Cybersecurity Essentials for Small Businesses

Kathy (host):

Well, hello there and welcome back to another episode of “Help My Business is Growing,” a podcast where we explore how to grow and build a business that is healthy and sustainable. I’m your host, Kathy Svetina, fractional CFO and founder of Newcastle Finance, a company where we believe that everything you do in your business will eventually end up in your numbers. And to get to healthy numbers is to have a healthy business. How do you get there? Well, this is where this podcast comes into help.

Kathy (host):

As a small business owner, you focus on growing your company, acquiring new customers, and increasing revenue. But have you ever thought about potential cyber threats that come with that growth? Data theft, sabotage, security breaches – all of these can be catastrophic events that can potentially ruin your business. And as technology advances and businesses digitize, cybersecurity is needed more than ever to protect your business operations, no matter the size of your company.

Kathy (host):

But what do you do if you’ve already been attacked and your systems have been taken, hostage? Do you pay the ransomware demands or ignore them and rebuild everything from scratch? And how do you implement cybersecurity measures and safeguard your business from these cyber threats?

Kathy (host):

As a quick reminder, all of the episodes on this podcast, including this one, come with timestamps for topics that we discuss, and each one has its own blog post too. You can find all the links and the detailed topics in this episode’s show notes.

Kathy (host):

My guest today is Bryant Tow. He is a Chief Security Officer at LeapFrog Services. And for over 25 years, Bryant has held responsibilities as an entrepreneur and senior executive in all aspects of risk management. Currently, Bryant and his team assist clients with complete security programs that include strategy, governance, and operations, focusing on managing risks within Leap Frog’s Ring of Security methodology.

Kathy (host):

Join us.

Kathy (host):  

Welcome to the show, Bryant. 

Bryant (guest):  

Alright, how are you? Good. 

Kathy (host):  

Well, thank you for joining us because we’re going to talk about something that’s really important. And I’ve noticed that in the small business world, you know, we talk a lot about sales, we talk a lot about marketing, ops, finance, but there’s not a lot of discussion about it, especially cybersecurity. You know, I’m ashamed to say that even in this podcast, we’re almost at this point about 60 episodes in, and we have not even touched it, at all. So I’m going to end this today, and we’re going to talk about it. And I’m also making a commitment on this podcast that there will be a lot more episodes dedicated to it in the future.

Kathy (host):  

So, Bryant, let’s start at the beginning. What exactly falls under the umbrella of cybersecurity in small businesses?

Bryant (guest):  

First of all, thanks for having me. I appreciate it. So first of all, you’re gonna get from me probably a little bit different type than you are for most Chief Security Officer types, technical types, and all that. 

Kathy (host):  

Good, we’d like that. 

Bryant (guest): 

Yeah, well, I’ll explain why in a second. But part of the reason is just in how you set this up and how you framed this, which was more, quote IT, “And now let’s talk about security.” Right? So what most people don’t realize, especially in the small business community, is that when you do the root cause analysis on any of the headline breaches, right? I mean, you can just about open up the newspaper any day, and some brand name that you’ve probably heard of that probably has some of your information has been compromised in some way. Ransomware or just a general hack or custodial data stolen or something along those lines, right?

Bryant (guest):  

But when you do that root cause analysis, meaning you ask why, the five whys methodology, right, that was developed at Nissan, what we find is that nearly all, if not, I’ve tried not to speak in finance like that. But nearly all of these breaches are originated in process. They’re originated in policy, they’re originated in people. So we talk about cyber, and we talk about the technical, and we talk about it because, you know, firewalls end up with a zero-day vulnerability, they get compromised, and then something happens, right, or something because we talk about the technology. The question is why, right?

Bryant (guest):  

So even though it’s a little bit stale, I still use the Equifax example because we were all affected by it, right, everybody was, is that those patches had been out for those Apache web servers, which is just kind of funny to me. It has the word “patch” in the name. So you think that it’s some kind of an indication, right, but those patches had been out for six months. So was that a technology failure? Or was it a resourcing failure, not having either the visibility to it and not having the people to do that work? Not having the budget, maybe we just simply don’t care. It’s never gonna happen to us kind of with that. So where exactly was that failure that caused those patches to be left behind for six months that caused a breach that costs into billions of dollars, right?

