huge exploits out there with Log4j and SolarWinds. And that's a horrible time for a cyber war, guys.

Erin

According to the hackers, Colonial Pipeline, they weren't even trying to mess us up. Maybe they were. It wasn't their goal. So if you look at something like that, it wasn't even their goal. They do want to wreak havoc.

BJ

It's not time to be fearful. That doesn't help anyone, but it's time to pay attention, to just take decisive action and just say, I'm going to stop being part of the problem and try to be part of the solution, because the more of us that get secure, the fewer pivot points there are, the fewer threat vectors there are, and attack surfaces. We're all one moving organism, right? So the more we do our part, the safer we all are.

Blake

More to say, there's two parts of a cyber attack. There's the physical side: entering your system, collecting your data, breaching your network, yada. And then there's the psychological side of every attack.

Craig

And then you have the reputation management too.

Blake

We get a lot of calls from people that are like, oh, my Facebook's hacked, I'm getting these text messages about them releasing this, like Erin said, messages to their friends. That's the psychological side of the attack. And a lot of hackers utilize that to make their prey, or their target, feel weaker, to lower them and create a larger advantage between the data that they're collecting and what they really have. So that's another side.

The reason why I was saying that is you need to frame your mind for both sides. That helps a lot to step into doing the security things that we're talking about. But you need to frame your mind, stop thinking that this can't happen to you.

BJ

Unfortunately, as the rise of automated tools helps us to manage cybersecurity much better, on the flip side, you have automated malware tools, and that makes the risk so much more widespread, and such a faster spread, that it's really illogical to think that this can't, or won't, happen to you, due to automated malware tools that spread the reaches far and wide.

Blake

It's already happened. Craig said, if you have used Equifax, TransUnion, and whatever, your Social Security number is probably on the dark web already, or your password is already on the dark web, or your account. You just haven't found out about it yet. That's the truth. That's the reason why we're here and we're doing these types of things for awareness, but frame your mind. You need to be prepared to take on both sides.

Craig

Guys, let's wrap up for the day. Thank you guys.

Erin

Yes. And please join us tomorrow at noon for our live broadcast on Facebook, Twitter, and YouTube Live. If you're not able to join us live, we will be posting our podcast pretty much wherever podcasts are posted. So check us out. Thanks a lot, please like it, subscribe, and we'll talk to you tomorrow.