Bryant (guest):  

So when we talk about cybersecurity, most of the conversations that you hear are going to be about the zero-day vulnerabilities, which we’ve already mentioned, you know, the, you know, triple stack buffer overflows, low orbit, Ion Cannon tools that are being developed and all that, and it’s sexy, to some, I guess. But the bulk of that, while obviously required, misses the actual root cause analysis. So I’ve basically made a career out of helping businesses enable their technology and do the right things, make the right decisions with their technology, but from the process side, understanding business first, understanding keys to the kingdom, you know, business impact analysis, right, and things that we need to do with the technology to protect the business, not using the technology only to protect the business.

Kathy (host):  

So if I’m hearing this correctly, it’s not really about the tools and the IT systems that you’re using. It’s more about how you’re using it and how people are operating within those systems. And what are the policies that you have to use those well? Correct? 

Bryant (guest):  

Yeah. So I’ll give you a primary example of you know, before we came on, we were talking about incident response, right, calling 911, and all of that, and I use the term very often, you know, right down the street with your hair on fire event, right, that this thing is happening. And we see it all the time. You know, they’re whether they’re called ELE, right, Extinction Level Events, where a business gets compromised, and they just simply don’t survive for a multitude of reasons.

Bryant (guest):  

But the idea on the process side, like we were talking about is to be prepared. As simple as that concept is, right having an incident response plan is not a technical solution, there is no Blinky light or button you can push on the keyboard to make that work. It is a process; it is part of your organizational structure, having identified in your organization, your cyber incident response team.

Bryant (guest):  

Okay, well, what does that mean? Is that a bunch of guys and girls in the basement with the middle shells and the swaying lightbulb and hoodies pushing buttons to protect things? No, it’s not that at all. Who do you need? You need executives on that committee that can make decisions. Right? You need HR on that committee that can help with personnel and be able to make decisions. You need, obviously, your technical and your IT team that can execute and do things and provide input. You need PR on that team that understands how to handle personal relationships with your press, right? When do we need to make a breach notification? What’s our legal right, so you need legal involvement that can help guide and make decisions on things like staying within boundaries on breach notification laws? And when do we have to say what do we have to say, you know, who’s directly in contact with your insurance company? Is that even a thing we need to do? Do we need to execute insurance right away? Who handles forensics, by the way, who on your team has had direct contact? And has the local law enforcement and local FBI agents number in their cell phones? Who was that person in your organization?

Bryant (guest):  

Because chances are, you get a breach, and that’s significant enough, you’re gonna want to have law enforcement involved at least a report, because they may not be able to do anything initially. But they can also give some really, really good tips on trends. Yes, we’re seeing this in this industry. And by the way, the keys for that ransomware that you just got hit with, we have those keys, right? So there’s all kinds of things and that’s, you know, two minutes on just a process of what having an incident response plan to protect your business takes that running down the street with your hair on fire moment, and it turns it into an eye roll. Right, you roll your eyes and you go, Okay, this happened. We know what to do. We have our systems and everything properly architected for recovery, we have our executives on alert, know that this is happening, they know what to do, they know what to expect, and have been armed with the knowledge of what decisions lead to what outcomes, right?

Bryant (guest):  

So you know how to do that, you know when to an event that is classified at a certain level activates this team and so forth? And it sounds like a lot. It does, right? I just named off 10 people, maybe that actually may be on these teams. And if you’re a business of 20 people, you don’t have all of those people necessarily, but you probably have people that can or are empowered to make certain decisions. And those decisions are going to have to be made whether by title or not.

Bryant (guest):  

So getting in and running a tabletop exercise with an event like this, you know, run a tabletop with a sample of it with the ransomware. What would happen if your let’s say your HR and payroll system were to be ransomed? Okay, well, what does that mean? Do we pay the ransom we had, I had one of these times medical care facility that got ransomed. And the CEO the very first, they had never done an incident, they were not prepared the fee. The very first time the CEO says, well, we don’t negotiate with terrorists. I was like, Well, you’ve seen one too many movies. And isn’t that cute? But okay.

Bryant (guest):  

So ransom came in at believe that one was probably 250 or $300,000, something right around in there. Right. So all right, well, what does it take for us to get these systems back? Alright, so we go and gather the right people from the organization from HR from payroll, architects, engineers, and code writers that had been involved in the system. And we backed into it, and it’s going to take for probably five engineers a better part of three to four months to get that rebuilt. Okay, Mr. CEO, you’re not going to cut a paycheck for four months. Okay, well, what’s the ransom? Well, it starts off at $250,000. So my point is, if we had that plan in place, we would know that the HR systems are not sustainable. And there needs to be a separate round of high availability and backups and things. So those that then we get over into the technical side, right, we need the technology to do those things source.

Bryant (guest):  

But you understand that we’ve made those decisions based on the business need, right? The business requires that system to be better protected, clearly isolated, backups kept completely offline, and a lot of those things like that, that you would do to properly protect the system that was not in place, because we have a three to four-month rebuild time on that’s not doable, right? So what’s the impact of the organization of that system going down? Or the likelihood of it being? And then what’s the remediation cost? And from those things, we can make a decision on what is the proper spend for our business, on properly protecting these things. And you have not heard me say yet about an antivirus tool or something like that, right? We’re talking about that process side. And we have something that we call our ring of security methodology that I developed, gosh, almost 20 years ago, but it looks at people process technology and facilities, right?

Bryant (guest):  

Nothing new about the four pillars, right? They’ve been there. They’ve been there since transistors were ever invented. But when you wrap that attack surface around those, those four pillars, what we quickly see is that technology only covers half, right, the other half of our attack surface is completely open. And I’ve given you some examples just in incident response, right? That’s one category of many processes that we need in place to enable and empower the technology that we have to have in place to be able to do those things. But it needs to start on that left side of the ring, as we like to say on the process.

Kathy (host):  

So, how often have you seen businesses actually have that incident response developed and done before they have had an incident? Do they really think strategically about it and figure out, well, if this ever happens, we need to have this plan in place? Or is it usually something has bad has happened? And now they realize that they have to have these procedures in place?

Bryant (guest):  

Statistically, I would say it depends on the segment of business, okay? Financial services will have an incident response plan of some sort because the SEC is going to require it, right? So if you’re doing business in New York and you have the Department of Financial Services, they have their own compliance requirements. If you’re doing business with people in New York, an incident response plan is one of those. Now, any of the other basic compliance targets are going to require that you have one, but they’re not going to give you a score on how good it is. You can say, “I have it,” and you can send them a table of contents perhaps, and likely pass that audit and so forth. But to answer your question, in the SMB market, I would say it’s very rare to have a complete incident response plan in place to actually know what you’re going to do because most of these types of podcasts and event conferences and things like that, everybody focuses so much on prevention. We’re a prevention-oriented industry, right? We don’t want to be hacked. You don’t want to be hacked, and 100% valid, of course, nobody wants to be hacked. But at the same time, those same people from those same conferences are going to stand up and say, “It’s not if but when.”

Kathy (host):  

Let’s talk about what happens, you know, your small business, right now, we’ve talked a lot about if you have people, right? You have an HR, you have a legal department, you have all these people involved. But let’s say that you’re a small business that has about 10 to 20 people, and all of a sudden you got a major attack with ransomware. What would you do in that situation?

Bryant (guest):  

Well, hopefully, we have a plan in place, and let’s say we don’t, right, because we just said most small businesses don’t so let’s not go down the path of assuming that some do. And then let’s talk to the people that don’t, right?

Bryant (guest):  

So, okay, let’s say you’ve got a financial services company with 20-25 people or something. Okay? All of the roles that I talked about, even in a small business, those roles exist, somebody is doing HR stuff, right? Somebody’s doing legal stuff, and in a small business, it’s probably outside counsel. You probably have an attorney somewhere that’s doing something, and they are targeted, right?

Bryant (guest):  

So, in your plan, that firm, in today’s world, most of those firms have cyber people. So, as part of your plan, you would contact your attorney and then have them put you in touch with the cyber people to have an initial conversation. Here’s our business, here’s who we are, we want to get you on the team for legal, blah, blah, blah, and you’ve done that.

Bryant (guest):  

So, it sounds huge. And I think I said that before. But even in a small business, all of those roles, somebody is doing PR, it may be the CEO, maybe the CEO is doing the marketing, and they’re doing the PR stuff. But somebody’s doing that function. I mean, I’ve done incident response plans where we’ve had five people, but every one of those people knows what their role is and what they’re supposed to do. They’ve been through the exercise, through a tabletop, and they know about those things so that we turn that into an IRA, right? So, if day zero, we call it, right? So, you come in the next morning, and you can’t get to your critical systems. What do you do?

Bryant (guest):  

Well, first thing you do is call your cyber people if you have them and let them know what’s happening. If you have good IT management, if you’re a small business like that, chances are most of your stuff is in the cloud, or you have a managed IT provider of some sort. If you have a good or even a decent Managed IT provider, they know about that outage before you do, right? They’re going to be informing you of the outage. And that’s what you want, right?

Bryant (guest):  

So, maybe as part of your overall planning stage, when you run through your exercise, if your cyber provider isn’t the one that’s alerting you of what’s going on, maybe it’s time for an evaluation and possibly a realignment, right? So, your cyber provider lets you know, then we back into, okay, which system is it? What’s the criticality to the business? Who needs access? Right? So, you go through all of that.

Bryant (guest):  

And, you know, it turns out it hits the critical system for the business, and our recovery time objective for that is 30 minutes, or we start losing money. All right, well, let’s see what that is. Is it a ransomware? Is it a custodial breach? Identify what type of attack it is.

Bryant (guest):  

What I would do in that situation is immediately gonna sound weird. But we jump into the dark web, and we look for trends and see if we can find out any signatures, anything in that breach, which would indicate origin. There’s a lot of these ransomware groups or cybercriminal groups that have very specific what we call TTPs, right, techniques, tactics, and procedures that act as a bit of a signature. So, you can see a lot of times you could tell it came from, you know, Dark Overlord group or one of these crazy groups, and you can tell who that is. And sometimes keys will be made available. A lot of times they reuse the same keys and certain attacks on something like that. So, if something like that happens, then you’re in luck. We can go get the keys and begin the restoration process.

Kathy (host):  

And who would do the dark web investigation? Would that be… Obviously, if you’re an owner and you have this breach, you probably panic at this point. Like, “I have no idea how to do any of these.” Who would do the dark web investigation? Would that be the IT provider that you’re currently using? How would that look like?

Bryant (guest):  

It should be. Your IT provider if they’re providing security services for you, they should have that capability. In my team, we have a team called our StrikeForce team. We have reconnaissance and lockdown services. Part of recon lockdown is the initial investigation and triage. That includes dark web research and monitoring public forums like Reddit, which are the good guys’ side of the internet. We are fairly plugged into most of the major chatter that you would see. Sometimes we find something, sometimes we don’t. If there’s a day zero or a new attack being done out there, and you have the unfortunate opportunity to be the victim, there may not be much to find, and we have to dig in and try to figure it out ourselves. So as we’re putting a little bit of color on these real-world scenarios, you can see how quickly having a plan in place and knowing the right steps to take becomes important. You’re asking the very first question that you would ask: Who handles it? It’s great to identify that before or as soon as the fire starts, rather than after.

Kathy (host):  

So now that you’ve done this dark web investigation, let’s say that you found nothing. Okay, so now what happens? We’ve done this portion. So now what happens?

Bryant (guest):  

Well, obviously, we have to make a go/no-go decision assuming that we’re talking about ransomware, right? We have to make a go/no-go decision on ransom, whether or not we’re going to have to pay it. Now, the FBI will stand their ground, and they will tell you, you don’t ever pay the ransom, you embolden the enemy? Well, that’s cute, until the gun’s pointed at your kid’s head. That changes things a little bit when you just learned that you’ve got a four-month recovery time. You’re not going to cut a payroll check for four months. Okay, that is not a sustainable business model. That would be an extinction-level event. You don’t pay your people for four months, your business no longer exists, right?

Bryant (guest):  

So, we either go extinct, or we figure out what our secondary plan would be, okay? So in that particular case, we would start negotiations with the ransomware actors. We ended up in that particular case, got the ransom down to about $60,000. We sent them $5,000.05 critical files that we asked them to decrypt and send back to us intact, to prove that the keys that we would be getting would actually work. And they said, “Thank you very much,” and they sent us our files back in about an hour. And everything was good. So we paid the ransom and we started the decryption process.

Bryant (guest):  

One thing, however, in these processes, is it’s not a natural thing to think about the actual recovery time and the amount of processing power it takes to decrypt that level, right? I mean, you’re talking about days. Again, part of the plan is how do you recover when you have, you know, say 1,000 kiosks at your checking stations that all have to be decrypted.

Kathy (host):

And then again, who does that decryption? Is it your IT provider? Is it your people? Do you have all hands on deck? Everyone is decrypting this thing, like what do you do?

Bryant (guest):

In this particular case, we created a PowerShell script and deployed it as an element of automation. So you pick a small sampling of those devices and you get the script written, that you tested on one, possibly two, then you do a small sample, and then you shoot the script out for that process. Let that go. And then after that, you can do a mass deployment. But you still have to have somebody on-site to push the buttons when that machine reboots, right? So there are some things on there. But so, who’s that person going to be? Who’s your power user at one of your, you know, however many locations? That’s going to be that person. So you can see, as we’re kind of walking through this, there are a lot of people that should be identified as people that we would reach out to and be responsible, right, coming back to that overall plan. So as you go through that and things begin to come back up online, then you know who was responsible for this application or that application? Like we were saying,

Kathy (host):

So what happens, let’s say now that you’ve survived this ransomware attack? Now, what happens? Do you do an entire audit of your entire business? Obviously, if you haven’t had a plan in place, you have to put a plan in place. But how do you make sure that the people who have started this attack don’t come back three months from now, or maybe even a month from now, and say, “Hey, we want another $250,000?”

Bryant (guest):  

Yeah, that’s a very good point. I think it would be a good cyberverse. So the first thing is, there are several, I mean, we’re talking about this in very generalities, right? So there are parallel work streams that go on with that. One of those, like you were saying, is, you know, how do we make sure they’re not coming back in? Well, I will tell you unequivocally that if they’ve gotten in once, they’ve probably put their own backdoor in. Because especially if you’re a payer, if you’re a payer, and they know you’re a payer, they’re coming back for you because they know that you will pay them. So part of the investigation and part of the reconnaissance is looking for that smoking gun and looking for other backdoors, looking for other vulnerabilities. One of the things that the adversaries will do is they will find a vulnerability on systems, they will exploit that vulnerability, establish their command and control, and then patch it and fix the vulnerability. So your vulnerability scanners don’t see that anymore. It’s already been fixed. But the command and control has already been established.

Bryant (guest):  

Right? So, there are tools that we use as part of the reconnaissance to look for those secondary entry points and backdoors and so forth. One really interesting thing that you find about the smoking gun, right? I mentioned a couple of parallel work streams, is insurance companies are interested in the smoking gun, mostly because if they can establish the fact that you’ve done something silly, meaning one of your employees clicked on something they weren’t supposed to, and it was a user-induced error that caused the breach, they’re not going to pay you.

Bryant (guest):  

So one of the things that I tell people and Ark Lion’s Den, is yes, when it comes time, and we do provide official notice to the insurance company, nobody talks to that insurance company but me. I will want to contact for the insurance because we have to know what we do and what we do not say to them, not to be dishonest in any way. But we also want to make sure that our policy and everything like that is properly protected. And we’re presenting honest, good factual information, but in such a way that we’re not going to breach coverage, right?

Bryant (guest):  

So we just want to make sure that that’s done correctly because people get into a panic, and then they start saying a whole lot of words, and pretty soon they find themselves.

Kathy (host):

And for people who are not familiar with a smoking gun, can we talk more about what exactly that is?

Bryant (guest):

Yeah. So I mean, the well, we use that term was gonna say affectionately, but perhaps in affectionately, you know, what causes the breach. Right? So what went off? What somebody did something, what was missed? And the example that I’m telling you about, the administrative password on their public internet-connected backup, was Bluebird, all lowercase. So, alright, let’s think about that. Let’s do the root cause analysis on that. Should we?

Bryant (guest):

All right, was it did the backup system fail? No, the backup system was fine. There was no enforcement of password complexity and passwords being changed, especially on Internet-facing accounts. So had they had proper complex passwords in a situation like that, at least 12 characters alphanumeric? And at this point, the way technologies evolve, now it needs to factor on it, right? Something phone or text or something like that. We can get into that. You can argue day after day over which one is better, which one’s worse, and which one has which vulnerability, but just having a two-factor authentication on something like that would have prevented the breach. It was not the backup system that was failing, it was the users, the administrator that used the password of Bluebird, that is crackable, literally in sub-seconds. That caused it. That’s the smoking gun.

Kathy (host):  

And since we talk about passwords, let’s pause here for a second because a lot of small businesses use password managers. And right now, we all know that LastPass has had some significant breaches in the past. What is your take on this? And especially if someone is using LastPass?

Bryant (guest):  

All right. There’s a couple things here. So password managers? Yes, 100%. Absolutely use one. Because I try not to quote statistics because when I do these things, there’s inevitably somebody that wants to dig into a statistic and says that was 74, not 75%. All right, well, forest in the trees, whatever. But on average, depending on who you talk to, the average person has upwards of 200 presences on the internet from you logged into this to pull this certificate for dog food or something, right? Anything like that. So just on average, it’s two Enders.

Bryant (guest):  

One of the biggest issues is credential harvesting, where people will reuse their same usernames and passwords, right? So you log in. So you use your email address and a password that you can always remember to get that dog food that could point out why said dog food coupons. And then you use it for your Internet banking. And then you get this really weird thing that you open up and it asks you for your Office 365 credentials because you think it’s a secondary login for some reason. You put in your credentials, they are they’ve harvested those credentials, and they’re throwing them and sweat all over the internet to see what they can get into. And now your bank account’s cleaned out. Because why do I have to break into a system if I can get you to hand me the key?

Bryant (guest):  

Right? Okay, so what solves that? Are you going to personally remember 200 or more significantly complex passwords, right? Qd nine V, 4k? capital Z H exclamation point. Right? You’re gonna remember that? No, probably not. So to solve part of that I teach passphrases. Right. So if you remember, it was a dark and stormy night, well, capital I write it in capitals or lowercase w you can see where I’m going with that, right? So you can remember that phrase, and then use your fingers to type the first character of each letter and a number in there, you know, a birthday of a niece or something like that in the middle of all of that, that’s going to give you a fairly complex password. But even still, sustaining that and remembering it across multiple internet sites is next to impossible. So use a password manager.

Bryant (guest):  

As far as LastPass is concerned, they’re dropping of the ball was in their key management. If you are a LastPass user over the past year or two, you’re probably okay. Probably. It’s the longtime LastPass users from when they were using. I don’t want to get very technical but when they were using a type of Key from that time that as time has evolved, that’s become out of date and easily crackable. And they never updated the older users to the newer stuff, right? That’s the most that’s the simplest way I can say it. So if you subscribe to the theory that, you know, lightning never strikes twice, you know, lightning just hit last pass, and they’ve upgraded all their keys. And they’ve done all of these things. Are They Now the Safest one? I don’t know a lot of people that are purists or abandon them, them completely going to, you know, one pass, or if there’s, if you go to wiki pedia go to Wikipedia and put in a password manager. And Wiki has actually done a really good job of lining up a dozen or so password managers on effectiveness cost, how they’re doing their keys, right, there’s a whole product comparison, in Wikipedia. For password managers, that’s it’s really, really interesting.

Bryant (guest):  

So I try to avoid at all cost making any kind of product recommendations or anything like that, I will say 100%, yes, use a password manager, if you have a small medium size business, same 20 to maybe 100 users or so go ahead and spring for the enterprise version. But there’s a lot of advantages to the enterprise version centralized, basically using it as I don’t want to say the word single sign-on, but I just did, because it is not a single sign-on product. But if you use your password managers to cue those passwords, the amount of time and everything that you save, and re-authentication and all that is is really, really, really sustainable in a business. So I do recommend the enterprise version, the jury’s still out, we’ll let the tools in the tool people in the purists argue whether or not LastPass, I’m not gonna make that argument. I do know a lot of people that still use it, I know some really, really sharp hacker types that have had their shot at some of the master keys and things and have come back with with really good results. So who knows?

Kathy (host):

Someone has been on LastPass now and they’re getting really nervous about it. Would you say that they might want to take a look at another password manager? Or should they be okay with LastPass?

Bryant (guest):

Well, you’re really pushing me on the product endorsement.

Kathy (host):

I did not ask specifically, even though I so wanted to. I still wanted to, Why would you recommend?

Bryant (guest):

Well, I’ll say again, in the community, I do know hacker types that have really put the screws to last pass on their encryption algorithms and things that they have in place now, basically taking the local storage of what’s there and beating it up pretty good and have come back with pretty good results.

Kathy (host):

Pretty good results in terms that they were not able to hack it or they were not able.

Bryant (guest):

And what, yeah, what little bit that they would, were able to get was not anything that was, that would be human-readable. Okay. So, where LastPass ultimately failed, they failed in two ways. Obviously, their key management got them breached, right? Oops, okay. But where they ultimately failed, it wasn’t how they handled it. They handled it like a five-year-old child. Did you eat the cookie from the cookie jar? No, we didn’t know we didn’t. Well, yes, we, I mean, you got chocolate all over your face, right? We can see everything that happened. And they just, and I’m not gonna go into the whole LastPass history, but they handled it, in my opinion, like a five-year-old child. And that’s what destroyed the reputation. I mean, they could come out and have the best possible whatever now, but they’re always going to have that or over them. I expect a portion of their technology will probably be acquired, and the name will dissolve. That’s probably the best thing that could happen for them.

Kathy (host):

The future will tell what happens to LastPass.

Bryant (guest):

I know a lot of people that still use it and are happy with it. And they’ve beat it up and said, Yeah, well, it’s just too much hassle to change. It’s really not, though. There’s export capabilities in LastPass and import capabilities in one pass like I said. At some of the other ones, it’s an hour’s worth of work. But if it makes you feel better to do that, then I think you should.

Kathy (host):

Bryant, there’s been a lot of information in this episode. Thank you for that. So if someone is right now, let’s say that they’re panicking, like, “Oh, my God, I have nothing,” what Bryant said, like nothing. And I’m a small business of 10 to 20 people, what is the next one thing that they can do in the next week or two to get them closer to this ideal, having a plan, and knowing what to do, and you know, what we’ve talked about?

Bryant (guest):

Alright, well, we started the conversation, we kind of naturally flowed into incident response because, but prior to coming on, we were talking a little bit about that. The actual foundation, though, Kathy, for all of this is in institutional policies. And what I mean by that is acceptable use policies, things like that inside the organization. So you… What is your password complexity policy? What is your policy for incident response? Right, we need to have a policy that says that we’re going to be able to do these things. But the foundation really starts. The ideal foundation starts with strategy, and starts with the business. What do we even need to be protecting? What is it worth? How do we even look at getting an incident response plan together for that, right?

Bryant (guest):

So you have the way we solve all of this, and I know you’re asking me for an immediate next task, I’m gonna get to that. But the way we solve this is what we call our enterprise risk management pyramid. So imagine, at the top of the pyramid is their strategy, understanding the business, understanding the alignment, understanding the metrics, and how we measure risk across the organization. If we do that properly, that will tell you how we govern the organization, it’ll tell you what we do for our incident response plan, it will tell you what we do for our general policies, it will tell you what we do for our third-party risk. And he was having gotten to that one yet. Right, especially in the small business world, people think that we’re just going to put all this in the cloud, where you’re using SAS providers, and therefore you’ve relieved your cyber risk. And that could not be more inaccurate. You have moved your cyber risk out of it, like we started out talking about, and you’ve moved it over into third-party risk, cloud computing translated somebody else’s computer that you have no control over. So is your data actually safe, and is it being properly protected by that third party, and you think household names are going to properly do that, and most may or may not? But when you go to get your cyber insurance and all that you have to be able to do your own diligence on those third parties to make sure that your data is protected, because it’s not the provider, it’s going to be your name.

Bryant (guest):

So you… so where I’m going with all of this is, if I were to wake up in the morning and own a say 30-user or something like that small business or knowledge workers, the first thing I would be looking for is somebody that can help me with the proper risk strategy. Most are looking forward to it. Well, I’ve got endpoint detection and response, I’m good. Well, it doesn’t cover your third party, nor does that prepare you for an incident. Right, that left side of that ring, that process, those things have to be there to be properly protected, you can buy a tool or Blinky light at it all day long. But unless you have those policies and procedures, incident response, all these kinds of things… feel like I’m beating this poor dead horse. But unless you have all of those things in place, that’s what properly protects.

Bryant (guest):

So I’m really going a long way to maybe lay some groundwork for my response to you, what do we need to do? You need to find a seasoned veteran, somebody that understands security from the business level, not a technical person that’s going to throw a tool at you. But somebody that can understand what business impact analysis actually means. You know, I’ll give you another example. So as I run into this all the time with providers, so you say we’re gold, you know, our business continuity plan, we’re available to five nines, right, which translates to, you know, a couple, couple minutes a year of downtime, and that is nominal, it’s amazing, it takes a lot to get that done. So congratulations, your technology is available to five nines, that does not ring my cash register because you have high availability and those systems could potentially be available, does not mean that my business on the other side to us that technology is in line, right? So business continuity and technology continuity are two completely different things. And when you talk cyber, most of the time that conversation goes to technical, and most of the time those technical people are going to talk to you about five nines, which is phenomenal, best possible, absolutely great. But five-nines of availability for our phone system, when I’m doing business continuity and incident response, I have 500 call center agents I have to move from Bangalore to Chennai. A simple configuration change reroutes those calls, but there’s nobody in those chairs.

Kathy (host):

And for those people who are not familiar with the five nines term, can we explain what that means?

Bryant (guest):

99.999% of the time or systems are available. That translates to a few minutes a year, and downtime. So your systems are up just a few minutes a year. That is a phenomenal thing to do. It’s very expensive.

Bryant (guest):

But if you have that level of high availability required, then you know, and I’ll give you I don’t know how much more time we have. I can do this for days. But I’ll give you have one more example. And we’re talking about availability. So we’re doing a strategy again, coming back to the answer for your question.

Bryant (guest):

What do I need to be doing need to be starting with strategy? Okay, well, we’re doing a strategy that hate When you say fast food, so we’ll call it a quick-serve restaurant. Okay, that is a household name that anybody that’s listening to this has probably eaten there within the past week.

Bryant (guest):

So we’re talking about payroll? Well, obviously, we have to be able to pay people. So here we are the security guys. And we’re saying, Well, yeah, that’s high availability, we need five nines, right? We need all that amazing stuff to make sure this is properly protected. Because when you get into talking about business continuity, we get into all these little terms, you know, recovery time, objective, recovery point objective.

Bryant (guest):

So what’s your RTO? For your payroll? Clearly, it needs to be within hours, if not minutes, right? And the chief financial officer of that organization goes two weeks. What? No, I mean, in the back of my mind, I gotta say it, but I’m this guy’s an idiot, he has no idea. Yes, he has no idea who I think I am.

Bryant (guest):

Right? Because we’re, we’re trying to help you. I’m sitting across from you, I’m trying to help you keep your payroll online. And then he explained, I have a very, very cash-heavy business, my payroll variance, week to week is less than 2%. I guess, since then, I can repeat the previous week’s payroll and have only a minor variance.

Bryant (guest):

I’ve got cash in the drawers and I have a process for paying cash out of the drawers should we have to do that I can sustain that for two, possibly three weeks, I don’t need high availability. So when you give the example of actually listening to and understanding the keys to the kingdom, the technology, people have no idea. Unless you ask the right questions, and you truthfully, and you hear the cliche, all the time, well, business-oriented processes, until you really truly understand what business loss could be what the important things are, and build that starting with strategy.

Bryant (guest):

Build your risk management program from the top down, we saved 300 in cash, I don’t know if it was nearly $400,000 annually, in high availability for that payroll system that we didn’t have to spend, we saved nearly a half a million dollars from that conversation, understanding and redirecting that money to where it would be most effective because what happens is people buy a tool or they do this or that they do that. And they spend, you know, good hard-earned small business money in a place that only protected three, possibly 5% of the attack surface.

Bryant (guest):

Meanwhile, 40% of your attack surface is left wide open, because you didn’t understand that that’s where the attacks are coming from.

Kathy (host):

And that’s a great example of what I always say: cost optimization, like optimizing what you have and making sure that is exactly right.

Bryant (guest):

Those same formulas that you’re talking about cost, that exact same formula that you’re using there, we use on the cyber side, prove a negative. So it is what it is. It’s difficult to do. But yeah.

Kathy (host):

Bryant, it was great talking to you. I could talk to you forever about this. But unfortunately, we have to end this episode. Please tell us, where can people find you?

Bryant (guest):

Leapfrog services.com is our website. My email address is very simple. It’s first dot last. bryant.tow@leapfrogservices.com is the email. The Ring of Security methodology that we talked about is on there with some explanation, the Enterprise Risk Management pyramid that we talked about. And these are all methodologies and things I’ve been developing over the last 20-some years. So there’s a little bit about it on there on the website, if you’d like, if you want to talk strategy or any of the ala carte services. Maybe we have some business ones, that don’t want to do strategy right away. They’re more concerned with an incident. So let’s start there. The most important thing is to start somewhere, do something, right? Even if it’s a little thing, do something right. Small goals, big dreams.

Kathy (host):

That’s great, Bryant. Thank you so much. Thank you for being on the podcast. I really appreciate it.

Bryant (guest):

Thank you, Kathy. It was fun. I’ll come back anytime. 

Kathy (host):

Thanks so much for joining us on today’s episode, and I hope that you’ve picked up some great tips on how to protect your business from cybersecurity threats. And as I said, we are planning to do more episodes focusing on this because it’s such an important topic as you’re growing your business.

Kathy (host):

Also, if you love this episode, you can find all the timestamps, show notes, blog posts, and links on our website at bewcastlefinance.us/podcast. And before I go, I do have a favor to ask if you are listening to this on Apple Podcasts. If you could please go to the show and tap the number of stars that you think the show deserves. This helps other people find it and gives us that much-needed algorithm love. Thanks so much. Until next time.